Product Lines

Ruminations on the System i Market

October 2008

October 31, 2008 10:10 AM

ERP: In the Right Place at the Right Time

Are you there yet? Are you among the steady stream of customers moving into comprehensive Enterprise Resource Planning (ERP) and striving to create a paperless workplace both in the interest of economy and environmental concern?

If you need a nudge, you can get it from Symtrax’s Compleo Archivor, the latest component of its Compleo Suite multi-platform output-management solution. Fit for the i, Compleo Archivor offers automatic and secure storage of business-critical documents such as outgoing invoices, orders, delivery notes, quality certificates, and HR employee information, all in the familiar PDF format.


Meanwhile, it maintains the original file attributes critical for meeting legal and regulatory compliance standards. It completes the ERP output-management cycle of creating, distributing, and storing reports that originated as raw data from ERP systems.

"Compleo Archivor integrates directly with ERP systems. This enables its users to maintain the original document attributes," reports Bernard Aldebert, managing director and CEO of Symtrax. "With many archiving solutions, this important information is often lost." He notes that another important feature of Compleo Archivor is smart selective indexing, which enhances the efficiency and speed of the search and the storage.

The solution promises secure, web-based access so that users can archive and retrieve documents from multiple systems anytime, anywhere. Compleo Archivor features an intuitive search tool to quickly and easily find documents via a web browser. You can remotely search, access, extract, print, and distribute archived material.

"Some ERP vendors offer archiving modules as part of their solutions, but these solutions don’t free users from the ERP system or the vendor," Aldebert says. "Archiving solutions need to be independent from the ERP system so that users can always access archived documents regardless of the status of the vendor. That’s why an independent system, based on standards like PDF, is the best and most secure way to go."

Customers, he says, ask for ease of use. "All our solutions are user friendly with an intuitive, graphical interface. In addition, it takes only a couple of minutes to install them."

Vicki Hamende, application development and database editor


Posted by vhamende on October 31, 2008 at 10:10 AM | Comments (0)

October 29, 2008 9:06 AM

Raz-Lee Solution Protects Your Business from Deliberate and Inadvertent Risk

Typical day-to-day business-critical applications that companies use provide little or no field-level security. That's the hole that Raz-Lee's patent-pending AP-Journal security product covers, as I learned in a conversation with Raz-Lee's vice president of business development, Eli Spitz.

As opposed to application security, infrastructure security has traditionally gotten a lot of focus, and indeed numerous solutions exist in this market. Spitz notes that although IBM i is known to be very secure, once people started using PCs to connect to the System i and to the outside world, everything became wide open for access, more often than not by insiders at the company: not just disgruntled employees, but employees transferring money, doing other dishonest activities, or even inadvertently putting security in jeopardy with honest mistakes.

When it comes to application security, Spitz says, "No one is really checking to see that field updates are reasonable--for example, salary increases or order-related information. Most companies would simply love to have a solution that would prevent and/or notify of unreasonable changes to the price, quantity, or delivery date of items ordered. Such changes, if not prevented or detected, will flow through the system, affecting other data as well."

AP-Journal puts business logic into applications--compliance logic, reasonableness checks--to verify at the moment of data entry whether a change is legitimate. "If you can define it, we can implement it," Spitz states. If an entry fails a check, all sorts of alerts are orchestrated. To stop the occurrence, AP-Journal can send out a notification message to appropriate personnel, and it can also shut down the terminal. AP-Journal's actions can be dependent on the severity of the change. For example, you could configure the product to notify if a five percent salary increase is given to a help-desk person, but if a 10 percent change occurs, you could have AP-Journal close the terminal and make it inoperable. You can also collect evidence: A procedure can be initiated to record the session from that moment forward. You can determine how long the recording goes and then turn off recording and shut down the terminal so that no other damage is done.

"AP-Journal's focus," Spitz says, "is on application data security: trapping unreasonable or suspect changes immediately upon occurrence to minimize error handling, to 'catch the thief,' and to save recovery time." Unpropagating or rolling back such changes would take a lot of time and get out of hand. Preventing these occurrences is what AP-Journal does.

Spitz acknowledges that this solution is based upon information gathered by IBM i journal receivers. The amount of data recorded to the journal receivers is huge and can easily reach hundreds of thousands of kilobytes. As part of Raz-Lee's patent, AP-Journal has a special-purpose repository that filters the data. "If you define the business items," Spitz maintains, "we'll store them in a condensed manner so there's no worry of data accumulating unreasonably in IBM journal receivers."
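The tiered reasonableness check and the filtered repository described above can be sketched as follows. This is an added example, not Raz-Lee's code: the rule table, file and field names, and the entry layout are hypothetical, and treating decreases like increases and failing closed on a zero or unparseable baseline are assumptions made here.

```python
from decimal import Decimal, InvalidOperation

# Hypothetical rule table: (file, field) -> ascending (threshold %, action) tiers,
# using the 5 percent / 10 percent figures from the article's salary example.
RULES = {
    ("EMPLOYEE", "SALARY"): [(Decimal("5"), "NOTIFY"), (Decimal("10"), "LOCK_TERMINAL")],
    ("ORDERLINE", "PRICE"): [(Decimal("5"), "NOTIFY"), (Decimal("10"), "LOCK_TERMINAL")],
}

# Constructed sample entries with before/after record images (not real journal output).
SAMPLE_JOURNAL = [
    {"seq": 101, "file": "EMPLOYEE", "key": "E1001", "user": "HDESK07", "terminal": "DSP12",
     "before": {"SALARY": "40000.00", "PHONE": "555-0100"},
     "after": {"SALARY": "42000.00", "PHONE": "555-0100"}},
    {"seq": 102, "file": "EMPLOYEE", "key": "E1002", "user": "HDESK07", "terminal": "DSP12",
     "before": {"SALARY": "40000.00"}, "after": {"SALARY": "46000.00"}},
    {"seq": 103, "file": "EMPLOYEE", "key": "E1001", "user": "HRCLERK", "terminal": "DSP03",
     "before": {"SALARY": "42000.00", "PHONE": "555-0100"},
     "after": {"SALARY": "42000.00", "PHONE": "555-0199"}},
    {"seq": 104, "file": "ORDERLINE", "key": "O77/1", "user": "SALES02", "terminal": "DSP20",
     "before": {"PRICE": "0.00", "QTY": "3"}, "after": {"PRICE": "19.99", "QTY": "3"}},
    {"seq": 105, "file": "ORDERLINE", "key": "O78/1", "user": "SALES02", "terminal": "DSP20",
     "before": {"PRICE": "100.00"}, "after": {"PRICE": "98.00"}},
    {"seq": 106, "file": "AUDITLOG", "key": "A1", "user": "QSYS", "terminal": "",
     "before": {"NOTE": "a"}, "after": {"NOTE": "b"}},
]


def classify(file, field, before_raw, after_raw):
    """Return (action or None, percent change or None) for one watched field."""
    tiers = RULES[(file, field)]
    try:
        before, after = Decimal(before_raw), Decimal(after_raw)
    except (InvalidOperation, TypeError):
        # Unparseable or missing value in a watched field: escalate to the top tier.
        return tiers[-1][1], None
    if before == after:
        return None, Decimal(0)
    if before == 0:
        # Percent change is undefined from a zero baseline: escalate to the top tier.
        return tiers[-1][1], None
    pct = abs(after - before) / abs(before) * 100
    action = None
    for threshold, tier_action in tiers:  # keep the highest tier that is met
        if pct >= threshold:
            action = tier_action
    return action, pct


def process(entries):
    """Filter journal entries down to watched-field changes and raise tiered alerts."""
    repository, alerts = [], []
    for e in entries:
        for field, old in e["before"].items():
            if (e["file"], field) not in RULES:
                continue  # unwatched data never reaches the condensed repository
            new = e["after"].get(field)
            action, pct = classify(e["file"], field, old, new)
            if pct == 0:
                continue  # watched field present but unchanged
            record = {"seq": e["seq"], "file": e["file"], "field": field, "key": e["key"],
                      "user": e["user"], "terminal": e["terminal"], "old": old, "new": new}
            repository.append(record)
            if action:
                alerts.append({**record, "action": action, "pct": pct})
    return repository, alerts


if __name__ == "__main__":
    repo, alerts = process(SAMPLE_JOURNAL)
    for a in alerts:
        print(a["seq"], a["user"], a["terminal"], a["field"], a["pct"], a["action"])
    print(len(repo), "watched changes kept out of", len(SAMPLE_JOURNAL), "entries")
```

The 2 percent price change (sequence 105) is kept in the repository as evidence but raises no alert, while the change from a zero price (sequence 104) is escalated because no percentage can be computed for it.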

For more information about AP-Journal, visit Raz-Lee's AP-Journal web page.

--Linda Harty, security & networking/connectivity editor

Posted by lharty on October 29, 2008 at 9:06 AM | Comments (0)

October 22, 2008 4:39 PM

Vendors Without Borders

If you travel to the Netherlands or Bermuda, you might hear about international connections involving LANSA and ARCAD Software. A student career website bears LANSA's mark, and ARCAD has opened a new European office.

Corporate Careers for Bermudians

The government of Bermuda has developed an interactive website to link recent college graduates and local employers. The goal is to find promising homeland corporate careers for students. LANSA Professional Services used LANSA Integrator and Web Access Modules (WAMs), enriched with AJAX technology, to build and implement the site with the help of LANSA business partner Bermuda Information Technology Services (BITS).

A small island nation, Bermuda enjoys the third highest per-capita income in the world and has an unemployment rate of less than one percent. However, the low unemployment rate, when combined with the small number of university graduates returning home, has led the international business community to rely on foreign nationals for senior positions. Bermuda has close to 9,000 expatriate work-permit-holders, mostly in upper-level management.

"Employers would rather recruit Bermudians, as it is an expensive and lengthy procedure to arrange work permits for overseas job candidates," reports Dale D. Butler, minister of culture and social rehabilitation. "There are Bermudians who have studied overseas and want to return to Bermuda and work in their fields of study. There are also graduates locally who may be seeking an opportunity to work in their fields of study. The career site develops these relationships and enhances the recruitment process, informing all Bermudian stakeholders of the growing opportunities and talents in the various sectors."

In designing the career search engine and employment resource tool, the team had to resolve several concerns, such as maintaining confidentiality, ensuring the legitimacy of employers, and confirming the Bermudian status of students.

Matching Graduates and Businesses

LANSA Integrator now works behind the scenes to facilitate the exchange of documents. After students log on and create an account, they can post cover letters, upload résumés, access employment resources, and search for jobs. Even after students sign off, the system continues to match them to potential opportunities, emailing results as companies post new jobs and career information. On the other side, employers use their accounts to manage online profiles, post and update job and training information and employment applications, and access registrant data. They may contact students in different countries studying economics, for example, and notify them of upcoming opportunities within that field.

The career site is deployed on an IBM i model 520, as are many of the other systems for the Bermuda government. "The System i is solid and secure, and you don't need as many people to operate it," explains David Atwood, director of E-Government. "Currently we are running the site in a hosted System i environment. By hosting it externally, we took away some of the delays that may have occurred in setting up the infrastructure ourselves. Also, most students are in America and Canada, another reason why hosting works well."

In addition to being promoted in magazine, newspaper, and search-engine advertising, the site has appeared in video ads in cinemas and on the radio during holidays when students are home with their families. Bermuda's premier has visited a number of universities and has been active in getting the involvement of students.

ARCAD Opens New European Office

ARCAD Software, meanwhile, now offers professional business services to its Dutch customers through its new ARCAD Software BV office in Dongen, Netherlands. A developer of solutions that manage change and modernize business applications for IBM i and open systems teams, ARCAD Software BV can now provide local support for strategic clients such as Van Lanschot Bankiers.

"It is an opportune time for us to consolidate our position in the Netherlands," says ARCAD CEO and Chairman Philippe Magne. "First of all, we already have reference accounts in the country. Second, the well-publicized sales of other change-management software companies and the effect of the acquisitions on the viability of those companies' products present important upgrade potential for ARCAD."

Magne notes that replacing a change-management tool that is already in place is not easy, especially when the product has performed satisfactorily in the past. "That is why we explain to clients that this is not a replacement, but rather an evolution--a new dimension in change management," he says. "Today, regulatory constraints, security requirements, and strong integration of new technologies require a broader approach to change management."

ARCAD Software's home bases are in France (Paris and Annecy) as well as Peterborough, New Hampshire. In addition, staff members work in other locations worldwide.

Vicki Hamende, application development and database editor


Posted by vhamende on October 22, 2008 at 4:39 PM | Comments (0)

October 21, 2008 10:22 AM

Does Being Compliant Equate to Being Secure?

I touched base with Gary Palgon, vice president of product management for nuBridges, Inc., to get his in-the-field perspective on what's happening in the security arena as regulations continue to evolve to address ever-changing security threats. I asked him about the latest risks he's seeing, whether any new laws or regulations are coming down the pike, and if being compliant is enough to keep your business secure.

What security risks do you see businesses facing today?

Palgon: As we look back over the last four years or so, security concerns have evolved from just physical security to general security to system and software security. Today, the big push is the implementation for the Payment Card Industry Data Security Standard (PCI DSS). That standard changed security from just something that happens and that only the IT group worries about to something that has escalated to senior management.

The risks reported in the news media were initially about credit card information breaches. In the last 18 months, the news has been about breaches of other personally identifiable information. For businesses, the big risks associated with breaches today are, as data is breached, regardless of the kind of data, companies lose credibility and face lawsuits and fines. Most often, the threat driving companies to comply is the fear from the loss of credibility with their customers.

What's interesting is to note that while credit card information was the driver for compliance mandates, we're now seeing a lot across industries that don't have anything to do with the credit card piece but rather with all the other data: birth dates, driver's license numbers, and other personal information. So the laws that these companies must comply with are not what they feel threatened by, but the bigger problem for them is risks to their brand and their credibility in the event of a breach.

So the interesting part is that the only laws that require audits are SOX and HIPAA, and it has only been in the last nine months or so that true audits from HIPAA have come to fruition. For state breach notification laws (about 40 states have them), nobody comes into your business and says you're not complying. It's really an aftereffect: If you lose data, then the law kicks in and you're liable for having to notify the individuals whose information was breached. The validation that you're compliant doesn't take place until the problem has already occurred. In the insurance industry, it's those companies' responsibility as good corporate citizens to protect their clients' data, but nobody is coming in to say to them, "I'm going to routinely check that you're protecting your data." But PCI and SOX do require routine auditing.

What are the latest industry mandates, state regulations, international laws, and/or pending federal laws that you're seeing businesses needing help with?

Palgon: When we talk about the PCI Data Security Standard, there's actually a broader group of standards to consider, managed by the PCI Security Standards Council. PCI DSS is only one of several standards being overseen by this group. There's the Payment Application Data Security Standard (PA-DSS--the “cash register” itself), the PCI DSS, and the PIN Entry Device (PED) Security Requirements. There are some new laws for unattended payment terminals such as kiosks. There are rules that guide all of these.

As for federal laws, there are some pending ones but nothing that's going to happen in the next few months because of the change in the U.S. presidential administration. So we're in a quiet period for federal laws.

With international laws, there are no new ones lately, but a handful do apply. Like SOX in the U.S., the U.K. has the Companies Bill. The U.K. also has several other laws that are specific to the U.K. on how you handle data. Europe has its own laws; all around the world, there are laws. Companies that operate on a global basis have to pay attention to those laws where they operate. Regardless of where your headquarters is, you're liable for the laws where your company does business.

Does being compliant with a security mandate or regulation equate to actually being secure?

Palgon: The answer to that is easily, no. Where that became apparent was with what happened at Hannaford Bros. Co. The company was actually compliant with PCI DSS but in fact was not secure. One of the themes at last month's PCI Security Standards Council conference was that compliance doesn't equal security. So you have to continually evolve your organization and always look for new things to be secure. As we look to see how data has been breached over the years, we see that the typical bad guys initially went for data at rest in databases, so that's where the standard went to, with the PCI DSS. Then, as companies began to address that vulnerability, we got things like what happened to TJX: attacks on data moving through wireless networks. Bad guys then realized companies were locking those avenues down. There's a gap in the current PCI DSS in that it does not require data in motion within enterprises to be encrypted. Hannaford Bros. was secure on its B2B transfers and in its databases, but as data was being moved within the company, it was not encrypted.

So this is the next new area that needs to be addressed, and regulations will follow. It's an open issue that will have to be investigated to see what the options are. There has to be a start and an end to each data transfer, and the trick is to make sure that at no point is the data exposed in the clear, and when it gets to the endpoint, how do we make sure it's not put in the clear and is thereby insecure? Encrypting data is pretty simple; the difficulty is the security behind the keys and being able to make sure that only specific people have access to the keys, that no single user has control over the keys, and most important, that you rotate and change out the keys periodically.

With your customers, what issues are you seeing that need to be addressed to achieve data security on the IBM i as well as other hardware in the corporate IT environment, and how are you helping your customers tackle these issues?

Palgon: Really, it's kind of interesting, because we have a large IBM i customer base, and while historically we thought of IBM i shops as only i shops, there really are a lot more systems running in those shops than just the i. The more enterprises we touch, even though they have an i, we find that they're also running Windows, Linux, Unix, mainframe, and so forth. You can't look at those environments as silos because each of those environments must be able to transfer data and utilize data. You don't want to have to encrypt, decrypt, and re-encrypt between each environment. Companies are having to look at encryption and key management across the different platforms.

From a managed file transfer standpoint, what you're really trying to do is have control over all your transfers, external or internal, plus visibility of who's transferring what and when and to whom.

What other information or advice do you think our readers should have?

Palgon: In this realm, for data security, you need to take a strategic look and not a patch-and-bandage look. Historically, businesses have run into problems with that patch approach. We saw a lot of that approach three to four years ago, and businesses have realized that the programmer had the keys to the kingdom. Security is evolving, and it does need attention.

--Linda Harty, security & networking/connectivity editor

Posted by lharty on October 21, 2008 at 10:22 AM | Comments (0)

Vision Covers the Earth...

In case you were wondering what the next step for Vision Solutions might be, wait no longer. This step is a big one. Earlier this month, Vision Solutions announced a worldwide distribution agreement with IBM. Effective immediately, IBM will begin distributing Vision Cluster1 as a flagship enterprise cluster management solution for the i.

Vision Cluster1 for i5/OS provides a high-availability management interface that offers application-level monitoring and control of all data protection implementations, support for multiple data technologies across a single application's data, and managed failure switchover and recovery. Vision Cluster1 includes one-button switch capabilities that work with or without a logical replication solution.

You can read the entire release here.

--Erin Bradford, systems management & availability editor

Posted by ebradford on October 21, 2008 at 10:21 AM | Comments (0)

October 2, 2008 4:25 PM

IBM Announces New, Holistic Security and Compliance Framework for Retailers

On Wednesday, IBM announced SecureStore, "a new part of the IBM TotalStore portfolio designed to help Retailers resolve security and compliance issues and advance their business." The solution is targeted at helping retailers comply with the Payment Card Industry Data Security Standard (PCI DSS), reduce losses due to theft and fraud, and prevent data breaches.

To get all the details, read the full announcement, which includes a nifty product demo and a webinar. Also check out Dave Bartlett's Industry Solutions and Tivoli blog post.

--Linda Harty, security & networking/connectivity editor

Posted by lharty on October 2, 2008 at 4:25 PM | Comments (0)

BCD Is Sweeping the Globe

Business Computer Design, Int’l. Inc. (BCD) has made great strides in spreading its modernization suite across the globe with its Business Partners incentive. BCD offers up to $65,000.00 of free product licenses to those interested in becoming a partner, a proposition many companies seem to take advantage of. Just recently, BCD’s modernization software gained ground across the globe as three more companies chose to join forces with BCD: Deltacare in Benelux countries, evolveIT in California, and Degrassa in Poland. Some of the BCD programs that these companies have opted to use include WebSmart ILE, WebSmart PHP, Presto, Nexus Portal, Clover Query, and Catapult.

But what about Deltacare, evolveIT, and Degrassa? Who are they and what do they think BCD can bring to them?

Deltacare is in Den Bosch in the southern region of the Netherlands. It is a member of the Pantheon Group, one of the largest IBM Business Partners for the System i in the Netherlands. Deltacare works in the public and semi-public healthcare segment, helping organizations with project management and data management. BCD is now marketing and supporting its products in the Benelux countries through Deltacare. Fritz van Muijlwijk, Deltacare manager of Business Development, said that the BCD products “are very important to help companies in the Benelux create modern and web-enabled applications on the System i, or help modernize existing legacy applications.”

From California, evolveIT uses BCD application modernization tools for its System i professional services. For example, it recently completed a modernization project for Veolia Environmental Services using BCD’s WebSmart, Nexus Portal, and Clover Query.

Poland’s Dagessa also offers services, as well as support and consulting, for the IBM i. It is also using BCD’s software to leverage its own services.

Like the IBM i itself, BCD is trying to make itself useful everywhere in the world. It seems their partnership offerings are helpful in getting them there. To learn more about their business programs, go here.


-Cassandra Deemer, editorial assistant for System iNEWS

Posted by cdeemer on October 2, 2008 at 2:48 PM | Comments (0)

October 1, 2008 2:57 PM

RPG and .NET: Can We All Get Along?

Imagine that you're a manufacturer with all your data and applications sitting on an IBM i. You have a problem because your shop floor equipment runs .NET applications that can't interact with your i in realtime as your products roll down the assembly line. Not to worry! LANSA can help your two platforms get along. The company has created a solution that lets your .NET and IBM i applications seamlessly transact in realtime and synchronize disparate processes such as the ERP and industrial procedures in this example. As your manufactured goods sequentially step through production, information is pushed back and forth between the i and the .NET shop floor applications. LANSA gives you the ability to call RPG/Cobol programs from .NET and transact with the database in a quicker, more highly integrated way. As a bonus, .NET developers don’t have to know anything about the i, DB2, or LANSA to make it happen.

The formula is LANSA Open for .NET, a class library that combines the strengths of the .NET and IBM i environments without compromising data integrity. It harbors enterprise rules in one meta repository, which is made available to developers through a completely independent data services layer that governs all database access. As a result, you can subject both platforms to the same validation constraints without duplicating source code, and you can also enjoy tighter security, faster performance, and cleaner, more reliable data. Ahh…RPG and .NET can indeed get along.

Strategic Middleware

David Brault, LANSA product marketing manager, sees LANSA Open for .NET as strategic middleware. "The LANSA Open for .NET class library contains a bunch of APIs that developers can embed into their applications for things such as native access to DB2, the ability to call legacy programs, and the ability to share business rules with their 5250 applications, all without having to write the code themselves. This means cleaner, more reliable data back on the i when DB2 data is updated by .NET programs. Now that companies want their .NET applications to do more than just read DB2 data, a proper data service must be part of their architecture," Brault says. "The product is not targeted to people who just want to read DB2 data from .NET. It's intended for people who want to go to the next level--straight through processing (STP) on the IBM i from their .NET apps."

.NET helps clients create nice-looking rich client interfaces, Brault explains, but the customers can still use the power of DB2 on the i for data processing. "In terms of development, there's the .NET camp and the RPG camp--rival tribes that tend not to get along well together. There's a clash between these two camps, and there's not a lot of synergy. We can finally get these mixed-mode development shops together on the same page by giving them the benefit of reuse."

Sharing Resources

Why did the company develop LANSA Open for .NET? "What we are finding is that most of our customers have a blend of RPG, .NET, and LANSA applications, and they need a better way to share resources," Brault says. "Let's say I'm an IT manager handling these siloed development camps. I can't share common rules, and I have security issues when using ODBC. I don't want to write information directly to DB2 files from .NET in an unchecked manner or suddenly my data integrity becomes suspect. Data integrity is a big issue. In the old days we had one set of RPG/Cobol source code, one database, and one interface device. Now we want to do transactions from other interfaces without putting bad data into our database. Because of this fact, some companies don't even try to integrate. They take .NET data and print out a report to re-key into the green screen applications to enforce the business rules. They can't guarantee, though, that what they typed in and what they re-keyed will be the same. Again, they could compromise their data integrity."

With the new product, clients can go to one location to make system-wide changes without recompiling or redeploying their applications. The repository automatically kicks in and tells the end users what they've done incorrectly. "Now the developers can code less and let the repository tell the end users exactly what they did wrong. They can specify the language for the error messages for companies with multilingual requirements."

.NET developers write their applications in C#, VB.NET, and so on. They enroll the LANSA Open for .NET class library into their environment, and it automatically provides a secure, encrypted TCP/IP connection to the i. The LANSA repository stores all the business rules in one spot but enforces them throughout the .NET applications.

Togetherness

Suppose you're a leading supplier and services provider to national companies. You buy a .NET application that front ends the i. LANSA Open for .NET is a solution that can help you maintain enterprise data integrity on the i, manage silo development teams and projects, extend the reach of your enterprise data to .NET, provide .NET applications with native access level to DB2, and enforce system-wide business rules.

LANSA Open for .NET, Brault concludes, provides "a single point of truth" to reuse all your validation rules and business logic among all your development camps to help them share resources and get along together.


Posted by vhamende on October 1, 2008 at 2:57 PM | Comments (0)
