Ruminations on the System i Market
I spoke with Philip Lieberman, CEO of Lieberman Software, recently and got some information that you can use to help you help your company tighten its security belt. Programmers beware: You may be making a common but preventable security mistake that can cost you—and your company—big time.
What do you see as the most critical security issue facing IT—and the companies they serve—today?
Lieberman: In most organizations, too many people have too much access to too much information too much of the time. Back in the days of mainframes, there were mandatory access controls, but in the world of personal business computers and remote users along with GenX and GenY, the entire nature of controlling access to sensitive information has gone out the door. But the risks haven't changed. What's happened is the technology has changed and the population has changed, so we see many organizations ripe for a breach.
The issue really comes down to providing delegation of responsibility. It's partially an organizational/business change and partially an implementation of software to control these access points. IT auditors find this issue a key part of any serious IT audit—whether it's federal government or Governance, Risk, and Compliance (GRC).
The concern is one not of ROI but of business continuation and, increasingly, routine GRC—looking at risk management and risk mitigation and dealing with it organizationally and technologically. It comes down to answering two questions: Are there any locks on the doors? And are there systems in place to make sure people are doing the right things at the right times in the right places for the right reasons?
Does Lieberman Software have products that address these problems?
Lieberman: We have about 10 different products, ranging from password synchronization tools to privileged identity management tools to local security management tools. Some of our products are used by IT administrators, and others are used by CSOs, CIOs, and IT auditors. But, "products" are really the smallest part of the solution to the problem of security. The biggest part has to do with systems integrators and organizations implementing compartmentalization and controls. That's 95 percent of all the work. The technology that we sell provides the framework for technical implementation, but the bulk of the work is in the hands of the security pros who implement these processes within organizations.
These professionals work with the organization to decide on the methodology to use to control access to privileged systems. That's the hard work. It also represents a large opportunity for resellers and systems integrators. To many organizations, if they're not aware of our technology, it appears as though a solution is not technically feasible. So they tell their auditors that the problem is not solvable. The unfortunate consequence of not implementing a solution is that they could literally lose control of everything within the organization due to lack of physical, logical, and procedural controls.
One area we've been pressing forward aggressively in is shared password management. Our products run on all platforms, including the i, of course, but also mainframes, PCs, Unix, and Linux. A lot of organizations use the same passwords to access everything, for everybody in the IT department. What we're offering are different, ever-changing passwords for every system and approved access based on an employee's duties and business needs (segregation of duty). Many IT shops don't segregate duties, meaning that they allow anyone in IT access to anything they want. And when people leave the company, IT typically doesn't change or eliminate these passwords.
The decision to implement control systems requires a buy-in by C-level executives. It's an interesting situation. Back in the days of the mainframe, the IT department controlled access. Today, control has gotten lost, and many of the C-level executives may understand physical security and physical segregation (e.g., physical stock control, dealing with employee theft at the physical level), but they're really not educated in the fact that some of the largest losses can occur at the IT level (logical level).
Does Lieberman Software help educate people?
Lieberman: What we do is work with the consultants—the IT auditors and resellers. What we're looking for is additional trusted partners to work with.
The big issue is that companies have so many systems and passwords, that without an automated system, most organizations lose control of the security. We have the software that globally manages all that. When companies put the software in place, it discovers all machines and accounts and also how and where they're used. This information is used by auditors, security professionals, and IT managers to regularly update credentials and change the locks when employees leave—a key part of virtually every security standard (e.g., PCI, Sarbanes-Oxley, HIPAA).
It's a battle on a daily basis to try to get companies into a better posture. We see a spectrum of different clients, from those who work with and embrace the IT auditors and their assistance, to those who see auditors as just an annoyance. It's interesting to see the relative results in the financial meltdown happening today. Those companies that treated the auditors as their friends have gotten through this crisis better, whereas the others have not really weathered the effects very well. [Editor's Note: For an article that backs up this assertion and helps you figure out how to get more comfortable with auditors, read "Keep Auditors at Bay," by Robert S. Tipton.]
It's really a no brainer to implement these systems, because the benefit is obvious: You get to stay in business. But some CEOs, CFOs, and CIOs are reluctant to spend the money on IT security because it means less money for the bottom line (short term) and their bonuses.
Based on what you've seen in the field, do you have any security advice for programmers?
Lieberman: Programmers sometimes have some really bad habits. They'll embed passwords right into their programs. Then there will be a defect in their program, and that allows someone to see the source code, and then really bad things happen. Websites have gotten compromised and then exposed employee records, credit card numbers, and other sensitive data. All this ends up happening because of embedded credentials in web pages or because insecure websites become exposed. It's easy to embed passwords in programs, and it's harder to code correctly by using impersonation or programmatic password lookups. This is really where it gets into the weeds of implementation. There are inherent capabilities in the OS to hide or encrypt passwords, and there are also APIs that allow passwords to be retrieved. And there's integrated authentication that passes credentials to the actual database and allows the database to decide what that user can and cannot see.
Another problem we see is that programmers don't have their applications tested or validated for security by a third party or even in-house. Many of them don't have the expertise or the resources to get the testing done.
Some good advice is to always consider the consequence of a security breach: loss of your job and possibly even loss of the company.
On the other hand, nobody ever got a bonus for something bad not happening. No manager would say, "Hey, good job, we didn't get hacked today." The problem with security is that it's inevitable that there will be a breach. As the saying goes, "Expect the worst; hope for the best." But developers aren't taught that way. They're taught to just get the job done.
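The embedded-credential habit described above can be caught at code review and replaced by a runtime lookup. The block below is an added example, not part of the interview or any Lieberman Software product; `dbdriver`, its `connect` call, and the use of the process environment as a stand-in for an OS keyring or credential vault are assumptions.

```python
"""Added example: a review-time check for credentials embedded in source,
beside the lookup-at-runtime pattern the interview recommends. dbdriver,
connect and the environment-backed store are hypothetical stand-ins."""
import os
import re

# Heuristics for pasted-in secrets: a password-like name assigned a quoted
# literal, and a PWD=/Password= clause inside a ;-separated connection string.
_EMBEDDED = (
    re.compile(r"(?i)(passw(?:or)?d|pwd|secret|api[_-]?key)\s*=\s*['\"][^'\"]{4,}['\"]"),
    re.compile(r"(?i);\s*(?:password|pwd)\s*=\s*[^;'\"\s]{4,}"),
)

def find_embedded_credentials(source: str):
    """Return (line number, stripped line) for each line that looks like a hardcoded secret."""
    return [(n, line.strip())
            for n, line in enumerate(source.splitlines(), start=1)
            if any(p.search(line) for p in _EMBEDDED)]

def lookup_password(system: str, account: str, env=None) -> str:
    """Programmatic lookup: the credential is injected by the deployment
    (here via the environment, standing in for an OS keyring or a
    privileged-identity vault) and can be rotated without touching code."""
    env = os.environ if env is None else env
    key = f"{system}_{account}_PASSWORD".upper()
    if key not in env:
        raise RuntimeError(f"no credential injected for {account}@{system} (expected {key})")
    return env[key]

# Constructed sample: the anti-pattern the interview warns against ...
BAD_SOURCE = """\
import dbdriver
conn = dbdriver.connect("DRIVER={SomeDriver};SYSTEM=prod;UID=appuser;PWD=Summer2009!")
admin_password = "hunter2"
"""
# ... and the same program with the secret resolved when the job starts.
GOOD_SOURCE = """\
import dbdriver
pwd = lookup_password("prod", "appuser")  # fetched at run time, never in source
conn = dbdriver.connect(system="prod", user="appuser", password=pwd)
"""

if __name__ == "__main__":
    for name, src in (("BAD_SOURCE", BAD_SOURCE), ("GOOD_SOURCE", GOOD_SOURCE)):
        print(name, find_embedded_credentials(src))
```

The scanner is deliberately narrow (quoted literals and connection-string clauses); it flags lines 2 and 3 of the bad sample and nothing in the good one.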
Is this situation getting better or worse?
Lieberman: It's not getting better; it's getting worse. Cloud computing is going to make the situation completely out of control—not like it isn't already!
The question is longevity. What is your allegiance to any organization and its long-term survival? Do you operate in a mode of protecting your job and organization, or are you just going from one fire to another without thinking about long-term survival? It's a thought-provoking problem. Consider that the greatest offenders may not even be the low-level employees but the C-level employees—those who seek only short-term profits and have no interest in investing in security training, security products, or secure programming.
Does your company have any new products or releases coming out?
Lieberman: In terms of updates and what goes on going forward, we're adding additional connectors for our privileged identity management solutions. For example, we have recently added connectors to most Security Incident and Event Manager (SIEM) systems. These systems reach out into all the systems in an organization and look at the audit logs as well as process critical events in real time. They consolidate that info, present alerts, and can also prepare security compliance reports. They're part of an ongoing intrusion and compliance analysis system, and they are also used for availability. What we do for these SIEM systems that have embedded credentials that allow them to talk to other systems is make connectors that go out and keep credentials automatically updated. We make connectors for different systems, different versions of Unix, Linux, and IBM i. We're always updating these to deal with the evolving needs of our customers. Connectors deal with discovery of systems and management of privileged credentials. The basic idea is that a human would normally be requesting these credentials, but these automated systems operate autonomously and need help being updated as things change. Normally this is a manual process, but it really can't be done manually in any practical way.
—Linda Harty, executive editor & availability/security/networking/connectivity editor
Posted by lharty on May 27, 2009 at 10:29 AM | Comments (0)
IBM is offering a no-cost 60-day trial of the Power Systems 520 server running either IBM AIX, IBM i, or Linux. According to the IBM web page that contains the offer, here's how the program works:
For complete information about the offer, visit IBM's website.
--Linda Harty, executive editor & security/availability/networking/connectivity editor
Posted by lharty on May 12, 2009 at 1:53 PM | Comments (0)
Midrange Performance Group, Inc. (MPG), and CCSS USA Corp. have announced a marketing alliance to better serve the requirements of their IBM i system monitoring and capacity planning customers.
CCSS develops QMessage Monitor, QSystem Monitor, and QRemote Control, which help users monitor and manage IBM i servers. "Cohesive industry alliances such as this will substantially benefit IT Managers that face a complex landscape of system issues, many of which include dependencies or interactions with other areas of the system. For them, solutions that can accommodate a 'big picture' vision of their needs are unquestionably more valuable," says Ray Wright, CEO of CCSS.
MPG, developer of Performance Navigator and Power Navigator, provides capacity planning, performance management, and problem determination support for the IBM i and AIX/Linux platforms. "This alliance will enable us to serve our customers in a more effective and cost efficient way," says Randy Watson, president of Midrange Performance Group. "Between our two companies, we cover the full range of system management requirements for the IBM i customer."
--Rita-Lyn Sanders, Senior Industry Editor, Programming & Systems Management
Posted by rsanders on May 11, 2009 at 11:50 AM | Comments (0)
At COMMON Reno, LANSA rolled out one of the company's more significant new products--iFusion.net. Its overall design comes with some particularly compelling propositions for IBM i-focused companies that find themselves shouting over widening chasms of new application development. More specifically, the divide comes from core enterprise applications and data on IBM i systems . . . and Microsoft-focused app solutions delivered via the 2007 Microsoft Office System, Office SharePoint Server 2007, Microsoft SQL Server, or applications built with the .NET Framework.
I know it sounds confusing, but not if you're one of the companies that find themselves with at least two, if not more, camps trying to provide end users with actionable data and useful applications.
"Microsoft owns the desktop; IBM owns the server, and applications run in silos," says Steve Gapp, president of LANSA Americas.
The basic issue is, rather than risk letting .NET developers run amok with core enterprise data running on an i system, companies have fractured their enterprise information.
"Today, people are the middleware between the platforms and processes," Gapp notes.
Meta Data Repository to the Rescue

At the heart of iFusion.net is LANSA's answer: a meta data repository ensures that the rules that govern your database transactions are centrally maintained and enforced by all programs, regardless of the platform or development language (C#, VB.NET, RPG, COBOL, LANSA, Synon, SQL, PHP). The result?
Zero duplication of business rules, tighter security, faster performance, and more assured data integrity for organizations that depend on DB2 and SQL databases, LANSA says.
For example, "With iFusion.net, .NET applications have native access to everything your RPG applications can take advantage of," Gapp explains.
Basically, iFusion.net gives Microsoft Visual Studio and .NET Framework developers the authority to perform Create, Read, Update, and Delete transactions on the core databases without risk of jeopardizing data integrity or security--and this last point, Gapp says, is the most important issue for i-focused managers who have end users running a variety of apps in what has become mixed-mode environments.
Not Necessarily a War in Many Companies
LANSA's meta data repository architecture isn't new, and many of the components have already been in use by LANSA customers--but iFusion.net as a product designed to maintain core IBM i data while allowing diverse application access is new.
"Back in 1987, when we created the LANSA platform, every customer ran their critical applications on AS/400 servers. Today, most of our customers still have an IBM i server at the core, but we recognize that many have also made big investments in Microsoft products and skills. iFusion.net has been developed specifically for organizations who are running this mixed-mode environment, so they can concentrate on extracting value from their resources, rather than forcing everyone and everything to a common standard. This mixed mode environment is everywhere you look, so we hope that our neutral approach is something that everyone in the IT department can finally agree upon and move forward with--because end-users are getting tired of waiting," notes Pete Draney, director and CEO of LANSA.
To learn more, check out LANSA's focused site at http://www.iFusion.net.
Posted by cmaxcer on May 4, 2009 at 9:25 AM | Comments (0)