Ruminations on the System i Market
I spoke with Philip Lieberman, CEO of Lieberman Software, recently and got some information that you can use to help you help your company tighten its security belt. Programmers beware: You may be making a common but preventable security mistake that can cost you—and your company—big time.
What do you see as the most critical security issue facing IT—and the companies they serve—today?
Lieberman: In most organizations, too many people have too much access to too much information too much of the time. Back in the days of mainframes, there were mandatory access controls, but in the world of personal business computers and remote users along with GenX and GenY, the entire nature of controlling access to sensitive information has gone out the door. But the risks haven't changed. What's happened is the technology has changed and the population has changed, so we see many organizations ripe for a breach.
The issue really comes down to providing delegation of responsibility. It's partially an organizational/business change and partially an implementation of software to control these access points. IT auditors find this issue a key part of any serious IT audit—whether it's federal government or Governance, Risk, and Compliance (GRC).
The concern is one not of ROI but of business continuation and, increasingly, routine GRC—looking at risk management and risk mitigation and dealing with it organizationally and technologically. It comes down to answering two questions: Are there any locks on the doors? And are there systems in place to make sure people are doing the right things at the right times in the right places for the right reasons?
Does Lieberman Software have products that address these problems?
Lieberman: We have about 10 different products, ranging from password synchronization tools to privileged identity management tools to local security management tools. Some of our products are used by IT administrators, and others are used by CSOs, CIOs, and IT auditors. But "products" are really the smallest part of the solution to the problem of security. The biggest part has to do with systems integrators and organizations implementing compartmentalization and controls. That's 95 percent of all the work. The technology that we sell provides the framework for technical implementation, but the bulk of the work is in the hands of the security pros who implement these processes within organizations.
These professionals work with the organization to decide on the methodology to use to control access to privileged systems. That's the hard work. It also represents a large opportunity for resellers and systems integrators. To many organizations, if they're not aware of our technology, it appears as though a solution is not technically feasible. So they tell their auditors that the problem is not solvable. The unfortunate consequence of not implementing a solution is that they could literally lose control of everything within the organization due to lack of physical, logical, and procedural controls.
One area we've been pressing forward aggressively in is shared password management. Our products run on all platforms, including the i, of course, but also mainframes, PCs, Unix, and Linux. A lot of organizations use the same passwords to access everything, for everybody in the IT department. What we're offering are different, ever-changing passwords for every system and approved access based on an employee's duties and business needs (segregation of duty). Many IT shops don't segregate duties, meaning that they allow anyone in IT access to anything they want. And when people leave the company, IT typically doesn't change or eliminate these passwords.
The decision to implement control systems requires a buy-in by C-level executives. It's an interesting situation. Back in the days of the mainframe, the IT department controlled access. Today, control has gotten lost, and many of the C-level executives may understand physical security and physical segregation (e.g., physical stock control, dealing with employee theft at the physical level), but they're really not educated in the fact that some of the largest losses can occur at the IT level (logical level).
Does Lieberman Software help educate people?
Lieberman: What we do is work with the consultants—the IT auditors and resellers. What we're looking for is additional trusted partners to work with.
The big issue is that companies have so many systems and passwords, that without an automated system, most organizations lose control of the security. We have the software that globally manages all that. When companies put the software in place, it discovers all machines and accounts and also how and where they're used. This information is used by auditors, security professionals, and IT managers to regularly update credentials and change the locks when employees leave—a key part of virtually every security standard (e.g., PCI, Sarbanes-Oxley, HIPAA).
It's a battle on a daily basis to try to get companies into a better posture. We see a spectrum of different clients, from those who work with and embrace the IT auditors and their assistance, to those who see auditors as just an annoyance. It's interesting to see the relative results in the financial meltdown happening today. Those companies that treated the auditors as their friends have gotten through this crisis better, whereas the others have not really weathered the effects very well. [Editor's Note: For an article that backs up this assertion and helps you figure out how to get more comfortable with auditors, read "Keep Auditors at Bay," by Robert S. Tipton.]
It's really a no brainer to implement these systems, because the benefit is obvious: You get to stay in business. But some CEOs, CFOs, and CIOs are reluctant to spend the money on IT security because it means less money for the bottom line (short term) and their bonuses.
Based on what you've seen in the field, do you have any security advice for programmers?
Lieberman: Programmers sometimes have some really bad habits. They'll embed passwords right into their programs. Then there will be a defect in their program, and that allows someone to see the source code, and then really bad things happen. Websites have gotten compromised and then exposed employee records, credit card numbers, and other sensitive data. All this ends up happening because of embedded credentials in web pages or because insecure websites become exposed. It's easy to embed passwords in programs, and it's harder to code correctly by using impersonation or programmatic password lookups. This is really where it gets into the weeds of implementation. There are inherent capabilities in the OS to hide or encrypt passwords, and there are also APIs that allow passwords to be retrieved. And there's integrated authentication that passes credentials to the actual database and allows the database to decide what that user can and cannot see.
Another problem we see is that programmers don't have their applications tested or validated for security by a third party or even in-house. Many of them don't have the expertise or the resources to get the testing done.
Some good advice is to always consider the consequence of a security breach: loss of your job and possibly even loss of the company.
On the other hand, nobody ever got a bonus for something bad not happening. No manager would say, "Hey, good job, we didn't get hacked today." The problem with security is that it's inevitable that there will be a breach. As the saying goes, "Expect the worst; hope for the best." But developers aren't taught that way. They're taught to just get the job done.
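To make the embedded-credential problem from the answer above concrete, here is an added example (not code from the article or from Lieberman Software). It shows the bad habit, a credential that ships inside the source, next to the habit the interview recommends, a programmatic lookup at run time, and a small scanner that flags the embedded pattern in source text. The sample source, the `DB_PASSWORD` variable name and the `load_from_vault` call are constructed for illustration and are not real APIs.

```python
"""Embedded credentials vs. run-time lookup, plus a scanner for the bad pattern.

Added example, not from the original article. All names, sample source and
values below are constructed for illustration.
"""
import os
import re

# --- The bad habit: the password lives in the program text. Any defect that
# exposes the source (a misconfigured web server, a backup left in a web root,
# a leaked repository) exposes the credential with it.
DB_PASSWORD_EMBEDDED = "s3cr3t-hunter2"  # constructed, deliberately bad


def connect_embedded():
    """Returns connection parameters built from the embedded secret."""
    return {"user": "app", "password": DB_PASSWORD_EMBEDDED}


# --- The better habit: look the credential up when the program runs, so the
# source carries no secret. Here the lookup source is an environment mapping
# (the process environment by default); a vault or OS credential API would be
# used the same way, and the caller never sees a literal in the code.
def get_db_password(env=None):
    """Fetch the database password from `env` (defaults to os.environ).

    Raises instead of falling back to a built-in default, so a missing secret
    is a loud deployment error rather than a silent weak credential.
    """
    env = os.environ if env is None else env
    password = env.get("DB_PASSWORD")
    if not password:
        raise RuntimeError("DB_PASSWORD is not provided at run time")
    return password


def connect_lookup(env=None):
    """Returns connection parameters using a run-time credential lookup."""
    return {"user": "app", "password": get_db_password(env)}


# --- A simple scanner for the bad pattern: an assignment of a quoted literal
# to a name that looks like a credential. It deliberately does NOT flag
# assignments whose right-hand side is a call or an environment lookup.
CRED_PATTERN = re.compile(
    r'(?i)(password|passwd|pwd|secret|api_key|token)\s*[:=]\s*["\']([^"\']{4,})["\']'
)


def find_embedded_credentials(source):
    """Return (line_number, matched_keyword, line_text) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        match = CRED_PATTERN.search(line)
        if match:
            findings.append((lineno, match.group(1).lower(), line.strip()))
    return findings


# Constructed sample source to run the scanner over: lines 3 and 4 embed
# secrets; lines 5 and 6 fetch them at run time and must not be flagged.
SAMPLE_SOURCE = """\
import os
DB_USER = "app"
DB_PASSWORD = "s3cr3t-hunter2"
api_key: "AKIA-example-not-real"
safe_password = os.environ["DB_PASSWORD"]
token = load_from_vault("app/db")
"""

if __name__ == "__main__":
    for lineno, keyword, text in find_embedded_credentials(SAMPLE_SOURCE):
        print(f"line {lineno}: embedded {keyword}: {text}")
    print(connect_lookup({"DB_PASSWORD": "from-the-environment"}))
```

The scanner is a pattern check, not a proof of absence: it catches the common "quoted literal assigned to a credential-looking name" case and will miss secrets that are built up from pieces or stored under unrelated names, which is why the interview also asks for third-party or in-house security testing rather than self-review alone.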
Is this situation getting better or worse?
Lieberman: It's not getting better; it's getting worse. Cloud computing is going to make the situation completely out of control—not like it isn't already!
The question is longevity. What is your allegiance to any organization and its long-term survival? Do you operate in a mode of protecting your job and organization, or are you just going from one fire to another without thinking about long-term survival? It's a thought-provoking problem. Consider that the greatest offenders may not even be the low-level employees but the C-level employees—those who seek only short-term profits and have no interest in investing in security training, security products, or secure programming.
Does your company have any new products or releases coming out?
Lieberman: In terms of updates and what goes on going forward, we're adding additional connectors for our privileged identity management solutions. For example, we have recently added connectors to most Security Incident and Event Manager (SIEM) systems. These systems reach out into all the systems in an organization and look at the audit logs as well as process critical events in real time. They consolidate that info, present alerts, and can also prepare security compliance reports. They're part of an ongoing intrusion and compliance analysis system, and they are also used for availability. What we do for these SIEM systems that have embedded credentials that allow them to talk to other systems is make connectors that go out and keep credentials automatically updated. We make connectors for different systems, different versions of Unix, Linux, and IBM i. We're always updating these to deal with the evolving needs of our customers. Connectors deal with discovery of systems and management of privileged credentials. The basic idea is that a human would normally be requesting these credentials, but these automated systems operate autonomously and need help being updated as things change. Normally this is a manual process, but it really can't be done manually in any practical way.
—Linda Harty, executive editor & availability/security/networking/connectivity editor
Posted by lharty at May 27, 2009 10:29 AM