23
Sat, Nov
1 New Articles

Technology Focus: Are You Ready for Your Next Audit?

Compliance / Privacy
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Unless maintaining compliance is a year-round effort in your enterprise, the answer to this question is very likely an emphatic "no!"

 

It's not often that we get to see a trendy new term enter the lexicon while being consciously aware it's happening. However, the recent holiday season may have given us that experience. Perhaps it's too early to tell for sure, but recent events should give additional meaningin the compliance market segment at leastto the term "You've been 'Targeted.' "

 

While the reaction of most of the consumers in the world was likely tempered by whether or not we charged something at one of the retailer's stores between November 27 and December 15, 2013, if you're an IT professional your second thought was probably, "Wow, I'm glad that wasn't us."

It Could Happen Here

The trouble is, someday it could be you. The disgrace, the damage to its brand, the discounts offered for PR purposes, the lawsuits, a possible Federal Trade Commission probe, and the penalties we probably won't even hear about mean Target's pain is going to last quite a whileto say nothing of that of its affected customers. The fact that the cause was likely unusual malware affecting the company's POS systems isn't going to get Target out of a terrible jam or mean it won't pay a possibly incalculable price.

 

Sadly for Target, its IT security staff probably felt they were secure and in compliance with applicable standards, particularly the Payment Card Industry Data Security Standard (PCI DSS). That's what compliance audits are all about, after all. But this breach happened anyway. If it could happen to an enterprise with the economic clout and retailing reach of Target, it could happen to your enterprise. And running your Accounts Receivable on an IBM i may not save you.

 

"[There is] a persistent—and flawed—belief that the [IBM i] server is inherently secure and nothing needs to be done to achieve this state," warns Robin Tatam, director of security technologies at The PowerTech Group. "While it's true that IBM i is one of the most securable OSes in the server market, it certainly doesn't come from the factory preconfigured that way." A second common misconception, Tatam notes, is that "security and compliance are one and the same. Compliance is adherence to a defined standard—even if that standard is incorrect or lacking substance. Being compliant doesn't guarantee that one is also secure."

 

Finally, he points out, a third problem is that many companies perform compliance audits "only when the auditor is onsite, instead of making compliance validation an ongoing activity."

Busy, Busy

Carol Woodbury, president and co-founder of SkyView Partners, emphasizes Tatam's final concernand adds another.

 

"Most organizations are strapped for time, so they don't have the ability to maintain compliance throughout the year. Then it's a 'fire drill' before the auditor arrives to correct the items that have fallen out of compliance or to address new compliance requirements. The result is not just that they have to pour a large effort into preparing for the audit; the worse issue is that their systems have been in a degrading state of security ever since the last audit."

 

"[Another] issue is that some organizations somehow are of the belief that regulations don't apply to them," Woodbury adds. "The PCI DSS requirements apply to every organization that accepts credit cards; it doesn't matter how large or small the organization is or how many or few transactions. Yet we've seen some organizations be in denial that PCI applies to them and then they're surprised when they get audited and fined for non-compliance."

Technical Issues Cause Even More Challenges

These issues are just the biggest elephants in the room. Unfortunately, there are others.

 

"[One] of the most common compliance pitfalls for IBM i companies is the ability to automatically produce compliance reports for individual LPARs, in which each individual LPAR has different optimal values for the compliance criteria," note Shmuel Zailer, CEO/CTO, and Eli Spitz, vice-president of business development, at Raz-Lee Security in a joint interview. "This 'simple-to-comprehend' facility is really very tricky to implement, but it's exactly what's needed to differentiate between compliance requirements for production, test, HA, and other systems. [A second problem is] enabling viewing [of such] compliance reports over a period of time (trends) or once-a-week values comparable on a single spreadsheet."

 

Zailer and Spitz also cite "a lack of best-practice IT-related compliance requirements," too often left in the hands of system administrators, and not sending compliance reports to "the relevant parties, each in the format which is appropriate for each."

Compliance or Complacency?

Reading between the lines, it's hopefully plain to see that the biggest danger of all is complacency. It's easy to find reasons to reassure yourself that all is well when the next auditor visit is months away and there are no consumers' attorneys banging on your door, lawsuits in hand. But what passes for OK in some people's minds can be shockingly inadequate in reality.

 

"I once performed an audit for a large company that knowingly granted All Object (*ALLOBJ) special authority—a global permission to every object on the server—to all of their users," confides PowerTech's Tatam. "This was to ensure that users never ran into authorization challenges. They justified this open-door policy to their auditors by implementing simple compensating controls, such as command-line restrictions and application security, to control their users. Sadly, neither the client nor the auditor had any idea that those users could easily connect via alternate interfaces like ODBC and FTP and read or change data in any file and even execute server commands!"

 

"We see organizations install software that is meant to prevent access to the system but [they] never implement it," SkyView's Woodbury recalls. "They can say they have the software to protect data, but it's actually doing nothing but taking up disk space."

 

"[Enterprises use] home-grown solutions to solve what is really a very professional challenge, requiring a professional, all-inclusive, solution," the Raz-Lee executives caution. "The compliance demands are posed by professional people (internal/external auditors, industry regulations, etc.) and must be addressed with worthy solutions."

Truth or Consequences

The vendors interviewed for this article point to numerous consequences for being found in non-compliance, such as heavy fines ($50,000 a month for two of SkyView's clients, Woodbury reports), legal expenses and notification costs, and simply "being sent back to the drawing board" to rewrite a compliance system from scratch. That's in addition to the penalties we've already reviewed for Target's unintentionally devastating security loophole.

 

Sadly, meeting compliance standards is a moving target rather than a static one. You'll fall behind by simply doing nothing new.

 

"The recent explosive adoption of smart, mobile devices, along with a trend towards cloud-based computing, has meant that most compliance standards are struggling to keep pace," warns Tatam. "I fully expect to see more regulations pertaining to securing data that's stored virtually, along with a continuation of controls designed to prevent loopholes that have been discovered and exploited."

 

How far behind the curve might your enterprise be if that comes to pass, particularly in light of how widespread the effect of Target's breach has been and how much political pressure that incident might generate for even stricter laws and regulations? Compliance is an ongoing requirement that needs to be the focus of an ongoing effort.

 

Below are major solutions for addressing compliance problems, products specifically designed for the IBM i and some of the OSes it uses. Hopefully, one of these solutions can help you and your enterprise avoid becoming the next poster child for non-compliance.

Auditing and Compliance Tools for IBM i

Bytware

Standguard Network Security

Standguard Network Security is an object-based security product for Power Systems that monitors exit points and the QAUDJRN, tracks and manages system access, defines user access permissions, alerts administrators to changes in system values and profile changes, audits business asset libraries, checks system authority settings, and provides numerous reports and audit trails.

 

CCSS

QSystem Monitor

QSystem Monitor is an application and job-monitoring solution for IBM i. It filters all system messaging activities and provides a check on use of FTP and QSECOFR authority. It monitors system-value and user-profile changes and invalid password attempts. It also includes features for compliance with SOX and PCI requirements by monitoring the QAUDJRN and sends alerts of administrator-defined security breaches to appropriate personnel.

 

Cilasoft

Cilasoft Suite

Cilasoft's suite consists of four integrated but separately available auditing products. QJRN/400 audits system activities and databases. Controler watches use of access protocols and system commands. Database View Monitor (DVM) audits read accesses of databases. Elevated Authority Manager (EAM) controls user activities to comply with HIPAA, PCI DSS, SOX, and other standards.

 

Cosyn Software

Cosyn Audit Trail for IBM AS/400 and iSeries

Cosyn Audit Trail tracks changes made to database files on IBM i machines without requiring the overhead of turning on journaling. The product uses triggers instead and outputs results to physical files that users can query or use to create their own reports. The product also tracks updates from Interactive SQL and selected query products from other vendors.

 

CXL

AZScan

AZScan is a Windows application that can audit and evaluate security on IBM i machines running i5/OS or Linux/UNIX, as well as Oracle databases. The product runs 53 security tests for i5/OS, creates reports intelligible to nontechnical auditors, pinpoints problems, and assists users with maintaining regulation and industry standards compliance.

 

Enforcive Systems Limited

Accelerator Package

Enforcive's Accelerator Package provides more than 700 predefined but customizable reports, alerts, and compliance definitions for COBIT 4.1, ISO 17799, PCI, and SOX standards on IBM i.

 

Cross-Platform Audit

Enforcive offers a cross-platform auditing service that includes multiplatform consolidation and security-event correlation for IBM Systems i and z, Oracle, SQL Server, Sun Solaris, and other servers running AIX, Linux, UNIX, and Windows.

 

Enforcive/Sensitive Field Masking

Enforcive/Sensitive Field Masking is a GUI-based tool that lets administrators designate sensitive database fields that are then blocked from viewing by any but authorized users. The product is flexible enough to designate different fields within the same file as available to different specified users. Masked files are also stored in a special library.

 

Enforcive/Enterprise Security for IBM i

Enterprise Security for IBM i features application exit-point controls, user-profile and group permission controls, IP address authorization, access controls down to objects and including the IFS, account swapping for adopted authorities, multiple-server policy replication, file protection against power users, a graphical application-security event analyzer, a graphical user-profile manager, and session timeout/inactive-user controls.

 

Enforcive/Field Encryption

Field Encryption lets security officers encrypt sensitive database alphanumeric and numeric fields using one of seven different encryption standards and unlimited multiple encryption keys. The tool also provides scrambling and encryption for backups, GUI-based administration, and compliance with the PCI DSS, requirement 3.

 

Enforcive/IP Packet Lockdown

IP Packet Lockdown incorporates intrusion detection, access control, and IP packet filtering that lets security officers set up and manage the ports and IP addresses from which they wish to receive network traffic and the specific System i ports at which they wish to receive that traffic. Similarly, SECOFRs can define those addresses and ports they wish to lock down and prevent from communicating.

 

Enforcive Security Assessment

Security Assessment is an external security testing application that launches real-time security penetration tests, summarizes current security policies, and highlights deviations from recommended policy settings.

 

Policy Compliance Manager - Enforcive

Policy Compliance Manager helps security personnel build, document, and maintain a corporate security policy. Product features include template-based compliance management, compliance-deviation monitoring and enforcement with an alert center for instant deviation reporting, a Sarbanes-Oxley compliance toolkit, a Help Desk assistant, and an optional PCI DSS reporting toolkit.

 

IBM Corporation

IBM Power SC

IBM Power SC is a security and compliance solution for IBM i and other servers running AIX, Linux, or PowerVM. The product automates security compliance activities, includes reporting systems for compliance measurement and audit, supports virtual machine environments across multiple systems, and ensures compliance with numerous industry standards as well as legal and other governmental mandates.

 

IBM Security AppScan Standard

IBM's Security AppScan Standard runs on i servers using JBoss, Apache Tomcat 6.0/7.0, WebSphere 7.0, AIX, Linux, and Windows. It scans Web applications for security holes and provides more than 40 compliance-related reports.

 

Imperva

SecureSphere Data Security Suite

SecureSphere Data Security Suite is a security and auditing solution that monitors databases, files, and Web applications via independent hardware appliances, agents running on host servers, and cross-platform administrative tools. The suite includes DB2 monitoring for IBM i and offers alerts, a database firewall with activity monitoring, access controls for sensitive data, and auditing features usable by non-technical auditors.

 

IT Security and Compliance Group

Security Audit Service

The Security Audit Service is typically a five-day onsite evaluation of the security implementation of a client's System i. The audit checks all aspects of the System i security configuration at the operating system, database, and user interface level, including evaluation of user accounts, object permissions, database security and the various access methods, resulting in an executive overview containing a list of high-severity items and remediation recommendations. Additional services include security assessment for networks, user-account maintenance and assessment, object-level security assessment, security implementation remediation, security event monitoring and reporting, QAUDJRN configuration, forensic analysis of security events, and implementation of single-sign on.

 

Kisco Information Systems

iFileAudit

Kisco's iFileAudit lets users track data updates and changes to files on a user-by-user, file-by-file, and field-by-field basis. The product includes a Web browser interface, a notation feature, the ability to track file-read actions for user-selected files, and the ability to produce audit reports on a global or selected basis.

 

NetIQ

NetIQ Secure Configuration Manager

NetIQ Secure Configuration Manager is a system-security configuration assessment and compliance-monitoring tool that helps administrators compare system security settings against regulatory and best-practice requirements. It assesses system configurations against multiple compliance mandates, reports on systems out of configuration, provides tools for restoring mandate compliance, generates reports that satisfy legal and industry standards requirements, and presents data via a dashboard-style interface.

 

Raz-Lee Security

iSecurity Compliance Pack

The iSecurity Compliance Pack is a suite of products that provides automatic and sophisticated reporting capabilities covering all types of security-related information. Coverage includes more than 300 customizable auditing reports, a visual console for investigating suspicious events, alerts, corrective programs and CL scripts, and a security assessment analysis application.

 

Safestone Technologies

Compliance Center for i

Safestone's Compliance Center for i provides a query-based reporting solution that automates the data collection and conversion into reports of audit, compliance, and security events. The product monitors such system activities as network accesses, object authorities, user profiles, QUADJRN and QHIST entries, system values, and SQL command usage. Users can either schedule reports on a regular basis or access them on demand. A version for servers running AIX is also available.

 

SkyView Partners

SkyView Audit Journal Reporter for IBM i and i5/OS

SkyView Audit Journal Reporter generates predefined and auditor-ready reports based on events recorded in QUADJRN. It helps reduce time needed to provide non-technical reports on system events for auditor use and produces ongoing reports as necessary to help users investigate compliance issues.

 

SkyView Policy Minder for IBM i and i5/OS

SkyView Policy Minder for IBM i and i5/OS automates security policy compliance and administration. Examples of features include automatic checking of system settings (e.g., user profiles, libraries, objects, directories, authorization lists), security policy documentation via template-based and customized settings, and report generation on multiple aspects of security policy. The product also includes tools for modifying system parameters that are out of line with established security policy.

 

SkyView Risk Assessor

SkyView Risk Assessor is a service that provides an analysis of more than 100 system risks from the point of view of an external expert. Designed to provide the basis for a security audit of IBM i machines, Risk Assessor also helps evaluate enterprise compliance with PCI, HIPAA, and other standards.

 

Tango/04 Computing Group

Multiplatform Security Knowledge Module

The Security Knowledge Module is a configuration of Tango/04's VISUAL Message Center that reports on system events, security incidents, and compliance violations across multiple platforms, including IBM i. The product maintains a database of all events and sends real-time alerts in response to security or compliance problems.

 

Operations Knowledge Module for iSeries/IBM i

The Operations Knowledge Module monitors multiple partitions or systems from a central console and reports on a variety of conditions and situations. These include system and subsystems performance, interactive job efficiency, messages from all message queues, security and permissions violations, and Web environments. Reports are available via dashboards, and the product also includes templates for new software apps that can measure each app's real-time service-level requirements.

 

The PowerTech Group

Compliance Monitor

Compliance Monitor provides a single console view of multiple systems, multiple reporting options, the ability to see all security events within the security audit journal (QAUDJRN), audit-data compression, and the ability to schedule assessments around production jobs. It also enables audit reporting and inspection of security-policy compliance with SOX, PCI, and other regulations and standards.

 

DataThread

DataThread tracks changes to databases, filters out routine activity and focuses on user-requested exceptions, centralizes and automates data-policy enforcement without requiring program changes to existing applications, notifies appropriate personnel of changes, and meets compliance requirements for all domestic and international regulations that require monitoring of IBM i data access and user activity.

 

Interact

Interact monitors more than 500 system security events in real time and sends them to a system log in real time for later analysis or troubleshooting. Examples include QAUDJRN, exit programs, messages from QSYSOPR and QSYSMSG, and other system events. Interact parses and simplifies audit journal entries so nontechnical users can read them and can filter system events by date, time, user, IP address, and other criteria.

 

John Ghrist

John Ghrist has been a journalist, programmer, and systems manager in the computer industry since 1982. He has covered the market for IBM i servers and their predecessor platforms for more than a quarter century and has attended more than 25 COMMON conferences. A former editor-in-chief with Defense Computing and a senior editor with SystemiNEWS, John has written and edited hundreds of articles and blogs for more than a dozen print and electronic publications. You can reach him at This email address is being protected from spambots. You need JavaScript enabled to view it..

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: