05
Sat, Oct
2 New Articles

Case Study: Califon Systems' Security Module for iSeries

Case Studies
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

When you open a trade publication or a general newspaper these days, you're frequently greeted with a new report, often under a frightening headline, about a data security breach at a major company or at a government organization. Some of those security violations are minor, but others involve private financial or other information about thousands or even hundreds of thousands of people.

That's extremely disconcerting, but not terribly surprising. Organizations now accumulate a mountain of data about customers, prospects, products, internal operations, suppliers, and competitors. Over the past couple of decades, the volume and criticality of that data has leapt considerably, and it's continuing to grow. The more data that companies amass and the more valuable it is, the more tempting a target it presents. And the more that data is scattered around an organization, the greater is the risk that some of it will be inadvertently exposed. When you couple the increased volume and importance of stored data with the increased number of access points thanks to the Internet and linked supply chain systems, it's easy to see why the number of threats, many of them realized, has increased.

Not only are the security threats increasing, but the demand for protection of data is also rising. Again, that's not surprising. As organizations gather more confidential data and as that data's vulnerability is cataloged daily in the media, the subjects of the data are, understandably, becoming more concerned about privacy issues. Blaring headlines about data security breaches further fan the flames.

It's more than just the threat to privacy and intellectual property that companies need to worry about. Providing more people than necessary with data update rights increases the opportunity for human error or malfeasance to corrupt critical data. Read/write access should be restricted to only those people who need to have it and who have received proper training on the relevant applications and data management issues.

Furthermore, rigorous data security is now more than just a prudent, responsible business practice. For many organizations, it's now the law. New regulations passed in response to the threats and the actual breaches of security are forcing companies to enhance the security of their data, to improve their data auditing capabilities, and, consequently, to ensure the traceability of all data update activity.

This highly security-conscious environment is common to almost all organizations. Tire Kingdom is no exception. It took action by implementing the Califon Systems Security Module to fulfill the company's data security and auditing requirements.

About Tire Kingdom

Juno Beach, Florida–based Tire Kingdom is a major retailer and distributor of tires. Its more than 600 retail outlets throughout the United States, which employ over 7,000 people, also sell brakes, batteries, wheel alignments, and other automotive services.

Despite its current size, the company had humble beginnings. It was founded in 1972 with capital of just $150 and 50 consignment tires that were sold from a 200 square foot stall at the West Palm Beach Farmer's Market. Tire Kingdom subsequently grew considerably in both revenue and geographic scope. In June 2000, it was acquired by Memphis, Tennessee–based TBC Corporation, a publicly traded company. In November, 2005, TBC became a wholly owned subsidiary of Sumitomo Corporation of America.

TBC owns a number of subsidiaries in addition to Tire Kingdom, including Merchants Tire & Auto Centers, National Tire & Battery, Big O Tires, and Carroll Tire Company. All of TBC's subsidiaries run most of their operations on Tire Kingdom's iSeries Model 890 system, which maintains four partitions, two for production and two for development and testing.

The company's data flows are complex. Data comes into its iSeries systems from all of its stores, as well as from its trading partners.

Tire Kingdom was able to control iSeries access using standard operating system tools, but, despite the high level of security available on iSeries, the company needed a more comprehensive security solution than was possible using only the operating system tools.

Security Requirements

As at all companies, security is important to Tire Kingdom, but what primarily drove it to search for a way to augment iSeries security was a Sarbanes-Oxley (SOX) audit that was performed at the company. SOX regulations apply to all companies listed on a U.S. stock exchange. Among other things, SOX imposes strict data auditing, security, and control requirements.

Tire Kingdom's audit found that not all of the SOX data security and auditing requirements could be met using only iSeries security. Specifically, the company needed a way to track changes to critical operational data such as product prices. This tracking capability had to include information on not only what changes were made, but also when they were made and who made them.

Ironically, since the time of the SOX audit, TBC has been acquired by Sumitomo, meaning that Tire Kingdom is no longer a part of a company traded on a U.S. exchange. It is thus not subject to SOX. However, the company decided to proceed with the security enhancement project because, as John Pawlikowski, manager of i5 operations, noted, "Private companies are going through the same type of audits as public companies. Who cares if we're public or private? We still need to audit our financial compliance."

If it weren't for its stringent data logging requirements, Tire Kingdom probably could have used iSeries object security to provide the level of security it required, but even with that lesser requirement, implementing the necessary security would have been unwieldy. The company uses an ERP application that manages thousands of objects. Without a tool that would allow Tire Kingdom to assign object security more easily and quickly than the built-in iSeries object security facilities allow, the configuration and maintenance effort would have been too cumbersome and time-consuming.

In addition, Tire Kingdom wanted a way to manage security on a very granular level. For example, the company needs to allow authorized users to update price data through its ERP application. This requires granting the relevant users read/write access to the appropriate table(s). The problem was that the company wanted to allow these users to read the same data through desktop applications, such as Microsoft Access or Excel, but it did not want to let them update the data using those less-structured tools as that would bypass the processes and controls provided by the ERP. Giving users read/write access through some programs, but read-only access through others, was difficult, if not impossible, using solely iSeries security.

The Solution

In its hunt for a security solution, Tire Kingdom searched the Web, reviewed trade publications, and studied vendors' literature to narrow its selection down to just a couple of suppliers. After evaluating this shortlist, Tire Kingdom found that, in addition to meeting all of its technical requirements, the Califon Systems Security Module scored higher than the competition on ease of implementation and use. Contributing to the ease of implementation was the fact that, unlike what was the case with some of Califon's competitors, Tire Kingdom didn't need to install several IBM PTFs before installing the security software.

Califon Systems first released its Security Module in 1999 to take advantage of and augment the IBM AS/400 (subsequently iSeries and then System i) object-level security, as well as the exit point security software module inherent in AS/400. The software was developed by two high-level security experts who had extensive knowledge of AS/400, along with considerable enterprise security expertise.

In the early days after its introduction, the primary advantage of Califon Systems' solution was that it automated many of the AS/400 security functions that then required a very heavy administration burden to implement and maintain. Califon has considerably enhanced and added to the software over the years, to the point where it now offers several additional benefits.

Califon Systems Security Module takes advantage of the Registration Facility function that has been a part of OS/400 since V3R1.When a server request is started, the registered exit program is also called. Califon Systems Security Module uses these exit points to monitor and control object access. It can block access based on, among other criteria, location, type of function, type of command, SQL statement, and/or time of day.

This form of exit point security should be a high priority in most iSeries shops. Unlike built-in iSeries facilities, it provides the granularity necessary to control not just who is allowed to access which data, but also how they can access it.

When considering extra security, many people assume that a hardware or software firewall is adequate. That's not the case. A firewall is primarily designed to block denial of service or other mass attacks. Its purpose is to control access to particular ports. Unlike Califon Systems Security Module, a firewall cannot specifically limit access at the file or library level.

In addition to blocking access when required, Califon Systems Security Module logs information such as user, date, time, file, library, command, and directory for every data access and update. A flexible online query facility allows easy and rapid access to this log data for auditing and other purposes.

All setup, administration, and maintenance operations are performed via straightforward, easily navigable iSeries menus.

Tire Kingdom installed the Califon Systems Security Module using only in-house staff. It found the process to be fast and easy. When asked how long it took to install the software, Pawlikowski responded, "Minutes. Literally minutes, probably twenty or less." The company was able to complete the installation and the subsequent configuration and implementation without the need for any formal training. The operations staff simply read the user's guide.

What took the most time was not installation, but implementation. That was because Tire Kingdom took great care to interview users about their data requirements. It then undertook an extensive quality control phase to verify the collected information. Finally, the company completed a lengthy and thorough testing phase before moving the Califon Systems software into production. This extensive data gathering, analysis, and testing phase was undertaken to minimize the risk of implementing security rules that would mistakenly block legitimate data access for even the short period before the mistake could be corrected.

Tire Kingdom now uses Califon Systems Security Module to monitor updates to iSeries objects and files so that the company can, in particular, pinpoint revisions to records in relational database. Tire Kingdom also uses the software as an additional line of defense in its already multilayered data security environment.

Benefits

When asked about the advantages that he sees in Califon Systems Security Module, Pawlikowski cited the ease and speed of installation, as described above, but he also highlighted the product's ease of use. This was important because, despite Tire Kingdom's extensive analysis and testing process, when interviewed by IT, some users forgot about some of their less frequent data needs. As a result, the access rights required to serve those needs were initially denied.

As Pawlikowski explained, "If a user comes to us and says, 'Oh boy, you know what, once a quarter I run this process and I forgot to tell you guys about it,' we can very quickly adjust the access rights, run through a fast QA, and get it into production very quickly. I suspect we'll also run into this problem when people start performing their year-end tasks."

Pawlikowski also listed the security granularity afforded by the Califon Systems Security Module as another major benefit. It allows Tire Kingdom to grant or deny access to specific objects and libraries quickly and easily. This allows the company to restrict read/write rights to just those people who need to have them and who have the necessary expertise to modify the data correctly. This serves to reduce the number of data errors that occur.

Califon Systems Security Module also meets Tire Kingdom's need to limit update rights not just for particular data, but also based on the software used. For example, the company can provide a user with read/write access to pricing data when the user tries to update it through the ERP, but that same user might be granted read-only rights when using other software to access the same data.

Another feature that has afforded Tire Kingdom the opportunity to reduce the number of problems that occur in its data and applications is the software's ability to restrict object access by time of day. For example, read/write access for critical data or for a complex application can be denied outside of the hours when IT support is available. That way, there will always be an IT support person available to help a user solve a problem should one arise. Otherwise, critical data might remain in error until the IT support people return the next day. Until then, the original error could compound as systems continue to run using the corrupted data.

The Califon Systems Security Module's logging function allows Tire Kingdom to track down problems more quickly than was previously possible. Pawlikowski reported that, in the past, if someone updated a table incorrectly, it could take considerable time to find the problem. In the meantime, some of the company's programs could possibly stop because of the faulty data. Now, not only does Califon Systems' software help to reduce the probability of errors creeping into the data, but when a problem does occur, Tire Kingdom can use the log to track it down quickly and, therefore, keep its systems online and providing accurate data.

Pawlikowski discovered one benefit that he wasn't expecting. The logging function allows him to look at all SQL query strings coming into the database, which has helped in troubleshooting and optimization. If an application is not providing correct results, the developers can look at the precise query string to try to resolve the problem. Likewise, if database applications are running slowly, Pawlikowski can gather the log data and show it to the developers, who may decide to create a new index or look for ways to optimize the application's SQL code.

One other thing that impressed Pawlikowski about the Califon Systems Security Module is that "it did exactly what it was advertised to do. It's a very solid and reliable product."

Free Trial

Califon Systems offers a 30-day free trial for its Security Module. A request form for the free trial is available on the company's Web site. The software can then be downloaded from Califon's Web site or it can be emailed to you.

For more information, contact Califon Systems or visit its Web site at the address below.

Joel Klebanoff is a consultant, a writer, and president of Klebanoff Associates, Inc., a Toronto, Canada-based marketing communications firm. Joel has 25 years experience working in IT, first as a programmer/analyst and then as a marketer. He holds a Bachelor of Science in computer science and an MBA, both from the University of Toronto. Contact Joel at This email address is being protected from spambots. You need JavaScript enabled to view it..

http://www.mcpressonline.com/articles/images/2002/Califon%20-%20Tire%20Kingdom%20case%20studyV3--09200600.jpg
 

Califon Systems
110 Newport Center Drive
Suite 200
Newport Beach, California 92660
USA
Web: www.califon-systems.com
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.
Tel: 949.863.6195

Joel Klebanoff

Joel Klebanoff is a consultant, writer, and formerly president of Klebanoff Associates, Inc., a Toronto-based marketing communications firm. He has 30 years' experience in various IT capacities and now specializes in writing articles, white papers, and case studies for IT vendors and publications across North America. Joel is also the author of BYTE-ing Satire, a compilation of a year's worth of his columns. He holds a BS in computer science and an MBA, both from the University of Toronto.


MC Press books written by Joel Klebanoff available now on the MC Press Bookstore.

BYTE-ing Satire BYTE-ing Satire
Find out the hilarious answer to the eternal question: "Is technology more hindrance than help?"
List Price $14.95

Now On Sale

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: