05
Tue, Nov
5 New Articles

Technology Focus: In the Realm of Auditing and Compliance, the Song Remains the Same

Compliance / Privacy
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Despite a quality selection of auditing and compliance tools for IBM i, security problems in 2013 are largely "same old, same old."

 

Probably as much as two decades ago, when the IBM i was still the AS/400 and being touted as the most secure computing system in the world (mostly due its magnificent isolation), there were still security problems experts could point to. Primarily these were 1) not enough accountability for changes to databases, 2) too many users holding too-powerful security profiles, and 3) unauthorized users gaining access to systems (e.g., due to weak passwords).

 

Today, years after adoption of such reforms as federal lawse.g., Sarbanes-Oxley (SOX)and tighter industry standardse.g., payment card industry (PCI)the fundamental security concerns for the IBM i remain: Not enough accountability for changes to databases, too many users holding too-powerful security profiles, and unauthorized users gaining access to systems. Who knew that, in 2013, the title of the classic Led Zeppelin concert film would summarize the state of compliance on many IBM i machines?

Profiles, Schmofiles

"In our experience, the first and most basic area of weakness usually centers on the area of user profile authorities and passwords, system value definitions, object authorities, and similar [aspects]," reports Eli Spitz, vice president of business development at Raz-Lee Security.

 

"Profiles with too much authority," is a common fault, agrees Guy Marmorat, president and CEO of Cilasoft. "Whether it is through public or private authorities on business-critical files or special authorities, users often have power that exceeds the actual authority needed for their specific problem."

 

"Too much authority to data," is how Carol Woodbury, president and co-founder of Skyview Partners, puts it. "A main issue is that too many users have direct access from outside applications, and another is that users rely on default passwords or have too much user authority."

 

"Another area of weakness centers on the different ways in which business-critical application data is referenced, specifically by different groups of users (e.g., segregation of duties)," clarifies Raz-Lee's Spitz. "This includes the need to monitor changes made to database application files, which eventually leads to the need to view actual before/after data."

 

Slightly in dissent is Ken Linde, marketing manager for Enforcive (formerly BSAFE), who points to breaches via TCP/IP connections due to lack of adequate monitoring of File Transfer Protocol (FTP), Open Database Connectivity (ODBC), and remote SQL as the most common problem. As the second most common, he cites "the limited auditing configuration most shops have activated for their QAUDJRNL. This weakness can fall into one of three categories. The first being not activating any auditing, the second being activating limited auditing or not defining the additional audit requirements for high-privileged users, and the third including cases where the auditing settings are defined appropriately but are not being consistently reviewed."

 

While a majority of the vendors contacted for this article agree that user authority and data-change accountability problems are the most common for IBM i installations, they cited different problems when asked which are the most chronic security challenges.

Common vs. Chronic

"The most chronic compliance failures we see at customer sites is stagnation in keeping exit-point security policies up to date, weak implementation of password policies, and partial implementation of the security software tools available," notes Enforcive's Linde.

 

"Monitoring of business-critical application files, updates, and changes to these files," are what Raz-Lee's Spitz points to. As an example, he highlights that employees accessing their own personal credit card, health, and salary data is a compliance violation. "What contributes to problems in these areas is the dependence on manual methods rather than packaged products to address these issues."

 

"Ensuring that reports and alerts remain relevant to the environment" is the most-chronic problem nominee for Cilasoft's Marmorat. "Often the controls set up initially make sense, but environments change and the controls are not updated accordingly." He cites the example of introducing a new interface that enables a potential security hole but no controls are changed to safeguard the hole. "Furthermore," he adds, "internal documentation must be created to ensure that the security controls are sufficiently explained in case the security professional who designed the controls leaves the company."

The Thin Red Line

Obviously, to a very large extent, all these problems are a case of the song remaining the same after decades of experience with IBM i in IT departments. Why are so many of these traditional problems still with us despite this experience and attempts at reform from government and industry groups?

 

"The real issue is lack of administrator time," notes Skyview's Woodbury. "Administrators wear so many hats that if they don't take time to set up product automation features, things tend to slide back to where they were. This is often because there's a lack of management focus on the whole issue [of compliance]." She cites a frequent problem as that of management paying attention to compliance only when an audit is imminent. "That's when things like inactive profiles get cleaned up, but [administrators] don't do the extra step of automating that policing, and a year later these issues are still a problem."

 

Another issue is turnover in personnel. "An administrator implements our software but then a replacement isn't adequately trained. We see that over and over," Woodbury points out.

 

Enforcive's Linde backs up those concerns. "The sources of chronic failures are...limited time and professional resources allocated to handle security on an ongoing basis, high employee turnover and ineffective handover of security and compliance-related responsibilities, and limited documentation and policies pertaining to the security and compliance aspects of the environment."

 

"A lot of time and resources are spent on reinventing the wheel after a security professional leaves," agrees Cilasoft's Marmorat.

 

Spitz emphasizes the lack of use of automation features in auditing and compliance tools as a root concern. "Customers depend on manual solutions rather than searching for automatic tools that allow them to define rules.... This lack causes persistent problems, as business rules change all the time [but] companies cannot manually change definitions at the same time."

Meeting the Compliance Challenges

So what can be done in the face of such persistent compliance difficulties?

 

Woodbury cites "developing a 'compliance lifestyle' to maintain a consistent level of compliance. If there are daily or weekly administrative tasks, automate them or you don't stand a chance of staying in compliance. If you implement this kind of automation, you'll stay in compliance and can avoid the annual 'audit fire drill.' "

 

Almost regardless of what provider's auditing and compliance tools you use, full implementation of the products you do purchase seems like the best way to meet the challenges of both the most common and most chronic compliance problems.

 

Below are listings for auditing and compliance solutions currently available for the IBM i. Although the brief product descriptions don't provide more than an overview, links are provided to all product Web pages, at which you can find more complete information.

 

And as always when looking for products or services, be sure to check the MC Press Online Buyer's Guide.

Auditing and Compliance Tools for IBM i

 

Bytware

Standguard Network Security

Standguard Network Security provides security and compliance monitoring for networks that include IBM i systems. Auditing and compliance features include a SOX toolkit, numerous standard auditing reports, and compliance white papers.

 

CCSS

QSystem Monitor

QSystem Monitor is primarily a performance-monitoring solution for IBM i systems and applications. It includes features for compliance with SOX and PCI requirements by monitoring the QAUDJRN and sends alerts of administrator-defined security breaches to appropriate personnel.

 

Cilasoft

QJRN/400

QJRN/400 is an auditing application that enhances IBM i journaling functions to keep an eye on system events and changes to databases. It reports on changes to database authorization files, user profiles and authorities, network attributes, and system values. It also identifies modifications to corporate applications made by other software and monitors access of sensitive database fields.

 

Cosyn Software

Cosyn Audit Trail for IBM AS/400 and iSeries

Cosyn Audit Trail/400 tracks changes made to database files by using triggers instead of journaling and also tracks changes made by users and applications. The solution outputs results to physical files that users can query or use to create their own reports.

 

CXL

AZScan

AZScan is a Windows application that can audit and evaluate security on IBM i machines running i5/OS or Linux/UNIX, as well as Oracle databases. The product runs on PCs using copies of IBM i files and conducts 53 security tests for i5/OS. It also creates reports for nontechnical auditors, pinpoints problems, and assists users with maintaining regulation and industry standards compliance.

 

Enforcive Systems

Enforcive/Enterprise Security

Enforcive/Enterprise Security is a suite of 19 modules, each offering its own GUI, for controlling security and compliance activities on IBM i machines. Functional modules include controls for application access, an application security event analyzer, a user-profile manager, inactive-user controls, and multiple-system policy distribution and controls. Auditing controls include features for cross-system compliance reporting and auditing, field-level auditing template-based compliance monitoring and deviation reporting, compliance-driven alerts, and a SOX compliance toolkit. Additional services include enterprise-wide security assessments.

 

Imperva

SecureSphere Data Security Suite

SecureSphere Data Security Suite is primarily an application and database security solution that includes DB2 monitoring for IBM i. The solution's auditing features help non-technical auditors analyze and view database activity, as well as access standard and customizable reports on security-related user activities.

 

Innovatum

DataThread

DataThread tracks changes to databases, centralizes and automates data-policy enforcement without requiring program changes to existing applications, notifies appropriate personnel of changes, and meets compliance requirements for all domestic and international regulations that require monitoring of IBM i data access and user activity.

 

Kisco Information Systems

iFileAudit

Kisco's iFileAudit lets users track data updates and changes to files on a user-by-user, file-by-file, and field-by-field basis. The product includes a Web browser interface, a notation feature, and the ability to track file-read actions for user-selected files. It produces audit reports on a global or selected basis.

 

 

PowerTech Group

Compliance Monitor

Compliance Monitor provides a single console view with a GUI, multiple reporting options, the ability to see all security events within the security audit journal (QAUDJRN), audit-data compression, and the ability to schedule assessments around production jobs. It also enables audit reporting and inspection of security-policy compliance with SOX, PCI, and other regulations and standards.

 

Interact

Interact monitors more than 500 system security events in real time and sends them to a system log in real time for later analysis or troubleshooting. Examples include QAUDJRN, exit programs, messages from QSYSOPR and QSYSMSG, and other system events. Interact parses and simplifies audit journal entries so nontechnical users can read them and can filter system events by date, time, user, IP address, and other criteria.

 

Raz-Lee Security

iSecurity Audit

iSecurity Audit is a suite of 16 products designed to help with all facets of IBM i security concerns. Audit is the suite member most directly responsible for monitoring and reporting all activity on the system, as well as providing real-time server security and detailed audit trails. iSecurity Audit documents all QAUDJRN file activity, offers an interface for managing all QUADJRN parameters, provides GUI-based drilldown tools for activity statistics and histories, collects and displays all changes in user profiles, and generates more than 200 standard status reports.

 

iSecurity Visualizer

iSecurity Visualizer is the iSecurity suite member that handles graphical representation and analysis of audit log (and firewall log) data. It assists with investigations of problems and lets users query log files of any size.

 

Safestone Technologies

Compliance Center for i

Safestone's Compliance Center for i provides a query-based reporting solution for machines running i5/OS and AIX that automates the data collection and conversion into reports of audit, compliance, and security events. The product can generate reports for a single compliance objective (e.g., PCI DSS, SOX) and reports on a regularly scheduled basis.

 

SkyView Partners

Managed Services for Compliance Reporting

Managed Services for Compliance Reporting is a monthly service for i machines running i5/OS and AIX. It includes licenses for Policy Minder and Risk Assessor, monthly monitoring of five important security topics, and an annual inspection by Skyview personnel for compliance problems.

 

SkyView Audit Journal Reporter

SkyView Audit Journal Reporter generates predefined and auditor-ready reports based on events recorded in QUADJRN. It helps reduce time needed to provide non-technical reports on system events for auditor use and produces ongoing reports as necessary to help users investigate compliance issues.

 

SkyView Policy Minder for IBM i and i5/OS

SkyView Policy Minder for IBM i and i5/OS automates security policy compliance and documentation. Examples of features include automatic checking of system settings (e.g., user profiles, libraries, objects, directories, authorization lists), security policy documentation via template-based and customized settings, and report generation on multiple aspects of security policy. A version for machines running AIX is also available.

 

SkyView Risk Assessor

SkyView Risk Assessor provides an analysis of more than 100 system risks from the point of view of an external expert. Designed to provide the basis for a security audit of IBM i machines, Risk Assessor also helps evaluate enterprise compliance with PCI, HIPAA, and other standards.

 

SkyView Security Compliance Solution

SkyView Security Compliance Solution is a reporting application for IBM i that automates generation of security compliance reports. Standard reports include documents on system risk assessment, inactive profiles, users with default passwords, profiles having special authorities, system values settings, and access controls on files and directories containing sensitive information.

 

Tango/04 Computing Group

Tango/04 DataMonitor

Tango/04 Data Monitor audits transactions performed on specific records and fields in DB2/UDB databases. It provides audit trails of all activity to satisfy U.S. and European regulations and can produce reports in a variety of file formats.

 

John Ghrist

John Ghrist has been a journalist, programmer, and systems manager in the computer industry since 1982. He has covered the market for IBM i servers and their predecessor platforms for more than a quarter century and has attended more than 25 COMMON conferences. A former editor-in-chief with Defense Computing and a senior editor with SystemiNEWS, John has written and edited hundreds of articles and blogs for more than a dozen print and electronic publications. You can reach him at This email address is being protected from spambots. You need JavaScript enabled to view it..

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: