26
Tue, Nov
1 New Articles

Considerations Before Purchasing Security-Related Internet Products

IBM i (OS/400, i5/OS)
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Many of you are considering adding another "layer" of security to your existing system or network configuration. This article looks at some of the popular purchase decisions being made today and discusses what you need to consider to help you achieve that higher level of security you're looking for.

Make a Plan Before Going Shopping

I'm a list person. If I don't have my list when I go shopping, I forget half of what I was supposed to purchase. I also may buy items I wasn't intending to buy. A little planning and list-building makes my shopping go much more smoothly, and I end the day with the items that I really need. The same applies to purchasing any security-related product. Before going shopping, do some planning:

  • Define exactly what problem you're trying to solve. If you don't, be prepared for vendors to assert to you what your problem is and sell you a solution that may not help you achieve your goal.
  • Understand the laws or regulatory requirements that may affect the specifications of any product or service you're considering.
  • Understand any service-level agreements (SLAs) you have with your customers or business partners that may affect which product or service you choose.

Securing the Perimeter

If you're thinking about securing the perimeter, you have a couple of options for doing so.

Firewall

One method you may be considering to shore up the security of your network is to purchase a new firewall. Before contacting any of the firewall vendors, do some homework. First, decide exactly what problem you are trying to solve. In other words, what function is the new firewall supposed to perform that your old firewall can't? Firewall functionality ranges from very simple to very complex. Vendors will obviously try to sell you the most feature-packed firewall. The problem is that the more complex the firewall and the more features it has, the more likely it will be configured incorrectly, thus allowing unwanted traffic into your network. Studies have shown that the vast majority of firewall breaches are due to the firewall being misconfigured, not because of vulnerabilities or bugs in the firewall's software or hardware.

In light of the complexity issue, another consideration should be your personnel's skill set. They might be able to manage the configuration of your current firewall, but add complexity and features, and it may be beyond your personnel's abilities. If that's the case, you may have to send your employees for training or consider bringing in a specialist to configure the new firewall.

Finally, if your organization falls under the Payment Card Industry's (PCI) Data Security Standards, the firewall you choose must meet the PCI's firewall configuration requirements.

Intrusion Protection

Another method for securing the perimeter is to perform intrusion protection. Intrusion protection is a real-time, proactive, "shields up" defense to make sure no one accesses your network inappropriately. In all but the largest organizations, intrusion protection is typically outsourced to a company that specializes in this service. When choosing a vendor to perform this service, make sure you understand exactly what services they perform. Organizations having to comply with PCI's Data Security Standards understand that they are required to have quarterly external network vulnerability scans. Some organizations see "vulnerability scan" and think they're getting intrusion protection, but they're not. Intrusion protection includes vulnerability scanning, but intrusion protection occurs 24x7, detects network intrusions, and more. So if your requirement is for intrusion protection, don't settle for a periodic network vulnerability scan.

Another point to clarify before choosing a vendor is the support level they will provide if a breach occurs. Will they help trace the breach? Will they be available and willing to assist should law enforcement have to be called in?

Finally, find out up front how much time it typically takes to configure and implement the intrusion protection and how much of your current staff's resources will be required. For example, someone on your staff may be required to help the company fine-tune the intrusion detection feature of intrusion protection to reduce the number of "false positive" intruder alerts received.

Gaining Access to Your Internal Network

One security-related purchase is often a solution to allow users or processes to gain access to your internal network. For instance, Virtual Private Network (VPN) connections allow employees to gain secure access to your internal network from their homes, ensuring that all traffic between their PC and your internal network is encrypted. When choosing a connection solution, make sure that you consider scalability. All of these solutions provide some authentication information to validate the workstation before making the connection. Make sure that the issuance of this authentication information is not onerous—in other words, be sure your current staff can easily manage it. For example, one authentication method some VPNs use is a digital certificate. The digital certificate must be loaded onto the PC making the connection. For some organizations that provide employees with laptops for their workstations, this process may be quite easy to accomplish. When the employee is in the office, the digital certificate is loaded onto the system and the VPN client is configured. However, for employees who use their own home computers to connect into the internal network, you'll have to determine how to get the digital certificate loaded and the VPN client configured. If you have only 5 or 10 users, you can probably walk them through the process via a phone call. However, if you have hundreds of users, this solution may not be feasible.

Also, whenever you use a digital certificate for authentication—whether it's for a VPN, single sign-on, Transport Layer Security (TLS), or other solution—you will want to understand who is going to issue the digital certificates: either someone internal to your organization or a third party. The issuer is called a Certificate Authority, or CA. Then, you need to understand the CA's response time—in other words, how quickly requests for a new certificate can be fulfilled and whether this meets your requirements. Finally, you need to understand how the CA will help your organization manage the digital certificates; for example, will they notify someone when an employee's certificate is about to expire and needs to be renewed, or will they just let it expire and allow the function to fail? The bottom line is this: Don't look solely at the solution; instead, make sure you understand the maintenance and administrative costs associated with the technology being used—in this case, digital certificates.

Encrypting Traffic

You may discover that you are sending private or confidential data over an unencrypted connection to a business or a trading partner or some outsourcer that performs financial transactions for your organizations. (I'm still surprised how often this occurs.) If you are looking at a solution to resolve this issue, first determine whether there are any laws or regulations with which your organization must comply that will dictate what algorithm is to be used as well as the length (i.e., strength) of the encryption key and encryption key management requirements. Next, determine whether the organizations (such as your trading partners) already have an encrypted transport method in place. If so, make sure you understand what encryption algorithm and key strength is being used so that the solution you purchase will "talk" to the other organizations' transport servers and meet any requirements they may have in place.

Accepting Payment over the Internet

More and more businesses are expanding into online payments. Some organizations choose to bring the transaction into an internal server and process it there. Other organizations route the transaction to a third-party payment-processing Web site where the payment is accepted. Whichever method you choose, make sure that the PCI Data Security Standards are adhered to. When investigating third-party payment-processing solutions, ask to see the results of their last Visa audit or PCI self-audit. If they refuse or the results show significant gaps, consider finding another solution provider. (Visa sends out auditors to assess merchants' and credit card processors' adherence to the PCI standards.) The intent of the PCI Data Security Standards is to ensure the security and privacy of credit card information. You don't want your organization's name dragged through the headlines because you or the payment-processing vendor you chose didn't secure the data or transmission of data properly, thereby allowing a breach to occur.

If you choose a third-party online payment-processing solution, you will want to understand the terms of the contract to determine where your security configuration requirements and responsibilities end and the solution provider's begin. You may also want your legal counsel to review the contract to make sure your organization cannot be held responsible for a breach that is the provider's fault. Finally, make sure the contract is clear as to who is responsible for notifying individuals under the various state notification laws should a data breach occur.

Consolidated Management Solutions for Security Administration

Products exist in the market that attempt to consolidate security functions such as access controls for databases and user account ("user profile" in the i5/OS world) administration. Sometimes these products work and play well with i5/OS, and sometimes they don't. Some are architected to work better in a Windows server environment than a robust, multi-user, multi-tasking operating system such as i5/OS. Exercise caution when purchasing one of these products to ensure that its interoperability with i5/OS really lives up to the vendor's claims and that it performs the functions on i5/OS as you would expect and doesn't attempt to usurp or contradict i5/OS security features.

One product that I encountered in the past attempted to consolidate the administration of database access control settings by routing all database accesses through this administration product. This worked well on paper and in their demonstrations because all database accesses were through a Web application. The technical marketing material associated with this product would lead you to believe that you only had to administer the access controls to all of your resources (including databases in your internal network) through this product. The claim was true as long as the database was accessed only via Web applications. But it is rare that an i5/OS database is accessible only through a Web site. Most systems running i5/OS are the primary data source for an organization's information, serving as a data repository for many applications. Data is accessed via native green-screen applications, data warehouse reports and queries, WebSphere applications, client/server applications, and more. If you only read the marketing material and don't think things through, you might believe that you no longer have to worry about i5/OS object-level security, that the product consolidates all access checks so native access controls are no longer required. Nothing could be further from the truth in the case of i5/OS. The product takes care of database accesses via a Web application but fails to consider other ways applications access data on i5/OS.

In addition, some products that attempt to consolidate function across multiple platforms don't provide the i5/OS configuration options required to make it worthwhile to run on i5/OS. For example, none of the consolidated security configuration products I've seen provide the ability to control all of the security-relevant system values, user profile settings, and object authority settings required to secure i5/OS. For example, some provide good user profile management yet only control half of the security-relevant system values. Others provide a method for granting *PUBLIC authority but not for securing an object with an authorization list.

My point is not to bash consolidated security management products. You may be able to find a product that will fulfill your requirements. To ensure this, however, you must determine what tasks a consolidated product will perform on i5/OS. Then envision—or, if possible, try—the product in your current environment. Finally, analyze whether the product fulfills your list of requirements. Note whether any gaps in the function will leave your network or system configurations vulnerable or whether function is missing that will require your administrators to perform configuration tasks both in the new product and on the system itself.

Last but Not Least

Last but certainly not least, all purchase considerations should be made with the requirements of your organization's security policy in mind. Don't be surprised if the purchase that you're about to make triggers an update to your security policy. You may be considering a security-related purchase because your organization is falling under a new law or regulation or your organization is branching out into new technology or changing how it does business (going into more e-commerce, for example.) If that's the case and your security policy has not been updated in the last year, it's likely that it will need to be updated to address the security requirements of this new area of business.

The Goal Is More Security, Not Less

Just because you are looking to add a new solution or another layer of security to your configuration doesn't mean that the solution will actually help you achieve a higher level of security. Some solutions may actually leave your systems and data more vulnerable. However, with some careful requirements gathering and planning, as well as careful scrutiny of the solution itself, you can achieve that higher level of security that you're hoping to attain.

Carol Woodbury is co-founder of SkyView Partners, Inc., a firm specializing in security policy compliance and assessment software as well as security services. Carol is the former chief security architect for AS/400 for IBM in Rochester, Minnesota, and has specialized in security architecture, design, and consulting for more than 15 years. Carol speaks around the world on a variety of security topics and is coauthor of the book Experts' Guide to OS/400 and i5/OS Security

Carol Woodbury

 

Carol Woodbury is IBM i Security SME and Senior Advisor to Kisco Systems, a firm focused on providing IBM i security solutions. Carol has over 30 years’ experience with IBM i security, starting her career as Security Team Leader and Chief Engineering Manager for iSeries Security at IBM in Rochester, MN. Since leaving IBM, she has co-founded two companies: SkyView Partners and DXR Security. Her practical experience and her intimate knowledge of the system combine for a unique viewpoint and experience level that cannot be matched.

Carol is known worldwide as an author and award-winning speaker on security technology, specializing in IBM i security topics. She has written seven books on IBM i security, including her two current books, IBM i Security Administration and Compliance, 3rd Edition and Mastering IBM i Security, A Modern, Step-by-Step Approach. Carol has been named an IBM Champion since 2018 and holds her CISSP and CRISC security certifications.


MC Press books written by Carol Woodbury available now on the MC Press Bookstore.

IBM i Security Administration and Compliance: Third Edition
Don't miss the newest edition by the industry’s #1 IBM i security expert.
List Price $71.95

Now On Sale

Mastering IBM i Security Mastering IBM i Security
Get the must-have guide by the industry’s #1 security authority.
List Price $49.95

Now On Sale

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: