27
Fri, Dec
0 New Articles

Security Patrol: Characteristics of a Security Administrator

IBM i (OS/400, i5/OS)
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

One of my clients was looking for a new security administrator and asked me what characteristics I would look for if I were doing the hiring. I'll bet that many of you conjure up a picture of a rather nerdy, very paranoid, non-risk-taking person who takes great joy in telling people, "No! That's against our security policy!" I'll admit that I've met some security administrators who actually do resemble that person. But is that what I look for when hiring a security administrator? Not exactly. The following is a discussion of the characteristics I look for.

Has Security Expertise

If a person has experience in OS/400 security, that's a tremendous advantage, but what is more important is that the person be grounded in security principles and concepts and understand their importance. One example is the concept of "least privilege"--that is, giving users only the capabilities required and access only to the applications they need to perform their job duties. Security administrators need to understand security terminology such as identification, authentication, and authorization. They need to understand and appreciate why auditing is important. I would rather hire someone who is well-versed in general security principles and concepts and has no OS/400 experience than someone who knows OS/400 security features but understands none of the general security principles. People who are well-grounded in security principles can always learn the specifics of implementing those principles on OS/400.

If you are looking for a career change and have no security experience, I suggest that you study the basic security principles. The IBM iSeries Information Center has general security information under the Security -> Basic Security topic.

Enjoys Investigation Work

Several aspects of the security administrator role involve investigation. Sometimes, especially when a company is tightening its security implementation, an error occurs, and the security administrator has to be willing and able to dig through audit journal entries and job logs, cross-referencing the iSeries Security Reference manual and other reference material to determine the cause of the error and the appropriate fix. Steer clear of the security administrator who hates investigation and wants to always take the easy way out. This administrator might give users *ALLOBJ special authority to avoid future security issues or change the *PUBLIC authority of all objects on the system to *ALL so the "jobs will run and I won't get called in the middle of the night."*

* Actual quote from a former administrator. Note that I said "former."

Has a Good Sense of "Smell"

A good security administrator knows how to apply the old saying "If something smells fishy, it probably is." Administrators need to have a "sense" or "feeling" that tells them that a situation needs further investigation or a request doesn't sound "right" or the details of a report don't make sense. A security administrator who takes everything at face value and never asks questions is not an administrator I want on my staff.

Is Willing to Stick to Corporate Policy

A security administrator has to be familiar with the corporate security policy and be willing to comply with it as well as understand its implications for his or her job. For example, if the policy states that requests for new user access must have the area manager's signature, the security administrator must be willing to follow that procedure and not circumvent it--even for friends.

Also, the administrator must be willing to not be swayed by external influences. I heard of an administrator who did not follow the policy for allowing programmers access to the production system. He allowed the programmer to request access via a phone call rather than a management-approved email form because "her voice didn't sound like she had evil intent." The programmer received access to the production system and subsequently introduced a severe performance issue. Did she intend to do evil on the production system? Probably not. But whether the intent was there or not, "evil"--that is, a performance issue--was introduced because the administrator was coerced by the sound of the programmer's voice.

Doesn't Have to Be Popular

If a person's self-worth is fed by being popular, then that person is not cut out to be a security administrator. Face it, taking a stance on security--as many administrators must do--often does not win popularity points with end users and certainly not with programmers. Security administrators have to say no to many requests, deny access to files containing sensitive data, and tell people they cannot have as much power as they are asking for. I remember walking through one of the IBM Rochester Labs feeling as though I had a big target painted on my blouse. And since it was deer hunting season at the time, it was not a good feeling! We were imposing a rather stringent policy that affected how OS/400 programmers were going to have to write programs, and it wasn't a popular policy. I had to take satisfaction in knowing that my team and I were doing the right thing. Had my sense of self-worth been fed by popularity points, I would have starved to death.

Is Willing to Learn

The field of security is rapidly evolving. New technology, new regulations, and new threats appear almost daily. Someone who wants to implement a security solution and sit on it--rather than re-evaluate the solution on a regular basis and evolve it as new technology permits--is quickly going to be behind. Numerous avenues exist for staying current: newsletters, magazines, Web sites, and formal courses. Whether the administrator's preference is to subscribe to technical publications or to research specific topics or to sit in a classroom, the information is available to keep a security administrator technically up-to-date. If a person is not willing to learn and stay abreast of current issues, security administration is not the profession to pursue.

Wants to Be Proactive

Security administrators must be willing to keep up with current issues and take proactive measures to ensure that their organization is protected and is in compliance with new laws or regulations well before a compliance deadline. I worked with another (former) security administrator who ignored my warnings that steps needed to be taken to secure the company's files containing private data. Because of this administrator's inactivity and unwillingness to learn and keep current, the organization is now scrambling to get its security implementation into compliance.

Huge amounts of money can be saved by taking proactive steps. Think how much is saved by taking a proactive Anti-Virus (AV) stance rather than taking action after the virus has spread throughout the corporation. Keeping current with the latest security issues and taking mitigating steps is far more appropriate than waiting until the problem has affected your system.

Best Traits

I've mentioned characteristics such as security expertise and a willingness to not be "popular." However, in my opinion, the most important characteristics are a willing spirit and an investigative nature. Someone with a willing spirit will overcome a lack of security knowledge by digging into every resource possible to gain the necessary knowledge. Someone who is willing to investigate--better yet, enjoys investigation--can be taught what to look for.

Carol Woodbury is co-founder of SkyView Partners, a firm specializing in security consulting and services and offering the recently released software, SkyView Risk Assessor for OS/400. Carol has over 13 years in the security industry, 10 of those working for IBM's Enterprise Server Group as the AS/400 Security Architect and Chief Engineering Manager of Security Technology. Look for Carol's second book, Experts' Guide to OS/400 Security, to be released early next year. Carol can be reached at This email address is being protected from spambots. You need JavaScript enabled to view it..

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: