IBM i HA and Security: Why They Need to Work Together
Download as PPTX, PDF0 likes59 views
The document discusses the importance of High Availability (HA) and security coordination for IBM i systems, highlighting their critical role across various industries. Key concerns include the increasing move to cloud deployment, the skills gap in security, and the need for effective automation and modernization strategies. It outlines essential practices for integrating security measures and HA functionalities, such as multi-factor authentication and encryption, to minimize downtime and risks during operations.
IBM i HA and Security: Why They Need to Work Together
- 1. How Security and HA Need to Work Together Bill Peedle | Principal Sales Engineer Barry Kirksey | Principal Sales Engineer
- 2. Today’s Topics • IBM i is mission critical • HA and Security coordination • Security • Switching • Replication • Reporting and monitoring • Minimizing downtime 2
- 3. IBM i is Mission Critical
- 4. Let’s talk about IBM Power Systems running IBM i 4 Reputation • IBM i has been a strategic platform for decades • IBM i has been able to adapt to a changing IT landscape • IBM i handles important, mission-critical workloads • Popular in manufacturing, retail, distribution, logistics, banking, healthcare, insurance, hospitality management, government management, and legal case management. Trends Concerns • Increasing move to cloud deployment • Existing customers continue to upgrade systems and OS versions • Customers continue to add more partitions -50% of companies have more than 3 LPARs • Remote work environments continue to grow • Security knowledge and skills gap • Security continues to be top priority • HA/DR cited as top concern for almost 2/3 of customers • Finding required staff with IBM i skills also a top concern • Automation and modernization are frequently cited concerns *Forta 2022 IBM i Marketplace Survey
- 5. IT Jungle 2023 IBM i Marketplace Predictions* Automation Modernization Automation is key in operations, job scheduling and regular complex and simple tasks, but the resources for skilled IBM Power Systems people are scarce and becoming even scarcer IBM i is the system of record and clients are implementing a hybrid approach to modernization Spending Cloud Many IT projects will be looking to optimize costs. We will see investment in tools on the platform (IBM i) to help move workloads to cloud/hybrid cloud environments 2023 will mark a year where customers finally make the move to cloud-based hosting of their IBM i 5 * IT Jungle-2023 IBM i Predictions, Part 1 - 1/16/2023
- 6. IBM i marketplace surveys • Virtually all surveys continue to point to Security as Number 1 concern • HA is usually 2nd or 3rd and is generally cited by more than 50% of survey respondents • Only 5% of IBM i users intend to remove all IBM i-based applications from their systems during the next two years • Downtime costs IBM i uses an average of $125k per event** • Remote operations has become the new normal for most organizations causing increased security risks** • 70% of respondents using their IBM i platform to run more than half of core business applications. 6 **Forrester Economic Impact Study
- 7. Tension Between Availability and Security 7 Conflict • Operations team generally focused on Availability • Security team focused on locking down a secure environment Causes • Conflicting Values • Complexity • Policy problems • Communication & coordination
- 8. How to coordinate IBM i Security and High Availability
- 9. Replication Topics to discuss • IBM i Security Product Modules required to be replicated • Switching considerations for HA and Security • Availability and security in a Cloud environment • Streaming HA and security data to IT Operations Analytics (ITOA) solutions • Managing risk and downtime for encryption of data at rest, while maintaining switch readiness 9
- 10. Security Modules
- 11. Multi-factor Authentication (MFA) Security Module Replication 11 • Enabling Multi-factor Authentication • Install MFA Product on target server • Configure IBM i replication product to replicate MFA • Authentication server considerations • External • Local • HA Server access when in read only mode
- 12. Encryption Security Module Replication 12 • Enabling Encryption • Install on target server • Configure IBM i replication product to replicate the encryption module • Encryption at the filed level with IBM i Field Procedures • Fields encrypted/decrypted on the fly • Field Proc procedure used on the fly • Procedures must be replicated
- 13. Exit Point Security Module Replication Managing Exit Points • Install on target server • Configure IBM i replication product to replicate the exit point software product • Exit Points must be turned on at the system level • Consideration for new exit points on source need to be introduced to backup server 13
- 15. Switching Your HA and Security Products 15 • Products need to be integrated • Procedure and steps needed to accommodate integrated switching • Automated notification of manual steps required • Regular testing to ensure HA and Security switch error free New LPARs Current LPARs From Anywhere To Anywhere Any Hardware Any Storage Physical, Virtual, Cloud Any IBM i OS Version
- 16. Replication in the Cloud
- 17. Presentation name 17 Cloud Considerations HA and security products need to be Cloud ready Many Cloud environments do not have tape access
- 18. Reporting and Monitoring HA and Security Data
- 19. Some definitions… 19 • Security Information and Event Management (SIEM) - offers real-time monitoring and analysis of events as well as tracking and logging of security data for compliance or auditing purposes • IT Operations Analytics (ITOA) - IT operations analytics involves collecting IT data from different sources, examining that data in a broader context, and proactively identifying problems in advance of their occurrence. • IT Operations Management (ITOM) - IT operations management (ITOM) is responsible for managing information technology requirements within an organization, overseeing the provisioning, capacity, performance, and availability of IT infrastructure and resources.
- 20. Leading IT analytics & security platforms lack native IBM i support 20 Distributed and Cloud environments IBM i Systems Online services Storage Online Shopping Cart Servers Desktops Web clickstreams Security Networks Telecoms Call detail records GPS location Messaging Databases RFID Web services Packaged applications APP Custom apps Energy meters Smartphones and devices On- premises Private cloud Public cloud IBM i
- 21. IT operations analytics Monitor the business for real-time operational intelligence • Monitor operational status of enterprise IT infrastructure • Monitor resource utilization and availability • Realtime visibility into IBM systems • Predict and avoid problems • Non-IBM users have access to IBM KPIs 21
- 22. Security monitoring Extend your security strategy to include the IBM i • Detect and prevent security threats • Report on security events • Prioritize on highest impact issues • Monitor privileged user activity • Automated reporting and simplified compliance 22
- 23. Minimizing IBM i Downtime while Encrypting Data
- 24. Implementing encryption has its challenges Exclusive Locks Small Window • IBM i Field Procedures (FieldProc) needs an Exclusive Lock on file data to add/remove an encryption program and encrypt/decrypt a column • Your maintenance window may be too small to encrypt/decrypt all files during the allotted time Application Risk • Encryption processing changes every record within a file – increasing risk to applications 24
- 25. Encrypt While Active is useful throughout the lifetime of your encryption project Initial Encryption Removing Encryption • Adding encryption to fields/files not currently encrypted • Removing encryption from fields/files currently encrypted Key Rotation • Cycling an encrypted file from one set of encryption keys to another (annually or on another regular interval to meet compliance requirements) 25
- 26. Benefits of Encrypt While Active • Minimizes downtime for encryption operations • Mitigates the risk of application failure after encryption • Ensures HA/DR-readiness throughout the encryption process 26 As an added benefit, deleted records can be removed from the file during the encryption – a Compress While Active service
- 28. Precisely IBM i Products • Protects against downtime and meets aggressive service level agreements • Flexible, scalable replication and failover automation • Scales from SMB to enterprise workloads • Minimizes impact on network bandwidth and CPU usage • Supports mixed i OS and hardware environments on physical, virtual and cloud platforms Integrates log data from IBM i into IT operations analytics and management platforms • Robust, multi-layered, and resilient defenses against advanced malware threats • Enforces strict security policies to protect your systems with automated access control • Generates generate clear, actionable alerts and reports • Protects sensitive and highly regulated data from unauthorized access using encryption, tokenization and masking technologies • Provides access to the log data to address IT operations analysis, security, and compliance • Unlocks real time operational intelligence from IBM i systems, • Improves access to data by breaking down silos • Increases value and observability of IT services & operations 28 Ironstream Assure HA Assure Security Protects IBM i systems and data from security breaches and assures regulatory compliance Protect IBM i servers from downtime and data loss
- 29. Questions
Editor's Notes
- #8: Conflicting values Because of the innate conflicting values between availability and security, there is also friction when choosing best practices to follow when teams are combined. For example, SecOps combines multiple teams with specific duties, goals, and responsibilities. There is no question that everyone wins when they can work together in balance, but their conflicting values make it especially difficult to agree on workflows and best practices. For example, when DevOps teams think about vulnerability patching, they think of it in terms of downtime and disruptions that cause problems and inconveniences for users. That’s why they often turn to regularly scheduled downtime in an attempt to prioritize security. However, maintenance windows and scheduled downtime can’t result in complete patching every time. Network updates are not released according to your organization’s timetable. And hackers certainly won’t wait until your next security update to launch an attack. Complexity Deciding on how often to patch and how quickly to respond when known vulnerabilities are released is just the beginning of the issues between availability and security. And sometimes, reducing risk is more complicated than running an update or patching a specific vulnerability. For example, some vulnerabilities occur at the programming language level. These vulnerabilities impact all of the apps written with the affected language. Sometimes operations and security teams are oblivious to the inner workings of certain programming languages. If they don’t know how to log in with Python, how will they patch a PHP vulnerability? This is where developers get involved, and DevSecOps teams are formed, further adding to the complexity of balancing availability and security. Not only must teams update the language version to patch the vulnerability, but they also must rewrite application code with the language-level changes in mind. At this level of complexity, developers have doubled their workload, IT teams cannot serve their primary functions, and security specialists are faced with hours of rework securing an entirely new application. Policy problems It is at this point that processes break down. Everything is on fire, no one is clear on how to proceed, and organizations often suffer from data incidents at this stage. In addition to a multi-layered conflict across the company, you also have to repair your reputation with customers. This is also where the idea of a top-to-bottom policy seems the best way to deal with the issues. And while policies can solve these problems to some degree, no team is truly happy with the outcome. The result? Mediocre products and services from a mediocre organization. Another problem with policies is that they often leave systems unpatched for long periods, giving hackers plenty of opportunities to sneak in and wait for the perfect time to launch an attack.