Security 101: Controlling Access to IBM i Systems and Data
0 likes53 views
The document outlines security measures for IBM i systems, focusing on vulnerabilities, access controls, and the use of exit points and programs to manage access to network, communication, database, and command functions. It discusses the challenges posed by increasing connectivity and legacy systems, and emphasizes the importance of proper controls to prevent unauthorized access or data breaches. Additionally, it explores the advantages of utilizing third-party solutions like Syncsort for enhanced security, compliance monitoring, and ongoing support.
Security 101: Controlling Access to IBM i Systems and Data
- 1. Security 101: Controlling Access to IBM i Systems and Data Barry Kirksey, Senior Solutions Architect 1
- 2. Agenda 1 – IBM i Access Vulnerabilities 2 – Exit Points and Exit Programs 3 – Four Levels of Access Control 4 – Tradeoffs: DIY or Packaged Solutions? How Syncsort Can Help5 –
- 3. • The IBM i is increasingly connected • Prior to the 1990s, the IBM i was isolated • In the 1990s IBM opened up the system to TCP/IP • The numbers of ways the system could be accessed grew • Legacy, proprietary protocols now cohabitate with new, open- source protocols – creating access point headaches • The worldwide hacker community now recognizes the IBM i as a high-value target • 4 important levels of access must now be secured • Network access • Communication port access • Database access • Command access Why Secure Access Points? 3
- 4. • What are exit points and exit programs? • Exit points and exit programs are powerful tools for access control • Introduced in 1994 to the AS/400 in V3R1 of the operating system • Exit points provide “hooks” to invoke one or more user-written programs—called exit programs—for a variety of OS-related operations • Exit programs are registered to particular exit points • How can exit points be used? • Exit programs can allow or deny access based on parameters such as permissions, date/time, user profile settings, IP addresses, etc. • Command exit points can allow or deny command execution based on context and parameters • Exit programs can also trigger actions such as logging access attempts, disabling user profiles, sending an alert, etc. 4 Exit Points and Exit Programs
- 5. Securing Network Access Security Challenges • Network protocols make it possible for users to connect directly to backend databases on the IBM i • Network protocols include FTP, ODBC, JDBC, DDM, DRDA, NetServer and others • Without proper controls, the system is open to hackers or internal users who may create problems • Without network controls, it is also possible to remotely execute commands (e.g. RCMD or REXEC) via FTP, ODBC and RMTCMD functions • SQL statements could also be remotely executed via ODBC, JDBC and DRDA if not locked down How Exit Points Can Help • IBM i provides dozens of exit points that cover most network access protocols • Exit programs can be created and assigned to these exit points • Exit programs can control access by a variety of criteria and monitor and log activity • When access is controlled through network exit programs, only the specific operations defined by the exit program can occur • Application Administration provides a partial solution that can control which users can access particular network functions, but does not provide logging and cannot be controlled via granular rules 5
- 6. Securing Com Port Access Security Challenges • Some network protocols don’t have their own exit points and can’t be protected in the same way • These network protocols include SSH, SFTP, SMTP and others • IT teams may also wish to control communication access in a way network or other types of exit points cannot (for example, specifying a port number) How Exit Points Can Help • IBM provides socket exit points • Socket exit programs secure connections by specific port and/or IP addresses • Socket exit programs have limits; e.g. fewer parameters are available to control inbound connection • Socket exit points paired with the other types of exit point access control methods provide stronger protection 6
- 7. Securing Database Access Security Challenges • Object-level security only goes so far in controlling access to sensitive data • Open-source protocols that access data create particular vulnerabilities • Open-source protocols include JSON, Node.js, Python, Ruby and others • Open-source protocols don’t have their own exit points • Without properly securing database access, data could be viewed or changed without proper authorization or even stolen How Exit Points Can Help • A powerful exit point called Open Database File allows exit programs that protect data from any kind of access • The exit program can be invoked whenever a physical file, logical file, SQL table or SQL view is opened • The exit program can contain a granular set of rules that control under what conditions the file can be accessed and by whom • The exit program can also be defined to audit all activity 7
- 8. Securing Command Access Security Challenges • The incorrect use of commands by users can cause considerable damage (deleting files, ending processes, or worse) • Access to commands can be controlled to some extent through user profiles and object-level security • A more refined approach to command control is often required – especially for powerful profiles How Exit Points Can Help • IBM i provides exit points that cover the use of commands • Exit programs can be developed to allow or disallow access to any command within very specific circumstances • Command control can be performed regardless of whether it is performed within the IBM i or through network access • Command exit programs supersede normal object-level security to provide an additional, very useful layer of security for users with powerful authorities 8
- 9. Tradeoffs Do-It-Yourself In-House • Resources may be stretched and pulled off project • May need to bring in consultants or hire new employee because of lack of knowledge • Need to stay on top of new PTFs or updates to the OS • Knowledgeable resource may leave or retire Third-Party Solutions • Frees up your resources for more important projects • Provides separation of duties • Leverages experts in the field • Vendor is in the business of releasing updated software • Vendors ensure exit programs stay current to the latest threats and OS capabilities • Ensures optimal performance of exit programs 9
- 11. Data Privacy Protect the privacy of data at-rest or in-motion to prevent data breaches Access Control Ensure comprehensive control of unauthorized access and the ability to trace any activity, suspicious or otherwise Compliance Monitoring Gain visibility into all security activity on your IBM i and optionally feed it to an enterprise console Security Risk Assessment Assess your security threats and vulnerabilities 11 Syncsort can address the issues on the radar screen of every security officer and IBM i admin
- 12. Assure System Access Manager Comprehensive control of external and internal access • Network access (FTP, ODBC, JDBC, OLE DB, DDM, DRDA, NetServer, etc.) • Communication port access (using ports, IP addresses, sockets - covers SSH, SFTP, SMTP, etc.) • Database access (open-source protocols - JSON, Node.js, Python, Ruby, etc.) • Command access Powerful, flexible and easy to manage • Easy to use graphical interface • Standard configuration easy deployment • Powerful, flexible rules for controlling access based on conditions such as date/time, user profile settings, IP addresses, etc. • Simulation mode for rules testing • Provides alerts and produces reports • Logs access data for SIEM integration Secures IBM i systems and enables regulatory compliance • Supports regulatory requirements for SOX, GDPR, PCI-DSS, HIPAA, and others • Satisfies security officers by securing access to IBM i systems and data • Significantly reduces the time and cost of achieving regulatory compliance • Enables implementation of security best practices • Quickly detects security incidents so you can efficiently remediate them • Has low impact on system performance 12
- 13. Expert services are available for • Security risk assessment • Quick start services • Quick check services • Security update services (hot fixes, PTFs, new releases, etc.) • System update services (ensuring security solution is properly configured after system changes to IP addresses, OS versions, etc.) • Auditor assist (supporting internal or external auditors) • Managed security services • A la carte consulting Leverage the seasoned security experts in Syncsort Global Services! The Syncsort Services Team Is Here for You 13