Raz-Lee Security and IBM Hold Joint Seminar in Italy About Implementing Local Privacy Code

Herzliya, Israel – August 6, 2009 – Raz-Lee Security, a leading supplier of information security solutions for IBM System i, and IBM Italy, held a seminar at the IBM Forum in Segrate, Milan on July 23, 2009, in which Raz-Lee provided information on compliance with the new Italian Privacy Code 196/2003 relating to System Administrators’ role in corporate data security.

 The seminar included technical and marketing presentations and demos by:

  • Nicola Fusco – South Europe Area Manager, Raz-Lee Security
  • Adriano Berneri – Independent expert in security regulations
  • Elvio Cappelli – Technical Support Manager, Raz-Lee Security
  • Massimo Maggioni, IBM Manager

 The event was well-attended by end-users in Italian enterprises and System i technology resellers. This event follows another Raz-Lee venture which included 30 free Round Table meetings covering the requirements of the new legislation and how best to implement it on System i. The round table meetings were conducted across Italy.

The new Italian privacy legislation specifies procedures for data protection, including technical and administrative measures which companies are required to implement. It holds IT departments directly responsible for user access and actions relating to companies’ information systems. The legislation is expected to come into effect on December 15th 2009.

“Raz-Lee’s close partnership with IBM enabled us to jointly provide this valuable session to Italian enterprises,” said Nicola Fusco, South Europe Area Manager, Raz-Lee Security. “We are committed to providing ongoing support to Italian companies as they undertake the complex challenge of becoming compliant with the new legislation.”

Raz-Lee System i Experts Provide Free Guidance to Italian Enterprises on Implementation of New Data Security Regulation

Raz-Lee Security has launched an innovative educational venture to help Italian enterprises understand and implement the new amendments to the Italian Privacy Code 196/2003, concerning System Administrators’ role in a company’s data security.

The new legislation specifies procedures for data protection, including technical and administrative measures which companies are required to implement. It holds IT departments directly responsible for user access and actions relating to companies’ information systems. Obviously, this has significant implications for System i Security as well. The legislation is expected to come into effect on June 30th 2009, after being publicized on 14 January 2009, followed by subsequent delays in its enforcement.

In the framework of the new venture, Raz-Lee has been holding free seminars explaining the requirements of the new legislation and how to implement it on System i. The sessions are conducted by Raz-Lee System i Security experts residing in Italy, who also provide ongoing technical support to Raz-Lee’s Italian customers. The meetings are conducted in intimate forums, with up to seven companies attending, in order to enable effective interactive discussions.

So far, Raz-Lee has held over 30 Round Table meetings across Italy, from Milan and Como to Naples and Sicily. Following the success and enthusiastic feedback from attending companies, Raz-Lee will continue to host such meetings. The meetings are attended by IT staff as well as top management of Italian companies.

The Round Table meetings cover the following topics:

- Security Assessment of System i
- Access monitoring & Control (FTP, ODBC, SQL)
- System auditing
- Centralized Management
- Reporting

“We are glad to be contributing tangible value to Italian enterprises in the area of our expertise, System i Security,” said Nicola Fusco, South Europe Area Manager, Raz-Lee Security. “We have a large, long-standing installed base in Italy, and it has widened further since we began this exceptional tour.”

For more information on Round Table meetings in Italy, email info.southeurope@razlee.com

Written by Shari Masafy, MarCom Manager at Raz-Lee Security
Email Shari Masafy at marketing@razlee.com

US President Proclaims CyberSecurity a Top Priority – will this Change Companies' Complacent Attitudes?

Finally, CyberSecurity is getting the importance it warrants, and by none other than the President of the United States, Barack Obama. The new administration announced on May 29th the launch of a major CyberSpace Security Project, headed by a top-level office to better protect information networks and critical infrastructure.

“From now on, our digital infrastructure — the networks and computers we depend on every day — will be treated as they should be: as a strategic national asset. Protecting this infrastructure will be a national security priority.” President Barack Obama

Hopefully, Obama’s enthusiastic drive for change will help alter overly complacent attitudes toward security. Amazingly, such attitudes are prevalent not only among the general public, but even at top government offices, as seen in the article Does the State Dept. Ignore Security? (Datamation.com). The article describes the frequency of incidents in which State Department employees access celebrities’ personal information out of curiosity. Moreover, an audit conducted at the State Department’s Office of the Inspector General (OIG) discovered “many control weaknesses – including a general lack of policies, procedures, guidance, and training” relating to information security.

The Obama administration’s Cyberspace Policy Review cites substantial damages caused by security hazards:

Failure of critical infrastructures. CIA reports malicious activities against information technology systems have caused the disruption of electric power capabilities in multiple regions overseas, including a case that resulted in a multi-city power outage.

Exploiting global financial services. In November 2008, the compromised payment processors of an international bank permitted fraudulent transactions at more than 130 automated teller machines in 49 cities within a 30-minute period, according to press reports. In another case reported by the media, a U.S. retailer in 2007 experienced data breaches and loss of personally identifiable information that compromised 45 million credit and debit cards.

Systemic loss of U.S. economic value. Industry estimates of losses from intellectual property to data theft in 2008 range as high as $1 trillion.

With such heavy tolls recognized, perhaps more conscientious approaches to information security will trickle down from government officials to private companies and IT managers.

Written by Shari Masafy, MarCom Manager at Raz-Lee Security
Email Shari Masafy at marketing@razlee.com

Join Us for Some Funny Security Clips

The Hardships of Security
Corporate security can be a hassle… (especially if you don’t have the right security system)
Click here to view clip

Security – Just a Continent Away…

Better check the reliability of your Security Provider!
Click here to view clip

 

Greetings from a Hacker
Sound scary? Well, get protected…
Click here to view clip

 

Storytime: Repeated Mistakes in Info Security
In Security, each mistake can cost…
Click here to view clip

 

For information on System i Security, please visit www.razlee.com

By Shari Masafy, MarCom Manager at Raz-Lee Security
Email Shari Masafy at marketing@razlee.com

"Everything is OK here, we don't need System i Security"

"We don't need security"

I would like to share the story of one of our customers, the Belgian subsidiary of a major bank in Germany.

When we first approached this bank, the managers said they don’t really need System i Security, since “everything is OK” with their system. This is actually a typical response of many companies and organizations, who tend to embrace a “what you don’t see can’t hurt you” policy.

We then proceeded to demonstrate our iSecurity Audit on the bank’s System i. Audit provides monitoring and reporting on all activity in the System i environment, as well as real-time server security auditing and detailed server audit trails. We quickly gathered the bank’s information from the previous two weeks, as provided by the OS400 audit log.

To the bank’s total surprise, within seconds we could see that one of the bank’s users tried to enter a password 15 times, while another user entered his password 21 times! Seems just a little suspicious, doesn’t it?

Not surprisingly, the bank decided to immediately purchase and implement a full iSecurity solution, to control and protect its System i. Now, five years later, with all their reports automated, the bank staff doesn’t even remember that iSecurity is doing the job. It is the result that counts: safety and control.

Written by Shari Masafy, MarCom Manager, Raz-Lee Security
Email Shari Masafy at marketing@razlee.com

Choosing the Right Security Approach: Object-level Security vs. Transaction-based Security

Before selecting a System i Security solution, you must first determine the best security approach for your needs. Some systems offer an Object-level security approach, while others have a Transaction-based approach. What does this difference really mean?

Essentially, Object-level security enables you to define a “white list” of the objects (such as files) which can be accessed by all or specific users; such an approach enables specifying the exact access type (Read, Write, Update,…) for each object as well.

Transaction-based security, however, does not have this capability. Instead, this approach uses a mechanism called Memorized Transactions. With this mechanism, certain transactions are kept in a separate area (not in the log) and analyzed to check whether a pattern or particular template can be used as a security rule, or as the structural basis for allowing or disallowing access to objects. Naturally, pattern recognition is a CPU-intensive task which can negatively affect processing time for each transaction.

Our flagship product, iSecurity, uses Object-level security together with an intuitive algorithm in which more specific rules are analyzed before generic ones are referenced. Using this algorithm, iSecurity requires only one successful I/O with minimal CPU to find the exact rule.

The advantages of Object-level security are:

Better Performance
Object-level security is far superior in the area of performance. With Transaction-based security, the greater the number of memorized transactions, the larger the number of comparisons needed for each incoming TCP transaction (FTP, SQL, etc.). And more applications in use means more transactions generated, more rules that need to be defined, and more transactions that need to be memorized.

Fewer Security Exposures
Unlike Object-based security, Transaction-based security compares transactions character by character, which means that unimportant differences between transactions may render important security rules useless.

Installation & Maintenance Issues
With Transaction-based security, the administrator needs to carefully review each transaction, determine which transactions require rules, and memorize those transaction definitions. The above procedure is time consuming and, more importantly, extremely error prone. Errors in defining the rules can easily lead to actual security breaches and serious monetary and reputation losses to your company.

Written by Eli Spitz, VP Business Development, Raz-Lee Security
Email Eli Spitz at marketing@razlee.com
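
The contrast drawn in the post above, as an added Python example (not Raz-Lee's code and not a description of how iSecurity is implemented). The rule layout, the `*ALL` generic key, the user names and the sample requests are assumptions constructed for illustration; the request is assumed to arrive already parsed into user, object and access type.

```python
GENERIC = "*ALL"  # hypothetical marker for a generic (non-specific) rule key

# Object-level whitelist: (user, object) -> access types allowed.
OBJECT_RULES = {
    ("PAYROLL1", "HRLIB/SALARY"): {"READ", "UPDATE"},  # most specific
    ("PAYROLL1", GENERIC): {"READ"},                   # generic for this user
    (GENERIC, GENERIC): set(),                         # everyone else: nothing
}

# Transaction-based: memorized request texts, compared character by character.
MEMORIZED = ["SELECT * FROM HRLIB/SALARY"]


def object_level_allows(user, obj, access):
    """Probe keys from most specific to most generic; the first hit decides.

    Each probe is a keyed lookup, so the cost does not grow with the
    number of rules defined.
    """
    for key in ((user, obj), (user, GENERIC), (GENERIC, obj), (GENERIC, GENERIC)):
        allowed = OBJECT_RULES.get(key)
        if allowed is not None:
            return access in allowed
    return False  # no rule at all: default deny


def transaction_allows(text):
    """One exact comparison per memorized transaction."""
    return any(text == known for known in MEMORIZED)


def compare(requests):
    """Return (text, object-level decision, transaction decision) per request."""
    return [
        (r["text"],
         object_level_allows(r["user"], r["obj"], r["access"]),
         transaction_allows(r["text"]))
        for r in requests
    ]


# Constructed sample: the same read of the same file, typed two ways.
SAMPLE = [
    {"user": "PAYROLL1", "obj": "HRLIB/SALARY", "access": "READ",
     "text": "SELECT * FROM HRLIB/SALARY"},
    {"user": "PAYROLL1", "obj": "HRLIB/SALARY", "access": "READ",
     "text": "select  *  from hrlib/salary"},
]

if __name__ == "__main__":
    for row in compare(SAMPLE):
        print(row)
```

The second sample request differs from the memorized one only in case and spacing, yet the exact-match check no longer recognizes it, while the object-level decision is identical for both.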

5 "Must-Have"s for System i IT Managers

I’ve often wondered about what IT Managers – and their superiors – really need in the areas of security and compliance.

The importance of security is pretty obvious: A security breach, be it a hacking trick done by a teenage kid from across the globe or an embezzlement carried out by “an enemy from within”, can easily make the company’s stock value and “bottom line” take a huge nose dive. And don’t forget the personal damage to the manager’s career… That alone is enough to get you to make sure that systems are totally secure and that audit trails exist!

Also, as auditors become more and more powerful in their organization, demanding answers, figures and proof of everything that happens, IT Managers have no choice but to “supply the goods” and the means for these auditors to get their jobs done.

So here are my thoughts on the 5 “must-haves” for IT Managers these days:

1) Click Click – Single click access to a single page summary report, presenting, in a “top-down” manner, all exceptions to security policies on all systems in the environment. One example of such an interface is Raz-Lee’s iSecurity GUI.

2) Take it Easy – Easily enable system administrators, auditors – and managers! – to define, run and schedule compliance reports running over selected systems in their environment.

3) A Picture’s Worth a Thousand Words – Single screen graphical (i.e. business intelligence oriented) access to security-oriented data warehouse with on-line drill down capabilities to isolate and identify security breaches and related events. See iSecurity GUI Screens for an example of this.

4) Know Where you Stand – Single click assessment of how the site is complying with defined policies (either IBM’s, best practices or the site’s defined baseline policies).

5) Automate It – Automatic responses to potential security breaches and events which will enable identifying the intruder and accumulating court-acceptable evidence.

Raz-Lee’s iSecurity, an advanced System i Security product suite, addresses all 5 “Must Haves”. Email marketing@razlee.com for a free consultation on the best security solution for you.

Written by Shmuel Zailer, CEO, Raz-Lee Security
Email Shmuel Zailer at marketing@razlee.com