"Everything is OK here, we don't need System i Security"

"We don't need security"

"We don't need security"

I would like to share the story of one of our customers, the Belgium subsidiary of a major bank in Germany.

When we first approached this bank, the managers said they don’t really need System i Security, since “everything is OK” with their system. This is actually a typical response of many companies and organizations, who tend to embrace a “what you don’t see can’t hurt you” policy.

We then proceeded to demonstrate our iSecurity Audit on the bank’s System i. Audit provides monitoring and reporting on all activity in the System i environment, as well as real-time server security auditing and detailed server audit trails. We quickly gathered the bank’s information from the previous two weeks, as provided by the OS400 audit log.

To the bank’s total surprise, within seconds we could see that one of the bank’s users tried to enter a password 15 times, while another user entered his password 21 times! Seems just a little suspicious, doesn’t it?

Not surprisingly, the bank decided to immediately purchase and implement a full iSecurity solution, to control and protect its System i. Now, five years later, with all their reports automated, the bank staff doesn’t even remember that iSecurity is doing the job. It is the result that counts: safety¬†and control.

Written by Shari Masafy, MarCom Manager, Raz-Lee Security
Email Shari Masafy at marketing@razlee.com

How Sufficient is IBM i's Integrated Security Infrastructure?

Is integrated IBM i Security Sufficient?

How sufficient is integrated IBM i security?

I recently ran into an interesting quote in System i News Magazine, January 2009:

“Not only is IBM i virus resistant, its object-based architecture provides integrated security based deep into the heart of the system. You don’t need to apply a multitude of security patches – because security is not an afterthought with IBM i”.

I couldn’t agree more. As VP Business Development at Raz-Lee Security, which has focused on software and security products for AS/400/IBM i since 1983, I can testify that security is indeed built into the IBM i to an extent that is unequaled on any other platform.

However, it’s important to emphasize the areas where IBM i only provides the infrastructure for security solutions, leaving it to each company – or to software providers like ourselves – to turn this infrastructure into something manageable and beneficial to CIOs, CSOs, auditors and system administrators.

Certainly the exit point architecture for protecting network access exists in vanilla OS/400; but were it not for a solution such as iSecurity Firewall, most organizations would not have the qualifications or resources to utilize these exit points.

The same goes for QAUDJRN log information; the information may all be there but its esoteric codes are unreadable without a solution such as iSecurity Audit which provides a useable front end to all this extremely valuable information.

OS/400 provides a wealth of password related system values and options; so many in fact, that a solution such as iSecurity Audit, which provides built-in password-related reports, a report generator and scheduler, is an absolute must.

And then there are capabilities that OS/400 simply does not provide; for example, an automatic operator facility (part of iSecurity Action) which can send real-time alerts and execute CL (command language) scripts in the case of a security breach.

And finally we reach the area I’ll call “Application Security”: using OS/400 facilities to secure the company’s business critical data. We’ve actually seen a growing trend over the past 2-3 years of companies’ growing interest in securing applications, as opposed to “infrastructure” (i.e. network access, QAUDJRN ).

iSecurity’s flagship product in the area of “Application Security” is AP-Journal. This product utilizes the information in OS/400 journal receivers, which fill up quickly and become unmanageable, and stores it in special purpose containers. These containers store only updates/fields which were defined by the user as “significant” and are therefore much smaller than journal receivers.

For example, AP-Journal can “trap” changes to application fields which are beyond a user-defined threshold, so that when a change occurs, an e-mail or operator message are sent to notify management. And, because the containers can store years worth of data, AP-Journal can easily provide a timeline report of all changes made to a mortgage over numerous years.

Another capability touching on application security is iSecurity’s ability to “capture” (via iSecurity Capture) user green screen images, store them and play them back at a later date.

In conclusion, while the IBM System i does lay out a groundwork for security, you still need additional, professional applications such as those offered by iSecurity in order to actually exploit the features/information provided by IBM.

Written by Eli Spitz, VP Business Development at Raz-Lee Security.
Email Eli Spitz at marketing@razlee.com