Regulate File Editors in Production Environments
Security systems that protect data by blocking programmers' access to production environments are not enough. Occasionally programmers need to carry out specific tasks and temporarily receive *ALLOBJ authority. Because there is no way to restrict them to that task, they become a potential risk.
iSecurity Safe-Update’s new security layer ensures that only authorized programs are used to update business-critical files.
Safety in Production Environments with iSecurity Safe Update
When the organization needs to update data with tools that are usually prohibited, some users are reluctant to use the tools allowed by IT departments. This “Shadow IT” is always a risk.
- With Safe Update, workflows consist of work orders, which specify who can work with the data, the reason for the work, and the limited time during which the work order is valid.
- If an unauthorized update is attempted, a window appears requesting the entry of a ticket.
iSecurity Safe Update restricts what users can do. If they attempt unauthorized updates, a window appears requesting the entry of a ticket.
How Does it Work?
Adding a New Security Layer
iSecurity Safe-Update implements a workflow that consists of work orders, created by management, that specify who can work with the data, the reason for the work, and the limited time during which the work order is valid.
Based on the work order, the specified programmer can then open a ticket and perform the requested updates interactively or in batch. All work under the tickets is logged, even if the data files themselves are not journaled.
iSecurity Safe Update Benefits
- Monitors and protects updates to data according to the program used.
- Uses either a whitelist of allowed programs, or a blacklist of programs that are not allowed.
- Ensures that DFU, Start SQL and file editors are not used in production environments even when *ALLOBJ is in effect.
- The update restriction can be lifted when the update affects only fields marked in advance as “insignificant”.
- Programs that are not allowed to update data can still read it. They are stopped when they issue an update.
- Comprehensive workflow of management-approved work orders with tickets opened by preassigned programmers.
- Allows authorized users to create ad-hoc tickets, which are tracked in the same way as work orders.
- Work orders specify the programmer, the files, the updates required and the time frame.
- Tickets are automatically closed if inactive for a period of time.
- Allows updates to fields that are marked as insignificant.
- Subject to the organization's policy, ad-hoc tickets may be permitted as well.
- Creates a record of updates, logging who updated the data, who authorized the update, and why it was done.
- Database journal information displayed by AP-Journal commands highlights updates made under Safe-Update permissions.