Compliance Assessment and Reporting Tool
PowerSC Tools for IBM i
© 2014 IBM Corporation
Security Services Delivery Team
“Some organizations will be a target regardless of what they do, but most become a target because
IT Security Compliance – Why ?
Data Loss (Data Breach) Prevention
Mitigate internal and external threats due to the costly and harmful impact to
reputation and business when customer data is exposed and must be
publicly reported due to compliance regulations
Data Assurance and Integrity
Prevent unauthorized access and changes to sensitive data by privileged and non-privileged users
Probably a number of reasons, but that isn’t the point of this
presentation. However, so no one walks away without something to
contemplate, we offer the following for your consideration…
Data is the key target for security breaches…..
and Database Servers Are The Primary Source of Breached Data
“Because that’s where the money is.” - Willie Sutton
Database servers contain your client’s most valuable information
• Financial records
• Customer information
• Credit card and other account records
• Personally identifiable information
• Patient records
High volumes of structured data
Easy to access
Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
What Data are the Criminals After?
Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
IT Security Compliance – Who Should Care?
Business and Information Owners – must be assured that the information and brand reputation of the business is protected
Chief Security Officer (CSO) – as custodian of the business and information owners, must answer for risks present on the system and that they are being managed to an acceptable level
Security Administrators – must ensure that access is implemented appropriately as designed
Compliance Officer – must ensure that the IT operations comply with corporate rules and regulations as well as industry and government regulations
Operations Managers – must ensure the correct policies/standards are in place and being followed
Application Developers – must ensure applications are being designed and placed in production correctly with sufficient controls to prevent inappropriate access
IT Security Compliance – Inhibitors
For many IBM i IT departments, security is performed by an individual with multiple responsibilities – operations, administration, programming, etc.
Security implementation “how to” is often not understood, is neglected or not monitored due to time constraints.
Security setup inherited from the past - previous owners / application designers are no longer available
Security policies/standards often do not exist. If they do, monitoring of compliance to the policy is not done or understood and deviation from the policies/standards across the enterprise is unknown.
How do you measure security? What are Key Risk Indicators (KRI)? How do I prove due diligence to security monitoring?
Gathering of security information is time consuming and scattered in multiple places on the system. The analysis of this data or monitoring of security changes is often dated by the time it is read.
Is my data safe?
Is my brand and/or reputation safe?
IT Security Compliance – Measuring Security
“If you can’t measure it, how can you improve or fix it ?”
Provide evidence that risk is being managed according to enterprise defined risk
thresholds empowering Senior Management to make informed risk management
decisions on where best to allocate resource.
REQUIREMENTS:
– Centralized view of Security Compliance status across the enterprise
• No access to remote machines required
• Maintain segregation of duties
• Provide management visibility, meaningful reports that drive action
– Customizable Control Tests
• Measurable Results
• Ability to define Key Risk Indicators (KRI’s)
• Traceability back to Security Standards and Company Policies
– Dashboard Style Reporting
• Red, Yellow (Amber), Green (RAG) Metrics
• ‘Clickable’ reports – to drill down to the issue
“I just want to arrive in the morning, get a cup of coffee, and have a view of what systems
are in compliance and which are not.”
Compliance Assessment and Reporting Tool
Provides quick and easy check of system for major security exposures
Profile Analysis:
Special Authorities / Inherited Privileges
Group Profiles / Ambiguous Profiles
Default Passwords / Password Expiration
Inactive Accounts
Administration / Configuration:
System Values / Audit Control Settings
Invalid Signon attempts
*PUBLICLY Authorized Profiles
Privately Authorized Profiles
Initial Programs, Menus, and Attention Programs
Command Line Access
DDM Password Requirements
Registered Exit Points / Exit Programs
Work Management Analysis
Service Tools (SST) Security
Network Settings:
Network attributes / Time Server
NetServer Configuration
TCP/IP servers / Autostart values
Digital Certificate Expiration
SSH / SSL Configuration
Function Usage
Library Analysis / *ALLOBJ Inheritance
Listening ports / Network Encryption
IP Datagram Forwarding
IP Source Routing
APPN Configuration (yes – for many it is still there)
High Level Architecture
[Figure: high-level architecture. Remote systems: DAILY SUMMARY TABLE, created by the Quick Security Check Collection Tool (one for every LPAR). ETL Process to Load Data Mart on Central System. Central System (Data Mart system): DB2 for i Reporting Data Mart (DAILY, HISTORY), DB2 Web Query Meta Data, DB2 Web Query.]
Data Mart Tables
DB2 for i Reporting Data Mart
Security Collection Details – Detailed history of system security grading (Best Practice, Policy, Policy Exception)
ETL Log – How current is the data I am viewing? Logging of success or failure of scheduled ETL processes with remote systems
System Info – How do I wish to filter on and view the data? System descriptive information such as location, usage, VRM level, etc.
Policy Grading Info – How is Green, Amber, and Red defined? User defined thresholds for aggregate security attribute grading.
Data Mart Views
[Figure labels: Security Collection Details, Policy Grading Info, System Info, ETL Log, DB2 Views]
Views over all the base data mart tables, PLUS:
• The last ETL entries for each remote system
• Summary grading information for the last successful collection for each remote system
• Summary grading information for each remote system for all collected history
• Detailed grading information for each remote system for all collected history
• Detailed grading information for the last successful collection for each remote system
• History of all ETL entries for each remote system
DB2 Web Query Reports
How current is the information?
- Which systems have not reported in the last two weeks?
- How old is the data for System x?
- What problems are preventing successful data collection from System y?
- How long has there been a problem with collection of information from System z?
What is the summary view of the last collected status for my enterprise?
- Based on IBM Best Practices?
- Based on my company’s policies?
- Based on (expiring) exceptions granted to company policy?
- Based on some System value or attribute?
• System Name
• Location (hierarchy)
• Version/Release level
• System Usage (development, test, QA, production, etc.)
• Ownership, Administration responsibility
• Priority
• Other?
What systems and areas need attention and speedy resolution?
- What are the details for each system in the enterprise?
- How is success measured? Adherence to company policy or policy exceptions, IBM Best Practice?
- Which system attributes are being tracked and graded?
- What is the Priority of each item? High, Medium, and Low Prioritization
- What is the grade for each item? Green, Amber or Red grading
Regional Review (Drill down to overall grading and details)
Overall System Status (by Age, Policy Type and various system criteria)
System Attribute Details (By Age, Policy Type and System Name)
COLLECTION_DETAILS_LAST
Last Reported Event Log (Status by Age, System, Region, Data Center, System Name)
Event Log Report
Shows status of most recent attempt to collect security data for each system
- Can be filtered by Region, Data Center, and System Name
1.4.1. Current Event Log Status by System - Active Report
Delinquency Reports
Systems that have not successfully reported in over xx days
- Can be filtered by Region, Data Center, and System Name
Enterprise Dashboard
- Summary of Overall System Status of all systems in the enterprise by various system attributes.
- Information is based on last successful collection for each system.
System Dashboard
Key System and data collection information
- Status of last collection attempt – Success or Fail
- Key System attributes – VRM, Location, etc.
- Overall and detailed system grading based upon last successful collection.
Application to Provide Customization
Application to Provide Customization – Dashboard Threshold
Application to Provide Scoring
Application to Provide Scoring – Customer Policy
Application to Provide Scoring – Customer Defined
APPENDIX
Standard vs. Enterprise
Feature / Standard / Enterprise
Automated individual LPAR reporting
Enterprise LPAR dashboard / reporting
Best Practice Scoring
Customer Policy / Exception Scoring
User Defined Items Scoring
Policy definition, scoring training and customization
Web Query training, ETL customization
Prerequisites – Central Server
IBM i operating system version 7.1 or above
– Option 1 - Extended Base Support
– Option 2 - Online Information
– Option 3 - Extended Base Directory Support
– Option 12 - Host Servers
– Option 13 - System Openness Includes
– Option 14 - GDDM
– Option 26 - DB2 Symmetric Multiprocessing (OPTIONAL)
– Option 29 - Integrated Server Support
– Option 30 - QSHELL
– Option 31 - Domain Name System
– Option 33 - PASE
– Option 34 - Digital Certificate Manager
– Option 39 - International Components for Unicode
5733WQE - DB2 Web Query Express v2.1
(Standard edition preferred - 5733WQS)
– Minimum 1 core license (for *Base and Option 1)
– 2 Licensed users (Option 4) – see Notes page
– One Workbench License (Option 5)
Prerequisites – Central Server (continued)
Compliance Assessment and Reporting Tool - Enterprise Component
Pre-requisite program products:
– 5770DG1 - IBM HTTP Server for i
– 5761JV1 - IBM Developer Kit for Java (*BASE and options 8 through 13)
– 5770NAE - IBM Network Authentication Enablement for i
– 5733SC1 - IBM Portable Utilities for i (*BASE and OpenSSH, OpenSSL, zlib)
– 5770TC1 - IBM TCP/IP Connectivity Utilities for i
Pre-requisite PTFs (as of January 8th, 2014):
– SF99710 Level 13298 or later – Cumulative PTF Package
– SF99709 Level 100 or later – Group HIPER
– SF99708 Level 30 or later – Security Group
– SF99707 Level 7 or later – Technology Refresh
– SF99701 Level 26 or later – DB2 Group
– SF99647 Level 6 or later – DB2 Web Query Hot Fix
– SF99572 Level 15 or later – Java Group
– SF99368 Level 24 or later – HTTP Group
Prerequisites – Remote Systems
IBM i operating system version 5.4 or above
Compliance Assessment and Reporting Tool - Remote Agent
For more information …
Terry Ford, Team Leader, Security Services Delivery, 507-253-7241
Doug Mack, Business Programs Manager, DB2 for i Center of Excellence, 360-481-1271
Mark Even, Opportunity Manager, 507-253-1313
Mike Gordon, Opportunity Manager, 507-253-3477
Our Mission and Profile
IBM Systems Lab Services and Training
Support the IBM Systems Agenda and accelerate the adoption of new products and solutions
Maximize performance of our clients’ existing IBM systems
Deliver technical training, conferences, and other services tailored to meet client needs
Team with IBM Service Providers to optimize the deployment of IBM solutions (GTS, GBS, SWG Lab Services and our IBM Business Partners)
Mainframe Systems
Power Systems
System x & Bladecenter
System Storage
Successful Worldwide History
18 years in Americas
10 years in Europe/Middle East/Africa
6 years in Asia Pacific
Our Competitive Advantage
Leverage relationships with the IBM development labs to build deep technical skills and exploit the expertise of our developers
Combined expertise of Lab Services and the Training for Systems team
Skills can be deployed worldwide to assure client requests can be met
www.ibm.com/systems/services/labservices [email protected]
IT Infrastructure Optimization
Data Center Services
Leverage the skills and expertise of IBM's technical consultants to
implement projects that achieve faster business value
IBM Systems Lab Services and Training
Ensure a smooth upgrade
Improve your availability
Design for efficient virtualization
Reduce management complexity
Assess your system security
Optimize database performance
Modernize applications for iPad
How to contact us
email us at [email protected]
Follow us at @IBMSLST
Learn more: ibm.com/systems/services/labservices