PowerSC Tools for IBM i

(1)

A service offering from IBM Systems Lab Services

(2)

PowerSC Tools for IBM i

PowerSC Tools for IBM i helps clients ensure a higher level of security and compliance

Client Benefits

• Simplifies management and measurement of security & compliance
• Reduces cost of security & compliance
• Reduces security exposures
• Improves the audit capability to satisfy reporting requirements

© 2013 IBM Corporation

PowerSC Tools for IBM i is a service offering from IBM Systems Lab Services

(3)

IBM Systems Lab Services

IBM Lab Services offerings for IBM i security:

• IBM i Security Assessment
• IBM i Single Sign On Implementation
• IBM i Security Remediation
• IBM i Encryption

PowerSC Tools for IBM i Benefits

• Simplifies management and measurement of security & compliance
• Reduces cost of security & compliance
• Improves detection and reporting of security exposures
• Improves the audit capability to satisfy reporting requirements

Tool | Benefit
Compliance Assessment Tool | Demonstrate adherence to pre-defined security policies
Security Diagnostics | Reduces operator time involved in remediating exposures
Privileged Access Control | Ensures compliance with guidelines on privileged users
Secure Administrator for SAP | Eliminates sharing of SAP administrative profiles
Access Control Monitor | Prevents user application failures due to inconsistent controls
Network Interface Firewall | Reduces threat of unauthorized security breach and data loss
Audit Reporting | Simplifies audit analysis for compliance officer and/or auditors
Certificate Expiration Manager | Prevents system outages due to expired certificates
Password Validation | Ensures user passwords are not trivial
Single Sign On (SSO) Suite | Reduces password resets and simplifies user experience
Encryption Suite | Helps meet data security standards and protect critical data

For more information on PowerSC Tools for IBM i offerings and services, contact: Terry [email protected] Leader, IBM Systems Lab Services Security

(4)

PowerSC Tools for IBM i

Tools / Feature | Function | Benefit
Compliance Assessment and Reporting Tool | Daily compliance dashboard report/s at LPAR, system or enterprise level | Enables compliance officer to demonstrate adherence to pre-defined security policies
Security Diagnostics | Reports detailing security configuration settings and identifying deficiencies | Reduces operator time involved in remediating security exposures
Privileged Access Control | Controls the number of privileged users | Ensures compliance with industry guidelines on privileged users
Secure Administrator for SAP | Manages and controls access to powerful SAP administrative profiles | Eliminates sharing of SAP administrative profiles with enhanced security auditing
Access Control Monitor | Monitors security deviations from application design | Prevents user application failures due to inconsistent access controls
Network Interface Firewall for IBM i Exit Points | Controls access to Exit Point interfaces such as ODBC, FTP, RMTCMD, etc. | Reduces threat of unauthorized security breach and data loss
Audit Reporting | Consolidates and reduces security audit journal information | Simplifies audit analysis for compliance officer and/or auditors
Certificate Expiration Manager | Simplifies management of digital certificates expiration | Helps operators prevent system outages due to expired certificates
Password Validation | Enhances IBM i operating system protection with stricter password validation | Enables security officers to ensure user passwords are not trivial
Single Sign On (SSO) Suite | Simplifies implementation of SSO and password synchronization | Reduces password resets and simplifies end user experience
Encryption Suite | Simplifies implementation of cryptography using IBM i operating system capabilities | Helps application developers meet data security standards and protect critical data

(5)

Positioning IBM i with PowerSC

PowerSC Feature | Exp | Std | TS | Source of comparable capability for IBM i
Security and Compliance Monitoring and Reporting | | | | PowerSC Tools for IBM i includes a Compliance Assessment and Reporting Tool. Additional products available from ISVs, see http://www-03.ibm.com/systems/power/software/i/security/partner_showcase.html
Trusted Logging | | | | PowerSC Trusted Audit Data Repository – Capability is built into IBM i operating system
Trusted Boot | | | | PowerSC Trusted Digital Signature Verification – Capability is built into IBM i operating system
Trusted Network Connect and Patch Management | | | | No equivalent IBM i functionality
Trusted Firewall | | | | PowerSC Tools for IBM i contains an optional Network Application Firewall. PowerSC Trusted Firewall feature supports IBM i VMs
Trusted Surveyor | | | |

(6)

Compliance Assessment and Reporting Tool

Centralized reporting of IBM i security

• Covers:
  - Password management
  - Profile administration
  - Special authorities
  - Group inheritance
  - Network configuration
  - Netserver attributes
  - Operational security
  - Security risks and more
• An automated collection, analysis, and reporting tool on over 900 security related risks, information, statistics and demographics. All in one location and easy to use!
• Enables compliance officer to demonstrate adherence to pre-defined or customer-defined security policies.
• Security reporting made easy!
• Daily compliance dashboard report/s at VM (partition), system or enterprise level

(7)

Security Diagnostics

In depth security collection and reporting

• Reduces security administrator time involved in remediating exposures
• Reports on:
  – User profiles
  – Adopted authority programs
  – Trigger programs
  – Work Management
  – Auditing configuration
  – Network attributes
  – Integrated File System
  – Over 70 reports

(8)

Privileged Access Control

Ensures compliance to industry guidelines on privileged users

Without careful control, privileged users can pose a risk to your system security. This tool enables the security administrator to reduce privileged accounts, with a mechanism to temporarily elevate privileges to users when needed.

• Option to change identity for troubleshooting, IFS access and object ownership requirements
• Fully audited
• Automated email notifications sent to distribution list when tool is invoked that includes a log of activities

(9)

Secure Administrator for SAP on IBM i

Eliminates sharing of powerful SAP administrator user profiles

SAP provided administrator user profiles are often shared leading to security exposures and ineffective auditing. Secure Administrator for SAP on IBM i addresses this exposure by providing a secure and auditable mechanism enabling multiple SAP administrators to utilize the same SAP administrator user profile without sharing the profile itself.

Benefits:

• SAP administrators now only need their IBM i user profile for SAP administrative tasks
• Provides the ability to effectively audit SAP administrator user profiles
• Limits access to authorized users
• SAP administrator user profiles no longer shared
• Interactive use of SAP administrator user profiles eliminated
• Manage multiple SAP installations (running on the same partition) from the same interactive session

[Figure: Before Secure Administrator for SAP on IBM i / After Secure Administrator for SAP on IBM i]

Commands:

• CRTSUDOENV and DLTSUDOENV: Create/delete the Secure Administrator environment
• GRTSIDSUDO and RVKSIDSUDO: Grant/revoke use of administrator functions for different SAP installations
• LSTSIDSUDO: List Secure Administrator environments and users that have access to each SAP installation
• SIDSUDO: Execute commands under the authority and environment of the specified SAP administrative user profile

(10)

Access Control Monitor

Monitor security deviations from application design

• Ad hoc or scheduled reporting to check and report on application objects that are out of corporate security policy standards, data classifications, or other security related configurations
• Prevents user application failures due to inconsistent access controls
• Monitors compliance of libraries, objects, and authorization lists

(11)

Network Interface Firewall for IBM i Exit Points

Reduces threat of unauthorized network access

Exit programs allow system administrators to control which activities a user account is allowed for each of the specific servers. This easy to use interface addresses the most commonly used network interfaces.

• Users denied by default for greater security
• Users allowed are added via menu
• Allow access through Group Profiles
• Restrict by IP Address
• Log only mode
• Current exit point coverage:
  – DRDA / DDM
  – IFS
  – FTP
  – ODBC/JDBC/File Transfer
  – REXEC
  – RMTCMD (honors LMTCPB!)
  – SQL CLI
  – TELNET* (*customization required)
  – Host Server (Multiple)
• Customization for additional network interfaces available

(12)

Audit Reporting

Security and user auditing management and analysis

• Work with QAUDJRN journal entries and statistics to understand the demographics that define your security operations.
• Easily view system and user auditing statistics to demonstrate to management and auditors that security violations are being observed and handled.
• Filter journal entries by:
  – User Profile
  – Date/Time
• Manage:
  – User object and action auditing values
  – Library/File/IFS object auditing
  – Auditing system values
  – Journal receivers
• Scheduler to automate actions and reports
• Quick Audit of Users

(13)

Certificate Expiration Manager (CEM)

Simplifies the management of digital certificates

• Maintains a log of all expiration activities
• Sends notification via eMail.
• Easy to use configuration GUI is included for managing the XML settings.
• Runs on any platform that supports Java.
• Prevent outages due to expired certificates

[Figure: sample certificate showing University of the Internet, Issue Date, Distinguished Name, Public Key, Expiration Date, Digital Signature of CA]

(14)

Password Validation

Enhanced protection through strict password criteria

• Checks the password to see if it contains:
  – The user profile itself
  – Any words from the customer defined dictionary of disallowed words
• Customization available for additional password validations.
• Assures the security administrator that passwords

[Flowchart: CHGPWD command is called; QIBM_QSY_VLD_PASSWRD exit program is automatically run; does password meet exit program requirements? NO: password is not changed, command returns message. YES: command completes, password is changed.]

(15)

Single Sign On (SSO) Suite

Simplify SSO implementation reducing help desk costs

Suite of tools sold individually or à la carte with or without implementation services:

Single Sign On (SSO) Suite for Domino

• Domino Synchronization
• DSAPI Plug-in

Single Sign On (SSO) Suite for EIM

• EIM CL Commands
• EIM Populator
• EIM Management Utility
• EIM Based Password Reset
• EIM Based CRTUSRPRF
• Windows AD Profile Synchronization

Password Synchronization Tool

Single Sign On (SSO) for SAP

An effective alternative to manual configuration

(16)

Encryption Suite

Simplify implementation of IBM i cryptographic capabilities

Set of procedures and techniques to simplify the implementation of cryptography using IBM i Operating System capabilities.

Choice of service provider:

• Cryptographic Services APIs
• Cryptographic Coprocessor

Field | SQL Type | DDS Type | Length | Index
Encrypted Data | BINARY | HEXADECIMAL | Multiple of 16 ≥ data length |
Key Version | CHARACTER | CHARACTER | ≤ 32 |
Initialization Vector | BINARY | HEXADECIMAL | 16 |
Hash | BINARY | HEXADECIMAL | 32 |
Masked Value | | | |

Consulting assistance:

• Application design
• Key management
• Custom procedures
• Tape encryption
• Cryptographic techniques
• Symmetric key encryption
• Asymmetric key encryption
• Secure hash
• Key exchange

Encryption applications:

• Data at rest
• Data in motion

Other Encryption Tools

• Cryptographic Support (CR1) Emulator Tool
• Credit Card Management

(17)

IBM i Security Services from IBM Systems Lab Services

1. IBM i Security Assessment

An experienced IBM i consultant will collect and analyze data using PowerSC Tools for IBM i. The engagement results in a comprehensive report with findings and recommendations for improved compliance and security remediation.

2. IBM i Single Sign On Implementation

SSO improves end user productivity and saves help desk costs. In this services engagement, an experienced IBM consultant will advise on SSO options and provide implementation assistance leveraging the SSO suite components of the PowerSC Tools for IBM i.

3. IBM i Security Remediation

An experienced IBM consultant will advise on best practices to address IBM i security and compliance issues. The consultant will provide remediation assistance leveraging the PowerSC Tools for IBM i.

4. IBM i Encryption Services

An experienced IBM consultant will advise on best practices to implement data encryption on IBM i leveraging the PowerSC Tools for IBM i Encryption Suite as appropriate. Tape Encryption implementation services are also available.

For more information on PowerSC Tools for IBM i offerings and services, contact:
Mark Even [email protected], 507-253-1313
Mike Gordon [email protected], 507-253-3477
Terry Ford [email protected], 507-253-7241

www.ibm.com/systems/services/labservices [email protected]

[email protected], 507-253-7241 Practice Leader, Security Services
