Volume 5, Number 40 -- October 11, 2005

PowerTech Debuts ComplianceMonitor, Studies Security Practices


by Alex Woodie


PowerTech is gearing up to launch a new product aimed at helping iSeries shops demonstrate their security controls as a means of achieving regulatory compliance. PowerLock ComplianceMonitor, which is due for release in December, saves administrators time and effort by automating the collection and analysis of audit reports from multiple iSeries. In related news, the Kent, Washington, software company released its "State of iSeries Security" report for 2005, which details some troubling trends.

Like other tools in PowerTech's PowerLock suite of products, ComplianceMonitor builds on OS/400's rich collection of security capabilities and is designed primarily as a time-saving device for administrators faced with regulatory audits, according to PowerTech chief executive Bruce Leader. Putting together the reports needed to satisfy new regulations like Sarbanes-Oxley and HIPAA has become an "enormous burden" on companies, Leader says.

"In many organizations, the expertise does not exist to adequately assess the security status of iSeries servers," Leader says. "One of our goals in designing this product [ComplianceMonitor] was to make it easy for personnel who are not familiar with the iSeries to retrieve and interpret relevant audit information."

ComplianceMonitor helps overworked (or under-skilled) computer personnel by generating reports designed to satisfy the security audit components of regulations like Sarbanes-Oxley and HIPAA. These reports compare the OS/400 security settings of one or more iSeries servers against industry best practices, which are determined by PowerTech's OS/400 security experts, and which are largely based on standards like COBIT and ISO-17799.

A single command given from ComplianceMonitor's GUI can launch security assessments across multiple OS/400 servers, including user ID configurations and system values, and the results of these assessments can be tabulated into a single report output in PDF, Excel, or CSV formats. Alternatively, users can schedule the tool to collect audit data at night or during off-peak hours.

Less-skilled personnel can use a set of audit reports recommended by PowerTech, while advanced users can create their own reports. The tool, which PowerTech says can scale to hundreds of servers, includes functionality to group servers according to business needs. Users are also given the capability to set storage limits on the amount of audit data gathered and stored by the tool, and to compare audits from different points in time on the same report.

Regulatory compliance has been a fruitful area for PowerTech lately (as it has for other OS/400 security tool vendors), and ComplianceMonitor is the company's second recent offering aimed at helping OS/400 shops deal with audits, auditors, and auditing requirements. Last month the company launched PowerLock SecurityAudit version 2.0, which gave users access to an online tool called the AuditAdvisor that maps OS/400 security settings to COBIT and ISO-17799 standards, which some Big 4 auditors are relying on for regulatory compliance.

The big difference between ComplianceMonitor and the AuditAdvisor function is in how users access the tools and their reports. ComplianceMonitor offers a PC-based GUI, while AuditAdvisor is only available through SecurityAudit's green-screen interface. ComplianceMonitor also supports multiple servers and outputs reports in multiple formats, which makes the tool easier to use for people who aren't familiar with iSeries systems, company officials say. See "PowerTech Translates SOX Requirements Into iSeries Terms" for more on AuditAdvisor.

ComplianceMonitor was unveiled last month at the COMMON conference in Orlando, Florida. The product was scheduled to enter managed availability in November, with general availability following in December, company officials say. Pricing has not yet been set.

State of iSeries Security: 2005

In addition to launching ComplianceMonitor, PowerTech used the COMMON conference to showcase research the company has done in the area of real-world OS/400 security practices. The 15-page report, "State of iSeries Security 2005," details the results of security audit data gathered by PowerTech from 159 OS/400 shops running 181 iSeries machines between August 2004 and July 2005.

PowerTech's study looked at OS/400 security settings and practices in six key areas, including the use of powerful user profiles; passwords; object and file protections; network access controls; system auditing; and system security values. The results are not pretty, and back up the widely held consensus that many iSeries shops are failing to adequately secure their servers.

Among the most anxiety-inducing findings:

  • OS/400 shops average more than 60 user profiles with ALLOBJ authority, an "unacceptably high number"
  • 11 percent of all user profiles have default passwords, and more than 50 percent of systems have more than 20 user profiles with default passwords
  • virtually all iSeries users have access to data "far beyond their demonstrated need"
  • too many iSeries shops are "dangerously unaware" of the "wide open network access problem"
  • only one-third of iSeries shops use the audit journal, and only 10 percent use tools to sift through the volumes of data it generates

The news was not entirely bad, however. For example, PowerTech found that most iSeries shops were using either Level 30 or Level 40 security, with just a few using Level 20 or Level 50. Also, the company found that the majority of companies are requiring passwords with six digits or more (although nearly 60 percent of shops did not require a number in the password, a requirement that makes passwords harder to guess).
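To illustrate the kind of best-practice comparison ComplianceMonitor is described as automating, here is a small added Python example (not PowerTech's code) that evaluates the settings the article names, the count of ALLOBJ profiles, default-password profiles, the security level, password length and digit rules, and audit journal use, for several servers and tabulates the results into one CSV report. The threshold values and the per-server audit data are constructed assumptions for the example.

```python
import csv
import io

# Best-practice thresholds: the article names these settings, but the exact
# cut-off values below are assumptions for this example, not PowerTech's.
ALLOBJ_MAX = 10          # profiles with *ALLOBJ special authority
DEFAULT_PWD_MAX = 0      # profiles whose password equals the profile name
MIN_SECURITY_LEVEL = 40  # QSECURITY system value
MIN_PWD_LEN = 6          # QPWDMINLEN system value

# Constructed sample audit data for three servers (not real systems).
SAMPLE_AUDIT = [
    {"system": "PROD1", "allobj_profiles": 63, "default_pwd_profiles": 24,
     "QSECURITY": "40", "QPWDMINLEN": "6", "QPWDRQDDGT": "0", "QAUDCTL": "*NONE"},
    {"system": "DEV1", "allobj_profiles": 4, "default_pwd_profiles": 0,
     "QSECURITY": "40", "QPWDMINLEN": "8", "QPWDRQDDGT": "1", "QAUDCTL": "*AUDLVL"},
    {"system": "TEST1", "allobj_profiles": 12, "default_pwd_profiles": 3,
     "QSECURITY": "30", "QPWDMINLEN": "6", "QPWDRQDDGT": "1", "QAUDCTL": "*AUDLVL"},
]

def assess(record):
    """Return (check, observed, status) rows for one server's audit data."""
    checks = [
        ("ALLOBJ profiles", record["allobj_profiles"],
         record["allobj_profiles"] <= ALLOBJ_MAX),
        ("Default-password profiles", record["default_pwd_profiles"],
         record["default_pwd_profiles"] <= DEFAULT_PWD_MAX),
        ("QSECURITY", record["QSECURITY"],
         int(record["QSECURITY"]) >= MIN_SECURITY_LEVEL),
        ("QPWDMINLEN", record["QPWDMINLEN"],
         int(record["QPWDMINLEN"]) >= MIN_PWD_LEN),
        ("QPWDRQDDGT", record["QPWDRQDDGT"], record["QPWDRQDDGT"] == "1"),
        ("QAUDCTL", record["QAUDCTL"], record["QAUDCTL"] != "*NONE"),
    ]
    return [(name, seen, "PASS" if ok else "FAIL") for name, seen, ok in checks]

def compliance_report(records):
    """Tabulate every server's checks into a single CSV string."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["system", "check", "observed", "status"])
    for rec in records:
        for name, seen, status in assess(rec):
            writer.writerow([rec["system"], name, seen, status])
    return out.getvalue()

def failing_checks(records):
    """Map each system name to the list of checks it failed."""
    return {rec["system"]: [n for n, _, s in assess(rec) if s == "FAIL"]
            for rec in records}
```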

PowerTech chief executive Leader says the results of this year's study are consistent with last year's findings, and reflect what most iSeries shops would find if they audited their systems. Leader's main concerns, he says, are that "most organizations do not have appropriate IT controls in place to support the separation of duties required for security compliance."

This was the second such study conducted by PowerTech, which, one hopes, will continue the practice. PowerTech published its first "State of iSeries Security" last October (see "PowerTech Security Survey Says Most IT Departments Could Do Better").

To download the 2005 security study, go to PowerTech's Web site at www.powertech.com.


Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Four Hundred Stuff
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc. (formerly Midrange Server), 50 Park Terrace East, Suite 8F, New York, NY 10034