SkyView Updates Policy Minder for i5/OS
Published: November 28, 2006
by Alex Woodie
One of the challenges of securing an iSeries or System i machine is that things rarely stay the same for long. Just as you think you have all the security settings nailed down against a solid policy, along come another thousand objects, user profiles, libraries, and commands to contend with. With the release of Policy Minder version 1.2 from SkyView Partners, former IBM OS/400 security architect Carol Woodbury has provided an automated way to keep these new items from escaping your watchful eye.
SkyView Partners first launched Policy Minder about a year ago to help OS/400 and i5/OS shops make sure they're following their own security policies and to quickly fix items that are out of compliance. The product is similar in some ways to another SkyView product, called Risk Assessor, which also checks security settings but then goes a step further to compare the user's security posture against industry best practices and to make recommendations on fixing them.
Policy Minder uses a template-based configuration process that also helps a company sketch out a basic security policy based on its current settings, if it doesn't already have a formal security policy. If it does have a formal policy, the tool creates a baseline of those settings so it can see how they change over time. In either case, the administrator tells Policy Minder where and what to check during this initialization phase.
Once the initialization is complete, the real work of Policy Minder kicks in. With the click of a button, Policy Minder scours an AS/400, iSeries, or System i for any changes or violations of the initial security policy. As the product runs, it checks a range of OS/400 settings against the templates, including: user profiles; libraries, objects, and directory authorities; system values; adopted authority; command authorities; exit points; file shares; TCP/IP servers; user-created objects in QSYS; job descriptions; and authorization lists. When this job ends, the product generates a report in PDF format or as an output file or streamfile.
However, there was a hitch with this technique: As a system grows and applications are loaded or changed, those templates and baselines generated in the initialization phase become obsolete, according to Woodbury, president and co-founder of Seattle-based SkyView.
"The new release of Policy Minder goes to the heart of a problem that I see so often with our consulting customers. I spend a lot of time developing procedures for dealing with increasing numbers of profiles, libraries, objects, and directories that suddenly appear," Woodbury says. "With the new release of Policy Minder, it's very easy to discover new items that appear on the system, whether it's a new user profile, vendor-installed libraries and commands, or objects added to system libraries or an application library by developers."
With Policy Minder 1.2, the product can now automatically identify new user profiles, directories, libraries, and objects that appear on a system, so administrators don't have to manually add them, which would be an overwhelming task, especially on large boxes. The feature is controlled by toggling the "allow new XXX" setting in the templates, where XXX corresponds to profiles, directories, libraries, and objects.
There are many uses of the new feature. For example, to discover when a new library has been created on the system, a user can create a library template that includes all libraries and sets the "allow new libraries" setting to "no." From that point on, any new library created after taking an initial baseline check will be identified, SkyView says.
The company says other potential uses include: creating a template for the objects in QGPL to discover what programmers are placing in the library; creating a template for all user profiles having *ALLOBJ special authority to discover any new powerful profiles that get created or changed; creating a template for the root (/) directory to discover newly created directories; and identifying new items and cross-referencing these with the HA system to ensure the HA replication process is working as expected. The feature can also be used to streamline the migration to a new system by identifying new objects being created on the existing system so they can also be duplicated on the new system until the cut-over.
One Policy Minder user finding benefits from the new detection facilities is Contrans, a Canadian logistics company. "We run Policy Minder on a weekly basis to ensure that our applications stay properly secured," says Kim Barnes, IS manager for Contrans. "This new release will help us even more, by quickly identifying new objects--particularly new profiles that have been created or changed to have *ALLOBJ special authority. Now these profiles have no chance of going unnoticed."
The new functionality was used during the testing phase in ways SkyView didn't expect, Woodbury says. "We are seeing them use it to document exceptions to policies, discover newly created or changed programs that adopt authority, and monitor authorities to restricted commands," she says. "This release is helping our customers cut down the amount of time spent on compliance duties as well as everyday security configuration verification to a very manageable level."
SkyView Policy Minder 1.2 is set to ship on November 30. The software works with OS/400 V5R1 and higher, and will range in price from $3,495 to $7,495; these prices are set to increase by $500 in 2007. For more information, visit www.skyviewpartners.com.