PowerTech Expanding Reach of Network Security Product

by Dan Burger

Perimeter security doesn't work. But wait. Don't unplug those firewalls and routers and throw them in the closet. You can't do without them. You do need perimeter security to build a good security model. But if that's the only kind of security you have, the fact is, there are tons of people getting inside of the firewall. And you need to let them in to do business. Trouble is, that pokes a lot of holes in the perimeter security model.

Security inside the firewall, at the host, should be a higher priority. That's where the important data is stored, and that's where, according to the statistics, 70 to 90 percent of security problems arise. You have how many employees and how many customers and suppliers at your company? And you trust how many of them with all the company's assets?

A lot of folks believe that all the security you need is built into OS/400, and the problem is that people are not using it. That's true, to a certain extent.

"It is theoretically possible to button down all the hatches with the tools available on OS/400 and get yourself really secure," says John Earl, vice president of PowerTech Group, a leading security software company in the OS/400 market. "The problem is that nobody actually does it. Why? Lots of time people are working with legacy code, stuff that's been around for a long time, or they are working with purchased applications. I don't know of a single purchased business application that comes with a security model that you just implement. They all come with pretty much wide-open security.

"If you are responsible for security on an iSeries box," Earl continues, "you are not being given any security models to work with from your business application provider. You have to use the menu security, or build your own." (For more on this topic see "Vendor-Inflicted Security Exposures," in the August 19 special security edition of The Four Hundred.)
As an example, Earl says, a J.D. Edwards package has approximately 13,000 objects that sit on OS/400. "Say a company has 2,000 users, and you have to figure out the security relationship between those 2,000 users and those 13,000 objects. The OS/400 tools will let you do that, if you want to spend the time and energy to re-architect your business software, understand what those various models do, and then apply an authority scheme to it," Earl says. That's not an indictment against object-level authority, he says, but unless it is built into an application from the start, it can become a very daunting task.

It's also true that a lot of applications--homegrown and off-the-shelf--were designed before people opened the AS/400 to the network. The risks are also different now than they were 20 years ago. It's made the job of nailing down security much bigger than it used to be. That's why, PowerTech says, a good set of tools is needed to handle that job.

At the COMMON fall 2003 conference and expo, which opens Sunday in Orlando, Florida, PowerTech will be demonstrating its newest product release, NetworkSecurity Version 4.7, and giving attendees a look at what the company has coming down the road.

NetworkSecurity Version 4.7 was announced in June. You can read a detailed report of the product in "PowerTech Seeks to Make Security Easy with NetworkSecurity 4.7." The beta version became available in July, and PowerTech is making it generally available now.

One of the highlights of NetworkSecurity Version 4.7 is a Dynamic Authority Manager, which allows administrators to restrict the number of people with powerful user profiles. It does this on the fly, so a manager can regulate more or less authority to a particular user at any time. An example would be a person who has one function that requires a high level of authority, but it is necessary to monitor and restrict how that authority is used.
It could be used, for example, with Query/400, where there is a level of exposure to a DB2 database.

Another feature that PowerTech is touting is Transaction Analyzer. It simplifies and consolidates the transaction data so it's easier to pick out specific transactions that need security rules.

At COMMON, PowerTech also will be demonstrating a WebFaced interface to network security. The company has had a GUI for iSeries Navigator (formerly known as Operations Navigator), but it will soon provide a more visual representation of features inherent in its network security products. This is specifically designed for network administrators and security officers who are unfamiliar with OS/400 and who don't know a thing about iSeries Navigator or a 5250 interface. It will present report information on network security in a more friendly format that can be interpreted in an Excel file, for instance. This GUI feature will be rolled out in Network Security 5.0, which is scheduled for a beta release in October and for general availability around the first of the year. Earl says the GUI will also be added to PowerTech's centralized administration tool--another tool designed for use by non-OS/400 administrators and security professionals--later in 2004.

PowerTech is also expanding its products that report security events and security settings to third-party consoles. These efforts are in place with the console management software produced by Tango/04 Computing Group, a PowerTech business partner in the OS/400 world. And although no other partnership arrangements have been made, Earl says this type of security reporting could work with other system management consoles as well.

Outside the OS/400 market, PowerTech has a partnership arrangement with Internet Security Systems.
That cooperative venture has led to a product, which becomes generally available this week, that sends security events to Internet Security Systems' Site Protector 2.0, a monitor of network appliances, network traffic, plus Windows and Unix boxes, used in many large organizations.

Although Earl says OS/400 systems administrators are the core group of PowerTech customers, the company is designing products to help network administrators and monitors who are responsible for active events that occur throughout the network--the people who watch over the multiple Windows, Unix, and Linux boxes.

"There is a hole for these people," Earl says, "because they cannot watch the OS/400 boxes. As you go into larger organizations, there is a mix of boxes, particularly in the Fortune 1,000 companies. The iSeries boxes are critical to core business functions, and there is a need to bring them into the security fold."

In the near future, Earl says, "Expect us to move in this direction with some other third-party console vendors outside the OS/400 world as well."
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.