
Stuff
OS/400 Edition
Volume 3, Number 43 -- November 4, 2003

New SkyView Software Assesses OS/400 Security Risks


by Alex Woodie

Carol Woodbury's security consulting firm, SkyView Partners, introduced new software last week designed to give companies a greater understanding of the security risks present in their OS/400 servers. The new product, Risk Assessor for OS/400, looks at the same settings that Woodbury, former IBM OS/400 security architect, would check in a client engagement, but it doesn't require her presence and can be run repeatedly, for $3,500 per logical partition.

Woodbury designed Risk Assessor for OS/400 to help users take a first step toward understanding and improving their OS/400 servers' security settings. "Security is one of those things administrators tend to run from because they never had anybody to explain it to them," says Woodbury, president and cofounder of SkyView, based in Seattle. "With Risk Assessor for OS/400, the goal is to give them the information they need to make a decision. We tell them why we think it's a problem and let them make a judgment."

When it's activated, Risk Assessor checks a variety of security-related settings in a partition of the operating system, including settings related to system values, user profiles, object authorities, TCP/IP settings, job descriptions, adopted authority, and more. After checking the values, it generates customized reports that assess the partition's security vulnerability. These reports, generated in rich text format, include a comparison of the company's security settings to industry best-practices, how the company's security settings could pose a risk, and potential actions the company could take to address the security risk. "It's the same assessment somebody gets if we were on-site," Woodbury says.

Risk Assessor's reports are heavy on education and information but go lightly on making firm recommendations, because there are so many variables that go into making the correct security-related decision for a particular company. "You can set the system to be the most secure server in the world, and it may not be usable for your particular business needs," Woodbury says. "A company may choose to accept the risk to have data viewable or updatable by users. That's their choice, but at least now they have the information to make an informed decision."

While there is no widely recognized standard on OS/400 security best-practices, Woodbury's knowledge and experience with the system give her an excellent sense of what best-practices are when it comes to OS/400 security. Besides her own experience, the best-practices-comparison feature of Risk Assessor relies on the practices advocated by the Computer Security Institute and the National Institute of Standards and Technology, Woodbury says.

One thing that Risk Assessor definitely does not do is make product recommendations. "We are neutral," Woodbury says. "They count on us to give them realistic and accurate advice. We're not trying to sell them another bit of software."

Woodbury and her partner, SkyView cofounder John Vanderwall, both have experience with OS/400 security tools and vendors. They worked together at PowerTech Group, an OS/400 security tool vendor near Seattle, before leaving to start SkyView about a year and a half ago. Woodbury left her position at IBM in 2000 to join PowerTech.

While SkyView and Risk Assessor do not recommend particular vendors' products, that doesn't mean OS/400 security tools don't have a place in an OS/400 shop with good security practices, Woodbury and Vanderwall say. There are three areas where security tools could be a key ingredient for strong security, Woodbury says: network security (exit points), auditing journal entries, and antivirus protection for OS/400 servers. Beyond that, a lot of what companies need to secure their OS/400 server, they can get from OS/400, Vanderwall says.

Vanderwall says that SkyView's position as a neutral party lends greater credence to its risk assessments, especially for auditors. When a company is working to comply with industry mandates, like HIPAA, GLBA, or the Sarbanes-Oxley Act, a security-risk assessment is typically required, and SkyView's Risk Assessor fits the bill, he says.

Risk Assessor is SkyView's first packaged product, and chances are good it will have a large impact on the business model of what has been, until now, a pure-play consultancy. One beta tester reportedly called the program "Carol in a can," an affectionate reminder that Woodbury's world-renowned OS/400 security expertise has been, in large part, digitized and productized. But the change will likely be positive, as a good percentage of companies that have purchased security-risk assessments have gone on to purchase Woodbury's security mitigation services, Vanderwall says. "We think it's going to drive services," he says.

Risk Assessor for OS/400 is available now. The product supports OS/400 V4R4 and later versions. SkyView has elected to price its software according to how many logical partitions it will run on. Pricing is $3,500 per partition; machines without logical partitioning (LPAR) are considered to have one partition. Annual maintenance is 15 percent. For more information, go to www.skyviewpartners.com.



Editor
Alex Woodie

Managing Editor
Shannon Pastore

Contributing Editors:
Dan Burger
Joe Hertvik
Shannon O'Donnell
Timothy Prickett Morgan

Publisher and
Advertising Director:

Jenny Thomas

Advertising Sales Representative
Kim Reed



Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.