Volume 15, Number 20 -- May 15, 2006

System i5 Security: What's New, and What the Future Holds

Published: May 15, 2006

by Mary Lou Roberts

For lots of reasons, the push for IT to implement better and better system and data security continues to be at or at least near the top of the to-do list for most IT shops. While certain industries--financial services, healthcare, and government, for example--have been grappling with tightening up security for years, virtually all IT organizations today, regardless of size or industry, are being forced to take a closer look at just how secure their systems and data really are.

For one thing, the regulatory environment (SOX, HIPAA, PCI standards, to name just a few) is mandating many of the changes. For another, companies that may previously have run their systems as islands are now connecting to the Internet and Web-enabling those same applications. As these systems link to the wider outside world, new threats become possible. Further, the whole post-September 11 focus on security has heightened everyone's awareness. We now understand all too well the cost of failing to imagine the possibilities of those who might seek to harm us, individually, corporately, or nationally.

Finally, talk with just about anyone you know and you'll hear a first-hand, second-hand, or third-hand story of identity theft. Even those of us who have not been compromised directly (anyone out there smart enough to tap into someone's bank account would certainly be smart enough to go after one bigger than mine) have probably had some indirect experience with data security issues. Just the other day, my bank sent me a new credit card with a new number, telling me that it was concerned that its data may have been compromised. As a result, the bank was replacing all cards.

Christopher Jones, marketing manager for Bytware, points to the number of high-profile security breaches that have been in the news, including those at Bank of America and Wells Fargo, that have heightened public awareness and concern and have made companies more attuned to how these concerns might affect customer confidence.

Another area that's not getting enough attention from System i users, according to Jones, is the threat of viruses and malicious code. He points out that the System i is increasingly connected to client PCs and the Internet, and is increasingly used as a file server and as a host for multiple operating systems running in multiple partitions. "System i operators want their systems to be as secure and well maintained as possible," he says, "and their concerns are evolving as well. But there is some lag between the real-world security needs and the reaction to those needs. The area where this lag is most significant is the virus threat. There is still this dangerous attitude that the System i is immune to viruses."

But the security issue is larger than even this, and there's every indication that security will continue to be a list-topper for a long time to come.

IBM has acknowledged heightened interest in security with a set of related enhancements to i5/OS V5R4. According to Jeff Uehling, chief technical engineering manager for System i5 security, the new features fall into three different primary categories. The first is the protection of iSeries objects. Uehling says that this category was made possible due to advancements in the hardware technology, and involves "putting a shield around the iSeries objects to protect them from a program that has been tampered with or patched. In previous releases, there was good protection for objects, but it required a system administrator to control it. Now this will be done automatically, and everyone will benefit."

The second category involves intrusion detection. Uehling points out that the TCP/IP stack-based intrusion detection support in previous versions of OS/400 detected the same kinds of intrusions as it does in the new release, but previously it basically just threw those packets away without any notification at all. "The support we added in V5R4 allows us both to detect and to audit attacks that might be occurring on the system through the TCP/IP stack--things like scans and packets that are flowing into the machine that may have been tampered with. We are now able to audit the actual attack."

The third category is cryptography and builds on the APIs that were released in i5/OS V5R3 to facilitate encryption of data. "What was lacking," Uehling says, "was the ability to manage encryption keys. In V5R4, there is a new set of APIs that allows the system to manage the encryption keys for you and protect those keys with a 'master key' that adds a level of security over and above that of storing your encryption keys off in a database somewhere, unprotected."

While the object protection enhancement is automatic, both the intrusion detection support and the cryptography support need to be enabled by the user. Uehling has no information yet on how many shops have done so and are using these features, but he notes that the security sessions that focused on topics like this at COMMON were heavily attended, indicating a significant amount of interest.

And there does seem to be little doubt that the interest is there. Uehling attributes this to several changes that have taken place in the past several years. "More and more customers are using our audit capabilities because they are being forced to by many of the regulations out there, such as SOX and HIPAA. In addition, encryption is becoming a very hot topic. These two issues are causing a pretty drastic change in the way our customers are doing things."

John Vanderwall, CEO of SkyView Partners, concurs. "Whether it's SOX or PCI, people are seeing deadlines or consequences (fines) for poor security implementation and they are realizing that spending money up front to fix things could potentially save them lots of money in the long run. Audit 'findings' are popping up all over and people don't know exactly what to do. The first step is to find out what they don't know by educating themselves."

How are OS/400 shops--who are not known for having a wealth of excess technical resources in house--handling the increase in emphasis on security?

Uehling reports that some of the larger shops are adding or training security staff members, while others are reaching out to security consultants to help them. "Companies that have complex networking environments probably need outside help. The System i becomes more complicated to manage when you start loading Web applications onto the system and opening it to the Internet. But," he adds, "when you compare it with other systems out there, it is still less costly to manage and easier to use."

Vanderwall agrees that larger shops are likely to have some sort of information security team in place, typically made up of people from all implemented computing platforms within the company. In small- to medium-size shops, however, he typically finds administrators with very good intentions for addressing security issues who eventually realize that they probably can't squeeze out the time to come up to speed on security and architect a solution. "That's when they come to us," he says. "In both large and smaller shops, we get asked for help when the realization hits that security affects not just a single application, but takes into account the entire system. They step back and it looks overwhelming and they go outside and ask, 'Where do I start?'"

For all of the increased emphasis on security, the experts still see areas where some System i shops need to be more vigilant. According to Uehling, IBM still sees some percentage of customers who do not run at the highest levels of security. "We always recommend that customers change the setting to run at more secure levels. Certainly a lot of customers are moving that way, but we know that there are still many customers who do not, usually due to lack of resources or lack of understanding of the benefits."

On a similar note, Carol Woodbury, president of SkyView Partners, says that she sees many OS/400 and i5/OS administrators who want to protect their data and to remove the excess authority that many (especially programmers) have. "To protect their data, they need to use object-level security. Over the years, that's been touted as 'too hard' to accomplish. Well, that's simply not true, and most users' excess special authorities can also be removed. All you have to do is write a simple utility that adopts authority so they can continue to do their jobs. Yes, these things take planning, but we are helping our clients with those two issues all the time."
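As an added illustration of the "simple utility that adopts authority" Woodbury describes (example code written for this article, not SkyView's or IBM's): a CL program owned by a profile that holds *JOBCTL and compiled with USRPRF(*OWNER), so an operator whose own *JOBCTL special authority has been removed can still end a job. The library UTILLIB, owner profile UTILOWNER and group profile OPERATORS are assumed names.

```cl
/* ENDJOBA - end a job on behalf of a caller who no longer holds *JOBCTL.  */
/* Example only. UTILLIB, UTILOWNER and OPERATORS are assumed names.       */
/* Build and lock down the program (UTILOWNER holds *JOBCTL; callers only  */
/* need *USE on the program object, not the special authority itself):     */
/*   CRTCLPGM  PGM(UTILLIB/ENDJOBA) SRCFILE(UTILLIB/QCLSRC) +               */
/*             USRPRF(*OWNER) AUT(*EXCLUDE)                                  */
/*   CHGOBJOWN OBJ(UTILLIB/ENDJOBA) OBJTYPE(*PGM) NEWOWN(UTILOWNER)          */
/*   GRTOBJAUT OBJ(UTILLIB/ENDJOBA) OBJTYPE(*PGM) USER(OPERATORS) AUT(*USE)  */
/* Keep the body short and call no user-supplied commands: adopted          */
/* authority flows to everything this program calls.                        */
             PGM        PARM(&JOBNAME &JOBUSER &JOBNBR)
             DCL        VAR(&JOBNAME) TYPE(*CHAR) LEN(10)
             DCL        VAR(&JOBUSER) TYPE(*CHAR) LEN(10)
             DCL        VAR(&JOBNBR)  TYPE(*CHAR) LEN(6)
             DCL        VAR(&CALLER)  TYPE(*CHAR) LEN(10)

             /* Record who invoked the utility (job user, not the owner). */
             RTVJOBA    USER(&CALLER)

             /* Narrow the adopted power: never end security officer or   */
             /* system jobs, even though the owner could.                  */
             IF         COND(&JOBUSER *EQ 'QSECOFR' *OR &JOBUSER *EQ 'QSYS') +
                        THEN(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                           MSGDTA('ENDJOBA: ending jobs of user' *BCAT +
                                  &JOBUSER *BCAT 'is not permitted') +
                           MSGTYPE(*ESCAPE)
             ENDDO

             /* The ENDJOB itself runs with the owner's *JOBCTL adopted.  */
             ENDJOB     JOB(&JOBNBR/&JOBUSER/&JOBNAME) OPTION(*IMMED)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                           MSGDTA('ENDJOBA: ENDJOB failed for job' *BCAT +
                                  &JOBNAME *BCAT 'requested by' *BCAT &CALLER) +
                           MSGTYPE(*ESCAPE)
             ENDDO

             /* Completion message leaves a trail in the caller's job log. */
             SNDPGMMSG  MSG('ENDJOBA: job' *BCAT &JOBNAME *BCAT +
                            'ended at request of' *BCAT &CALLER) +
                        MSGTYPE(*COMP)
             ENDPGM
```

Pair the program with object auditing on UTILLIB/ENDJOBA (CHGOBJAUD) if the security audit journal is in use, so each invocation is recorded centrally and not only in the caller's job log.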

What issues, services and product enhancements can we look for in the near future? While, as always, Uehling declined to outline any specific product plans for IBM, he did note that cryptography is a big area of concentration. "You will see some solutions coming in the future that will help customers more easily get their data encrypted. This is an area that IBM as a whole is very focused on, and there's a lot of work going on in our research areas."

Vanderwall agrees that the topic of encryption is hot and, while it's not really a new topic, it's starting to gain a lot of steam, due in part to the fact that Visa is starting to enforce its security standards and handing out fines with much more vigor. As a result, companies are trying to apply encryption technology more and more frequently.

Uehling also points to the increasing amount of work that IBM is doing to help customers with regulatory environments, including the development of security policies and assistance with audits. And, while he acknowledges that much of this work is currently done through Global Services and declines to offer specifics, he hints that, "There are some capabilities that we [Systems Group] can add to the systems that might help customers in these areas as well."

In offering assistance with the development of policies, SkyView Partners is already on that bandwagon with a new product called Policy Minder, says Vanderwall, who notes that auditors are now driving the idea that security policies need to be written down and applied to each specific platform. Most people, he says, look puzzled when you ask them how the written security policy is applied to the iSeries, and they wonder what details they have to show to demonstrate implementation of the corporate security policy on the iSeries--and remain in compliance over time. Policy Minder helps with that process. "When the auditor comes knocking, asking questions about security policy, it's a relief for IT to be able to run a report and show them current status," Vanderwall explains. "Security policy is a huge topic and it's the basis from which a good, solid foundation for security in general on an iSeries system begins."

Uehling wraps up his discussion of System i security by noting that IBM is working closely with its security ISVs, which market a variety of products that "help with the audit capabilities of the system or build on the strengths of the iSeries built-in security via exit programs to add controls to networking capabilities. We work closely with them on where their products are going."


RELATED ARTICLE

V5R4 Security: Rochester Rests Not on Its Laurels, Part 1



Sponsored By
NUBRIDGES

Take Control of Securing Your Transactions

Take control of any secure FTP process with the most comprehensive FTP client/server solution available. truExchange FTP offers solid security, an abundance of encryption options and unmatched firewall navigation capabilities to give you total control of the way you exchange FTP transactions. truExchange FTP allows you to automate, control and manage FTP processes with any remote FTP server, as well as manage your internal FTP processes.

truExchange FTP's command-driven interface for FTP client scripting makes it possible to automate any FTP process through one script that includes user defined recovery within the session. The FTP Server can either replace, or run next to, the native iSeries server. The difference is that unlike the native server, truExchange FTP provides host-based control for file naming, formatting tracking, automatic application processing and features that allow you to run your FTP processes while allowing your iSeries to be as secure as possible.

truExchange FTP is perfect for connecting to EDI VANs, EDI trading partners, banks and other financial organizations, as well as healthcare-related organizations that are mandating HIPAA compliance. Also compliant with Sarbanes-Oxley requirements, the software offers add-on encryption bundles that keep transmitted information secure, which is critical for organizations trying to protect their own data as well as guarantee security to customers and partners.

At nuBridges, security is a key component in the design and delivery of our solutions and services. Businesses that rely on digital exchanges depend on secure, reliable connections. That's why we take security so seriously. nuBridges' security software locks down information at every level in the pipeline.

Encryption Bundles
Encryption is a popular and effective method for providing security over the Internet. The encryption process alters data so only the intended recipient can read or use it. The recipient of the encrypted data must have the proper decryption key and program to decipher the data back to its original form. With the most encryption options in the market, our solutions protect businesses from losing valuable information and keep it out of the hands of intruders. Our AS3 certification validates our approach to enhanced features such as built-in support for firewall navigation.

Do you need S/MIME (Secure/Multipurpose Internet Mail Extensions) to provide encryption and digital signatures for Internet mail messages? Perhaps SSL/TLS (Secure Sockets Layer/Transport Layer Security) provides the encryption you want to secure message transmissions between two applications. The standard for a number of organizations, most notably financial services and healthcare, is PGP (Pretty Good Privacy). And SSH (Secure Shell) encrypts all traffic through secure tunnels between companies and their trading partners. Whatever encryption method suits your particular requirements, truExchange products offer the broadest range of options available.

About PGP and SSH
Written and ported specifically for the iSeries platform, truExchange PGP offers the same capabilities found in PGP Corporation's product line, but it has the look and feel that iSeries users expect. Many organizations adopt PGP as their encryption standard to secure confidential and critical transactions.

Offering customers the quickest, most cost-effective solution for implementing SSH on the iSeries platform, truExchange SSH fits directly into any environment. Our solution eliminates the need to understand encryption, easily addresses critical customer security mandates and provides immediate ROI.

Whether transacting with a financial services firm, complying with multiple mandates or connecting with your trading partners, nuBridges' FTP solution offers the one solution to fit your needs.

Contact nuBridges or visit our Web site.



Editor: Timothy Prickett Morgan
Contributing Editors: Dan Burger, Joe Hertvik, Shannon O'Donnell,
Mary Lou Roberts, Victor Rozek, Kevin Vandever, Hesh Wiener, Alex Woodie
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed


Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034