Volume 14, Number 29 -- July 25, 2005

Is Security the First Step Toward Regulatory Compliance?


by Mary Lou Roberts


Companies everywhere are spending more and more of their time and budget to plan, analyze, install software tools, and write code in order to meet the burgeoning stack of regulatory compliance mandates and standards. As reported by The Four Hundred three weeks ago, iSeries ISVs of all types are dedicating much of their efforts (in one case, 100 percent) to enhancing product offerings in ways that are directly related to compliance issues.

The results of these efforts--at least in terms of the number of products on the market that promise to help IT shops ease the path to compliance--are evident. There's nary a vendor Web site that doesn't offer a "compliance pill" of some sort. And few and far between are the vendors who have not published at least one (and often a series) of white papers to boost their own credibility on the issue and to steer current and potential customers toward their solutions. Google "iSeries SOX" and you'll come up with 40,200 hits. Google "SOX" and you'll get 11,800,000. And SOX is only one (albeit a big one) of the many regulatory compliance mandates facing today's post-Enron, post-September 11, compliance-nervous companies.

Naturally, the approaches vary--often depending on the industry and the key drivers. To be sure, the high-availability vendors are enjoying a heyday as a result of the rush to meet external and internal mandates and service-level agreements. "We hear from IBM that 10 to 15 percent of its iSeries customers are going to high availability solutions," says Rick McNees, vice president of marketing for Lakeview Technology, "and much of that business is being driven by regulatory or compliance obligations." McNees also reports that one of their strategic partners expects 6 percent of the servers it ships to be for high availability clustering, while another partner reports that number to be 12 percent. "We clearly see that our customers are implementing high availability because they can better manage a state of readiness in an HA environment."

But across the board, there seems to be some agreement that security is the first step towards and the mainstay of compliance. Without it, compliance cannot be achieved.

The real first step, argues Paul Culin, director of professional services for Bsafe Solutions, is the audit. "Before security can be implemented, you must first determine the factors that allow users to access production data. Users and groups with special authorities must be identified, as well as programs that adopt authority. It is also vital to identify any IP access to the machine. Transactions facilitated via FTP, ODBC, and RMTCMD can be highly autonomous because there is no discernible audit trail--and you cannot be compliant without an audit trail."
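The audit Culin describes starts with an inventory of who holds special authorities (directly or through a group profile) and which programs adopt their owner's authority. The following is an added example, not code from the article or from any vendor it mentions; it runs over a constructed inventory with made-up profile and program names and flags the entries an auditor would review first.

```python
from dataclasses import dataclass

HIGH_RISK_SPCAUT = {"*ALLOBJ", "*SECADM", "*AUDIT", "*SERVICE"}  # bypass or administer object security

@dataclass(frozen=True)
class UserProfile:
    name: str
    group: str                 # group profile name, or "*NONE"
    special_auth: frozenset    # special authorities granted directly to this profile

@dataclass(frozen=True)
class Program:
    name: str
    library: str
    owner: str
    adopts_owner: bool         # True when the program was created with USRPRF(*OWNER)

def effective_special_auth(user, profiles):
    """Direct special authorities plus those inherited from the user's group profile."""
    auth = set(user.special_auth)
    if user.group in profiles:
        auth |= profiles[user.group].special_auth
    return auth

def audit_findings(users, programs):
    """Return (kind, name, risky_authorities) for profiles and adopting programs to review."""
    profiles = {u.name: u for u in users}
    findings = []
    for u in users:
        risky = effective_special_auth(u, profiles) & HIGH_RISK_SPCAUT
        if risky:
            findings.append(("USER", u.name, sorted(risky)))
    for p in programs:  # an adopting program hands its owner's authorities to every caller
        if p.adopts_owner and p.owner in profiles:
            risky = effective_special_auth(profiles[p.owner], profiles) & HIGH_RISK_SPCAUT
            if risky:
                findings.append(("PROGRAM", f"{p.library}/{p.name}", sorted(risky)))
    return findings

SAMPLE_USERS = [  # constructed sample inventory; profile names are made up for illustration
    UserProfile("QSECOFR", "*NONE", frozenset({"*ALLOBJ", "*SECADM", "*AUDIT"})),
    UserProfile("APPOWNER", "*NONE", frozenset({"*ALLOBJ"})),
    UserProfile("SECGRP", "*NONE", frozenset({"*SECADM"})),
    UserProfile("MJONES", "SECGRP", frozenset()),           # inherits *SECADM via the group
    UserProfile("OPER", "*NONE", frozenset({"*JOBCTL", "*SAVSYS"})),
]
SAMPLE_PROGRAMS = [  # constructed; PAYUPD adopts APPOWNER's *ALLOBJ for anyone who can call it
    Program("PAYUPD", "PAYLIB", "APPOWNER", True),
    Program("PAYRPT", "PAYLIB", "APPOWNER", False),
]
```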

Chris Jones, marketing manager for Bytware, believes that, while security and related software solutions are key components of compliance, the overriding element that will bring about success is the creation and implementation of sound internal procedures. The impression one gets from reading the IT media, he says, is that Sarbanes-Oxley is a technology-focused act. However, "in reality, only portions of SOX relate to technology. The central key is human behavior. Companies need to assess the atmosphere of their organizations as part of laying the foundation for compliance. Inadequate processes and lax corporate atmospheres will ultimately undo any technological solutions that are put into place."

John Earl, chief technology officer for The PowerTech Group, argues that security and monitoring are the necessary first steps. Only after a company has a basic security policy in place that addresses who can read, change, and delete data will it be able to address "the more nuanced privacy issues. First you have to secure the data, and then you have to monitor to prove to yourself and your auditors that you got it right."

Of course, when addressing compliance specifically, how critical security is depends on the standards or regulations that are key to the customer. As Carol Woodbury, co-founder of SkyView Partners, points out: "SOX is first and foremost about financial information, so security becomes just something that's on the checklist. If you are talking about Payment Card Industry compliance in the credit card industry, that's all about data security."

Jones points out, though, that, "While 'security' is the buzzword in SOX marketing, 'privacy' is more the spirit of the act in the area of protecting individuals. There's also the more important facet of forcing accountability in fiscal affairs, which is what brought the whole thing on in the first place--but that seems to be largely lost in tech discussions. That said, the same processes that provide strong security protection will also provide strong privacy protection. There may be a distinction between the two, but the methodologies in addressing each are similar."

Security and privacy are, of course, closely related, but too often confused. Earl considers privacy to be a subset of security. "Proper security handles who can change and delete data, and it monitors what has been done. Who can or has read data is a matter of both privacy and security."

"You can't have privacy without security," according to Woodbury. "But just because you have security does not guarantee privacy. Privacy is not exposing data that should remain private. Security is looking at architecture and access and preventing access from unauthorized individuals. In other words, you may have authorized access to data, but you still shouldn't be able to see a Social Security number. Security and privacy go hand in hand, but they are really different disciplines."

Bytware's Jones adds, "The additional step [beyond security] in the area of privacy involves procedures on how personal data is handled and shared--for example, providing data to a third party for marketing purposes, or unnecessarily collecting social security numbers, and whether access to personal data is open to too many people within the organization, or limited to those who really need access. But this additional step is a cultural issue, not a technological one. Technology can be used to enforce policies, but it can't create them."


If security and its sister, privacy, are in any sense the backbone of the creation of a regulatory-compliant organization, it appears that iSeries shops still have a great deal of work to do.

"Not many are very far along at all," says Earl. "We estimate that fewer than 4,000 iSeries customers have done any kind of serious security work on their systems, and I can count on one hand the number of customers that have dealt with privacy separately from security."

John Vanderwall, CEO and co-founder of SkyView Partners, agrees. "I'm sure all iSeries shops have some sort of privacy statement, but how many actually do something to keep data private is another story."

Jones hesitates to offer a definitive answer to the question of how far along iSeries shops are on the road to securing their data, but he does say, "My feeling is: not as far along as they need to be." Take viruses as an example. "Over the past year or so we have seen a move by virus writers to target vertical markets, including financial markets," says Jones. "iSeries shops still don't take seriously the threat of viruses. They believe they do not need to protect themselves and think that having anti-virus software on their PCs is sufficient. However, a virus can easily store itself on the iSeries and use the server as a safe haven from which to continually reinfect the PCs that connect to the iSeries. We've seen iSeries shops go down for three days and lose 25,000 files at the hands of a virus. The threat is absolutely real."

There is good reason for user confidence in the iSeries, Jones explains, because of the platform's long history of solid security. But that history has left iSeries shops less willing than companies running other platforms, such as Windows, to accept that threats exist. He cautions that the iSeries is no longer isolated: interconnectivity and online access have become the norm in iSeries shops, and they bring real risk with them.

The inherent capabilities of the iSeries and OS/400 may be both a blessing and a curse. The internal security and reliability features of the iSeries are some of the reasons that the platform has its strong following and loyal customer base.

PowerTech's Earl notes that the iSeries reputation for being a secure platform may be lulling some iSeries users into a false sense of satisfaction with the status quo. "Too many iSeries customers are lulled into the belief that the iSeries is in some magical way already secure and that they don't have to do any independent effort relative to security," he believes. "Unfortunately for them, the auditor group and the security group in their companies are saying, 'Sure you are secure. Now prove it,' and most iSeries people just don't know where to start."

Randy Shaw, director of operations for Goering iSeries Solutions, praises the inherent object-level security of the iSeries as "nearly bulletproof, if implemented properly." He cautions, however, that the vast majority of applications that run on the iSeries do not allow security to be implemented beyond menu-level security. Shaw also praises the soundness of the iSeries platform for security. "It is the processes and the maintenance of those processes that dictate the viability of security measures. Being able to create groups and customized individual security levels goes a long way towards justifying OS/400 as a stable platform for implementing security and privacy procedures."

iSeries customers shouldn't take too much for granted. "The tools that you need are available. People are under the impression that OS/400 is inherently secure, when in fact, it is really securable--but not secure out of the box," Woodbury explains.

Earl points out that the iSeries is very good in the areas of security, user authentication, and auditing. "There are some great security mechanisms both in OS/400 and those enabled by third-party tools such as PowerLock. The Security Audit Journal is just a gem when it comes to doing deep dives on what actually happened on your system, even though the volume of data can be a little intimidating if you are trying to tackle it on your own. And the Single Sign-On architecture that uses Kerberos and EIM is really world class when it comes to authenticating users and simplifying password management. There is much about OS/400 security to recommend it to customers."

On the privacy side, however, Earl believes there's more work to do. "OS/400--or really DB2/400--is doing a little catch up. Encrypting hyper-sensitive pieces of information is becoming a repetitive customer requirement, even though it is extraordinarily difficult to implement technically--and twice as difficult to retrofit. Privacy initiatives such as the California Privacy Act (and similar acts that 14 other states passed this year), the Payment Card Industry requirements, HIPAA, and so forth are going to drive customers to encrypt data. This will probably happen over the screaming of iSeries programmers and administrators--but it's going to happen."

And what about security within those pesky applications? That's "where the real monstrous problems" lie, says Earl. "iSeries application vendors have almost universally ignored security when building and deploying their software packages, putting their customers' data at risk. This is hurting the growth and livelihood of the platform. Somehow we have to help these people understand that security is their concern too."

Shaw stresses the duty of companies to protect the data that they are responsible for. "Information is power. That power must be carefully managed or it will be taken away by those who provide the data. Companies that don't protect their customers' information will be shunned by those that are tired of having their financial and personal information abused."

"The weak link in the iSeries security chain is management that fails to recognize or take seriously the need or the threat, because the tools are there and they are solid and reliable," Jones concludes. "But iSeries vendors cannot guarantee compliance when the corporate culture hasn't been addressed and put into proper order. A lot of SOX is cultural, and organizations should view technology as an important tool--not an elixir."


RELATED STORY

iSeries ISVs Make Big Investments in Regulatory Compliance


Mary Lou Roberts, a 35-year veteran of the information systems industry, is a new contributor to IT Jungle. In addition to her work as a reporter in the iSeries space, she has spent her career as a marketing and communications professional working exclusively with information technology publications and companies. She can be reached at WriterNewf@aol.com.



Editor: Timothy Prickett Morgan
Contributing Editors: Dan Burger, Joe Hertvik, Shannon O'Donnell,
Victor Rozek, Kevin Vandever, Hesh Wiener, Alex Woodie
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed



Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc. (formerly Midrange Server), 50 Park Terrace East, Suite 8F, New York, NY 10034