System i5 Security: What’s New, and What the Future Holds
May 15, 2006 Mary Lou Roberts
For lots of reasons, the push for IT to implement better and better system and data security continues to be at or at least near the top of the to-do list for most IT shops. While certain industries–financial services, healthcare, and government, for example–have been grappling with tightening up security for years, virtually all IT organizations today, regardless of size or industry, are being forced to take a closer look at just how secure their systems and data really are.
For one thing, the regulatory environment (SOX, HIPPA, PCI standards, to name just a few) are mandating many of the changes. For another, companies that may previously have run their systems as islands are now connecting to the Internet and Web-enabling those same applications. As these systems link to the wider outside world, new threats are possible. Further, the whole post-September 11 focus on security has heightened everyone’s awareness. We now understand all too well the cost of failing to imagine the possibilities of those who might seek to harm us, individually, corporately, or nationally.
Finally, talk with just about anyone you know and you’ll hear a first-hand, second-hand, or third-hand story of identify theft. Even those of us who have not been compromised directly (anyone out there smart enough to tap into someone’s bank account would certainly be smart enough to go after one bigger than mine), have probably had some indirect experience with data security issues. Just the other day, my bank sent me a new credit card with a new number, telling me that it was concerned that its data may have been compromised. As a result, the bank was replacing all cards.
Christopher Jones, marketing manager for Bytware, points to the number of high-profile security breaches that have been in the news, including those at Bank of America and Wells Fargo, that have heightened public awareness and concern and have made companies more attuned to how these concerns might affect customer confidence.
Another area that’s not getting enough attention from System i users, according to Jones, is the threat of viruses and malicious code. He points out that, increasingly, the System i is connected to client PCs and the Internet, and the system’s use as a file server and as a host for multiple operating systems with multiple partitions. “System i operators want their systems to be as secure and well maintained as possible,” he says, “and their concerns are evolving as well. But there is some lag between the real-world security needs and the reaction to those needs. The area where this lag is most significant is the virus threat. There is still this dangerous attitude that the System i is immune to viruses.”
But the security issue is larger than even this, and there’s every indication that security will continue to be a list-topper for a long time to come.
IBM has acknowledged heightened interest in security with a set of related enhancements to i5/OS V5R4. According to Jeff Uehling, chief technical engineering manager for System i5 security, the new features fall into three different primary categories. The first is the protection of iSeries objects. Uehling says that this category was made possible due to advancements in the hardware technology, and involves “putting a shield around the iSeries objects to protect them from a program that has been tampered with or patched. In previous releases, there was good protection for objects, but it required a system administrator to control it. Now this will be done automatically, and everyone will benefit.”
The second category involves intrusion detection. Uehling points out that the TCP/IP stack-based intrusion detection support in previous versions of OS/400 detected the same kinds of intrusions as it does in the new release, but previously it basically just threw those packets away without any notification at all. “The support we added in V5R4 allows us both to detect and to audit attacks that might be occurring on the system through the TCP/IP stack–things like scans and packets that are flowing into the machine that may have been tampered with. We are now able to audit the actual attack.”
The third category is cryptography and builds on the APIs that were released in i5/OS V5R3 to facilitate encryption of data. “What was lacking,” Uehling says, “was the ability to manage encryption keys. In V5R4, there is a new set of APIs that allows the system to manage the encryption keys for you and protect those keys with a ‘master key’ that adds a level of security over and above that of storing your encryption keys off in a database somewhere, unprotected.”
While the object protection enhancement is automatic, both the intrusion detection support and the cryptography support need to be enabled by the user. Uehling has no information yet on how many shops have done so and are using these features, but he notes that the security sessions that focused on topics like this at COMMON were heavily attended, indicating a significant amount of interest.
And there does seem to be little doubt that the interest is there. Uehling attributes this to several changes that have taken place in the past several years. “More and more customers are using our audit capabilities because they are being forced to by many of the regulations out there, such as SOX and HIPPA. In addition, encryption is becoming a very hot topic. These two issues are causing a pretty drastic change in the way our customers are doing things.”
John Vanderwall, CEO of SkyView Partners, concurs. “Whether it’s SOX or PCI, people are seeing deadlines or consequences (fines) for poor security implementation and they are realizing that spending money up front to fix things could potentially save them lots of money in the long run. Audit ‘findings’ are popping up all over and people don’t know exactly what to do. The first step is to find out what they don’t know by educating themselves.”
How are OS/400 shops–who are not known for having a wealth of excess technical resources in house–handling the increase in emphasis on security?
Uehling reports that some of the larger shops are adding or training security staff members, while others are reaching out to security consultants to help them. “Companies that have complex networking environments probably need outside help. The System i becomes more complicated to manage when you start loading Web applications onto the system and opening it to the Internet. But,” he adds, “when you compare it with other systems out there, it is still less costly to manage and easier to use.”
Vanderwall agrees that larger shops are likely to have some sort of information security team in place, typically made up of people from all implemented computing platforms within the company. In small- to medium-size shops, however, he typically finds administrators with very good intentions for addressing security issues who eventually realize that they probably can’t squeeze out the time to come up to speed on security and architect a solution. “That’s when they come to us,” he says. “In both large and smaller shops, we get asked for help when the realization hits that security affects not just a single application, but takes into account the entire system. They step back and it looks overwhelming and they go outside and ask, ‘Where do I start?'”
For all of the increased emphasis on security, the experts still see areas where some System i shops need to be more vigilant. According to Uehling, IBM still sees some percentage of customers who do not run at the highest levels of security. “We always recommend that customers change the setting to run at more secure levels. Certainly a lot of customers are moving that way, but we know that there are still many customers who do not, usually due to lack of resources of lack of understanding of the benefits.”
On a similar note, Carol Woodbury, president of SkyView Partners, says that she sees many OS/400 and i5/OS administrators who want to protect their data and to remove the excess authority that many (especially programmers) have. “To protect their data, they need to use object-level security. Over the years, that’s been touted as ‘too hard’ to accomplish. Well, that’s simply not true, and most users’ excess special authorities can also be removed. All you have to do is write a simple utility that adopts authority so they can continue to do their jobs. Yes, these things take planning, but we are helping our clients with those two issues all the time.”
What issues, services and product enhancements can we look for in the near future? While, as always, Uehling declined to outline any specific product plans for IBM, he did note that cryptography is a big area of concentration. “You will see some solutions coming in the future that will help customers more easily get their data encrypted. This is an area that IBM as a whole is very focused on, and there’s a lot of work going on in our research areas.”
Vanderwall agrees that the topic of encryption is hot and, while it’s not really a new topic, it’s starting to gain a lot of steam, due in part to the fact that Visa is starting to enforce its security standards and handing out fines with much more vigor. As a result, companies are trying to apply encryption technology more and more frequently.
Uehling also points to the increasing amount of work that IBM is doing to help customers with regulatory environments, including the development of security policies and assistance with audits. And, while he acknowledges that much of this work is currently done through Global Services and declines to offer specifics, he hints that, “There are some capabilities that we [Systems Group] can add to the systems that might help customers in these areas as well.”
In offering assistance with the development of policies, SkyView Partners is already on that bandwagon with a new product called Policy Minder, says Vanderwall, who notes that auditors are now driving the idea that security policies need to be written down and applied to each specific platform. Most people, he says, look puzzled when you ask them how the written security policy is applied to the iSeries, and they wonder what details they have to show to demonstrate implementation of the corporate security policy on the iSeries–and remain in compliance over time. Policy Minder helps with that process. “When the auditor comes knocking, asking questions about security policy, it’s a relief for IT to be able to run a report and show them current status,” Vanderwall explains. “Security policy is a huge topic and it’s the basis from which a good, solid foundation for security in general on an iSeries system begins.”
Uehling wraps up his discussion of System i security by noting that IBM is working closely with its security ISVs, which market a variety of products that “help with the audit capabilities of the system or build on the strengths of the iSeries built-in security via exit programs to add controls to networking capabilities. We work closely with them on where their products are going.”