PowerTech Tools Build Trust By Decreasing Authority
April 24, 2007 Alex Woodie
It’s 7 p.m., and all your users are supposed to be logged off the system, but do you know where your security officer is? While you trust your security officer to hold the keys to the i5/OS kingdom, today’s regulatory environment simply doesn’t permit all-powerful users to traverse corporate IT systems unseen and unmonitored. A new release of PowerTech Group’s AuthorityBroker gives i5/OS shops the capability to monitor the monitors, and get back into the good graces of the auditors.
AuthorityBroker helps i5/OS and OS/400 shops lessen the need for users to run with profiles granting them special authorities, such as All Object (ALLOBJ), Spool Control (SPLCTL), and Job Control-System Operator (JOBCTL). While these special authorities are at times necessary to accomplish given tasks on iSeries and System i servers, such as loading a new program, initiating a system save, or configuring network access, they are overkill for day-to-day usage and pose a security risk to organizations.
AuthorityBroker decreases the security risk and gets iSeries shops on the track to regulatory compliance by setting up separate user profiles that users can adopt for short periods of time. When a user needs a special authority to accomplish a task, they can go into AuthorityBroker and swap into a “switch” profile, which temporarily gives them the special authority. In this way, users don’t need the special authorities in their everyday profile, which lessens security risks. It also helps implement separation of duties, which is necessary for SOX compliance.
With version 3.1, PowerTech has made it easier for organizations to integrate AuthorityBroker into their existing environments, and to initiate other business processes when a profile swap or release occurs. The new integration points enable a customer to run a program of their choice immediately before or after a profile swap is executed. Programming skills are not necessary, but can be utilized, and a recompile is required. Sample code is provided to get users started.
The customization offers numerous benefits. For example, the new capability could be used to associate a library list with a powerful user profile when a swap or release is executed, giving a programmer access to the objects he needs to get his job done while logged on using the powerful user profile. Alternatively, the functionality could be used to change an accounting code when a swap is performed, keeping billable hours in line with actual job duties performed.
The integration points could also be used to automatically distribute reports detailing the activities of users when they’re logged in as powerful users, says John Earl, PowerTech’s chief technology officer.
“This allows them to get notifications that I’ve become QSECOFR, and while John was QSECOFR, here’s exactly what he did,” Earl says. “The big story is, everything I do now is done under the light of day. The security officer is the most knowledgeable and powerful user, but nobody knows what they’re doing, and this is why auditors have a problem.”
Too many OS/400 and i5/OS shops have too many users with powerful authorities, Earl says. “PowerTech’s recently released ‘State of System i’ study showed that the average number of user profiles with *ALLOBJ authority on a System i server is 82,” he says. “Companies can fix this exposure with AuthorityBroker.”
The new integration points could also be used to verify that a valid call ticket has been implemented correctly, or to require a manager’s approval before allowing a swap to continue, according to PowerTech. Better tracking of AuthorityBroker use was started last year when PowerTech unveiled the new emergency access “FireCall” feature with version 3.0, which was aimed at empowering helpdesk personnel to grant higher authority levels.
Version 3.1 also brings new “job spawn” tracking capability. In the past, it could be difficult to attribute certain batch jobs, or jobs started under Q shell, to the user and the user profile responsible for starting the job, Earl says. With this release, AuthorityBroker can more accurately track these types of jobs.
AuthorityBroker puts controls in place for the eight special authorities in OS/400 and i5/OS, including Security Admin (SECADM), Network Services (IOSYSCFG), Audit Rights (AUDIT), Hardware Administrator (SERVICE), Backup Operator (SAVSYS), JOBCTL, SPLCTL, and the big one, ALLOBJ.
AuthorityBroker is fully logged and tracks all switches through an audit trail. The software also generates reports on switch activity, and can be set up to automatically send e-mail notifications when users swap into their powerful “switch” profile.
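To make the mechanism described above concrete, here is an added illustration, written for this page in Python, of how a privilege broker of this kind works: a user swaps into a separate “switch” profile only after a ticket check, hooks run before the swap and after the release (the integration points), the session is time-limited, every swap, release and denial lands in an audit trail, and a simple report flags swaps outside business hours. This is not PowerTech’s code and does not model its real interfaces; the class name, the SWQSECOFR switch profile, the CHG- ticket format and the 30-minute limit are all constructed assumptions.

```python
"""Model of a least-privilege broker for i5/OS-style special authorities.

Hypothetical example: it illustrates the swap/release pattern, not any
vendor's product. All names and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Set

# The eight i5/OS special authorities the article lists.
SPECIAL_AUTHORITIES: Set[str] = {
    "*ALLOBJ", "*SECADM", "*IOSYSCFG", "*AUDIT",
    "*SERVICE", "*SAVSYS", "*JOBCTL", "*SPLCTL",
}


@dataclass
class SwitchProfile:
    """A powerful profile a user may adopt temporarily (constructed)."""
    name: str
    special_authorities: Set[str]


@dataclass
class AuditEvent:
    when: datetime
    user: str
    action: str            # SWAP, RELEASE, EXPIRE or DENIED
    switch_profile: str
    detail: str = ""


@dataclass
class Session:
    user: str
    switch_profile: str
    started: datetime
    ticket: str


class PrivilegeBroker:
    """Hypothetical broker: swaps are ticketed, hooked, time-limited and logged."""

    def __init__(self, profiles: Dict[str, SwitchProfile],
                 ticket_is_valid: Callable[[str], bool],
                 pre_swap: Optional[Callable] = None,
                 post_release: Optional[Callable] = None,
                 max_minutes: int = 30) -> None:
        for p in profiles.values():
            unknown = p.special_authorities - SPECIAL_AUTHORITIES
            if unknown:
                raise ValueError(f"unknown special authority: {sorted(unknown)}")
        self.profiles = profiles
        self.ticket_is_valid = ticket_is_valid
        self.pre_swap = pre_swap            # integration point before the swap
        self.post_release = post_release    # integration point after release/expiry
        self.max_age = timedelta(minutes=max_minutes)
        self.sessions: Dict[str, Session] = {}
        self.audit: List[AuditEvent] = []

    def _log(self, when, user, action, profile, detail=""):
        self.audit.append(AuditEvent(when, user, action, profile, detail))

    def swap(self, user: str, switch_profile: str, ticket: str, now: datetime) -> bool:
        """Adopt a switch profile; every refusal is recorded, not just successes."""
        if switch_profile not in self.profiles:
            self._log(now, user, "DENIED", switch_profile, "no such switch profile")
            return False
        if user in self.sessions:
            self._log(now, user, "DENIED", switch_profile, "already swapped")
            return False
        if not self.ticket_is_valid(ticket):
            self._log(now, user, "DENIED", switch_profile, f"invalid ticket {ticket!r}")
            return False
        if self.pre_swap is not None:
            self.pre_swap(user, switch_profile)   # e.g. set a library list or accounting code
        self.sessions[user] = Session(user, switch_profile, now, ticket)
        self._log(now, user, "SWAP", switch_profile, f"ticket {ticket}")
        return True

    def _end(self, user: str, now: datetime, action: str, detail: str = "") -> None:
        s = self.sessions.pop(user)
        self._log(now, user, action, s.switch_profile, detail)
        if self.post_release is not None:
            # Hand the hook everything this user did while swapped, for a report.
            used = [e for e in self.audit if e.user == user and e.when >= s.started]
            self.post_release(user, s.switch_profile, used)

    def release(self, user: str, now: datetime) -> bool:
        if user not in self.sessions:
            return False
        self._end(user, now, "RELEASE")
        return True

    def expire(self, now: datetime) -> List[str]:
        """Force-release sessions older than max_age; returns the users affected."""
        expired = [u for u, s in self.sessions.items() if now - s.started > self.max_age]
        for u in expired:
            self._end(u, now, "EXPIRE", "exceeded time limit")
        return expired

    def effective_authorities(self, user: str, base: Set[str]) -> Set[str]:
        """Base authorities plus the switch profile's, only while a session is open."""
        s = self.sessions.get(user)
        return base | (self.profiles[s.switch_profile].special_authorities if s else set())

    def after_hours_swaps(self, start_hour: int = 8, end_hour: int = 18) -> List[AuditEvent]:
        """Detection: swaps outside the business window deserve a second look."""
        return [e for e in self.audit
                if e.action == "SWAP" and not start_hour <= e.when.hour < end_hour]


def demo():
    """Constructed scenario: one ticketed swap at 7 p.m. that is never released."""
    notes: List[str] = []
    broker = PrivilegeBroker(
        profiles={"SWQSECOFR": SwitchProfile("SWQSECOFR", {"*ALLOBJ", "*SECADM"})},
        ticket_is_valid=lambda t: t.startswith("CHG-"),   # constructed ticket format
        pre_swap=lambda u, p: notes.append(f"pre-swap hook: {u} -> {p}"),
        post_release=lambda u, p, ev: notes.append(f"report: {u} used {p} for {len(ev)} events"),
    )
    t0 = datetime(2007, 4, 24, 19, 0)                 # 7 p.m., after hours
    broker.swap("JOHN", "SWQSECOFR", "CHG-1234", t0)  # allowed and logged
    broker.swap("MARY", "SWQSECOFR", "nope", t0)      # denied: no valid ticket
    broker.expire(t0 + timedelta(minutes=45))         # JOHN forgot to release
    return broker, notes


if __name__ == "__main__":
    b, n = demo()
    for e in b.audit:
        print(e.when.isoformat(), e.user, e.action, e.switch_profile, e.detail)
    print(n)
```

The point of the model is that special authority never lives in the everyday profile: `effective_authorities` only adds the switch profile’s rights while a session is open, and the audit list records denials and timeouts as well as successful swaps, which is what gives an auditor something to review.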
AuthorityBroker supports OS/400 V4R4 and later versions. Pricing is tier-based and ranges from $2,700 to $15,000. For more information, visit www.powertechgroup.com.