Raz-Lee Flushes Out Fraud with Application Security Tool
April 15, 2008 Alex Woodie
The System i security experts at Raz-Lee have developed a new product called AP-Journal that’s designed to detect fraudulent field-level changes to DB2/400-based application files that could indicate inside fraud. The new tool, which Raz-Lee first unveiled two weeks ago at the COMMON conference in Nashville, Tennessee, is based on IBM journaling and will be most useful for companies in the healthcare and financial services industries, the company says.
One of the most pressing security issues affecting System i shops is that too many organizations grant way too much authority to their users. According to a recent security survey performed by PowerTech (which sells security tools that compete with Raz-Lee’s), the average shop has close to 70 users with *ALLOBJ authority, or nearly 10 percent of all their users. While the vast majority of these users will not abuse their authorities (such as by manually changing a field-level value in a critical application), the fact remains that they can.
And when a user decides to change a field–to perpetrate fraud or even for a legitimate (but misguided) business reason–it can be difficult to find out who made the change, when the change was made, and what the change entailed. It’s possible to trace the changes if the journaling feature in i (the operating system formerly known as i5/OS and OS/400) is activated and the organization has skilled personnel working with journal receivers. But for those without those technical skills, details about field-level changes are not available.
Raz-Lee decided this was a problem that needed a more elegant solution, so it developed the AP-Journal, which it claims is a first-of-its-kind product on the market. The software works with IBM journaling and journal receivers, but instead of requiring users to write special programs to obtain usable information, the AP-Journal extracts the usable data (which is marked with a “commonality key”) and indexes it in a separate container, thereby creating a highly targeted database of changes to field-level values that is more efficient to search and monitor.
Filters are then created to determine how far a field-level value can be changed before it will trigger an alert. AP-Journal allows filters to be created based on numeric value change or percentage change. If a change to a field exceeds the limit–such as a product’s price being reduced by more than 20 percent, or a salary being increased by more than 10 percent–AP-Journal automatically sends an e-mail to the administrator notifying him or her of the change.
The software can also be used in batch mode to create reports that display changes made over a period of years, including before and after views of the data. The product also supports a “quick view” mode that lets managers see all field-level changes made in one or two files.
Raz-Lee CEO Shmuel Zailer says one early adopter is using AP-Journal to monitor order values in its ERP system. “If I had an order that was worth $1 million, and now I go to the computer and see that it’s worth $50,000, can you tell me how it came that that order changed so dramatically?” Zailer said during an interview at the COMMON conference.
While fraud detection is definitely a big part of AP-Journal, it’s not the product’s only goal. According to Eli Spitz, vice president of business development for Raz-Lee, the software can be used to maintain a level of compliance and control over the potential for unauthorized changes. “Maybe somebody changed something and didn’t have rights to,” Spitz said. In this case, AP-Journal would be used to record the violation.
Other possible non-fraud uses of AP-Journal can be found in the financial services and healthcare industries. As people refinance their mortgages and move from one house to another over a period of years, AP-Journal can be used to track changes to the original contract, Zailer says. Similarly, the software could be used in a hospital setting to track the activities of a doctor–what patients he saw and what drugs he prescribed–potentially years after the fact.
AP Journal is available now. Pricing is tier-based and ranges from $10,000 to $70,000. For more information, visit www.razlee.com.