Safestone Gives i Security Officers Greater Control
January 6, 2009 Alex Woodie
Despite declining IT budgets, companies should think twice before slashing security spending. Cyber criminals are becoming more proficient by the week, while the poor economy elevates the temptation for insiders to cheat. To that end, i OS security experts Safestone last month rolled out several updates to its DetectIT suite of security software that should give security officers greater control and deeper insight into System i activities.
DetectIT is a suite of integrated security tools for the IBM i operating system (IBM i OS). About 500 organizations around the world currently use DetectIT, including well-known firms such as the Royal Bank of Scotland, Secure Trust Bank, and Kleinwort Benson. The software is developed at Safestone’s headquarters in England, and the majority of customers reside in Europe and North America.
Seven modules make up the suite, and they include the Security Audit and Detection module, the Risk and Compliance Monitor, the Network Traffic Controller, the User Profile Manager, Password Self Help, and the Multiple Systems Administrator console. Last March Safestone introduced the Smart Security Console, a graphical interface intended to simplify some aspects of security management and regulatory reporting.
On December 15, Safestone unveiled enhancements to three modules: the Security Audit and Detection, User Profile Manager, and Risk and Compliance Manager components.
The Security Audit and Detection module will now track requests by users, in addition to modifications and deletions made by users. This will enable security professionals to keep better tabs on who is accessing sensitive data, even if users are not changing the data. After all, plenty of damage can be done simply by reading data off a screen. Using this feature to monitor who is accessing sensitive records can help a security officer gain a better understanding of user behavior.
This DetectIT module will also gain the capability to monitor and report on the activities of users with powerful user profiles, such as users who have been granted *ALLOBJ authority, which gives users practically unfettered access to change or delete any data on the System i server. Monitoring of users with powerful user profiles can be turned on and off with just a few simple commands, giving security officials a measure of control over the potentially hazardous use of authorities.
Safestone will be rolling out support for monitoring of other special authorities in early 2009, the company said in its December 15 newsletter. While *ALLOBJ is the best-known special authority, there are others that could cause security headaches, including *SECADM (security administrator), *IOSYSCFG (network services), *AUDIT (audit rights), *SPLCTL (spool file authority), *SERVICE (hardware administrator), *JOBCTL (system operator), and *SAVSYS (backup operator).
Safestone has also enhanced the existing integration between RSA Security's two-factor authentication solution, SecurID, and the User Profile Manager component of DetectIT. With this release, the SecurID authentication process can be started at any time, instead of only upon first sign-on, which is how the product was previously used. SecurID processes can be summoned at any time, either from an i OS command line or programmatically.
It's worth noting that Safestone claims DetectIT is the only i OS security solution that integrates directly with SecurID from RSA, which is a subsidiary of EMC. SecurID typically combines a password or PIN with a hardware-based authenticator (such as a key card or a key fob that automatically changes security codes every 60 seconds), and is a popular choice among PC and network administrators. Thanks to the integration work by Safestone, the SecurID system can be used by System i shops, too.
DetectIT's Risk and Compliance Monitor module has also been enhanced with better file system compliance checks. With this release, the software will perform deeper checks across the entire IFS. Now, all directories and folders are checked, as opposed to just QDLS (the folders file system), which was the only part of the IFS that was checked previously.
For more information, visit the company’s Web site at www.safestone.com.