Safestone Cracks Down on Excessive Authority with PUP
February 17, 2009 Alex Woodie
Safestone Technologies last week unveiled a new System i security product aimed at reducing the risk posed by users with excessive authorities. Called Powerful User Passport, or PUP, the new software gives administrators a way to grant users powerful authorities for a short period of time, and then force them back to a user profile with less authority when they have completed the tasks requiring special powers.
“This particular product addresses the problem of powerful users on the System i,” says Terry Heath, chief operating officer for Safestone, which is based in the UK and has an office in Seattle, Washington. “Powerful users on the System i are the auditors’ number one concern, because if somebody has something like ALLOBJ authority, then they have authority over all objects, which means they are all powerful, almighty, on the System i, and auditors don’t like that.”
Auditors have good reason to be concerned with excessive use of powerful user profiles in corporate computer systems. For one thing, studies have shown that employees account for anywhere from 50 to 80 percent of computer break-ins, so leaving the server wide open for employees to explore is an invitation for fraud. Another reason for auditors to worry is that companies too often grant too many powerful authorities to too many employees. While it’s easier in some cases from a programming or management perspective to give users full access to the System i, it’s almost always a bad idea from a security standpoint.
System i administrators and security officers have a dozen or so special authorities to worry about. ALLOBJ is the most powerful, and grants users access to everything on the system. But there are less well known authorities that administrators and programmers occasionally need to make changes to the system, such as Security Admin (SECADM), Network Services (IOSYSCFG), Audit Rights (AUDIT), Hardware Administrator (SERVICE), Backup Operator (SAVESYS), Job Control (JOBCTL), and Spool Control (SPLCTL).
The operative word here is “occasionally.” And that’s the central idea behind Safestone’s new Powerful User Passport.
With PUP, users are provided a user profile that contains the minimum amount of authorities they need on a day-to-day basis. If they have a need for one of the special authorities, they can log in under a different user profile that grants them these authorities. PUP makes this transition seamless.
PUP also provides a time limit for the use of the special authorities. As the time limit nears, the user is flashed a warning on his screen that he will need to log out of the special user profile soon. If the user does not log out in time, PUP can take action to end any active jobs gracefully.
Auditing is turned on while the user is working with the special authorities, providing a way for administrators to replay the user’s session after the fact, if required. In addition to ensuring that none of the powerful user’s deeds go untracked while he or she is logged in with PUP, it also protects the user from accusations of wrongdoing, because there’s a full audit trail.
If there is a need to go back through the audit trail, Safestone provides tools to make it easier. “We have some really good filtering in the product itself,” Heath says. “So we can say, ‘Just give me all the key commands that the user performed, such as copy or delete. Or just give me the specific files they touched, like payroll or customer files.'”
One of the most compelling uses of the product will be to monitor user activities after hours or on weekends, says Simon Bott, Safestone product manager. “Say you have a system support guy making sure your RPG applications are running on your production machine,” he says. “Those guys typically will say ‘I must have ALLOBJ authority, because you want me to support it on off hours and weekends.’ Clearly in the eyes of the auditor, that’s a risky policy to have.
“So what the Powerful User Passport can do is allow a management or compliance or auditing officer to make a decision, to say to the development guy, ‘I will trust you to use that special authority extensively if and when you need it. I’ll grant you into the system temporarily to have that access.’ You can actually remove the ALLOBJ authority from that user profile. He then has a command that he can use in his environment, which will then give him temporary access.”
When a user swaps into a powerful user profile with PUP, he can be prompted to provide an explanation for the need for special authorities. PUP also ties into ticketing and help desk applications, and alerts the administrator that a user with special authority is on the AS/400.
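The workflow described above (a least-privilege profile temporarily swapped into one special authority, a warning as the time limit nears, jobs ended once it passes, a mandatory justification, and an audit trail that can be filtered by key command or by file touched) as a constructed Python model. This is an added example, not Safestone's code; the profile names, command names, objects and clock values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
# Constructed example: the special authorities the article lists, as IBM i names them.
SPECIAL_AUTHORITIES = {"*ALLOBJ", "*SECADM", "*IOSYSCFG", "*AUDIT", "*SERVICE", "*SAVESYS", "*JOBCTL", "*SPLCTL"}

@dataclass
class Passport:
    user: str                # the everyday, least-privilege profile
    authority: str           # the special authority temporarily granted
    reason: str              # justification captured at swap time (ticket, hotfix...)
    issued: int              # constructed clock, in seconds
    ttl: int                 # how long the elevated session may last
    warn_before: int         # seconds before expiry at which the user is warned
    audit: List[Dict] = field(default_factory=list)   # one dict per audited event
    active: bool = True
    def log(self, now: int, command: str, obj: Optional[str]) -> None:
        self.audit.append({"at": now, "user": self.user, "command": command, "obj": obj})
    def status(self, now: int) -> str:
        if not self.active:
            return "ended"
        remaining = self.issued + self.ttl - now
        if remaining <= 0:
            return "expired"
        return "warning" if remaining <= self.warn_before else "ok"

def issue(user: str, authority: str, reason: str, now: int, ttl: int = 3600, warn_before: int = 300) -> Passport:
    """Swap into the elevated profile; a justification is mandatory and is audited."""
    if authority not in SPECIAL_AUTHORITIES:
        raise ValueError(f"not a special authority: {authority}")
    if not reason.strip():
        raise ValueError("a reason for using the special authority is required")
    p = Passport(user, authority, reason, now, ttl, warn_before)
    p.log(now, "PUP_SWAP", authority)
    return p

def run(p: Passport, command: str, obj: str, now: int) -> str:
    """Run one command under the passport; past the time limit the session is ended."""
    state = p.status(now)
    if state in ("expired", "ended"):
        if p.active:                 # end the job once, and record that it was ended
            p.active = False
            p.log(now, "PUP_ENDJOB", p.authority)
        return "denied"
    p.log(now, command, obj)         # auditing is always on while elevated
    return state                     # "ok", or "warning" when expiry is near

def filter_audit(p: Passport, commands: Optional[Set[str]] = None, objects: Optional[Set[str]] = None) -> List[Dict]:
    """Replay the trail by key command (copy, delete) or by file touched (payroll)."""
    return [e for e in p.audit if (commands is None or e["command"] in commands) and (objects is None or e["obj"] in objects)]
```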
Using a third-party vendor such as Safestone also eliminates any potential conflict of interest issues for programmers, Heath says. “Some companies have recognized this problem, and what they’ve done is they’ve written their own routines to be able to protect against it,” he says. “But what’s happened more recently is auditors are beginning to switch onto this thing and the idea that there’s a solution that’s been written by somebody within the firewall, and that doesn’t protect the business, because that person could have written a logic bomb or a backdoor or any kind of thing in there. As we say, who polices the policemen?”
Powerful User Passport is the latest addition to Safestone’s DetectIT suite of i OS security solutions, which is now composed of nine core modules. The software is available now, and ranges in price from $2,000 to $22,000. For more information, visit www.safestone.com.