Raz-Lee Adds Object-Level Security to i OS Security Suite
November 17, 2009 Alex Woodie
Raz-Lee Security last week announced two new security modules for its i OS security suite. Native Object Security will allow i OS shops to implement object-level security on their systems without the hassle of manually configuring it through the operating system, while User Profile and System Value Replication will allow shops to easily replicate security settings across multiple servers or LPARs. The Israeli software company also made changes to other modules of its iSecurity suite, including its anti-virus software.
iSecurity is a collection of about 17 products designed to automate the configuration and management of i OS servers, ranging from exit point control and analysis of i OS’s audit journal to virus scanning and password enforcement. Everything is accessed through an Eclipse-based graphical user console, called the iSecurity GUI, making Raz-Lee’s offering one of the most comprehensive and feature-rich security suites available to System i and Power Systems customers.
The new Native Object Security module significantly boosts the capabilities of the iSecurity suite. The software aims to simplify the process of implementing object-level security, which is one of the most powerful security features of IBM i OS, i5/OS, and its predecessor operating systems.
Raz-Lee’s software allows administrators to set up rules that define security levels for specific objects or groups of objects of a specific type. It gives administrators power to define variables such as the object’s owner, its authorization lists, what group it’s part of, and whether there are any specific user authorities associated with the object.
Native Object Security also includes reporting features, and allows users to check for inconsistencies between actual and planned object security settings. This should be a very helpful feature for i OS administrators who are implementing object-level security for the first time, and may have overlooked something in the process.
It can be difficult to implement object-level security, which is one of the biggest reasons why many shops avoid setting it up in the first place. Getting something wrong in object-level security – which prevents all forms of access to objects unless they are specifically granted (or the user has a special authority, such as ALLOBJ, which overrules object-level security) – can render a previously stable machine inaccessible to regular users.
IBM tried to address the difficulty of implementing object-level security with a tool called Secure Perspectives. However, IBM basically killed the product earlier this year (although it is still available through IBM Systems Lab Services). One must assume that a lack of interest in the product had a hand in its short, two-year lifetime.
In developing Native Object Security, Raz-Lee attempted to maximize flexibility and the number of configuration options, according to Eli Spitz, vice president of business development for Raz-Lee. “Accordingly, iSecurity supports both general and specific security settings, be it individual security levels for each and every object, or special temporary authorities for emergency cases,” he says in a press release. “This allows the security settings to reflect the customer’s exact needs, with little or no constraints.”
Closely related to object-level security (in the i OS scheme of things) are user profiles and system values, and Raz-Lee’s new User Profile and System Value Replication module should make life easier for administrators at large shops.
This new module is aimed at organizations that have multiple servers or multiple logical partitions (LPARs) that users need to access. It can be a chore to manually replicate all the user profile definitions, passwords, and system values among all the different systems and LPARs. Now, Raz-Lee’s new module does it for them.
User Profile and System Value Replication allows administrators to create replication rules that govern the replication of profiles, passwords, and system values. From any system or LPAR in the environment, administrators can execute bulk updates of user profiles. They can also “revive” deleted user profiles, and choose system values that are based on “baseline” settings or “optimal” settings, depending on the specific environment.
Raz-Lee also announced new features in several other iSecurity modules, including AP-Journal, Audit, Compliance Evaluator, Anti-Virus, and Authority on Demand. For more information, see www.raz-lee.com.