Single-Platform, Technology-Focused Security Unwise Says Ex-IBMer Botz
December 1, 2009 Dan Burger
Pat Botz sees security from the perspective of an entire IT environment. Looking for solutions from a platform-specific point of view is a stumbling block for the many organizations that approach security from within their platform silos. “When you start looking at where the security issues tend to be,” he says, “they are at the seams where different applications, different platforms, and different networks meet. That is almost always because there is seldom one individual looking at security from an integrated point of view.”
Botz is an ex-IBMer who has worked with a lot of IBM i shops. During his tenure as team lead for IBM Lab Services Security Consulting, his view of security was always a multi-platform perspective. Now, as a consultant and president of Botz & Associates, his message continues to be that a single-platform approach to security is often near-sighted.
“The seams between a Windows user trying to exploit data managed on an iSeries are likely to be more than a client/server application boundary,” Botz points out. “There could be network boundaries also. Or, in larger organizations, the user may be in another location–another subnet–and it could be protected by various routers and/or firewalls. The seams between the routers and the firewalls are often places where the security falls apart because two different people are focusing on their own platforms and protecting their network. They lose sight of protecting the corporate information.”
In IBM i environments, for example, there may be limitations on the non-i side, stemming from that side's applications and environments, that have nothing to do with the requirements on the i side. His point is that unless those differences are understood and taken into consideration, the configuration of one platform can have unintentional consequences–not always favorable–on the other platform.
In the case of regulatory compliance, becoming compliant on the IBM i can be driven by the other components in the environment.
“I don’t want to suggest that someone who only knows iSeries security isn’t valuable,” Botz says. “They are valuable, but too often customers don’t realize that one tool doesn’t fix everything.”
Prior to his position at IBM Lab Services Security Consulting, Botz was the lead architect for OS/400 security. He was in that position when single sign on (SSO) and enterprise identity mapping (EIM) were introduced in 2003. Both remain important security solutions in the IBM i environment and both are widely misunderstood, according to Botz.
“Single sign on is one of those things in security that if you look at it purely from an iSeries point of view, you sort of miss the boat,” Botz says.
The emphasis, Botz says, needs to be on the cost of managing passwords in the entire IT environment and understanding the problem outside the specific platform environment before determining what to do on any one platform to address that problem.
“It’s when password management is approached as a purely technical problem that the issue becomes confusing,” Botz warns. “And technical people will say that if all of the multiple passwords can’t be eliminated, there is no solution.”
The “all or nothing” technical solution can get very complicated, very expensive, and very unnecessary, according to Botz.
“By figuring out how much password management is costing, it becomes possible to determine what can be done to significantly reduce that cost,” he says. “This percentage will be different from one company to the next, but let’s say 60 percent is significant at a given company. Then you can look at the cost of acquiring, implementing, and managing technology over time and determine if the solutions make sense.”
People who think SSO means providing a password only once or providing the same password each time they are asked are missing the point. And this, Botz says, may shock some folks.
“The goal is not single sign on. The goal is cost reduction,” Botz emphasizes.
“If I can take a person managing 10 passwords and reduce the cost of managing those passwords by 60 percent–even if the person ended up with more passwords–it would be worth it,” he says. “That’s an absurd example, but it makes a point about not focusing on the number of passwords, but on the cost reduction. If I can reduce the cost 60 percent by only getting rid of one password, it would be worth it. And if this is accomplished for multiple people who all have to waste time managing passwords, the savings becomes significant. If the solution cost is minimal and the savings is great, the endeavor makes sense.”
In the case of IBM i customers, there has always been technology that can be used to reduce password management without buying anything new. Botz says this is often overlooked because the search for a technology answer sweeps aside the business cost question.
“You may need more than one tool or more than one set of tools to solve the problem, but if one tool that is really cheap solves the problem 80 percent, and to get the last 20 percent it is necessary to buy a very expensive tool, you might choose to solve 80 percent of the problem,” he says.
“The problem I have found is that technical people turn away from solutions that solve less than 100 percent of the problem. They look for 100 percent solutions, even if it costs a lot of money and the return on investment was much better when solving something less than 100 percent. It’s not that the problems can’t be solved. It’s the expense required.”
Botz is offering one-hour consulting sessions to help organizations estimate the return on investment of moving to a single sign-on security strategy. The sessions are conducted as private online meetings that examine: how much the organization currently spends on user ID and password management; password management alternatives that will reduce costs; estimated costs for implementing an alternative; and a calculated return on investment for the selected alternative.
The no-cost consulting sessions can be arranged online at this sign-up page. Botz & Associates also offers free downloads of several educational presentations related to information and password security at the Botz & Associates Web site.
Previously written IT Jungle articles have covered Botz’s career after leaving IBM. It has included short stints at a consulting company known as Group8 Security and as president of Valid Technologies. See the Related Stories section for links to those articles.