ALL Out Security Roots Out Fraud with New Audit Tool
May 10, 2011 Alex Woodie
One of the new exhibitors at last week’s COMMON conference and expo was ALL Out Security, a software company that comes out of the JD Edwards world. At the show, ALL Out Security debuted a new auditing tool called TRACE that’s designed to track down unauthorized changes made to data on IBM i systems, whether it stems from an innocent error or criminal intent.
ALL Out Security is well versed in the security needs of JD Edwards World and EnterpriseOne customers. The Colorado Springs, Colorado-based company’s core product, called ALL Out Security, helps administrators lock down their JD Edwards ERP systems, which can be difficult to do using the ERP suites’ native security tools, the company says. More than 240 JD Edwards customers around the world have adopted its security offerings, the vendor claims.
Security is all about building walls around users and what they can access, said Richard Belton, a co-founder and senior consultant with ALL Out Security. “But what happens when they breach our controls and get in and do something they shouldn’t do?” he said during a press conference at the COMMON show in Minneapolis last week.
That is where the company’s new TRACE product comes into play. The software, which uses the IBM i audit journal, is designed to automatically notify internal auditors when suspicious events have occurred on their IBM i server, such as changes made to sensitive fields in DB2/400, the use of SQL or ODBC to change data, and the bypass of application-level controls.
These events could indicate one of two things: That an inexperienced user was lost in the application and accidentally did some things he shouldn’t have, or an experienced user was exploiting weaknesses in the IBM i application environment to enrich himself at the company’s expense.
The lure of easy money can be too much for users who lack moral values and think it’s OK to steal from their employers. And all too often, IBM i shops unknowingly assist these criminals by not adequately securing their servers, applications, and data. While a correctly configured IBM i server can be practically impossible to break into, surveys conducted year after year show the average IBM i shop is woefully under secured.
There is a thin line separating an experienced employee who has the knowledge to exploit IBM i’s security weaknesses but doesn’t, and a would-be criminal who begins to acts on his urges.
For example, a warehouse manager may think he can get away with selling some of his company’s products on the black market, then using unmonitored SQL to cover his tracks by changing the quantity of product listed in the ERP system. Or a manager at a bank may think she can get away with using an anonymous ODBC session to change an account number in the payroll system, so that she collects additional paychecks.
In each of these cases, TRACE can serve as a safety net for under-secured IBM i shops, and save these companies the embarrassment and monetary loss that results from internal fraud.
“It’s fraud,” said Belton, who previously worked at IBM and JD Edwards, and has worked with customers all over the world. “The whole idea of getting management involved is to make them aware of it.”
IBM i shops could discover these events on their own by analyzing the millions of records in the audit journal, but it would be more difficult, Belton said. In addition to helping auditors detect fraudulent activity, TRACE also generates compliance reports and assists with separation of duties (SOD) requirements, he said.
ALL Out Security acquired the TRACE product about two months ago from its original developer, an auditor who discovered he didn’t want to be in the software business. There are currently about three customers.
TRACE is available now. The software can be obtained through a traditional perpetual license, which ranges from about $2,000 to $25,000 depending on P group, or through a monthly subscription. For more information, see www.alloutsecurity.com.