Cilasoft Monitors Additional Exit Points with IBM i Security Tool
February 19, 2013 Alex Woodie
IBM i security software developer Cilasoft last week unveiled enhancements to two of its products, including CONTROLER, its exit point monitoring solution, and EAM, its Elevated Authority Manager solution. Cilasoft says the capability to monitor two additional exit points in CONTROLER–the open database file and socket exit points–as well as new commands in the tool, will give IBM i shops a powerful new way to enforce data-centric security policies, which it claims is “an enormous breakthrough.”
CONTROLER is a network security tool that monitors and controls all inbound and outbound activity going through the various exit points that IBM built into the IBM i OS to augment traditional 5250 access. Cilasoft has covered all of the most popular exit points, like FTP, ODBC, DDM, and SQL, as well as some of the more obscure ones, including the Distributed Relational Database Access (DRDA) protocol.
With the new version unveiled last week, Cilasoft has made several changes that it claims will provide a significant upgrade in IBM i security enforcement–namely, the capability to enforce security from a single, data-centric policy.
A key component in this claimed data-centric breakthrough is the addition of support for the open database file exit point, which was introduced with i5/OS V5R3. Coverage of this exit point gives CONTROLER the capability to approve or reject any application or user requests to open tables in DB2 for i, whether they come from the CQE (traditional I/O) or SQE (the SQL database engine).
Meanwhile, the addition of the socket exit points, which were introduced with IBM i 7.1, gives CONTROLER the capability to shut down transactions occurring across socket APIs. IBM enables exit programs (such as CONTROLER) to allow or deny socket connections based on the characteristics of the requesting job, such as user ID, job type, etc.
Cilasoft says the addition of these two exit points will give customers something they couldn’t get before: the ability to control access using a single data-centric security policy, as opposed to enforcing policies based on each of the various protocols. The vendor–which claims to be the only IBM i security vendor providing coverage of these exit points (a claim that hasn’t been verified)–says this could allow customers to completely replace their traditional access control methods, or just augment them.
Cilasoft president Guy Marmorat says the capability to implement a data-centric security policy is “an enormous breakthrough,” and that expert IBM i users and security managers will recognize the significance of this announcement. “… [O]ur blend of IBM i security solutions continues to stay ahead of new security threats,” he states in a press release. “At Cilasoft, our focus is actively and solely centered on the security of IBM i environments.”
Cilasoft also introduced new ways of working with CONTROLER through additions to its vocabulary, including the capability to set policies according to port and SQL attributes. The company says these enhancements will provide more granular access control capabilities, and that they go hand-in-hand with implementing a data-centric security policy.
The final CONTROLER enhancement is the capability to identify CPU consumption for SQL queries, and then adjust job priority, kill the job, or take any other action if usage exceeds preset limits.
Meanwhile, Cilasoft also enhanced EAM, the authority control product that it shipped less than a year ago. EAM gives organizations two ways to temporarily grant powerful authorities to IT professionals who need to work on an IBM i server, including swapping users into different user profiles, or modifying users’ individual profiles to adopt the necessary authority or authorities.
With this release, Cilasoft says that EAM now has full compatibility with 5250 and ODBC/JDBC environments. The product will monitor all activities undertaken by users while in a state of elevated authority, down to the SQL statement level, the company says.
Cilasoft also claimed another first with the new release of EAM, namely that it’s the first vendor to support 5250 and ODBC/JDBC environments with an authority management tool. Like the other claims, it hasn’t been verified. Cilasoft obviously wants to push the security envelope, take on new challenges … and maybe do a little trash-talking along the way.
“Some security vendors in the community collect maintenance fees without doing significant product improvements,” Marmorat says, “yet we continuously invest in expanding the capabilities of our security products so they provide our customers the best possible protection.”