Boost Your IBM i Security by Tracking Config Changes
November 18, 2014 Alex Woodie
One of the most important aspects of IBM i security is having the right configuration. But configurations rarely stay static, and as they change, so does your level of security protection. Kisco Information Systems last week launched a new tool called iSecMap that helps IBM i shops map how configurations change over time and how they might have opened up security problems along the way.
The IBM i server has a great reputation as a very secure platform on which to run your business. However, the server does not ship from the factory with strong security turned on by default. Instead, achieving that high level of security requires some careful configuration. Leaving default passwords in place (oopsie!), giving every user *ALLOBJ authority (sorry!), or failing to lock down exit points (my bad!) will make IBM i as vulnerable to external hackers and internal criminals as your worst Windows nightmare.
Now that you know the secret to good IBM i security, you’re set, right? Unfortunately, setting a good solid configuration is just the starting point. To ensure your security lasts, you have to maintain that strong configuration over time.
Kisco’s new iSecMap tool can help in that regard. The product “maps” key elements of IBM i security to create a baseline configuration. As the system evolves over time, iSecMap lets users know exactly how those initial configurations changed, and gives them options for responding to those changes.
iSecMap keeps a close watch on a variety of settings, including security system values, user profiles, group profiles, authorization lists, and library level security. It can also track object security within libraries and object security within Integrated File System (IFS) paths.
iSecMap will periodically scan the IBM i configuration settings to find out whether they’ve changed. When it detects a change, the product lets users decide if they want to accept the change and make it part of the new baseline, or revert it so that it conforms to the initial configuration setting.
iSecMap users can set the tool to run on a predefined schedule. The Security Monitor function runs in the background as a batch job and monitors for changes. The results are sent to the administrator via email or system message. Auditors will also be happy to see that iSecMap maintains a comprehensive listing of the baseline map information stored in the system, which essentially defines the organization’s security policy for the IBM i server. This information can be used for audits, Kisco says.
The product was prompted by recent experiences Kisco had with two customers, says Kisco CEO Rich Loeber. “In both cases, they had a good security plan in place but were not monitoring it and some changes were implemented that they were not aware of,” he tells IT Jungle.
IBM i shops that are actively developing their software are perhaps most susceptible to slipping security postures, Loeber says. “I think that if there is any application development going on or new application roll outs going on, then there is an exposure to things getting changed,” he says. “Also, at some locations, when a security problem causes an end user to not be able to get their work done, a ‘patch’ is put in place to allow some work to get done, but then not fixed after the fact. Our product is looking for just such an issue.”
The insight helped Kisco improve the security of its own development box in Saranac Lake, New York. “We are finding the iSecMap is issuing warnings to us that we have never considered before and we have even changed our work process now to take security into closer account than before,” Loeber says.
Kisco sells a variety of security tools for the IBM i server, including SafeNet/i, an exit point monitoring tool; iFileAudit, an auditing tool for IBM i; a self-service password reset tool called iResetMe; and ScreenSafer/400, a security-oriented screen saver.
iSecMap pricing starts at $495 for a single-partition, 100-user license, and tops out at $1,295 for a single-partition unlimited-user license. For more information see www.kisco.com.