New Service Combats Complacency In IT Security

September 19, 2016 Dan Burger

The chilling reality of IT security weaknesses is widely overlooked and often assumed to be something that only affects someone else’s business. A close look at our own organizations makes us uncomfortable. So do stories that include expert opinions that every business should begin its security review with the realization that a security breach has already occurred. That’s how real the threat is. And your current security policy, if you even have one, is probably obsolete.

Security is an ongoing process. It’s not inherent in the system, not even the legendary IBM i platform.

“Attackers and their targets and objectives are changing,” explains Patrick Botz, a former security architect at IBM who understands the IBM i system’s security capabilities as well as just about anyone. “No longer are they script kiddies trying to make a name for themselves. It’s now organized crime rings and even nation-states looking to make money or establish the ability to cripple critical infrastructure. That means establishing an ongoing, covert presence without being caught. Attacks on at least two small utility companies have already been identified, and ransomware attacks against small businesses have been rampant this year.”

Smaller businesses, Botz warns, make ideal targets because they have no way of telling if their systems have been breached. They have few security processes in place and most do not actively monitor their systems for potential issues.

“The IBM i’s legendary security capabilities have made many organizations complacent. They think the system protects them. The simple truth is that the IBM i is highly securable, but you need to know how to apply those capabilities to potential vulnerabilities to keep your systems secure.”

Because of the growing risk, Botz believes the time is right for cybersecurity management as a service. His company, Botz & Associates, brings a level of security expertise most small to midsize companies could never achieve on their own at a cost that is reasonable. He calls the ongoing security package TeamSecurity.

“There are tools of the profession, but beyond that are the skills to know what needs to be fixed,” Botz says. “Many small and midsize companies don’t have anyone on staff that knows how to fix security. Adding another piece of security software isn’t going to do them much good if they don’t have a framework in which to deploy that software.”

Botz believes all businesses need a security/risk management process in order to manage security in a rational way, but they are ill equipped to do that. His company specializes in determining the policies and the steps needed to put the processes in place. Because, as he says, there’s no such thing in security as “set it and forget it,” his TeamSecurity package includes ongoing help with processes that deal with constantly changing new threats.

Some might think there’s not much to do once the processes are in place and the system is secured. But Botz emphasizes the importance of continuous monitoring by someone who knows what to do with the information that the monitoring provides and who can make decisions based on current information about threats, vulnerabilities, and risks.

There are three levels of TeamSecurity contracts.

The highest level includes what Botz calls the virtual chief information security officer (CISO). It provides assistance in designing and implementing a security plan that manages risk; for architecting the processes, developing a roadmap, and implementing related projects. Included is an annual security assessment and monthly monitoring reports of key indicators. Botz says it’s like hiring a CISO at a fraction of the cost.

The mid-level service provides help monitoring an existing security system. Includes an annual security assessment and monthly monitoring reports of key indicators and an hour of consulting or security services each month.

The basic level simply involves an annual security assessment and key indicator monitoring and reports.

The service is not designed to catch a breach as it happens. Botz says that would be far more expensive. This process reduces the risk at a small cost. The monthly monitoring is designed to identify when something isn’t quite right–something that is not supposed to be there. A good plan begins by establishing what is normal and then searching for anomalies. Most breaches occur over a long period of time. It’s not a smash and grab, Botz says.

Complacency is common among small shops, Botz says.

“The idea that nobody is going to want to steal from a small company is ludicrous. Small companies are being targeted because they are easy targets. They may not have proper backups, so they have to pay the ransom to get the info back or it will be lost. It’s almost like saying, ‘Why would a small bank in small town have a bank vault.’ Do they need a vault or a guard? No one is going to want to steal from them, right?”

IBM i 7.3: High Time For High Security

Testing For Security Inadequacies

Clearing Up IBM i Security Confusion

State of IBM i Security? Still Horrible, After All These Years

Security Risks Avoided By The Development Team

Tags:

Do the Math When Looking at IBM i Hosting for Cost Savings

COVID-19 has accelerated certain business trends that were already gaining strength prior to the start of the pandemic. E-commerce, telehealth, and video conferencing are some of the most obvious examples. One example that may not be as obvious to the general public but has a profound impact on business is the shift in strategy of IBM i infrastructure from traditional, on-premises environments to some form of remote configuration. These remote configurations and all of their variations are broadly referred to in the community as IBM i hosting.

“Hosting” in this context can mean different things to different people, and in general, hosting refers to one of two scenarios. In the first scenario, hosting can refer to a client owned machine that is housed in a co-location facility (commonly called a co-lo for short) where the data center provides traditional system administrator services, relieving the client of administrative and operational responsibilities. In the second scenario, hosting can refer to an MSP owned machine in which partition resources are provided to the client in an on-demand capacity. This scenario allows the client to completely outsource all aspects of Power Systems hardware and the IBM i operating system and database.

The scenario that is best for each business depends on a number of factors and is largely up for debate. In most cases, pursuing hosting purely as a cost saving strategy is a dead end. Furthermore, when you consider all of the costs associated with maintaining and IBM i environment, it is typically not a cost-effective option for the small to midsize market. The most cost-effective approach for these organizations is often a combination of a client owned and maintained system (either on-prem or in a co-lo) with cloud backup and disaster-recovery-as-a-service. Only in some cases of larger enterprise companies can a hosting strategy start to become a potentially cost-effective option.

However, cost savings is just one part of the story. As IBM i expertise becomes scarce and IT resources run tight, the only option for some firms may be to pursue hosting in some capacity. Whatever the driving force for pursing hosting may be, the key point is that it is not just simply an option for running your workload in a different location. There are many details to consider and it is to the best interest of the client to work with an experienced MSP in weighing the benefits and drawbacks of each option. As COVID-19 rolls on, time will tell if IBM i hosting strategies will follow the other strong business trends of the pandemic.

When we say do the math in the title above, it literally means that you need to do the math for your particular scenario. It is not about us doing the math for you, making a case for either staying on premises or for moving to the cloud. There is not one answer, but just different levels of cost to be reckoned which yield different answers. Most IBM i shops have fairly static workloads, at least measured against the larger mix of stuff on the public clouds of the world. How do you measure the value of controlling your own IT fate? That will only be fully recognized at the moment when it is sorely missed the most.

CONTINUE READING ARTICLE

Please visit ucgtechnologies.com/IBM-POWER9-systems for more information.

800.211.8798 | info@ucgtechnologies.com

Article featured in IT Jungle on April 5, 2021