Will Security As A Service Relieve The Pressure On IBM i Shops?
January 17, 2018 Dan Burger
Security is all about control. Either you are in control of your data or you are out of control, possibly unaware that security exposure and vulnerabilities exist, and most importantly unable to respond in a coordinated and logical manner. Lack of security acumen and a fear of what a data breach could do to cripple or destroy a business have many companies searching for answers. It gets mentioned often enough by iTech Solutions Group customers that it led to iTech offering security as a service, which helps companies devise a security policy, puts controls in place, and monitors system security to identify security breaches, threats, and unwanted or unauthorized access or access attempts.
Although attacks that originate from outside the company and penetrate via the Internet get massive media attention, it’s an understated fact that most data breaches are generated from inside organizations. Either way, it’s the internal servers that hold the gold. Lock them and your defense is solid.
“The vulnerability at the edge allows bad guys into the system. But if security is rock solid on the inside, the attackers can’t get to the data they seek,” says Phil Pearson, chief information security officer for iTech Solutions. “As long as we control everything that happens on the inside, then if access was gained through the network, there’s little that the bad guys can do.”
Pearson joined iTech in October 2017 with the job of setting up a security as a service business. He previously worked as a security officer for a managed service provider that included IBM i shops as clients. He and iTech President Pete Massiello have known each other for years. By Pearson’s reckoning, he’s done more than 100 security assessments.
“There are lots of ways to put controls against vulnerabilities or exposures. There are a lot of patches for vulnerabilities. It results in a system that, over the years, has become more secure by necessity. The problem is that it’s fragmented and illogical. It’s not a good architecture that covers all objects and all users and all of the system values,” he says. “A better way is to have a policy document and then monitor for violations and create exceptions for those who require exceptions to do their jobs.”
Security as a service, as defined by iTech, provides near-real-time security monitoring, management, and the analysis of IBM i security alerts and logs. It’s focused on protection of mission-critical systems, including data, system settings, and system resources. Controlling access to the server is the top priority.
It offers service at two levels. The first is basic protection and the second is protection plus compliance. The protection level includes exit point management and control over native objects on the server. In addition, there is protection from misused user authority, system configurations, and system values. Monitoring, detailed reporting, and incident response are part of the package.
The second level incorporates level one and adds more detailed analysis for a deeper understanding of the IBM i server. It also ramps up the monitoring to identify every keystroke and takes action against misdeeds. This is tied to compliance mandates–such as Sarbanes-Oxley, PCI, HIPAA, and state-mandated policies to protect the privacy of citizens–or stringent internal processes that are self-imposed best practices.
Components of the security service include: auditing, compliance analysis on all partitions and systems, object controls that define target security levels for objects and object types, network access security, journal analysis, monitoring of access rights and elevated privileges, screen reporting for users with elevated privileges, and control over system commands and user-defined CL commands.
Massiello believes security as a service will stimulate organizations’ focus on risk management planning and free them from acquiring new skills and tools that divert attention from core business activities. The service also allows “separation of duties,” which prevents the user creating unwanted activity from overseeing the security activity and managing the logs.
Security has become a top concern for IBM i shops. IBM i surveys started discovering this in late 2016. The surveys support the opinion that organizations are inattentive to security dangers. Many organizations open their systems to third parties–customers and suppliers–and more are realizing that the convenience of the Internet comes with a security cost.
iTech has scheduled a series of security seminars titled “Taking Back Control of your IBM i” that will be held during February in the Northeast United States. The dates and locations are:
February 5 – Providence, Rhode Island
February 6 – Framingham, Massachusetts
February 7 – Waitsfield, Vermont
February 8 – Manchester, New Hampshire
February 12 – Westbury, New York
February 13 – Norwalk, Connecticut
February 14 – New York, New York
February 15 – Fairfield, New Jersey