Weak Internal Security Causes Weak External Security
September 10, 2018 Dan Burger
Editor’s Note: Our dear friend and colleague, Dan Burger, passed away in August. We grieve. The last story that Dan worked on was about long-time security expert, Pat Botz, joining HelpSystems, the conglomerate that focuses on systems management, monitoring, security, high availability clustering, and performance management for the IBM i platform, along with a bunch of tools for complementary AIX and Linux platforms.
Botz goes way back in the computer industry. He wrote the Basic compiler and CAD tools for Control Data supercomputers and then led the development of CAD tools for its AIX workstation line three decades ago. He eventually became a lead security architect for the IBM i platform, and left Big Blue a number of years ago to start his own security firm, Botz & Associates. Dan sat down to have a chat with Chris Heim, chief executive officer of HelpSystems, and John Vanderwall, vice president and business unit manager for security services at the company, as well as Botz, who now holds a senior security services consultant position at the company.
Dan Burger: Why hire Pat? I realize he has tremendous expertise with single sign-on (SSO), but what else does he bring to the HelpSystems team that it doesn’t already have?
John Vanderwall: We have seen a lot of growth in the security field and we see single sign-on as an opportunity area. Pat has a particularly strong skillset in SSO, as you point out. But more than anything else, Pat is a known quantity that can be of immediate help to us as we grow security services and our security practice in general, including both software and services.
Chris Heim: We have a deep bench of security expertise already with Carol Woodbury and Robin Tatam. When we got a chance to add Pat to that bench, we jumped at it. He brings deep IBM i experience. But the other thing is that what we are finding with our customers is that they have needs that go beyond IBM i. Pat has done work on a lot of different platforms, whether it is AIX, Linux, and even Windows. And having that generalist skill that can speak to all platforms is a real positive.
Dan Burger: Do you tend to look at these as separate entities or are they all managed together?
Chris Heim: It is a little bit of both. We have customers who want to protect it all, not just the IBM i, they have partitions with AIX and Linux. That is a pretty common scenario that we are running into today.
Dan Burger: HelpSystems sells software, but it also has aspirations in the services business. Robin Tatam, Carol Woodbury, and now Pat Botz will go out into the field, doing consulting engagements I presume, but we have talked in the past about HelpSystems offering to be a security team as a service for IBM i shops. How does this help that cause?
Chris Heim: There is really a spectrum out there. There are customers that have a need and download our software and install it and go. Then there are shops that are not sure if they have the expertise, and they want HelpSystems to come out and do a risk assessment and then they either install the software themselves or ask for a little help. On the other end of the spectrum is a managed security service. But we really find companies with needs all across that spectrum.
John Vanderwall: We introduced managed security services years ago, and plan to introduce SSO as a service as well, but out there in the IBM i space, people have a lot of different things that they do and the security expertise is always on the list of important things, but they need help. We are becoming more of a trusted advisor for the enterprise security as a whole rather than just the IBM i platform, whether it is software or services or a combination of both. We can bring all of our talent to bear.
Dan Burger: I see such people being primarily face-to-face with the customers, becoming the trusted advisor for security.
Chris Heim: When I go out there in the market, there is nobody else that can do this. People know that their security is being handled by the best of the best. Their roles are all encompassing. Their roles beyond the trusted advisor role include service to the IBM i community – speaking at COMMON and local user groups – they work one-on-one with our customers, and they do weigh in on product development. Product enhancements and new products arise from customer feedback and things seen by Robin and Carol. Pat will have a similar responsibility.
Dan Burger: I want to talk a little about single sign-on and what is going on out there that shows SSO is a growth area. I have not seen a lot of uptake with it. Why is SSO now a big opportunity?
Pat Botz: I ran a business where single sign-on was a big part of that for about 10 years. One of the things John talked to me about before I joined HelpSystems was that they were getting requests a couple of times a week asking for help with SSO. I think there are still a lot of companies out there who have not stuck their toes in the water yet, and frankly a lot of the larger IBM i companies were skeptical of working with small companies like Botz and Associates for something so important. HelpSystems now has many more resources, which larger companies typically want.
As for why now, it is for the same reason as always: It is very costly to manage passwords, and single sign-on done right eliminates passwords on most of your systems, rather than synchronizing passwords on your systems, which is necessary sometimes in certain applications. When you synchronize passwords, instead of eliminating the cost of managing that set of passwords, you really are transferring that cost to the IT department, because they have to manage the software and the issues when it gets out of sync, which is going to happen sooner or later. Companies are getting so squeezed now that they realize that if they can eliminate passwords, they can eliminate all of those calls to the help desk and let people work on more pressing problems.
Dan Burger: Is this opportunity multi-platform? I assume the answer is yes.
John Vanderwall: The opportunity is cross-platform, not just IBM i.
Pat Botz: I have existing customers that have many different kinds of platforms.
Dan Burger: Over the years, when you did security surveys, it has always proved that the biggest threats come from the inside. Is this still accurate?
John Vanderwall: Going back a lot of years, there has been no evidence to suggest that this has changed. But one thing that you have to take into account there is the broad definition of what a security threat or a security breach is. I don’t think you have a ton of nefarious actors internally trying to steal information and sell it on the dark web, but we do see situations where people do not have their security house in order – they don’t understand security configurations and settings like role-based access controls so they can start to protect against internal, accidental breaches.
Pat Botz: I would further that by saying that if you have your system set up so that the average person internally has too much access, then that means the average attacker has too much access. This is an important fact that doesn’t get talked about much. The internal threats have not decreased, but the external threats are starting to catch up. The external threats are much larger than they were 10 years ago.
Chris Heim: Limiting access helps on both sides. The IBM i box can be made secure and it helps both sides.
Dan Burger: Applications that used to be internal to the company have been modernized and put out on the web, and more people are using the Apache web server than before. Still, companies that are worried about security don’t think about IBM i; they think about Windows servers.
Pat Botz: I would disagree with that. This idea that you look at security differently from one platform to another is an invalid concept. You have to look at security from the viewpoint of your information system assets – period. It really doesn’t matter if you have an IBM i or Windows system or a Unix system. They are all just as valuable and are all just as vulnerable based on how you secure them. And I think the Department of Homeland Security takes a very non-platform point of view and much of what it says tries to address the situation regardless of what platform they are on.
Dan Burger: If people are using the platform differently, by exposing applications on the web, for instance, is this a new or undiscovered vulnerability and an opportunity for IBM i shops to raise their security?
Pat Botz: Let me put it to you this way: Every time you put another door into a bank, you have to raise your level of security awareness. The IBM i platform is no different. Regardless of whether it is a door or a window or an air vent that might not be so obvious, all of those change the security posture. You now have a new vulnerability. It doesn’t matter that it is an Apache web server. What does matter is that it is a new access point in your system. And you need to figure this out before you add the new door or window, and often it is more costly to make necessary security changes after you have opened that door or window.
Dan Burger: Pat, you recently got a master’s degree in security, which is a funny thing considering that you have been in this industry for a long time. What did you learn in the academic world that you didn’t learn out there in the trenches?
Pat Botz: I got a master’s degree in cybersecurity and leadership – with a concentration in governance oversight. I always knew that executives have a vital role to play in managing security, but I didn’t have a real handle on what that looked like and how it is done. And this degree helped me understand how executives need to be involved, even without being technical people. This filled in a lot of the blanks.
I have always thought that I have skills on both sides of that fence, and what I am really looking forward to being able to do is being a translator, helping executives tell technical people what they need and then helping technical people translate this into what they need to do.
Chris Heim: All you have to do is pick up the newspaper every day and see the impact that breaches have on business, stock prices, reputation, and everything else. Target had a black eye for several years because of their breach. I think there is a higher awareness among executives, and they want to protect their companies and their legacies.