Raz-Lee Reels In The File Editors
April 10, 2019 Alex Woodie
File editors can be great time-savers in certain situations. Who wouldn’t want developers to be able to quickly get into a database file, fix some errors, and then jump back out? Clearly, the answer is the security department. But thanks to a new solution from Raz-Lee Security called iSecurity Safe Update, file editors can be used without giving the security officer nightmares.
File editors are among the most popular products on the IBM i platform, thanks to their ability to let developers and administrators make changes to data quickly and easily, without requiring programming. The IBM i operating system comes with Data File Utility (DFU), not to mention the Start SQL (STRSQL) command.
There are plenty of IBM i professionals who absolutely swear by products like ProData’s Database Utility (DBU) as an indispensable tool on their belt. Other popular products include HelpSystems Surveyor/400, WRKDBF, and even Raz-Lee Security’s own Filescope offering, which is focused on exploring security.
However, with great power comes great responsibility, and that’s a problem when it comes to file editors and the Start SQL (STRSQL) command. While the better file editors like DBU track all activity, it’s still possible for an ill-informed (or malicious) user to do some damage with a file editor or direct SQL access to the database, especially when working on a live production system.
What’s more, government regulations, including the Sarbanes-Oxley Act, explicitly require covered computers to be modified only by allowed programs. In that sense, the ad-hoc, one-off nature of file editor use is in direct conflict with today’s corporate environment, which demands strict adherence to rigor and process.
“File editors can be considered as a threat as it allows users to bypass the organization application rules, which are implemented in the programs that are normally used in the organization,” Raz-Lee CEO Shmuel Zailer tells IT Jungle. “Actually, the easiest way to conduct a fraud is by usage of a file editor. Most companies, and of course banks, insurance companies, and others in the financial sector, ban file editor use.”
Raz-Lee has tried to address the file editor conundrum before by using object authorities and user access authorization, according to Zailer. However, those attempts came up short. But now the company has a new way of enabling file editors to be used without violating security rules. The new product, called Safe-Update, provides that capability.
“We talk about protecting business critical files from file editors, but end up using the existing authority system to prevent programmers from accessing the files,” he says. “That isn’t what we wanted. With the added security layer that Safe-Update provides, we finally can ensure that file updates are done by allowed programs only, unless specific temporary permission was set.”
Raz-Lee says Safe-Update protects IBM i shops by ensuring that updates are done by a preset list of programs, which can include or exclude file editors or the STRSQL command. The company says file editors can be used, as long as they don’t issue any updates. But if there is a need to allow updates by file editors, Safe-Update can allow it by using a new permission system.
Safe-Update allows a developer to get access to a file editor or STRSQL only if a work order has been entered into the system. The task that’s to be performed is specified in the work order, and the programmer can begin fulfilling the work order through a ticket.
As long as that ticket is open, the programmer “can use any program to accomplish the mission, knowing that all updates are fully documented,” Raz-Lee says. The ticket can limit the scope of the work to be done according to files, time, and the number of operations that are allowed. If the programmer stops using the ticket, the ticket is automatically closed.
Safe-Update can be configured to automatically kick in whenever a programmer attempts to update a production system. When an update is attempted, a window will pop up requesting the ticket, Raz-Lee says. The ticket may or may not require permission from a manager. “Less security-focused organizations can allow programmers to open ad-hoc tickets directly while specifying the reason for them,” the company says.