Is Authority Collection The Right Thing For IBM i Security?
August 12, 2019 Alex Woodie
In the past two releases of IBM i, Big Blue has added new security capabilities in the form of the authority collection that allow administrators to see exactly what authorities users need to use their applications. While some welcome authority collection as helping to tighten the security of IBM i applications, others in the IBM i community wonder if the new information is helping at all.
Authority collection debuted in 2016 with the launch of IBM i version 7.3. When the feature is activated, it monitors what authorities (such as ALLOBJ, SECADM, and so forth) are being called as users interact with their applications. When the monitoring is over, it generates a list of all the authorities that particular users utilized in their course of their sessions.
Armed with this information, it was IBM’s hope that system administrators, security specialists, or developers of third-party tools could modify the applications to eliminate the use of special authorities, such as ALLOBJ. Instead of utilizing special authorities all day long, the users would run with a lower authority level most of the time, and if needed, use adopted authority as needed to gain authority for certain functions, as then IBM i security architect Jeff Uhling explained to the late Dan Burger in this April 2016 article.
IBM augmented authority collection with this spring’s launch of IBM i 7.4 by adding the capability to monitor what authorities are used on an object basis. So in addition to monitoring authority usage by user, administrators can get a view into what authorities are being used with each object that’s accessed. It also added SQL query capabilities to authority collection.
That feature was added at the request of users as a way to boost their auditing capability, according to IBM i chief architect Steve Will. “You can say for any given object, I can prove to you that there’s nobody touching it who has more authority than they need,” Will told IT Jungle earlier this year. “This kind of completes that story.”
For the most part, the authority collection has been warmly received. The feature showed that IBM was taking action to crack down on the poor security postures of many IBM i shops. We know from PowerTech‘s annual State of Security surveys over the years that too many IBM i systems are vulnerable, and that too few IBM i shops are taking advantage of the security features that the platform makes available to them. Overuse of powerful authority levels, in addition to weak password rules and a lack of oversight of exit points have been highlighted as major problems over the years.
The excessive authority problem is largely a byproduct of the legacy application situation. In the old days (i.e. before the Internet), IBM i developers weren’t concerned with using good security practices when building their applications, and so they did things like using ALLOBJ to allow regular users to access applications and data. As the world became more connected and dangerous, following good security practices became a higher priority. But that gap between the legacy IBM i applications and the current security environment remained in place.
Adopted authority represents one way that IBM has tried to tackle the problem. Instead of opening up the applications and undertaking a major overhaul of authorities, IBM’s Uhling recommended that users address the problem by utilizing adopted authority. IBM i is one of the most secure-able platforms on the market, and adopted authority – by way of the authority collection – provides one way for IBM i shops to boost their security.
But is this the best approach? Some folks in the community have a difference of opinion, including Schmuel Zailer, chief technology officer at Raz-Lee Security, which develops IBM i security software. According to Zailer, the authority collection generates so much information that it’s practically unusable.
“What do you do with that information? That’s the question,” Zailer explained to us recently. “Now you have so many details. Every time that each one of us touch the files, we have all the possible authorities, and all the authorities needed for the file, and we have to compare it by how?”
The data generated by the authority collection is too voluminous and complex for your average system administrator to do much with, he said. “The authority collection information is several thousands of records, if not tens of thousands or hundreds of thousands,” he said. “It’s very complex.”
While Zailer dubs authority collection a “mistake,” he still oversees the development of Authority Investigator, which is a tool released in 2017 that helps IBM i users to make sense of the data generated by the authority collection. “We need a tool to compress the data so that we can see the forest and not the trees,” he says. “We see too many trees.”
Part of the problem is that there are multiple paths that administrators, users, developers, and even IBM can take to address the security problem. Authority collection was created, ostensibly, as a bridge to use the adopted authority mechanism that IBM makes available in IBM i. But there’s also debate as to whether adopted authority is the best approach for eliminating the excessive authority problem.
The adopted authority mechanism brings its own set of limitations, the biggest of which is the IFS. If the user has objects stored in the IFS, the operating system will ignore adopted authority when checking whether the user has authority to access the object.
An alternative to adopted authority is profile swapping, in which a user temporarily switches in a more powerful user profile that has the necessary authority to accomplish some task, then switches back when it’s over. Many IBM i vendors, including Raz-Lee, offer some version of a profile swap or profile switch.
At the same time, some folks in the IBM i community argue that authority levels shouldn’t be handled according to user profiles, but should be managed by the job. And they also maintain that it’s the responsibility of the developer to ensure these jobs have the appropriate authority levels, not the job of an administrator.
Authority collection remains a work in progress. IBM is adamant that the new object-based views added in IBM i 7.4, not to mention new SQL capabilities, will boost is usefulness. It will take some time for the user community to use the product and decide whether it fits the bill, and, if necessary, make further changes, which Alison Butterill, IBM i offering manager, suggested could be made if needed.
In the meantime, the debate will continue over how best to handle the vexing IBM i security challenge of excessive authorities on the IBM i.
Meet IBM’s New Security Architect for IBM i
How IBM i 7.4 Improves Security
While I agree a lot of information has been provided by the Authority Collection, it is THE BEST tool I have ever seen from IBM. We have used it extensively while helping our clients to remediate wide-open access control settings. It’s invaluable because it takes the guess-work out of what authority is required. And all you have to do is use the Run SQL Scripts feature of Access Client Solutions and run an SQL to filter out the information you don’t need. ACS even has several examples provides in their ‘Insert from Example’ feature to aide us. It not only helps determine what authority is required but also helps debug security failures because it shows the current source of authority plus what authority is required. Again, our clients have found this tool invaluable. I can’t wait until more of our clients have upgraded to V7R4 to be able to use the features added that release.