• The Four Hundred
  • Four Hundred Monitor, June 15

    June 15, 2020 Jenny Thomas

    We survived another week, which in 2020 is probably something to celebrate. And it appears our industry is beginning to wake up, as we are starting to see a little more news that isn’t directly related to COVID-19, although it will be some time before the pandemic is out of the conversation, and its impact has forever changed the way we will do many things. Travel is still not on the radar for most, but it will be interesting to see what the summer brings. In the meantime, the online game is strong, so be sure to check out what’s coming to a computer near you in our calendar section below.

    Top Stories From Outside The Jungle

    (The Street) Is IBM lining up another acquisition? This analyst thinks something is in the works.

    (CIO) Need more reasons to go for digital transformation? Look no further than COBOL.

    (TechRadar) 2020 hasn’t been good for server and storage sales.

    (TrendMicro) IBM Cloud had a rough week when users reported an outage that brought down their websites.

    (FastCompany) Now that we can all work from home, what will become of Silicon Valley?

    Redbooks, White Papers, Blogs, and Other Resources

    (Raz-Lee Security) This free eBook, “Ensuring your IBM i is compliant with government and industry regulations,” offers an overview of major government and industry regulations, penalties, and the security and monitoring measures that need to be implemented to comply.

    (Profound Logic) With Profound’s React capabilities, application renderings can be done quickly by pointing to a Rich Display definition.

    (Go Anywhere) If you currently use FTP scripts or a similar method for transferring files, or if you’re just looking for a better, quicker, and more secure way to transfer data, watch this webinar to learn more about replacing outdated methods with Managed File Transfer.

    (Fresche Solutions) How are you leveraging your systems and innovating for the future? Fresche’s 2020 IBM i in Business Survey will provide critical understanding into the role that IT plays in business. Participants will receive a report and invitation for a live session about the results.

    Chats, Webinars, Seminars, Shows, and Other Happenings

    June 15-June 18 – Webinar Series – The Summit Lunch & Learn series offers free online technical sessions for IBM i developers. RPG & DB2 Summit teammates Jon Paris, Paul Tuohy and Susan Gantner host live sessions led by guest instructors, including IBM Champions, IBMers from the Rochester and Toronto labs, and ISVs with developer-focused tools. Review and register for any or all of the topics here.

    June 16 – Webinar – This information session from Fresche Solutions, “Achieving Quick IBM i Modernization Wins with Web and Mobile Development,” will give the business case for IBM i UI modernization and web development with real world examples and strategies for getting it all done.

    June 18 – Webinar – Not a front end web developer? No worries! This course from MAGiC (Mid-Atlantic Group of IBM i Collaborators) will give you an overview of client-side web UI frameworks, in particular, Bootstrap 4 and Datatables on IBM i. You will learn about grids and responsive design, Bootstrap CSS, and JavaScript components.

    June 23 – Virtual Conference – Log in, learn, and have fun at this year’s Michigan IBM Power Systems Technical Education Conference (MITEC). View more than 70 sessions from world class presenters, visit virtual booths, and connect with students and educators. Access all sessions for 30 days for only $125!

    June 23-24 – Virtual Conference – OpenJS World is a virtual experience from OpenJS Foundation. This annual event brings together the JavaScript and web ecosystem including Node.js, Electron, AMP, and more.

    July 22-24 – Virtual Conference – OCEAN TechCon20 is three days of inspiration and innovation featuring many expert speakers, including Liam Allan, Patrick Behr, Rob Bestgen, Jim Buck, Erwin Earley, Charles Guarino, Mark Irish, Scott Klement, Doug Mack, Aaron Magid, Dan Magid, Eamon Musallam, Mike Pavlak, Steve Pitcher, Alan Seiden, and Carol Woodbury!

    June 25 – Webinar – If Db2 on i is your primary database, but you run business applications on other platforms or the cloud, let New Generation Software and ProData show you an affordable, easy way to access it all from IBM i during this free webinar.

    POSTPONED – August 31-September 3 – Tampa, Florida – POWERUp 2020 will offer between 350-400 sessions presented by more than 100 IT professionals, and features the largest exposition of its kind. This conference is structured to give you the pure education and professional connections needed to best enhance your career.

    May 3-5, 2021 – Framingham, Massachusetts – Plan now for the 2021 Northeast User Group (NEUGC) Conference. NEUGC is the largest technical conference in New England for IBM i.


    Sponsored by
    Kisco Information Systems

    The Case For Implementing Exit Points

    By Rich Loeber

    Someone recently asked me if there was someplace on the Internet where they could see a case made for implementing exit points on their IBM i system. I was at a loss for a comprehensive source and this got me thinking that it might be a good idea to just create one here.

    Security exit points on the IBM i (and its predecessor OS/400) have been in existence since the mid-1990s. When the system was opened up to network access, the need for additional security over and above the standard IBM i OS security was apparent. IBM’s solution was to let their customers solve the issues on their own by giving them access to specific decision points in the various network server functions that were being rolled out. Server functions were being added to the IBM i OS to support network access to the system like FTP, ODBC, SQL, mapped drives in the IFS, file upload and download, remote command calls and a lot more. Since that time, even more network functions have been added along with related new exit points.

    To be fair and above board, I must also disclose here that my company, Kisco Information Systems, jumped on the exit point bandwagon right away when the exit points were initially rolled out. Since 1996 we have been selling a comprehensive general use exit point solution called SafeNet/i, now in its 11th release.

    The question I was asked was “Why does my shop need to implement exit point controls?” That is what I want to address here. I will do so by describing several cases where additional security is needed over and above the already excellent security features that are built into the IBM i OS.

    Case #1: The classic case for exit point implementation comes from the 5250 terminal application days. If you have a Payroll Application that runs on your IBM i and is maintained by one or more clerks, OS security has to give access to the payroll files for those clerks, but the application and terminal menu system can easily be used to restrict what operations they can do on the payroll master files. That access will probably grant them *USE access so they can update files and generate payroll checks and reports.

    The above scenario is secure from an application perspective, but you would never want your payroll clerk to be able to download the payroll master files and take them home on a USB drive, would you? An exit point implementation can prevent this access. The exit point process runs on top of the IBM i OS and can be used to restrict server functions by user profile, source IP address and even by objects accessed. This leaves the IBM i OS security intact for the 5250 terminal application and also prevents unauthorized access via the network connection.

    Case #2: Many IBM i shops have one or more “regular users” defined with *ALLOBJ access in their user profile. This can happen for lots of reasons and in many cases, it would take a very long time to correct. I never recommend granting *ALLOBJ access to regular users, but if your system has evolved with this issue, it cannot be fixed overnight. In many cases, the application itself is providing the security. The issue, however, is that these users literally have access to ALL OBJECTS on your system. With network access to your system, one of these users could easily download sensitive data from your system, including credit card information and customer identity information, and hide it on a USB drive and walk out the front door and nobody would be the wiser.

    An exit point implementation can address this issue. Using exit points, you can restrict object access by user profile even though the user is set up with *ALLOBJ. In fact, object access can even be restricted for the QSECOFR security user profile. This can help to protect your system from abuse by a user profile that has been granted more access rights than they really need.

    Case #3: Since the TCP/IP communications utility FTP was added to the IBM i OS, a very easy to use network application lets users interact with the IBM i system without using a 5250 interface. The FTP user can browse objects on your system and upload or download them. A talented FTP user can even execute IBM i commands through FTP. For some shops, you want a user to have these capabilities, but you wouldn’t want them granted on a broad basis.

    Exit points can help with this, too. First, you can easily restrict which user profiles are allowed to use FTP. Then, you can further restrict which FTP commands they are allowed to use letting them do a PUT, for example, but disallowing a GET. Then, you can even give the user contextual access rights by only allowing an FTP connection from a known and trusted IP address, such as an internal IP address. Then, if the user’s credentials are compromised, the FTP connection will still have to be established from a trusted source.
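
    The layered FTP decision described above (profile allowed, operation allowed, trusted source address) can be sketched as a default-deny policy check. This is an added example, not code from the article, Kisco, or IBM; it is a simplified model rather than an IBM i exit program, and the profile names other than QSECOFR, the operation names, and the networks are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy: profile names, operations and networks are hypothetical.
@dataclass(frozen=True)
class FtpRule:
    allowed_ops: frozenset    # FTP operations this profile may perform
    trusted_nets: tuple       # source networks the session must come from

POLICY = {
    "APCLERK": FtpRule(frozenset({"PUT", "LIST"}),
                       (ipaddress.ip_network("10.20.0.0/16"),)),
    "NIGHTJOB": FtpRule(frozenset({"PUT", "GET", "LIST"}),
                        (ipaddress.ip_network("10.20.5.17/32"),)),
}

def decide(profile: str, operation: str, source_ip: str) -> tuple:
    """Return (allowed, reason). Anything not explicitly permitted is rejected."""
    rule = POLICY.get(profile.strip().upper())
    if rule is None:
        # No rule means no FTP, whatever object authority the profile holds.
        return False, "profile not enabled for FTP"
    try:
        addr = ipaddress.ip_address(source_ip.strip())
    except ValueError:
        return False, "unparseable source address"
    if not any(addr in net for net in rule.trusted_nets):
        return False, "source address not trusted for this profile"
    if operation.strip().upper() not in rule.allowed_ops:
        return False, "operation not permitted for this profile"
    return True, "permitted by rule"

def audit(requests):
    """Evaluate each request and return one log record per decision."""
    records = []
    for profile, op, ip in requests:
        allowed, reason = decide(profile, op, ip)
        verdict = "ALLOW" if allowed else "REJECT"
        records.append(f"{verdict} {profile} {op} {ip}: {reason}")
    return records

# Constructed sample requests: (profile, operation, source address).
SAMPLE = [
    ("APCLERK", "PUT", "10.20.3.44"),    # normal upload from the internal network
    ("APCLERK", "GET", "10.20.3.44"),    # download attempt by an upload-only profile
    ("APCLERK", "PUT", "203.0.113.9"),   # valid credentials, untrusted source
    ("QSECOFR", "GET", "10.20.3.44"),    # powerful profile with no FTP rule
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

    The check never consults object authority, which is why the QSECOFR request is rejected in the same way as any other profile without a rule.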

    To sum up: These are just a few examples of why IBM i shops should consider exit point implementation for additional security on your IBM i system. There are literally dozens of additional scenarios that can be described, but these should get you started on making a case for exit points. It is my belief that every IBM i shop should have some form of exit point controls in place in order to be secure. If you are interested, I can heartily recommend Kisco’s SafeNet/i software if you want to jump in and get started.

    If you have questions about details of this tip, feel free to contact me directly by email, download our FREE utilities, or visit our website for more information.


TFH Volume: 30 Issue: 37

This Issue Sponsored By

  • Fresche Solutions
  • MITEC
  • TL Ashford
  • Kisco Information Systems
  • WorksRight Software

Table of Contents

  • More Open Source Databases Coming To IBM i
  • Why You Need To Implement Exit Point Security – Now
  • Guru: SUBSET on EXECUTE and OPEN
  • Four Hundred Monitor, June 15
  • IBM i PTF Guide, Volume 22, Number 24


Copyright © 2021 IT Jungle
