iTech Solutions Keeps You In The Know With VERIFi
February 22, 2021 Alex Woodie
“An ounce of prevention is worth a pound of cure.” That time-tested bit of advice from Ben Franklin has many applications, including, it turns out, IBM i systems management. And through its new VERIFi offering, iTech Solutions is set to provide many ounces of prevention by keeping customers on top of what is happening with their IBM i servers.
iTech Solutions’ VERIFi comes in three flavors. With VERIFi Weekly Status Reporting, the company remotely monitors key aspects of IBM i server health and summarize those findings in a PDF sent once a week for $295 per year. It offers an in-depth security version of the reporting service, called VERIFi Security Advisor, which is sent every other week for $1,200 per year. At $1,450 per year for both services, VERIFi+ has the potential to prevent the types of IT calamities that can cost undisciplined admins one or more pounds of flesh.
The VERIFi program is driven by iTech Solutions IBM i Systems Engineer Steve Pitcher. The IBM i specialist had been cobbling together security information about customers’ systems, such as the use of special authorities, password levels, and encryption certificates. Pitcher would spend hours gathering this information and then compiling it into reports sent to the iTech Solutions’ managed services customers, who lean on the Danbury, Connecticut-based IBM business partner to manage IBM i servers around the globe.
“We used to collect all that stuff manually, which was a bloody nightmare for any type of statistical analysis,” Pitcher tells IT Jungle. “I didn’t want to spend five to six hours manually grabbing information from the system and then typing up a report. I want to run a job that takes literally three to four seconds to run, and then I have nearly everything I want to see on that report to tell a customer where they stand.”
The key to automating the data collection turned out to be the collection of Db2 Services that Scott Forstie, IBM’s Db2 for i Business Architect, and his team have built into the platform. These SQL-based services provided the core functionality that allowed Pitcher to automate most of the information-gathering that VERIFi demanded.
“We started tapping all the Db2 Services,” says Pitcher, who is also a COMMON board member and an IBM Champion for Collaboration Solutions. “Most of the stuff that I want to see is easily attainable by way of SQL.”
For example, if Pitcher wanted to look into user profiles, ten years ago he would have executed a Display User Profile (DSPUSRPRF) command to an output queue, and then run some query over it. That still works, with but Db2 Services, it can be executed via SQL.
“I can get all that information by way of a SELECT * FROM QSYS2.User_Info,” Pitcher says. “I can get the amount of users with default passwords. I can get users with a default password that have special authority. I can get everything in between as well, from encryption information to audit journal information to how many people have ALLOBJC, SPLCTL, JOBCTL – it’s pretty handy.”
Pitcher has been known to request new SQL-based services from Forstie and his crew. Considering the number of new Db2 services (not to mention IBM i services) that IBM added with the last Technology Refresh, he’s not the only one asking for new functions. “He’s been quite perceptive,” Pitcher says.
The VERIFi Weekly Status Reporting presents important information that should be checked frequently, such as disk usage, the date of the last SAVESYS, the total number of jobs, and the maximum number of jobs.
But the weekly report can also provide a heads up to IBM i components that are often overlooked, such as when a TLS encryption certificate is set to expire or to detect when a cache battery is starting to die. It can also detect big discrepancies in software licensing, such as when a box is licensed for 10 users but is being used by 5,000.
VERIFi Security Advisor measures about 120 different security-related aspects on the IBM i server. It generates SQL to investigate system settings related to encryption, the audit journal, system values, user profiles, private authority on libraries, authorization lists, and group authorities. The queries are executed on the customers’ machine, and raw data is boiled down to information that’s presented in a single PDF (one for each LPAR) that’s generated by iTech Solutions and emailed on the first and the 15th of each month.
If there is an obvious deficiency in a given area of security, the VERIFi report will highlight it. Security settings typically change slowly, Pitcher says, and so the idea is to provide a historical reference that demonstrates how customers are improving their security posture over time.
“If I see you’ve got 65 people with ALLOBJ authority on your system, that’s going to be highlighted in red,” Pitcher says. “That’s going to tell you, you’ve got a problem. Hopefully, a year from now, you’ll have that number down to a reasonable amount.”
For companies that must pass an IT audit, the VERIFi reports can be used to demonstrate that the customer has brought in an independent third-party to assess the strength of its security protections and is taking action to remedy any deficiencies.
“What we do is provide you with a report proactively to say ‘Look, here’s where the holes were. Here’s what it was when we got the report initially four or five months ago, and here’s what we’re doing, what our plan is,’” Pitcher says. “By doing that, it shows your auditors that you’re being proactive, that you’ve consulted with an expert in the field, and you got a third-party, non-biased opinion on what we’re doing and how we’re doing it. There’s value to that.”
Pitcher recognizes there’s nothing preventing readers at home from tapping into the same SQL-based commands that IBM ships with the server. That’s the mad genius behind the hundreds of IBM i Services and SQL Db2 Services that Forstie and his team are generating: They’re free for any IBM i customer to use.
But there’s a difference between taping into a pre-build Db2 Service and the VERIFi offering, Pitcher says. “Forstie and his team have provided some good examples,” he says. “But the SQL commands are all ones I’ve put together. So if they have views, tables and user defined functions wrapped in a views, or APIs wrapped in a view call, then I’m just going to hit that with my own SQL and pull out whatever I want to see out of it.”
If customers don’t have the time to fix the problems that iTech Solutions finds, they can tap into the company’s professional services.
For more information on VERIFi, check out info.itechsol.com/verifi.