How Fresche Fills Security Gap with Trinity Guard
March 21, 2022 Alex Woodie
We live in a world full of security threats. Black hat hackers – some working for themselves and some working for the governments of China and Russia – are constantly probing the Internet, looking for weak links in the information supply chain. With its acquisition of Trinity Guard, Fresche Solutions is determined to prevent your IBM i server from being one of them.
It can be hard to fathom the impact that cybersecurity attacks have on the world, and the enormous pains that some organizations are taking to thwart them. In 2021, ransomware grabbed our attention thanks to large attacks that brought down chunks of industry, including gasoline pipelines, hospitals, food processing plants, and schools. IBM i shops, as we all know, are not immune to these threats.
While ransomware attacks were down 37 percent in January compared to December, according to NCC Group, they’re still occurring at a high level and remain top of mind for chief information security officers (CISOs). When you factor in incidents like the Log4j vulnerability disclosed in December and the potential for a wider cyberwar with Russia, the potential impact of security breaches only grows. The direct cost of cybercrime topped $1 trillion for the first time last year, according to a December 2020 report from McAfee, and it would be surprising if the costs went down in 2022.
This is the backdrop against which Fresche Solutions executed its acquisition of Trinity Guard, which we reported last week. Trinity Guard was one of the last remaining independent providers of security tools for IBM i. The Houston, Texas, company is the spiritual successor to PentaSafe, an early provider of security tools for the AS/400 and iSeries platforms.
As Fresche executives looked at their own offerings for IBM i and the growing need for security tools, they found Trinity Guard fit quite nicely into their current and future plans.
“We always had this portfolio gap with security,” says Marcel Sarrasin, chief product officer at Fresche. “When we look at what our customers want, at surveys, whether it’s our own, or whether it’s HelpSystems surveys, security is number one. And we always had a bit of a gap in the overall portfolio.”
The acquisition of Trinity Guard gives the Montreal, Quebec-based company a full suite of security tools designed predominantly for IBM i, but also with some Linux and AIX capabilities. At the top of the list is TGSecurity Suite for IBM i, which contains the big three products (you could call it the “Holy Trinity”) for locking down IBM i environments.
This includes TGSecure, which brings control over exit points, user profile management, resource control, access escalation, and locking down inactive sessions, among other capabilities. TGDetect, meanwhile, automates the monitoring of IBM i security events and lets users generate custom alerts so humans can react quickly. TGAudit rounds out the suite with tools for finding security vulnerabilities in how IBM i systems have been configured, as well as for complying with industry regulations. Bringing it all together is TGCentral, which functions as a centralized control point for managing security on multiple IBM i LPARs. Trinity Guard also offers TGAudit for Linux, which can help customers ensure their Linux servers do not have gaping security holes and are not out of compliance. Lastly, the company has TGEncrypt, which it launched in late 2020 and which provides 256-bit AES encryption for data stored in Db2 for i.
Having the Trinity security tools available will be a boon for Fresche as it looks to help IBM i shops embark upon application modernization initiatives and digital enablement, but without creating new vulnerabilities in the process, Sarrasin says.
“The lack of confidence and knowledge in security is a detractor to people modernizing applications, going to the Web, having a Web server on your system, using open source technologies,” he tells IT Jungle. “They can be hesitant because they don’t understand it. So that gives us a great tie-in there, whether there are vulnerabilities in your open source software, the Web servers, ports, sockets, whatever – we can monitor those specific things through Trinity Guard.”
Sarrasin recalls discussions he had with prospects on the platform when he first broke into the business with BCD Software, which developed and sold the WebSmart line of products.
“I remember back 20 years ago, we were just entering the Web world with WebSmart, and our biggest challenge at the time was if it was okay to have a Web server on IBM i,” he says. “That was our whole thing. Nobody wanted to have a Web server on the IBM i. ‘Oh, I’m opening up my whole system.’ Back in that day, they didn’t know SSL, encryption. The world is way different now, and there’s way more to know.”
Web technology has improved immensely since the year 2000, and the quality of our security tools has gone up, too. But misconceptions in the installed base still run rampant, and that makes selling security software or services on IBM i more of a challenge than it should be.
“We run into it all the time. One of the common things is, ‘Oh, we have a firewall. We don’t need security on the IBM i,’” says Pauline Brazil Ayala, a Trinity Guard co-founder and its vice president of operations. “The thinking is shifting a little bit. We’re slowly getting there. But there’s still so much room for education.”
A skilled IBM i professional can configure the operating system to maximize security without using power tools, such as what Trinity Guard and other security software companies offer. When you start adding multiple LPARs or systems, the complexity factor and the time commitment go up proportionally.
Considering the big concerns that IBM i shops have expressed around security, it’s a wonder why more of them haven’t adopted power tools to help guide them through the process of setting up good security controls and keeping them in place. By some accounts, the penetration rate of security automation tools is only 10 percent, which is extremely concerning to security professionals.
Some of the conversations that Brazil Ayala hears about security on the platform and the astonishingly low adoption rate leave her with no choice but to scratch her head in veritable wonder.
“It’s very hard to believe. I see posts about this kind of stuff. What do you say? Yes, you need security on IBM i. I don’t know how else to say it. You absolutely need it, and you should be enforcing your security,” she says. “It’s really time for people to wake up and get serious about this stuff. You can’t play ‘as usual’ in this environment.”
One of the reasons Fresche was drawn to Trinity Guard was the technical acumen of its developers.
“When we look at the portfolios, we look for really strong technical companies with great products, and see how our sales, marketing, reach, reputation, and brand recognition can help, and that’s why this makes so much sense,” Sarrasin says. “One of the things that really impressed us with Trinity Guard is how current and updated they are. If there’s a new operating system, they’re all over the new features. What are the auditing capabilities? What are the new compliance requirements? And they keep their reports up-to-date, always current, and I think that’s a bit rare sometimes in the IBM i security space.”
Brazil Ayala acknowledges that Trinity Guard focused primarily on the task of developing security software, rather than trying to sell it.
“One of the things that we have struggled with is the sales and marketing side. We’re primarily developers. We love product development, we love the engineering side,” she says. “We’ve leveraged partners quite a bit over the years, which has been awesome, and we plan to continue to do that as well. But we were very excited with just the whole breadth of what Fresche has to offer and how they can take our products up to the next level and really get them in front of people.”
The plan calls for Trinity Guard to continue operating as an independent unit. Fresche, which just acquired managed service provider (MSP) Abacus Solutions in October, is eager to take the Trinity Guard products to that installed base, which includes managing customer IBM i environments in the Abacus datacenters as well as in customers’ own shops. The company is currently analyzing how the Trinity Guard offerings may integrate with existing products.