The “Easy” Button for Provisioning IBM i Users

All trademarks and registered trademarks are the property of their respective owners. © HelpSystems LLC. All rights reserved.


Today's Agenda

• Introduction
• The Profile Challenge
• Why Policy Matters
• Power Admin Demonstration
• Security Scan


Today's Speakers

ROBIN TATAM, CISM CBCA PCI-P
Director of Security Technologies


Today's Speakers

PAUL CULIN
Sr. Information Security Engineer


About HelpSystems’ Security Investment

• Expansive Multi-Platform Software Portfolio.
• Comprehensive Professional Services.
• World-Class Security Experts:
  – Robin Tatam, CISM CBCA PCI-P
  – Carol Woodbury, CRISC
• Member of PCI Security Standards Council.
• Authorized by NASBA to Issue CPE Credits for Security Education.
• Publisher of the Annual “State of IBM i Security” Report.


Comprehensive Security Solutions


Best of Breed Security Products


Data Security Lifecycle

Professional Security Services


Today's Agenda

• Introduction
• The Profile Challenge
• Why Policy Matters
• Power Admin Demonstration
• Security Scan


The State of IBM i Security Study

HelpSystems uses anonymous audit data from our Security Scan tool to compile an annual study of security statistics.

This study (available online) provides a picture of what IBM i shops are currently doing with their security controls.

And, year after year, it shows that there is definitely still room (and a need) for improvement!

(The study sample consists of security-aware environments.)


Special Authorities: What's So Special?

• Special authorities are only for administrators!
  – *ALLOBJ: Complete control of the system
  – *SAVSYS: Save, restore, and delete anything
  – *SPLCTL: Complete control of spooled files
  – *SERVICE: Alter hardware, storage, and clear disks
  – *SECADM: Create and delete user profiles
  – *JOBCTL: Manage jobs, PWRDWNSYS, and more
  – *IOSYSCFG: Configure communication services, TCP/IP
  – *AUDIT: Modify system audit values
• Learn more at: www.helpsystems.com/resources/guides/managing-privileged-users-ibm-i


2016 State of IBM i Security Study

[Bar chart. X-axis: Type of Authority (*ALLOBJ, *SECADM, *IOSYSCFG, *AUDIT, *SPLCTL, *SERVICE, *JOBCTL, *SAVSYS). Y-axis: No. of Users (Average), scale 0 to 500.]


2016 State of IBM i Security Study

Default passwords are banned by compliance mandates, and for GOOD reason!

Review and resolve using ANZDFTPWD.

Not the fault of the “end” user


Today's Agenda

• Introduction
• The Profile Challenge
• Why Policy Matters
• Power Admin Demonstration
• Security Scan


Legislative Reactions

• Legislatures create laws
  – Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, SB1386, and more
• Laws are open to interpretation
  – Sarbanes-Oxley Section 404:
    “Perform annual assessment of the effectiveness of internal control over financial reporting…”
    “…and obtain attestation from external auditors”
• Auditors are the interpreters


The Auditor's View

• Auditors interpret regulations:
  – Auditors focus on frameworks and processes
  – Auditors have concluded that IT is lacking when it comes to internal controls
• Executives tend to follow auditor recommendations


The Auditor's View

• Distributed Provisioning:
  – Ensure that users are created on (and only on) the necessary systems
    – Programmers only onboarded on development partitions
    – Rapid deployment of new users in defined roles
    – Audit and realignment during profile lifecycle
    – Simple end-of-life processing


The Auditor's View

• Resolve Inconsistencies:
  – Ensure that users are created using a standardized template
    – Special authorities
    – Command line restrictions
    – Initial program and menu
    – Accounting code

Applicable to both uni- and multi-partition servers
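
The template check described on the two "Auditor's View" slides above, as an added example (not HelpSystems or Power Admin code): each profile record is compared with its role template for partition placement, special authorities, command line restriction, initial program and menu, and accounting code. The role names, partition names and profile records are constructed; the keys reuse the CRTUSRPRF parameter names.

```python
# Added illustration; roles, partition names and profile records are constructed.
# Keys follow the CRTUSRPRF parameters: SPCAUT (special authorities), LMTCPB
# (command line restriction), INLPGM / INLMNU (initial program / menu), ACGCDE.
TEMPLATES = {
    "PROGRAMMER": {"SPCAUT": {"*JOBCTL"}, "LMTCPB": "*NO", "INLPGM": "*NONE",
                   "INLMNU": "MAIN", "ACGCDE": "DEV", "partitions": {"DEVLPAR"}},
    "ORDER_ENTRY": {"SPCAUT": set(), "LMTCPB": "*YES", "INLPGM": "ORDPGM",
                    "INLMNU": "*SIGNOFF", "ACGCDE": "SALES", "partitions": {"PRODLPAR"}},
}
SCALAR_FIELDS = ("LMTCPB", "INLPGM", "INLMNU", "ACGCDE")

def audit_profile(profile):
    """Return the list of policy exceptions for one profile record."""
    template = TEMPLATES.get(profile["role"])
    if template is None:
        return [f"no template for role {profile['role']}"]
    findings = []
    # Distributed provisioning: the role may exist only on its listed partitions.
    if profile["partition"] not in template["partitions"]:
        findings.append(f"role not permitted on partition {profile['partition']}")
    # Special authorities granted beyond what the template allows.
    extra = set(profile["SPCAUT"]) - template["SPCAUT"]
    if extra:
        findings.append("special authorities beyond template: " + " ".join(sorted(extra)))
    # Remaining attributes must match the template exactly.
    for field in SCALAR_FIELDS:
        if profile[field] != template[field]:
            findings.append(f"{field} is {profile[field]}, template says {template[field]}")
    return findings

def audit_all(profiles):
    """Map (partition, user) to findings, keeping only non-compliant profiles."""
    report = {}
    for p in profiles:
        findings = audit_profile(p)
        if findings:
            report[(p["partition"], p["user"])] = findings
    return report

SAMPLE_PROFILES = [  # constructed records, one per profile per partition
    dict(partition="DEVLPAR", user="JSMITH", role="PROGRAMMER", SPCAUT={"*JOBCTL"},
         LMTCPB="*NO", INLPGM="*NONE", INLMNU="MAIN", ACGCDE="DEV"),
    dict(partition="PRODLPAR", user="JSMITH", role="PROGRAMMER",
         SPCAUT={"*JOBCTL", "*ALLOBJ"}, LMTCPB="*NO", INLPGM="*NONE",
         INLMNU="MAIN", ACGCDE="DEV"),
    dict(partition="PRODLPAR", user="MJONES", role="ORDER_ENTRY", SPCAUT=set(),
         LMTCPB="*NO", INLPGM="ORDPGM", INLMNU="*SIGNOFF", ACGCDE="SALES"),
]

if __name__ == "__main__":
    for key, findings in audit_all(SAMPLE_PROFILES).items():
        print(key, findings)
```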


Endless News Reports of Insider Breaches


Solution: Power Admin

• ROLE-BASED SECURITY
• EVENT HISTORY AND REPORTING
• HIGHLIGHT POLICY EXCEPTIONS OR UNAUTHORIZED UPDATES TO PROFILES
• TEMPLATE-BASED MANAGEMENT


Why Power Admin?

• Government regulators and IT auditors demand accountability.
• Legislatures have created laws that require us to prove that our IT infrastructure is secure.
• Non-compliance penalties range from public disclosure and fines to prison sentences for executives.
• Executives are finally taking IBM i security very seriously.


Why Power Admin?

• Allows you to reclaim the user lifecycle to ensure a consistent, managed profile environment
  – Power Admin lets you specify where and how users are deployed.
  – Power Admin removes the complexity and costs associated with managing profiles across many virtual machines.
  – Power Admin works with IBM i security to correctly protect assets.
  – Power Admin audits the configuration of users between their creation and deletion.


Today's Agenda

• Introduction
• The Profile Challenge
• Why Policy Matters
• Power Admin Demonstration
• Security Scan


Today's Agenda

• Introduction
• The Profile Challenge
• Why Policy Matters
• Power Admin Demonstration
• Security Scan


Automated Vulnerability Testing

[Diagram labels: YOUR PC; YOUR IBM i SERVER; YOUR VULNERABILITIES]


Summary

• IT Security has executive attention
  – This is the best opportunity to solve long-standing problems
  – Gain management approval now
• Control users with broad authority to production data
  – Leaving user configuration to chance is both an audit exception and an accident waiting to happen
• Limit the deployment of powerful profiles
  – Monitor and report when profiles are non-compliant
  – Consistent provisioning of users


Additional Resources

• Please visit www.helpsystems.com to access:
  – Demonstration Videos & Trial Downloads
  – Product Information Data Sheets
  – Guides & Technical Articles
  – Customer Success Stories
  – How-To Articles
  – To request a FREE Security Scan

www.helpsystems.com
(800) 328-1000


Questions
