PowerSC Tools for IBM i

Transcription

1 PowerSC Tools for IBM i A service offering from IBM Systems Lab Services

2 PowerSC Tools for IBM i PowerSC Tools for IBM i helps clients ensure a higher level of security and compliance Client Benefits Simplifies management and measurement of security & compliance Reduces cost of security & compliance Reduces security exposures Improves the audit capability to satisfy reporting requirements PowerSC Tools for IBM i is a service offering from IBM Systems Lab Services 2

3 PowerSC Tools for IBM i IBM Systems Lab Services Simplifies management and measurement of security & compliance Reduces cost of security & compliance Improves detection and reporting of security exposures Improves the audit capability to satisfy reporting requirements IBM Lab Services offerings for IBM i security: IBM i Security Assessment PowerSC Tools for IBM i Compliance Assessment Tool Security Diagnostics Privileged Access Control Secure Administrator for SAP Access Control Monitor Network Interface Firewall Benefits Demonstrate adherence to pre-defined security polices Reduces operator time involved in remediating exposures Ensures compliance with guidelines on privileged users Eliminates sharing of SAP administrative profiles Prevents user application failures due to inconsistent controls Reduces threat of unauthorized security breach and data loss IBM i Single Sign On Implementation IBM i Security Remediation IBM I Encryption Audit Reporting Certificate Expiration Manager Password Validation Single Sign On (SSO) Suite Encryption Suite Simplifies audit analysis for compliance officer and/or auditors Prevents system outages due to expired certificates Ensures user passwords are not trivial Reduces for password resets and simplifies user experience Helps meet data security standards and protect critical data PowerSC Tools for IBM i is a service offering from IBM Systems Lab Services For more information on PowerSC Tools for IBM i offerings and services, contact: Terry Ford taford@us.ibm.com Practice Leader, IBM Systems Lab Services Security

4 PowerSC Tools for IBM i Tools / Feature Function Benefit Compliance Assessment and Reporting Tool Security Diagnostics Privileged Access Control Secure Administrator for SAP Access Control Monitor Network Interface Firewall for IBM i Exit Points Audit Reporting Certificate Expiration Manager Password Validation Single Sign On (SSO) Suite Encryption Suite Daily compliance dashboard report/s at LPAR, system or enterprise level Reports detailing security configuration settings and identifying deficiencies Controls the number of privileged users Manages and controls access to powerful SAP administrative profiles Monitors security deviations from application design Controls access to Exit Point interfaces such as ODBC, FTP, RMTCMD, etc Consolidates and reduces security audit journal information Simplifies management of digital certificates expiration Enhances IBM i operating system protection with stricter password validation Simplifies implementation of SSO and password synchronization Simplifies implementation of cryptography using IBM i operating system capabilities Enables compliance officer to demonstrate adherence to pre-defined security polices Reduces operator time involved in remediating security exposures Ensures compliance with industry guidelines on privileged users Eliminates sharing of SAP administrative profiles with enhanced security auditing Prevents user application failures due to inconsistent access controls Reduces threat of unauthorized security breach and data loss Simplifies audit analysis for compliance officer and/or auditors Helps operators prevent system outages due to expired certificates Enables security officers to ensure user passwords are not trivial Reduces password resets and simplifies end user experience Helps application developers meet data security standards and protect critical data PowerSC Tools for IBM i is a service offering from IBM Systems Lab Services 4

5 Positioning IBM i with PowerSC PowerSC Feature Exp Std TS Source of comparable capability for IBM i Security and Compliance Monitoring and Reporting PowerSC Tools for IBM i includes a Compliance Assessment and Reporting Tool Additional products available from ISVs, see Trusted Logging PowerSC Trusted Audit Data Repository Capability is built into IBM i operating system Trusted Boot PowerSC Trusted Digital Signature Verification Capability is built into IBM i operating system Trusted Network Connect and Patch Management No equivalent IBM i functionality Trusted Firewall Trusted Surveyor PowerSC Tools for IBM i contains an optional Network Application Firewall PowerSC Trusted Firewall feature supports IBM i VMs PowerSC Trusted Surveyor offering supports IBM i VMs

6 Compliance Assessment and Reporting Tool Centralized reporting of IBM i security An automated collection, analysis, and reporting tool on over 900 security related risks, information, statistics and demographics. All in one location and easy to use! Covers: - Password management - Profile administration - Special authorities - Group inheritance - Network configuration - Netserver attributes - Operational security - Security risks and more Enables compliance officer to demonstrate adherence to pre-defined or customer-defined security polices. Security reporting made easy! Daily compliance dashboard report/s at VM (partition), system or enterprise level

7 Security Diagnostics In depth security collection and reporting Reduces security administrator time involved in remediating exposures Reports on: User profiles Adopted authority programs Trigger programs Work Management Auditing configuration Network attributes Integrated File System Over 70 reports 7

8 Privileged Access Control Ensures compliance to industry guidelines on privileged users Without careful control, privileged users can pose a risk to your system security. This tool enables the security administrator to reduce privileged accounts, with a mechanism to temporarily elevate privileges to users when needed. Option to change identity for troubleshooting, IFS access and object ownership requirements Fully audited Automated notifications sent to distribution list when tool is invoked that includes a log of activities performed 8

9 Secure Administrator for SAP on IBM i Eliminates sharing of powerful SAP administrator user profiles SAP provided administrator user profiles are often shared leading to security exposures and ineffective auditing. Secure Administrator for SAP on IBM i addresses this exposure by providing a secure and auditable mechanism enabling multiple SAP administrators to utilize the same SAP administrator user profile without sharing the profile itself. Before Secure Administrator for SAP on IBM i: Benefits: SAP administrators now only need their IBM i user profile for SAP administrative tasks Provides the ability to effectively audit SAP administrator user profiles Limits access to authorized users SAP administrator user profiles no longer shared Interactive use of SAP administrator user profiles eliminated Manage multiple SAP installations (running on the same partition) from the same interactive session 9 After Secure Administrator for SAP on IBM i: Commands: CRTSUDOENV and DLTSUDOENV Create/delete the Secure Administrator environment GRTSIDSUDO and RVKSIDSUDO Grant/revoke use of administrator functions for different SAP installations LSTSIDSUDO List Secure Administrator environments and users that have access to each SAP installation SIDSUDO Execute commands under the authority and environment of the specified SAP administrative user profile

10 Access Control Monitor Monitor security deviations from application design Ad hoc or scheduled reporting to check and report on application objects that are out of corporate security policy standards, data classifications, or other security related configurations Prevents user application failures due to inconsistent access controls Monitors compliance of libraries, objects, and authorization Lists Customer extensible to allow automation of objects back into compliance 10

11 Network Interface Firewall for IBM i Exit Points Reduces threat of unauthorized network access Exit programs allow system administrators to control which activities a user account is allowed for each of the specific servers. This easy to use interface addresses the most commonly used network interfaces. Users denied by default for greater security Users allowed are added via menu Allow access through Group Profiles Restrict by IP Address Log only mode Current exit point coverage: DRDA / DDM IFS FTP ODBC/JDBC/File Transfer REXEC RMTCMD (honors LMTCPB!) SQL CLI TELNET *customization required Host Server (Multiple) Customization for additional network interfaces available 11

12 Audit Reporting Security and user auditing management and analysis Work with QAUDJRN journal entries and statistics to understand the demographics that define your security operations. Easily view system and user auditing statistics to demonstrate to management and auditors that security violations are being observed and handled. Filter journal entries by: User Profile Date/Time Manage: User object and action auditing values Library/File/IFS object auditing Auditing system values Journal receivers Scheduler to automate actions and reports Quick Audit of Users 12

13 IBM Systems Lab Services Certificate Expiration Manager (CEM) Simplifies the management of digital certificates Maintains a log of all expiration activities Sends notification via . Easy to use configuration GUI is included for managing the XML settings. Runs on any platform that supports Java. Prevent outages due to expired certificates Certificate University of the Internet Issue Date Distinguished Name Public Key Expiration Date Digital Signature of CA 13

14 IBM Systems Lab Services Password Validation Enhanced protection through strict password criteria Checks the password to see if it contains: The user profile itself Any words from the customer defined dictionary of disallowed words Customization available for additional password validations. CHGPWD command is called QIBM_QSY_VLD _PASSWRD exit program is automatically run Password is not changed, command returns message NO Does password meet exit program requirements? YES Assures the security administrator that passwords being entered are not trivial. 14 Command completes, password is changed

15 IBM Systems Lab Services Single Sign On (SSO) Suite Simplify SSO implementation reducing help desk costs Suite of tools sold individually or à la carte with or without implementation services: Single Sign On (SSO) Suite for Domino Domino Synchronization DSAPI Plug-in Single Sign On (SSO) Suite for EIM EIM CL Commands EIM Populator EIM Management Utility EIM Based Password Reset EIM Based CRTUSRPRF Windows AD Profile Synchronization Password Synchronization Tool Single Sign On (SSO) for SAP An effective alternative to manual configuration 15

16 IBM Systems Lab Services Encryption Suite Simplify implementation of IBM i cryptographic capabilities Set of procedures and techniques to simply the implementation of cryptography using IBM i Operating System capabilities. Choice of service provider: Cryptographic Services APIs Field Cryptographic Coprocessor Index SQL Type DDS Type Length Encrypted Data BINARY HEXADECIMAL Multiple of 16 data length Key Version CHARACTER CHARACTER 32 Encryption applications: Initialization Vector BINARY HEXADECIMAL 16 Data at rest Data in motion Hash BINARY HEXADECIMAL 32 Masked Value Consulting assistance: Other Encryption Tools Cryptographic Support (CR1) Emulator Tool Credit Card Management Subsystem Tool 16 Application design Key management Custom procedures Tape encryption Cryptographic techniques Symmetric key encryption Asymmetric key encryption Secure hash Key exchange

17 IBM Systems Lab Services IBM i Security Services from IBM Systems Lab Services 1. IBM i Security Assessment An experienced IBM i consultant will collect and analyze data using PowerSC Tools for IBM i. The engagement results in a comprehensive report with findings and recommendations for improved compliance and security remediation. 2. IBM i Single Sign On Implementation SSO improves end user productivity and saves help desk costs. In this services engagement, an experienced IBM consultant will advise on SSO options and provide implementation assistance leveraging the SSO suite components of the PowerSC Tools for IBM i. 3. For more information on PowerSC Tools for IBM i offerings and services, contact: Mark Even even@us.ibm.com, Mike Gordon mgordo@us.ibm.com, Terry Ford taford@us.ibm.com, Practice Leader, Security Services IBM i Security Remediation An experienced IBM consultant will advise on best practices to address IBM i security and compliance issues. The consultant will provide remediation assistance leveraging the PowerSC Tools for IBM I 4. IBM i Encryption Services An experienced IBM consultant will advise on best practices to implement data encryption on IBM I leveraging the PowerSC Tools for IBM i Encryption Suite as appropriate. Tape Encryption implementation services are also available stgls@us.ibm.com