Successful Identity Management for IBM i

Transcription

1 Exorcising the Ghosts in the Machine Successful Identity Management for IBM i White Paper from Safestone Technologies and PowerTech Implementing adequate Identity Management forms an integral part of regulatory and standards compliance. This paper will discuss the key elements of Identity Management and the relating issues faced by all organizations, irrespective of size or global reach.

2 Overview What is Identity Management? Profiles in Motion Exorcising the Ghosts of Orphaned Accounts Overwhelmed by Audit Trails Who am I? What Happened to my Data? Oops, I Disabled Myself Conclusion About Safestone and PowerTech

3 A sinister threat is lurking within your systems; a disgruntled ex-employee can still gain access because their account remains live; when a current employee moved to a new department, their user rights got increased and previous access rights were not changed so now this person has access to both HR and Finance department files. It s a potentially dangerous scenario. Furthermore, your IT helpdesk is spending unnecessary time resetting users passwords, something users could do for themselves to save time, money and frustration all round and also increase security. User access control is a vital tool in managing employee-orientated security, and forms an integral component of regulatory compliance. These aspects of Identity Management are becoming increasingly important, particularly as the current economic squeeze is inciting more security breaches from insiders the ghosts in the machine. The recent case of the French bank, Société Générale, is a prime example. It was reported that the organization did not have in place effective Identity Management controls and paid heavily for its weaknesses, when Jerome Kerviel, a long-term employee, was able to defraud the bank of 4.9bn EUR. Kerviel himself was sentenced in Oct 2010 to five years in prison for forgery, unauthorized computer use and breach of trust. And for the bank itself, punishment for the security exposure and weaknesses of its controls has been manifold; it was fined 4m EUR by French regulators for failures in its systems. And the bank s reputation has certainly suffered this episode has, dealt a blow to reputation of one of France s most prestigious financial institutions. (BBC news - Clearly, the potential risk of security breach is a compelling enough reason alone to take this topic seriously, but there are many additional benefits associated with a successfully implemented Identity Management system: Security achieved by knowing who needs access to what, deploying it accurately, and revoking those access rights when necessary Regaining control of the user community via central or delegated administration responsibilities Increased accuracy automation of tasks ensures accuracy of the access assignment Freed time and resource as a result of the automation of many tasks. Furthermore, administrators will spend less time correcting mistakes and can therefore allocate more time to productive activities User empowerment simple administration duties, such as password reset and synchronization can be deployed as a self-help facility 2

4 The primary function of Identity Management is to provide a framework for managing user profiles. It determines how profiles will be created, what rights to objects and applications they will have, how often their password must be reset, and any special rights they may need to perform their job responsibilities. Identity Management covers the entire process of identity management over time. It includes the technologies used for provisioning and password resets, and includes the processes and policies associated with these technologies. It also has a broader scope which includes auditing user activity, monitoring objects which the user accesses on the system, and enabling remote sign-on in a secure and easily-managed environment. Companies are increasingly focused on Identity Management because it can simplify the process of making their environments more secure, enabling compliance with government and industry regulations, and also with their auditor s demands. Identity Management provides return on investment (ROI) by empowering users to perform mundane and repetitive tasks themselves, such as password resets. IBM i provides native support for profile lifecycle management. capabilities to: Force password changes for all users Schedule disabling profiles, automatically deleting them in V7.1 Define password complexity rules Define inactivity duration for telnet sessions Audit commands for specific users Allow a user to change their identity on-the-fly Monitor file access when records are read and/or changed Extend profile management using exit points The operating system ships with Independent Software Vendors (ISVs) enhance the functionality of IBM i to enable additional functionality and greater ease-of-use than as shipped by IBM. While these capabilities are available natively in the operating system, many only provide limited functionality. And others, such as exit points or APIs, require system and programming skills to be implemented. This is where Independent Software Vendors (ISVs) enhance the functionality of IBM i, to enable additional functionality and greater ease-of-use than as shipped by IBM. Extending IBM i functionality will make your company run more efficiently, make it easier to meet compliance regulations, and can provide ROI for your business. Here are some examples of extensions that ISVs have created: 3

5 Today many companies have more than one IBM i environment. Logical Partitions, or LPAR s, have become very common and are the way that virtual environments are implemented on IBM i. They are flexible and less expensive than standalone systems, enabling companies to run more efficiently. Creating separate development, test and production partitions is more Users privileges can remain for an average of four months, after the user had left the job. (Computer Emergency Response Team (CERT), Carnegie Mellon University, June 2009) productive and more secure than locating them all on the same system. However, this new paradigm adds administrative complexity. Administrators and programmers need user profiles on all the partitions so they can maintain them, and having their passwords synchronized across all systems makes them more productive. This functionality is not native to IBM i however, and is very inefficient to perform manually. It is neither easy nor cost-effective to create custom software in-house in order to automate these functions. ISVs have created applications and utilities that use TCP/IP to connect systems, making it easy to communicate amongst them and move profiles and synchronize passwords in real-time. An efficient way to de-provision profiles must be built into this architecture because un-used, or orphaned accounts, and accounts that are linked to people who no longer need access, continue to be a major source of security breaches. Indeed, it is claimed that users privileges can remain for an average of four months after the user had left the job. Clearly, instances such as these can leave a company exposed to a high security risk. The IBM i auditing capability is recognized as among the best of all operating systems. It allows the capture of user profile activity, with further visibility as to who the user was, what they did, and when they did it. There is granularity available when auditing is configured, so only specific users are audited. Therefore, users who never leave a company s applications will be ignored by the system audit, and won t add to the volumes of audit data that is collected. Sensitive data files can be audited, so that if a user looks at a record it will be logged, regardless of what tool or program they used to view it. Data that is changed can be also be logged to capture both the before and after images. And all changes to the operating system itself can be tracked. The consequence of such tracking is that a huge amount of data is being produced; even a system of only moderate size may generate gigabytes of data per day. Indeed, the Data Deluge, as it has been coined, is starting to make a significant impact on business, government, science and everyday life

6 There is great potential for good, in terms of gathering and exploiting data. However, analyzing it to spot patterns and extract useful information is quite a challenge. And for an organization trying to detect a system security breach, sifting through reams of audit trails to find the proverbial needle in a haystack, is an onerous undertaking. The task of setting up system auditing so that only the necessary data is captured is a complicated one. An ISVs query-based and automated reporting tool can simplify this activity. Some companies use products which schedule reports on a daily or weekly basis, and produce a document formatted with easy-to-read graphics, to give a clear and accurate account of any breach of security by users on the system. Having configured your auditing, you can begin using it. Auditors need to see reports which demonstrate that you have security policies in place and follow them. Security administrators need to see how objects are secured, and that any changes to the way they are secured is identified in exception reports. Exception reporting is the only practical way for security administrators to manage the volume of audit data they work with. As LPAR s proliferate, reporting functionality needs to allow you to consolidate data on a single report, so for example, you could see all the powerful users on all your systems on one report. Yet, the reporting also needs to be flexible enough to allow you to view an individual system. Creating a reporting environment that is flexible, filters audit data and meets auditors demands, allowing you to focus on the exceptions, is a challenge for most organizations. To summarize, the IBM i has an extremely powerful capability to capture audit data, but doesn t provide much functionality to report on it. IBM has left this responsibility for others to address. The ability to demonstrate segregation of duties is an important element of an audit. And although many companies have set up their own reporting systems, auditors typically frown on reports that are created by administrators or programmers themselves, as they are the very subjects of much of the auditing. The solution to this issue therefore, is to use an externally created reporting tool. Auditors will look for users with elevated levels of authority. In the current economic and business climate it is becoming more likely that security breaches will come from insiders. According to PriceWaterhouseCoopers report on the 2011 Global State of Information Security Survey, this isn t a surprise. Last year, we expected to see more incidents traced to employees, in line with the higher risks to security associated with salary freezes, job instability, layoffs, terminations and other HR challenges that rise during periods of economic stress

7 In IBM i these authorities are typically assigned using special authorities in the user s profile. Depending on the special authorities assigned, the user can have root or administrator rights to the system. Programmers and system administrators tend to resist auditors demands that their special authorities be removed because they believe doing so makes their jobs more difficult to perform. The hostility between auditors and technical people is very real, and both sides have valid arguments for their view. Last year, we expected to see more incidents traced to employees, in line with the higher risks to security associated with salary freezes, job instability, layoffs, terminations and other HR challenges that rise during periods of economic stress. (PWC The 2011 Global State of Information Security Survey ) The solution is to remove permanent special authorities from the powerful profiles, but allow them to assume a temporary powerful profile when, and for as long as, it is required. This can be done manually if their sign-on profile has no special authorities they request a powerful profile from the helpdesk when they need it. Obviously, problems arise if they need to fix a problem at 3:00am and helpdesk personnel have gone home. A better solution is to allow them to change to a powerful profile by simply running a command, and then releasing the profile when the task is completed. If implemented correctly, the powerful profile being used will be audited so all the activity it performs will be logged and reported on. IBM i provides APIs that allow a user to swap to a powerful profile on-the-fly, and it will subsequently audit that profile, as previously mentioned. Additionally, ISVs have created some sophisticated applications based on the APIs which add levels of control over who can swap, time limits on how long the swap lasts, and flexible filtering of the audit data that the powerful profiles generate. As financial services firms gain a much clearer perspective on the actual extent of security incidents, they re discovering that the greatest compromises are to data. (PWC - The 2011 Global State of Information Security Survey ) IBM i provides security and database administrators the ability to log database file accesses and changes. This is important for organizations having to comply with the Health Insurance Portability and Accountability Act (HIPAA), but is also valuable for any business that wants to monitor what happens to sensitive data. This functionality is enabled using journaling, where any access or change to the file can be recorded in a journal. Journaling is flexible, allowing an administrator to define who has read records in a file, or log it only when data is actually changed. There is additional definition as to whether the before and after images of the data will be written to the journal or only the after image. Regardless of what type of journaling is configured, the user who forced the entry to be created is recorded, as is a timestamp of when it happened

8 Journal entries are cryptic and difficult to understand in their raw format. Whilst it is easy to dump them from the journal using IBM i commands, the output is not acceptable to auditors or other non-technical people. ISVs have reporting tools that format the journal data so it is easy to interpret; these tools also simplify the setup of the files that are to be journaled. Password resets are the bane of IT departments. Users disable themselves constantly because password complexity has increased to extend security, and authenticating to multiple systems is the norm, not the exception. Gartner Group has stated that 20% to 50% of helpdesk calls are for password resets and Forrester has calculated that a password reset can cost as much as $70. Even if that number is high for your company, it is pretty easy to understand how expensive and disruptive resetting disabled profiles can be. Automating password resets can have a positive ROI for a company so many are very interested in implementing it. As has been discussed, home-grown solutions seem like an inexpensive way to do this, but there are hidden costs, and auditors resist security tools being developed in-house. The solution should be to reset their password to something they know and then force them to change it to something no one else would know. This should be an automatic process, with no intervention or assistance from the helpdesk or a security administrator required. But most importantly, all activity must be audited and reported. The password reset process typically uses challenge questions for authentication, and the answers should be encrypted so there is no chance of someone hijacking another user s profile. This is even more of a concern if the profile has elevated authority. Johan Veestraeten, responsible for the logistics infrastructure and technology worldwide at Nike, speaks of the far-reaching There are plenty of benefits for users - they can change their own password without having to call the helpdesk first. This results in far less frustration, a higher level of security, enhanced compliance and gains in productivity. Johan Veestraeten, responsible for the logistics infrastructure and technology benefits of users being able to reset their own passwords, There are plenty of benefits for ordinary users, too. For example, they can change their own password themselves without having to go looking for a phone to call the helpdesk first. This results in far less frustration, a higher level of security, enhanced compliance and gains in productivity. IBM i is recognized as being a very secure operating system. IBM created a framework to allow extending security functionality rather than creating it themselves. This approach makes sense as the extended functionality can be complex to implement and tends to be unique to specific vertical industries. The challenges of extending Identity Management in IBM i are a good example. Auditors demand that the extensions be secure and administrators demand that they are easy to use

9 The heart of Identity Management is user profile maintenance, but this is much more than just creating and deleting profiles. It includes synchronizing profiles across multiple partitions, analyzing user s rights to objects and applications, resetting disabled profiles cost effectively, and managing powerful profiles. These extensions are not native to IBM i and are added by using functions IBM provides, such as exit points, APIs, and operating system services. Organizations with in-house development talent can exploit this functionality themselves but may find their auditors don t support it. Indeed, an in-house set-up runs the risk of enabling ghosts to exist within the system. Furthermore, the time and technical skills required to create secure and useful extensions, could be better focused in growing the core functions of the business, and not in the re-creation of extensions that are already commercially available. The obvious solution is to utilize the enhanced functionality offered by an ISV, such as Safestone Technologies, to help with exorcising the ghosts from the machine

10 Safestone is one of the leading supplier of security, audit and compliance solutions for IBM Power Systems (i, AIX, Linux). Their module-based solutions are flexible, scalable, easy to implement and use, and they address all varying degrees of audit, compliance and security requirements. An Advanced IBM Business Partner and long-standing member of the IBM i ISV Advisory Council, Safestone helps businesses meet compliance regulations (Sarbanes-Oxley, PCI DSS, Basel II, HIPAA ) and information ` Partner of choice for global financial and banking institutions with the most stringent security and compliance requirements, Safestone provides the most comprehensive solution in System i security to over 500 blue-chip customers worldwide. Their global network, developed over more than 21 years provides localized sales, consultancy and professional services to help organizations manage all their System i security requirements. Safestone Technologies Limited. TEL UK: 44(0) Because Power Systems servers are used to host particularly sensitive corporate data, every organization needs to practice proactive compliance security. As an IBM Advanced Business Partner with over 1000 customers worldwide, PowerTech understands corporate vulnerability and the risks associated with data privacy and access control. To learn more, visit to find white papers, case studies, and product demonstrations. Or, call (USA) to speak to a Security Advisor