Successful Identity Management for IBM i
- Jasmin Barbara Cunningham
Exorcising the Ghosts in the Machine
Successful Identity Management for IBM i
White Paper from Safestone Technologies and PowerTech

Implementing adequate Identity Management forms an integral part of regulatory and standards compliance. This paper will discuss the key elements of Identity Management and the related issues faced by all organizations, irrespective of size or global reach.

- Overview
- What is Identity Management?
- Profiles in Motion
- Exorcising the Ghosts of Orphaned Accounts
- Overwhelmed by Audit Trails
- Who am I?
- What Happened to my Data?
- Oops, I Disabled Myself
- Conclusion
- About Safestone and PowerTech

A sinister threat is lurking within your systems: a disgruntled ex-employee can still gain access because their account remains live; when a current employee moved to a new department, their user rights were increased but their previous access rights were not changed, so this person now has access to both HR and Finance department files. It's a potentially dangerous scenario. Furthermore, your IT helpdesk is spending unnecessary time resetting users' passwords, something users could do for themselves to save time, money and frustration all round, and also increase security.

User access control is a vital tool in managing employee-orientated security, and forms an integral component of regulatory compliance. These aspects of Identity Management are becoming increasingly important, particularly as the current economic squeeze is inciting more security breaches from insiders: the ghosts in the machine.

The recent case of the French bank Société Générale is a prime example. It was reported that the organization did not have effective Identity Management controls in place and paid heavily for its weaknesses when Jerome Kerviel, a long-term employee, was able to defraud the bank of 4.9bn EUR. Kerviel himself was sentenced in Oct 2010 to five years in prison for forgery, unauthorized computer use and breach of trust. For the bank itself, punishment for the security exposure and the weaknesses of its controls has been manifold; it was fined 4m EUR by French regulators for failures in its systems. And the bank's reputation has certainly suffered: this episode has dealt a blow to the reputation of one of France's most prestigious financial institutions.
(BBC news)

Clearly, the potential risk of security breach is a compelling enough reason alone to take this topic seriously, but there are many additional benefits associated with a successfully implemented Identity Management system:

- Security: achieved by knowing who needs access to what, deploying it accurately, and revoking those access rights when necessary
- Regaining control of the user community via central or delegated administration responsibilities
- Increased accuracy: automation of tasks ensures accuracy of the access assignment
- Freed time and resource as a result of the automation of many tasks. Furthermore, administrators will spend less time correcting mistakes and can therefore allocate more time to productive activities
- User empowerment: simple administration duties, such as password reset and synchronization, can be deployed as a self-help facility

The primary function of Identity Management is to provide a framework for managing user profiles. It determines how profiles will be created, what rights to objects and applications they will have, how often their password must be reset, and any special rights they may need to perform their job responsibilities. Identity Management covers the entire process of identity management over time. It includes the technologies used for provisioning and password resets, and the processes and policies associated with these technologies. It also has a broader scope which includes auditing user activity, monitoring objects which the user accesses on the system, and enabling remote sign-on in a secure and easily-managed environment.

Companies are increasingly focused on Identity Management because it can simplify the process of making their environments more secure, enabling compliance with government and industry regulations, and also with their auditors' demands. Identity Management provides return on investment (ROI) by empowering users to perform mundane and repetitive tasks themselves, such as password resets.

IBM i provides native support for profile lifecycle management. The operating system ships with capabilities to:

- Force password changes for all users
- Schedule disabling profiles, automatically deleting them in V7.1
- Define password complexity rules
- Define inactivity duration for telnet sessions
- Audit commands for specific users
- Allow a user to change their identity on-the-fly
- Monitor file access when records are read and/or changed
- Extend profile management using exit points

While these capabilities are available natively in the operating system, many only provide limited functionality. And others, such as exit points or APIs, require system and programming skills to be implemented.
This is where Independent Software Vendors (ISVs) enhance the functionality of IBM i, to enable additional functionality and greater ease-of-use than as shipped by IBM. Extending IBM i functionality will make your company run more efficiently, make it easier to meet compliance regulations, and can provide ROI for your business. Here are some examples of extensions that ISVs have created:

Today many companies have more than one IBM i environment. Logical Partitions, or LPARs, have become very common and are the way that virtual environments are implemented on IBM i. They are flexible and less expensive than standalone systems, enabling companies to run more efficiently. Creating separate development, test and production partitions is more productive and more secure than locating them all on the same system.

However, this new paradigm adds administrative complexity. Administrators and programmers need user profiles on all the partitions so they can maintain them, and having their passwords synchronized across all systems makes them more productive. This functionality is not native to IBM i, however, and is very inefficient to perform manually. It is neither easy nor cost-effective to create custom software in-house in order to automate these functions. ISVs have created applications and utilities that use TCP/IP to connect systems, making it easy to communicate amongst them, move profiles and synchronize passwords in real-time.

An efficient way to de-provision profiles must be built into this architecture because unused, or orphaned, accounts, and accounts that are linked to people who no longer need access, continue to be a major source of security breaches. Indeed, it is claimed that users' privileges can remain for an average of four months after the user had left the job (Computer Emergency Response Team (CERT), Carnegie Mellon University, June 2009). Clearly, instances such as these can leave a company exposed to a high security risk.

The IBM i auditing capability is recognized as among the best of all operating systems. It allows the capture of user profile activity, with further visibility as to who the user was, what they did, and when they did it. There is granularity available when auditing is configured, so only specific users are audited.
Therefore, users who never leave a company's applications will be ignored by the system audit, and won't add to the volumes of audit data that are collected. Sensitive data files can be audited, so that if a user looks at a record it will be logged, regardless of what tool or program they used to view it. Data that is changed can also be logged to capture both the before and after images. And all changes to the operating system itself can be tracked.

The consequence of such tracking is that a huge amount of data is being produced; even a system of only moderate size may generate gigabytes of data per day. Indeed, the Data Deluge, as it has been coined, is starting to make a significant impact on business, government, science and everyday life.
There is great potential for good, in terms of gathering and exploiting data. However, analyzing it to spot patterns and extract useful information is quite a challenge. And for an organization trying to detect a system security breach, sifting through reams of audit trails to find the proverbial needle in a haystack is an onerous undertaking.

The task of setting up system auditing so that only the necessary data is captured is a complicated one. An ISV's query-based and automated reporting tool can simplify this activity. Some companies use products which schedule reports on a daily or weekly basis, and produce a document formatted with easy-to-read graphics, to give a clear and accurate account of any breach of security by users on the system.

Having configured your auditing, you can begin using it. Auditors need to see reports which demonstrate that you have security policies in place and follow them. Security administrators need to see how objects are secured, and that any changes to the way they are secured are identified in exception reports. Exception reporting is the only practical way for security administrators to manage the volume of audit data they work with.

As LPARs proliferate, reporting functionality needs to allow you to consolidate data on a single report so that, for example, you could see all the powerful users on all your systems on one report. Yet the reporting also needs to be flexible enough to allow you to view an individual system. Creating a reporting environment that is flexible, filters audit data and meets auditors' demands, allowing you to focus on the exceptions, is a challenge for most organizations.

To summarize, the IBM i has an extremely powerful capability to capture audit data, but doesn't provide much functionality to report on it. IBM has left this responsibility for others to address. The ability to demonstrate segregation of duties is an important element of an audit.
And although many companies have set up their own reporting systems, auditors typically frown on reports that are created by administrators or programmers themselves, as they are the very subjects of much of the auditing. The solution to this issue, therefore, is to use an externally created reporting tool.

Auditors will look for users with elevated levels of authority. In the current economic and business climate it is becoming more likely that security breaches will come from insiders. According to the PriceWaterhouseCoopers report on the 2011 Global State of Information Security Survey, this isn't a surprise: "Last year, we expected to see more incidents traced to employees, in line with the higher risks to security associated with salary freezes, job instability, layoffs, terminations and other HR challenges that rise during periods of economic stress."
In IBM i these authorities are typically assigned using special authorities in the user's profile. Depending on the special authorities assigned, the user can have root or administrator rights to the system. Programmers and system administrators tend to resist auditors' demands that their special authorities be removed because they believe doing so makes their jobs more difficult to perform. The hostility between auditors and technical people is very real, and both sides have valid arguments for their view.

The solution is to remove permanent special authorities from the powerful profiles, but allow them to assume a temporary powerful profile when, and for as long as, it is required. This can be done manually: if their sign-on profile has no special authorities, they request a powerful profile from the helpdesk when they need it. Obviously, problems arise if they need to fix a problem at 3:00am and helpdesk personnel have gone home. A better solution is to allow them to change to a powerful profile by simply running a command, and then release the profile when the task is completed. If implemented correctly, the powerful profile being used will be audited, so all the activity it performs will be logged and reported on.

IBM i provides APIs that allow a user to swap to a powerful profile on-the-fly, and it will subsequently audit that profile, as previously mentioned. Additionally, ISVs have created some sophisticated applications based on the APIs which add levels of control over who can swap, time limits on how long the swap lasts, and flexible filtering of the audit data that the powerful profiles generate.
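
The cross-partition exception report described above, covering orphaned accounts and profiles with permanent special authorities, can be sketched as follows. This is an added example, not code from the white paper or from any vendor product; the CSV column names, the sample profiles, the 90-day idle threshold and the choice of which special authorities count as powerful are assumptions made for the illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample input: one profile listing per partition (LPAR).
# The column names are this example's own, not an IBM i outfile layout.
PROFILE_EXPORTS = {
    "PROD": (
        "profile,status,last_signon,special_authorities\n"
        "JSMITH,*ENABLED,2011-02-20,*NONE\n"
        "ADMIN1,*ENABLED,2011-02-25,*ALLOBJ *SECADM\n"
        "MJONES,*ENABLED,2010-09-15,*JOBCTL\n"
        "OLDDEV,*DISABLED,2010-03-02,*ALLOBJ\n"
    ),
    "TEST": (
        "profile,status,last_signon,special_authorities\n"
        "JSMITH,*ENABLED,2011-02-18,*ALLOBJ\n"
        "MJONES,*ENABLED,,*NONE\n"
    ),
}

# Constructed HR roster of people who currently work for the company.
ACTIVE_STAFF = {"JSMITH", "ADMIN1"}

# Special authorities this example treats as "powerful" (assumed policy).
POWERFUL = {"*ALLOBJ", "*SECADM", "*AUDIT", "*SERVICE", "*IOSYSCFG"}


def load_profiles(exports):
    """Merge the per-partition listings into one list of rows."""
    rows = []
    for partition, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            row["partition"] = partition
            row["special_authorities"] = (
                set(row["special_authorities"].split()) - {"*NONE"}
            )
            # An empty date means the profile has never signed on.
            row["last_signon"] = (
                date.fromisoformat(row["last_signon"])
                if row["last_signon"] else None
            )
            rows.append(row)
    return rows


def find_exceptions(rows, active_staff, today, max_idle_days=90):
    """Return sorted (partition, profile, reason) tuples.

    Only enabled profiles are reported: a disabled profile cannot sign on,
    so this example does not treat it as an exception.
    """
    found = []
    for r in rows:
        if r["status"] != "*ENABLED":
            continue
        key = (r["partition"], r["profile"])
        if r["profile"] not in active_staff:
            found.append(key + ("ORPHANED",))   # owner has left or moved
        idle = r["last_signon"] is None or \
            (today - r["last_signon"]).days > max_idle_days
        if idle:
            found.append(key + ("DORMANT",))    # live but unused
        if r["special_authorities"] & POWERFUL:
            found.append(key + ("POWERFUL",))   # permanent special authority
    return sorted(found)


def powerful_by_user(exceptions, partition=None):
    """Consolidated view: profile -> partitions where it is powerful.

    Pass a partition name to restrict the view to a single system.
    """
    view = defaultdict(list)
    for part, profile, reason in exceptions:
        if reason == "POWERFUL" and partition in (None, part):
            view[profile].append(part)
    return dict(view)


if __name__ == "__main__":
    report = find_exceptions(
        load_profiles(PROFILE_EXPORTS), ACTIVE_STAFF, date(2011, 3, 1)
    )
    for entry in report:
        print(*entry)
    print(powerful_by_user(report))
```
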
"As financial services firms gain a much clearer perspective on the actual extent of security incidents, they're discovering that the greatest compromises are to data." (PWC - The 2011 Global State of Information Security Survey)

IBM i provides security and database administrators the ability to log database file accesses and changes. This is important for organizations having to comply with the Health Insurance Portability and Accountability Act (HIPAA), but is also valuable for any business that wants to monitor what happens to sensitive data. This functionality is enabled using journaling, where any access or change to the file can be recorded in a journal. Journaling is flexible, allowing an administrator to record who has read records in a file, or to log an entry only when data is actually changed. There is additional definition as to whether the before and after images of the data will be written to the journal or only the after image. Regardless of what type of journaling is configured, the user who forced the entry to be created is recorded, as is a timestamp of when it happened.
Journal entries are cryptic and difficult to understand in their raw format. Whilst it is easy to dump them from the journal using IBM i commands, the output is not acceptable to auditors or other non-technical people. ISVs have reporting tools that format the journal data so it is easy to interpret; these tools also simplify the setup of the files that are to be journaled.

Password resets are the bane of IT departments. Users disable themselves constantly because password complexity has increased to extend security, and authenticating to multiple systems is the norm, not the exception. Gartner Group has stated that 20% to 50% of helpdesk calls are for password resets and Forrester has calculated that a password reset can cost as much as $70. Even if that number is high for your company, it is pretty easy to understand how expensive and disruptive resetting disabled profiles can be.

Automating password resets can have a positive ROI for a company, so many are very interested in implementing it. As has been discussed, home-grown solutions seem like an inexpensive way to do this, but there are hidden costs, and auditors resist security tools being developed in-house. The solution should be to reset the user's password to something they know and then force them to change it to something no one else would know. This should be an automatic process, with no intervention or assistance from the helpdesk or a security administrator required. But most importantly, all activity must be audited and reported. The password reset process typically uses challenge questions for authentication, and the answers should be encrypted so there is no chance of someone hijacking another user's profile. This is even more of a concern if the profile has elevated authority.
Johan Veestraeten, responsible for the logistics infrastructure and technology worldwide at Nike, speaks of the far-reaching benefits of users being able to reset their own passwords: "There are plenty of benefits for ordinary users, too. For example, they can change their own password themselves without having to go looking for a phone to call the helpdesk first. This results in far less frustration, a higher level of security, enhanced compliance and gains in productivity."

IBM i is recognized as being a very secure operating system. IBM created a framework to allow extending security functionality rather than creating it themselves. This approach makes sense as the extended functionality can be complex to implement and tends to be unique to specific vertical industries. The challenges of extending Identity Management in IBM i are a good example. Auditors demand that the extensions be secure and administrators demand that they are easy to use.
The heart of Identity Management is user profile maintenance, but this is much more than just creating and deleting profiles. It includes synchronizing profiles across multiple partitions, analyzing users' rights to objects and applications, resetting disabled profiles cost effectively, and managing powerful profiles. These extensions are not native to IBM i and are added by using functions IBM provides, such as exit points, APIs, and operating system services.

Organizations with in-house development talent can exploit this functionality themselves but may find their auditors don't support it. Indeed, an in-house set-up runs the risk of enabling ghosts to exist within the system. Furthermore, the time and technical skills required to create secure and useful extensions could be better focused on growing the core functions of the business, and not on the re-creation of extensions that are already commercially available. The obvious solution is to utilize the enhanced functionality offered by an ISV, such as Safestone Technologies, to help with exorcising the ghosts from the machine.
Safestone is one of the leading suppliers of security, audit and compliance solutions for IBM Power Systems (i, AIX, Linux). Their module-based solutions are flexible, scalable, easy to implement and use, and they address all varying degrees of audit, compliance and security requirements. An Advanced IBM Business Partner and long-standing member of the IBM i ISV Advisory Council, Safestone helps businesses meet compliance regulations (Sarbanes-Oxley, PCI DSS, Basel II, HIPAA) and information

Partner of choice for global financial and banking institutions with the most stringent security and compliance requirements, Safestone provides the most comprehensive solution in System i security to over 500 blue-chip customers worldwide. Their global network, developed over more than 21 years, provides localized sales, consultancy and professional services to help organizations manage all their System i security requirements. Safestone Technologies Limited. TEL UK: 44(0)

Because Power Systems servers are used to host particularly sensitive corporate data, every organization needs to practice proactive compliance security. As an IBM Advanced Business Partner with over 1000 customers worldwide, PowerTech understands corporate vulnerability and the risks associated with data privacy and access control. To learn more, visit to find white papers, case studies, and product demonstrations. Or, call (USA) to speak to a Security Advisor.
More informationprivileged identities management best practices
privileged identities management best practices abstract The threat landscape today requires continuous monitoring of risks be it industrial espionage, cybercrime, cyber-attacks, Advanced Persistent Threat
More informationIdentity and Access Management: The Promise and the Payoff
0 Identity and Access Management: The Promise and the Payoff How An Identity and Access Management Solution Can Generate Triple-digit ROI Netegrity White Paper June 18, 2003 Page 1 Identity and Access
More informationSeven Things To Consider When Evaluating Privileged Account Security Solutions
Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?
More informationTripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER
Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER Introduction A decade or more ago, logs of events recorded by firewalls, intrusion detection systems and other network devices were
More informationTop Ten Keys to Gaining Enterprise Configuration Visibility TM WHITEPAPER
Top Ten Keys to Gaining Enterprise Configuration Visibility TM WHITEPAPER Regulatory compliance. Server virtualization. IT Service Management. Business Service Management. Business Continuity planning.
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationSolving the Online File-Sharing Problem Replacing Rogue Tools with the Right Tools
White Paper Solving the Online File-Sharing Problem Replacing Rogue Tools with the Right Tools Introduction The modern workforce is on the hunt for tools that help them get stuff done. When the technology
More informationResults Oriented Change Management
Results Oriented Change Management Validating Change Policy through Auditing Abstract Change management can be one of the largest and most difficult tasks for a business to implement, monitor and control
More informationEnsuring security the last barrier to Cloud adoption
Ensuring security the last barrier to Cloud adoption Publication date: March 2011 Ensuring security the last barrier to Cloud adoption Cloud computing has powerful attractions for the organisation. It
More informationChange Management: Automating the Audit Process
Change Management: Automating the Audit Process Auditing Change Management for Regulatory Compliance Abstract Change management can be one of the largest and most difficult tasks for a business to implement,
More informationIdentity & access management solution IDM365 for the Pharma & Life Science
Identity & access management solution IDM365 for the Pharma & Life Science Achieve compliance with regulations such as FDA DEA Security Regulation Sarbanes Oxley 1 Challenges in your sector Pharmaceutical
More informationA Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards
A Websense Research Brief Prevent Loss and Comply with Payment Card Industry Security Standards Prevent Loss and Comply with Payment Card Industry Security Standards Standards for Credit Card Security
More informationHow to Achieve Operational Assurance in Your Private Cloud
How to Achieve Operational Assurance in Your Private Cloud As enterprises implement private cloud and next-generation data centers to achieve cost efficiencies and support business agility, operational
More informationCompliance Management, made easy
Compliance Management, made easy LOGPOINT SECURING BUSINESS ASSETS SECURING BUSINESS ASSETS LogPoint 5.1: Protecting your data, intellectual property and your company Log and Compliance Management in one
More informationAddressing PCI Compliance
WHITE PAPER DECEMBER 2015 Addressing PCI Compliance Through Privileged Access Management 2 WHITE PAPER: ADDRESSING PCI COMPLIANCE Executive Summary Challenge Organizations handling transactions involving
More informationBeyond FTP: Securing and Managing File Transfers
A L I N O M A S O F T W A R E W H I T E P A P E R : Beyond FTP: Securing and Managing File Transfers EXECUTIVE SUMMARY: Every day, millions of files are exchanged all over the world by corporations, government
More informationDMZ Gateways: Secret Weapons for Data Security
A L I N O M A S O F T W A R E W H I T E P A P E R DMZ Gateways: Secret Weapons for Data Security A L I N O M A S O F T W A R E W H I T E P A P E R DMZ Gateways: Secret Weapons for Data Security EXECUTIVE
More informationAn Introduction to Continuous Controls Monitoring
An Introduction to Continuous Controls Monitoring Reduce compliance costs, strengthen the control environment and lessen the risk of unintentional errors and fraud Richard Hunt, Managing Director Marc
More informationHow SUSE Manager Can Help You Achieve Regulatory Compliance
White Paper Server How SUSE Manager Can Help You Achieve Regulatory Compliance Table of Contents page Why You Need a Compliance Program... 2 Compliance Standards: SOX, HIPAA and PCI... 2 What IT Is Concerned
More informationNewcastle University Information Security Procedures Version 3
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
More informationAD Management Survey: Reveals Security as Key Challenge
Contents How This Paper Is Organized... 1 Survey Respondent Demographics... 2 AD Management Survey: Reveals Security as Key Challenge White Paper August 2009 Survey Results and Observations... 3 Active
More informationMary E. Shacklett President Transworld Data
Transworld Data Mary E. Shacklett President Transworld Data For twenty-five years, Transworld Data has performed technology analytics, market research and IT consulting on every world continent, including
More informationManaging Privileged Identities in the Cloud. How Privileged Identity Management Evolved to a Service Platform
Managing Privileged Identities in the Cloud How Privileged Identity Management Evolved to a Service Platform Managing Privileged Identities in the Cloud Contents Overview...3 Management Issues...3 Real-World
More informationManaging IT Security with Penetration Testing
Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to
More informationHow to Develop a Log Management Strategy
Information Security Services Log Management: How to develop the right strategy for business and compliance The purpose of this whitepaper is to provide the reader with guidance on developing a strategic
More informationThree significant risks of FTP use and how to overcome them
Three significant risks of FTP use and how to overcome them Management, security and automation Contents: 1 Make sure your file transfer infrastructure keeps pace with your business strategy 1 The nature
More informationMcAfee Database Security. Dan Sarel, VP Database Security Products
McAfee Database Security Dan Sarel, VP Database Security Products Agenda Databases why are they so frail and why most customers Do very little about it? Databases more about the security problem Introducing
More informationA CPA recounts exponential growth in Compliance. Mary Ellen McLaughlin
Compliance TODAY September 2015 a publication of the health care compliance association www.hcca-info.org A CPA recounts exponential growth in Compliance an interview with Patricia Bickel Compliance and
More informationThe Benefits of an Integrated Approach to Security in the Cloud
The Benefits of an Integrated Approach to Security in the Cloud Judith Hurwitz President and CEO Marcia Kaufman COO and Principal Analyst Daniel Kirsch Senior Analyst Sponsored by IBM Introduction The
More informationF Cross-system event-driven scheduling. F Central console for managing your enterprise. F Automation for UNIX, Linux, and Windows servers
F Cross-system event-driven scheduling F Central console for managing your enterprise F Automation for UNIX, Linux, and Windows servers F Built-in notification for Service Level Agreements A Clean Slate
More informationAvoiding the Top 5 Vulnerability Management Mistakes
WHITE PAPER Avoiding the Top 5 Vulnerability Management Mistakes The New Rules of Vulnerability Management Table of Contents Introduction 3 We ve entered an unprecedented era 3 Mistake 1: Disjointed Vulnerability
More informationUsing Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
More informationProvide access control with innovative solutions from IBM.
Security solutions To support your IT objectives Provide access control with innovative solutions from IBM. Highlights Help protect assets and information from unauthorized access and improve business
More informationWindows Least Privilege Management and Beyond
CENTRIFY WHITE PAPER Windows Least Privilege Management and Beyond Abstract Devising an enterprise-wide privilege access scheme for Windows systems is complex (for example, each Window system object has
More informationThe need for secure web development
The need for secure web development A whitepaper by encription limited Campbell Murray encription limited The Stables White Lodge Bevere Worcester WR3 7RQ www.encription.co.uk Introduction Having an interactive
More informationMeeting the Challenges of Remote Data Protection: Requirements and Best Practices
Meeting the Challenges of Remote Data Protection: Requirements and Best Practices A Whitepaper by Stefan Utzinger, NovaStor CEO (March 2011) Table of Contents EXECUTIVE SUMMARY... 2 INTRODUCTION: THE CHALLENGE
More informationSecurity Information Lifecycle
Security Information Lifecycle By Eric Ogren Security Analyst, April 2006 Copyright 2006. The, Inc. All Rights Reserved. Table of Contents Executive Summary...2 Figure 1... 2 The Compliance Climate...4
More informationReal-Time Security for Active Directory
Real-Time Security for Active Directory Contents The Need to Monitor and Control Change... 3 Reducing Risk and Standardizing Controls... 3 Integrating Change Monitoring... 4 Policy Compliance... 4 The
More informationSecurity management solutions White paper. IBM Tivoli and Consul: Facilitating security audit and compliance for heterogeneous environments.
Security management solutions White paper IBM Tivoli and Consul: Facilitating security audit and March 2007 2 Contents 2 Overview 3 Identify today s challenges in security audit and compliance 3 Discover
More informationLeveraging Microsoft Privileged Identity Management Features for Compliance with ISO 27001, PCI, and FedRAMP
P a g e 1 Leveraging Microsoft Privileged Identity Management Features for Compliance with ISO 27001, PCI, and FedRAMP December 24, 2015 Coalfire Systems, Inc. www.coalfire.com 206-352- 6028 w w w. c o
More informationIntegrated Threat & Security Management.
Integrated Threat & Security Management. SOLUTION OVERVIEW Vulnerability Assessment for Web Applications Fully Automated Web Crawling and Reporting Minimal Website Training or Learning Required Most Accurate
More informationOvercoming Active Directory Audit Log Limitations. Written by Randy Franklin Smith President Monterey Technology Group, Inc.
Overcoming Active Directory Audit Log Limitations Written by Randy Franklin Smith President Monterey Technology Group, Inc. White Paper 2009 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains
More informationBest Practices for PCI DSS V3.0 Network Security Compliance
Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with
More informationThe Comprehensive Guide to PCI Security Standards Compliance
The Comprehensive Guide to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment
More informationTeleran PCI Customer Case Study
Teleran PCI Customer Case Study Written by Director of Credit Card Systems for Large Credit Card Issuer Customer Case Study Summary A large credit card issuer was engaged in a Payment Card Industry Data
More informationLogging the Pillar of Compliance
WHITEPAPER Logging the Pillar of Compliance Copyright 2000-2011 BalaBit IT Security All rights reserved. www.balabit.com 1 Table of Content Introduction 3 Open-eyed management 4 ISO 27001 5 PCI DSS 5 Sarbanes
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationPCI DSS Compliance: The Importance of Privileged Management. Marco Zhang marco_zhang@dell.com
PCI DSS Compliance: The Importance of Privileged Management Marco Zhang marco_zhang@dell.com What is a privileged account? 2 Lots of privileged accounts Network Devices Databases Servers Mainframes Applications
More informationDetailed Analysis Achieving PCI Compliance with SkyView Partners Products for Open Systems
Detailed Analysis Achieving PCI Compliance with SkyView Partners Products for Open Systems The Payment Card Industry has a published set of Data Security Standards to which organization s accepting and
More informationSolution Brief for HIPAA HIPAA. Publication Date: Jan 27, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045
Publication Date: Jan 27, 2015 8815 Centre Park Drive, Columbia MD 21045 HIPAA About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized
More informationSystem Security and Auditing for IBM i
IBM Systems Lab Services and Training Power Services System Security and Auditing for IBM i Security breach prevention and protection 2 System Security and Auditing for IBM i Highlights Reduce the risk
More information