Introducing PowerSC Tools for IBM i
Service offerings from IBM Systems Lab Services
ibmsls@us.ibm.com

PowerSC Tools for IBM i
PowerSC Tools for IBM i helps clients ensure a higher level of security and compliance.
Client Benefits:
- Simplifies management and measurement of security & compliance
- Reduces cost of security & compliance
- Reduces security exposures
- Improves the audit capability to satisfy reporting requirements
PowerSC Tools for IBM i are service offerings from IBM Systems Lab Services.

IBM Systems Lab Services
Lab Services Security Delivery for IBM i
- Simplify management and measurement of security & compliance
- Reduce the cost of security & compliance
- Improve detection and reporting of security exposures
- Improve auditing/monitoring to satisfy reporting requirements
- Guide your business toward a more secure operational model
PowerSC Tools for IBM i and their benefits:
- Compliance Assessment and Reporting with Event Monitoring: Demonstrate adherence to pre-defined and customer defined security policies, system component inventory. Centralize security management/monitoring and reporting via DB2 WQ
- Security Diagnostics: Reduces operator time involved in remediating exposures
- Privileged Access Control: Ensures compliance with guidelines on privileged users
- Access Control Monitor: Prevents user application failures due to inconsistent controls
- SYSLOG Reporting Manager: Simplifies QAUDJRN / IFS file change events to syslog (CEF)
- Network Interface Firewall: Reduces threat of unauthorized security breach and data loss
- Certificate Expiration Manager: Prevents system outages due to expired certificates
- Password Validation: Ensures user passwords are not trivial
- Password Synchronization: Ensures service accounts adhere to password policy and are in synchronization across all LPARs, including SVRAUTE
- Two Factor Authentication (2FA): Enhance applications with TOTP 2FA service program
- Audit Reporting: Simplifies audit analysis for compliance officer and/or auditors
- Single Sign On (SSO) Suite: Reduces password resets and simplifies user experience
IBM Lab Services offerings for IBM i security:
- IBM i Security Assessment
- IBM i Single Sign On Implementation
- IBM i Security Remediation
- IBM i Encryption Assistance
For more information on PowerSC Tools for IBM i offerings and services, contact:
Terry Ford, taford@us.ibm.com
Practice Leader, IBM Systems Lab Services Security

PowerSC Tools for IBM i
Tools / Feature, Function, Benefit:
- Compliance Assessment Reporting and Event Monitoring Tool
  Function: Daily compliance dashboard reports at LPAR, system or enterprise level with event monitoring
  Benefit: Enables compliance officer to demonstrate adherence to pre-defined security policies
- Security Diagnostics
  Function: Reports detailing security configuration settings and identifying deficiencies
  Benefit: Reduces operator time involved in remediating security exposures
- Privileged Access Control
  Function: Controls the number of privileged users
  Benefit: Ensures compliance with industry guidelines on privileged users
- Secure Administrator for SAP
  Function: Manages and controls access to powerful SAP administrative profiles
  Benefit: Eliminates sharing of SAP administrative profiles with enhanced security auditing
- Access Control Monitor
  Function: Monitors security deviations from application design
  Benefit: Prevents user application failures due to inconsistent access controls
- Network Interface Firewall for IBM i Exit Points
  Function: Controls access to Exit Point interfaces such as ODBC, FTP, RMTCMD, etc.
  Benefit: Reduces threat of unauthorized security breach and data loss
- Audit Reporting
  Function: Consolidates and reduces security audit journal information
  Benefit: Simplifies audit analysis for compliance officer and/or auditors
- SYSLOG Reporting Manager
  Function: Simplifies QAUDJRN / IFS file change events to syslog (CEF)
  Benefit: Utility to allow the IBM i to participate with SIEM solutions
- Certificate Expiration Manager
  Function: Simplifies management of digital certificates expiration
  Benefit: Helps operators prevent system outages due to expired certificates
- Password Synchronization
  Function: Aids users with enhanced PWD management
  Benefit: Maintains consistent PWDs and SVRAUTE
- Password Validation
  Function: Enhances operating system password validation
  Benefit: Ensures that passwords are not trivial
- Two Factor Authentication
  Function: Service Program to enable 2FA in applications
  Benefit: Includes PWD Reset and Signon utilities
- Single Sign On (SSO) Suite
  Function: Simplifies implementation of SSO and password synchronization
  Benefit: Reduces password resets and simplifies end user experience

Compliance Assessment and Event Monitoring Tool
Centralized reporting of IBM i security
An automated collection, analysis, and reporting tool on over 1000 security related risks, information, statistics and demographics. All in one location and easy to use!
Covers:
- Event Monitoring
- Password management
- Profile administration
- Special authorities
- Group inheritance
- Network configuration
- NetServer attributes
- Operational security
- PTF Currency
- Security risks and more!
Enables compliance officer to demonstrate adherence to pre-defined or customer-defined security policies.
Security reporting made easy! Daily compliance dashboard reports at VM (partition), system or enterprise level.

Security Diagnostics
In depth security collection and reporting
Reduces security administrator time involved in remediating exposures
Reports on:
- User profiles
- Adopted authority
- Trigger programs
- Work Management
- Auditing configuration
- Network attributes
- Integrated File System
- Password Analysis
Over 70 reports

Privileged Access Control
Ensures compliance to industry guidelines on privileged users
Without careful control, privileged users can pose a risk to your system security. This tool enables the security administrator to reduce privileged accounts, with a mechanism to temporarily elevate privileges to users when needed.
- Service Ticket Manager
- Option to change identity for troubleshooting, IFS access and object ownership requirements
- Fully audited
- Automated email notifications sent to distribution list when tool is invoked that includes a log of activities performed
- Customizable

Network Interface Firewall for IBM i Exit Points
Reduces threat of unauthorized network access
Exit programs allow system administrators to control which activities a user account is allowed for each of the specific servers. This easy to use interface addresses the most commonly used network interfaces.
- Users denied by default for greater security
- Users allowed are added via menu
- Allow access through Group Profiles
- Restrict by IP Address, Range
- Log only mode
Current exit point coverage:
- DRDA / DDM
- IFS
- FTP
- ODBC/JDBC/File Transfer
- REXEC
- RMTCMD (honors LMTCPB!)
- SQL CLI
- TELNET
*customization optional
- Host Server (Multiple)
Customization for additional network interfaces available

IBM i Password Synchronization
Enhanced protection through strict password criteria
Checks the password to see if it contains:
- Any words from a maintainable dictionary of disallowed words. Seeded with top 10,000 passwords found in reported breaches
- Previous passwords from all LPARs
Features:
- Federated DB of profiles across all LPARs
- Management across all IBM i LPARs
- Filters included for subset of users or systems
- Server authentication entries updated
- Assures the security administrator that passwords being entered are not trivial
- Checks against the password rules of each system
- Fully audited
Password change flow:
1. CHGPWD command is called
2. QIBM_QSY_VLD_PASSWRD exit program is automatically run
3. Does password meet exit program requirements?
   - NO: Password is not changed, command returns message
   - YES: Command completes, password is changed

IBM i Password Validation
Enhanced protection through additional password checking
Checks the password to see if it contains:
- Any words from a maintainable dictionary of disallowed words. Seeded with the top 10,000 passwords found in globally reported breaches
Originally written for customers unable to move from V5R4, it is useful for all customers wishing to prevent users from entering trivial passwords, the first line of defense in administrative security.
50 Most Used Passwords:
password pepper access starwars qwerty biteme dragon p***y baseball football letmein monkey secret abc123 mustang michael shadow master jennifer hello zaq12wsx jordan superman harley abcd1234 f*****e hunter f*****u trustno1 ranger buster thomas tigger robert soccer f**k batman test pass killer hockey george charlie andrew michelle love sunshine jessica a****le asdfgh

Two Factor Authentication (2FA)
Limit access to applications/systems to properly authenticated users
Generates highly secure RFC 6238 based one-time passwords (TOTP), ensuring that only properly authenticated users are authorized access to critical applications and data.
- IBM i based QR code generator
- No internet connection required
- Audit of registration and use
- Use as a sign on application, password reset tool, or use provided service program in your own applications

Access Control Monitor
Monitor security deviations from application design
Ad hoc or scheduled reporting to check and report on application objects that are out of corporate security policy standards, data classifications, or other security related configurations
- Prevents user application failures due to inconsistent access controls
- Monitors compliance of libraries, objects, and authorization lists
- Customer extensible to allow automation of objects back into compliance

Certificate Expiration Manager (CEM)
Simplifies the management of digital certificates
- Maintains a log of all expiration activities
- Sends notification via email and Syslog message
- Easy to use configuration GUI is included for managing the XML settings
- Runs on any platform that supports Java
- Prevent outages due to expired certificates
[Figure: sample certificate ("University of the Internet") showing Issue Date, Distinguished Name, Public Key, Expiration Date, Digital Signature of CA]

SYSLOG Reporting Manager
Simplifies the management and reporting of IBM i SIEM events
- Monitors audit journal and IFS stream file changes
- Formats events to Common Event Format (CEF) for Security Information and Event Management consumption
- Reports CEF events via syslog message
- Easy setup

Single Sign On (SSO) Suite
Simplify SSO implementation reducing help desk costs
Suite of tools sold individually or à la carte with or without implementation services:
- Single Sign On (SSO) Suite for Domino
- Domino Synchronization
- DSAPI Plug-in
- Single Sign On (SSO) Suite for EIM
- EIM CL Commands
- EIM Populator
- EIM Management Utility
- EIM Based Password Reset
- EIM Based CRTUSRPRF
- Windows AD Profile Synchronization
- SSO Password Synchronization Tool
- Single Sign On (SSO) for SAP
An effective alternative to manual configuration

Audit Reporting
Security and user auditing management and analysis
Work with QAUDJRN journal entries and statistics to understand the demographics that define your security operations. Easily view system and user auditing statistics to demonstrate to management and auditors that security violations are being observed and handled.
Filter journal entries by:
- User Profile
- Date/Time
Manage:
- User object and action auditing values
- Library/File/IFS object auditing
- Auditing system values
- Journal receivers
Scheduler to automate actions and reports
Quick Audit of Users

Secure Administrator for SAP on IBM i
Eliminates sharing of powerful SAP administrator user profiles
SAP provided administrator user profiles are often shared, leading to security exposures and ineffective auditing. Secure Administrator for SAP on IBM i addresses this exposure by providing a secure and auditable mechanism enabling multiple SAP administrators to utilize the same SAP administrator user profile without sharing the profile itself.
[Figures: Before Secure Administrator for SAP on IBM i / After Secure Administrator for SAP on IBM i]
Benefits:
- SAP administrators now only need their IBM i user profile for SAP administrative tasks
- Provides the ability to effectively audit SAP administrator user profiles
- Limits access to authorized users
- SAP administrator user profiles no longer shared
- Interactive use of SAP administrator user profiles eliminated
- Manage multiple SAP installations (running on the same partition) from the same interactive session
Commands:
- CRTSUDOENV and DLTSUDOENV: Create/delete the Secure Administrator environment
- GRTSIDSUDO and RVKSIDSUDO: Grant/revoke use of administrator functions for different SAP installations
- LSTSIDSUDO: List Secure Administrator environments and users that have access to each SAP installation
- SIDSUDO: Execute commands under the authority and environment of the specified SAP administrative user profile

IBM i Security Services from IBM Systems Lab Services
1. IBM i Security Assessment
An experienced IBM i consultant will collect and analyze data using PowerSC Tools for IBM i. The engagement results in a comprehensive report with findings and recommendations for improved compliance and security remediation.
2. IBM i Single Sign On Implementation
SSO improves end user productivity and saves help desk costs. In this services engagement, an experienced IBM consultant will advise on SSO options and provide implementation assistance leveraging the SSO suite components of the PowerSC Tools for IBM i.
3. IBM i Security Remediation
An experienced IBM consultant will advise on best practices to address IBM i security and compliance issues. The consultant will provide remediation assistance leveraging the PowerSC Tools for IBM i.
4. IBM i Encryption Services
An experienced IBM consultant will advise on best practices to implement data encryption on IBM i, leveraging the PowerSC Tools for IBM i Encryption Suite as appropriate. Tape Encryption implementation services are also available.
For more information on PowerSC Tools for IBM i offerings and services, contact:
Carol Ward, cpward@us.ibm.com, 224-465-2909
Mike Gordon, mgordo@us.ibm.com, 507-253-3477
Terry Ford, taford@us.ibm.com, 507-253-7241, Practice Leader, Security Services
www.ibm.com/systems/services/labservices
ibmsls@us.ibm.com

My Calling Card
Terry Ford, Team Lead
Senior Managing Consultant
Security Services Delivery
IBM Systems Lab Services
Office: 1-507-253-7241
Mobile: 1-507-358-1771
taford@us.ibm.com
3605 Highway 52 N, Bldg. 025-3 C113
Rochester, MN 55901 USA