Overview
Tivoli Access Manager for Operating Systems erects and enforces a security perimeter around
UNIX/Linux systems to protect business-critical systems and to audit all users. These
controls apply even to “root” superusers, a notoriously difficult group to secure: standard
UNIX/Linux file permissions do not constrain uid 0, so an unchecked and unmonitored root
user is often the source of considerable abuse. Tivoli Access Manager for Operating Systems
prevents misbehavior by root users and all other users through the rigorous application of
access controls on resources, files, and data.
Further, attackers favor root accounts as targets because root privileges allow them to
create backdoor access routes that bypass the normal controls. As a result, while the majority
of cyber theft results from internal abusers, adequate controls on root accounts also prevent a
significant amount of external cyber theft. Tivoli Access Manager for Operating Systems
provides 24x7 protection from unauthorized access to business-critical applications by
enforcing controls against malicious actions regardless of who performs them.
Most business-critical applications today are hosted on UNIX—or, increasingly, Linux—and
are deployed throughout the enterprise network environments as shown in Figure 1. These
applications include ERP, CRM, SCM, Human Resource Management applications, and
Middleware platforms such as IBM WebSphere. Most of these applications offer inadequate
out-of-the-box security and auditing for today’s enterprise.
Figure 1 The IT security map: mission-critical servers (AS/400, S/390, UNIX, NT) on the core
network, the perimeter network (web servers, proxy server, merchant server, e-mail, firewall,
VPN, certificate authority, intrusion detection, active content filtering, backup and restore),
and the access network reaching customers, suppliers, distributors, business partners, and
mobile employees; security management, single sign-on, access security, auditing, workload
management, PC security, and PC anti-virus are placed around them. The figure notes that
55% of data theft occurs on the mission-critical servers.
Policy-based security: peace of mind in troubled times
The heart of an effective security program lies in its security policy. The bottom line is that
everyone—partners, employees, customers, auditors, government regulators, and senior
management—is looking for a security policy that guarantees the privacy and confidentiality
of sensitive information. Never before have CIOs faced so many constituents demanding tight
protection and accountability. Management and boards of directors no longer accept the
running of expensive applications on insecure operating systems and ineffective protocols.
2 IBM Tivoli Access Manager for Operating Systems
Tivoli Access Manager for Operating Systems ensures that security policy is easily
implementable, robust, and comprehensive.
Easy-to-use: Because security policy is crucial to operational effectiveness, there is no
forgiving a security policy that is difficult to understand and challenging to enforce. Tivoli
Access Manager for Operating Systems simplifies policy in several ways. The first is Web
Portal Manager, a GUI-based, web-accessible management tool through which security policy
can be managed in a point-and-click format. Command-line interfaces and scripting support
give UNIX and Linux experts the same control from scripts and automation.
Simplicity is further ensured through Tivoli Access Manager for Operating Systems’ Fast
Track Policy Modules. Fast Track Policy Modules are pre-written, best-practice security
policies. They provide a method for demanding enterprises to quickly adopt effective
security. Security threats multiply daily, and CIOs cannot be expected to wait on slow
security policies. While enterprises can use Tivoli Access Manager for Operating Systems’
Web Portal Manager to design and set detailed policy if they wish, enterprises accelerate
their ROI through the use of Fast Track Policy Modules.
Fast Track Policy Modules also come in application-specific versions that serve as
pre-tailored starting points. These pre-written, best-practice policies make it easy to
adapt security policy to specific missions, such as enhancing Web security or defending
CRM, ERP, or other applications and databases.
Simplicity is crucial for an effective security policy. Through Web Portal Manager, shown in
Figure 2, security policies can be managed in a point-and-click fashion.
Figure 2 Web Portal Manager interface
Powerful: Power is provided through Tivoli Access Manager for Operating Systems’
multi-threaded architecture. This enables Tivoli Access Manager for Operating Systems to
operate fully 22 times faster than its leading competitor. This performance also means that
CIOs no longer have to trade operating efficiency for security. Applications run smoothly
even with the rigorous security added by Tivoli Access Manager for Operating Systems.
With Tivoli Access Manager for Operating Systems, administrators can set and enforce
three types of security policy: password policy, login policy, and resource policy. With
password policy, for instance, administrators can require timely password changes, or
passwords of a specified minimum length and alphanumeric mix. With login policy,
administrators can determine from where users may access systems and what they may
access remotely. Resource policy lets administrators restrict access to systems, files, and
data on a “need-to-know” basis: access that no policy grants is denied.
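The three policy types above, worked through as an added example. This is illustration code written for this page, not Tivoli Access Manager for Operating Systems code or its policy syntax: the class names, the rule layout (path glob, principal, permitted actions), the network prefixes, thresholds, user names and dates are all assumptions chosen for the demonstration. The resource policy is deny-by-default and treats root as just another principal, which is how the page's "need-to-know, even for root" claim translates into a decision function.

```python
# Added illustration of the three policy types (password, login, resource)
# described above. Example code, not Tivoli Access Manager for Operating
# Systems code: class names, rule formats, thresholds and sample data are
# all assumptions chosen for the demonstration.
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import date, timedelta
from fnmatch import fnmatch
from typing import Iterable


@dataclass
class PasswordPolicy:
    """Timely change, minimum length and alphanumeric mix, as in the text."""
    min_length: int = 12
    max_age_days: int = 90

    def check(self, password: str, last_changed: date, today: date) -> list[str]:
        """Return every violation found; an empty list means compliant."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
            problems.append("needs both letters and digits")
        if today - last_changed > timedelta(days=self.max_age_days):
            problems.append(f"not changed for more than {self.max_age_days} days")
        return problems


@dataclass
class LoginPolicy:
    """Where a user may log in from: user (or '*' default) -> allowed networks."""
    allowed_sources: dict[str, list[str]]

    def permits(self, user: str, source_ip: str) -> bool:
        nets = self.allowed_sources.get(user, self.allowed_sources.get("*", []))
        addr = ipaddress.ip_address(source_ip)
        return any(addr in ipaddress.ip_network(net) for net in nets)


@dataclass
class ResourcePolicy:
    """Need-to-know ACL: rules are (path glob, principal, permitted actions).

    Deny by default, and uid 0 is just another user: 'root' only gets what a
    rule names explicitly (an assumption of this illustration; the page says
    the controls apply to root but not how root is modelled).
    """
    rules: list[tuple[str, str, str]]

    def decide(self, user: str, groups: Iterable[str], path: str, action: str) -> bool:
        principals = {f"user:{user}"} | {f"group:{g}" for g in groups}
        for glob, principal, actions in self.rules:
            if principal in principals and fnmatch(path, glob) and action in actions:
                return True
        return False  # nothing matched, so nothing is granted


def demo() -> dict:
    """Exercise each policy on constructed inputs (names and dates are made up)."""
    pw = PasswordPolicy()
    login = LoginPolicy({"*": ["10.0.0.0/8"], "dba": ["10.20.0.0/16"]})
    payroll = ResourcePolicy([
        ("/data/payroll/*", "group:finance", "r"),
        ("/data/payroll/*", "user:payroll-batch", "rw"),
    ])
    return {
        "weak_pw": pw.check("summer", date(2003, 1, 1), date(2003, 6, 1)),
        "good_pw": pw.check("Tivoli-0S2003", date(2003, 5, 1), date(2003, 6, 1)),
        "dba_from_dba_lan": login.permits("dba", "10.20.5.9"),
        "dba_from_other_lan": login.permits("dba", "10.99.1.1"),
        "root_reads_payroll": payroll.decide("root", ["wheel"], "/data/payroll/q1.csv", "r"),
        "finance_reads_payroll": payroll.decide("bob", ["finance"], "/data/payroll/q1.csv", "r"),
        "finance_writes_payroll": payroll.decide("bob", ["finance"], "/data/payroll/q1.csv", "w"),
        "batch_writes_payroll": payroll.decide("payroll-batch", [], "/data/payroll/q1.csv", "w"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the "dba" entry in the login policy replaces the wildcard default rather than adding to it, so a database administrator connecting from the general corporate range is refused; whether a per-user rule narrows or widens the default is exactly the kind of semantics a practitioner should pin down before trusting any login policy.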
Comprehensive: As a result of its industry-leading power, Tivoli Access Manager for
Operating Systems successfully scales throughout the enterprise, enforcing security
comprehensively. It enables management to set a single security policy that is
implemented and enforced worldwide. Centralization ensures adherence to corporate
guidelines and government regulations.
With Web Portal Manager, Tivoli Access Manager for Operating Systems policy can be
managed from a Web-based tool. The benefit of this approach is that it enables an
enterprise’s security managers to delegate limited authority for routine or emergency
matters to specified, local sub-domain administrators. This scheme offers maximum
control while affording flexibility when necessary. During a network interruption, control
can be delegated to local subdomain administrators without granting them excessive
access or access to other subdomains.
Auditing: proof positive in a cynical world
Defending resources is equally as important as auditing resources. Gone are the days when
a CIO could simply attest that the network was secure. Amid unrelenting attacks, omnipresent
threats, and widely publicized failures, customers, partners, and regulators all demand proof
of effective security controls.
Tivoli Access Manager for Operating Systems responds to this need through Persistent
Universal Auditing, which maintains 24x7 audit logs on all programs, files, ports, resources,
and systems. This provides administrators with a centralized report on security events,
enabling administrators to review which users accessed what resources, how, and when.
Misbehavior rarely occurs just once; it recurs. Regular audit review cuts prolonged abuse
short. The most successful information thieves endure through “creep and take” tactics:
through incremental attacks over long periods of time they accumulate extensive amounts of
sensitive data and insidiously degrade system defenses. Because they typically are insiders,
such “CAT thieves” present significant risk, much more than regular Internet hackers.
Insiders, after all, know on which systems valuable information resides and how best to
circumvent security protocols. Recurrent auditing with Tivoli Access Manager for Operating
Systems exposes CAT attacks while they are still small, because each individual access is
recorded even when no single day's activity looks unusual.
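An added example of the review that a persistent audit trail makes possible: finding a "creep and take" user whose activity on any single day looks harmless but whose cumulative reach over sensitive files does not. This is example code written for this page, not the product's audit format or reporting; the record layout, the `/data/customers/` prefix, both thresholds and every log line are constructed for the illustration.

```python
# Added illustration of the audit review described above: spotting a
# "creep and take" user whose daily activity never looks alarming but whose
# cumulative reach over sensitive data does. Example code only; the record
# format, thresholds and the log lines are constructed for this example and
# are not the product's audit format.
from __future__ import annotations

import re
from collections import defaultdict
from datetime import date, timedelta

RECORD = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+) result=(?P<result>\S+)$"
)


def parse(lines):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in lines:
        m = RECORD.match(line)
        if m:
            yield m.groupdict()


def detect(records, sensitive_prefix="/data/customers/", daily_limit=10, window_limit=20):
    """Return burst users (many distinct sensitive files in one day) and
    creep users (modest daily counts that add up past window_limit)."""
    per_day = defaultdict(lambda: defaultdict(set))  # user -> day -> distinct paths
    for r in records:
        if r["result"] != "permit" or not r["path"].startswith(sensitive_prefix):
            continue
        per_day[r["user"]][r["ts"][:10]].add(r["path"])
    burst, creep = [], []
    for user, days in per_day.items():
        peak = max(len(paths) for paths in days.values())  # worst single day
        total = len(set().union(*days.values()))            # distinct files overall
        if peak > daily_limit:
            burst.append((user, peak))
        elif total > window_limit:
            creep.append((user, total, len(days)))
    return {"burst": sorted(burst), "creep": sorted(creep)}


def constructed_log():
    """Constructed records for three users over 15 days (not real data)."""
    lines = []
    start = date(2003, 5, 1)
    for d in range(15):
        day = (start + timedelta(days=d)).isoformat()
        # mallory: two previously untouched customer files every night
        for i in range(2):
            lines.append(f"{day}T02:1{i}:00 user=mallory action=read "
                         f"path=/data/customers/{d * 2 + i:04d}.dat result=permit")
        # alice: the same three files every day, a normal working pattern
        for n in range(3):
            lines.append(f"{day}T09:00:00 user=alice action=read "
                         f"path=/data/customers/{n:04d}.dat result=permit")
    # bob: 25 files in a single session, the classic smash-and-grab
    for n in range(25):
        lines.append(f"2003-05-03T14:00:{n:02d} user=bob action=read "
                     f"path=/data/customers/{n:04d}.dat result=permit")
    # a denied attempt and a malformed line, both ignored by the analysis
    lines.append("2003-05-04T03:00:00 user=root action=read "
                 "path=/data/customers/0001.dat result=deny")
    lines.append("garbage line from a partial write")
    return lines


if __name__ == "__main__":
    print(detect(parse(constructed_log())))
```

A per-day threshold alone catches bob and misses mallory, which is the point of the passage: the long-window count only exists if every permitted access was recorded and retained, so the detection depends on the audit trail being persistent rather than on any single alert rule.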
The United States government has responded to financial scandals and health care concerns
through the Sarbanes-Oxley Act of 2002 and the Health Insurance Portability and
Accountability Act of 1996 (HIPAA). These two sets of legislation require the erection of
significant barriers to secure sensitive financial and health care data. In addition, regular
auditing is required to prove that confidential and private information is handled only on a
need-to-know basis. Countries around the globe have enacted similar legislation. European
legislation has gone even farther in its privacy and confidentiality requirements.
Architecture: simple, lean, and muscular
Tivoli Access Manager for Operating Systems is built on a lightweight, powerful, easily
installed architecture. This simple architecture centers on the Tivoli Access Manager Policy
Server. This server houses all security policies and can also maintain the database of all
users in an LDAP directory.
Tivoli Access Manager for Operating Systems relies on its Security Agent for local policy
enforcement. The Security Agent protects and audits each server locally, acting as a
host-based firewall: it intercepts system calls and denies unauthorized access to files before
the operating system carries it out. Exceeding typical firewall capability, Tivoli Access
Manager for Operating Systems restricts both incoming and outgoing network traffic,
applying the same policy control to TCP/IP ports. The Security Agent also locally audits the
use of applications, files, and resources.
Figure 3 is an overview of the architecture of Tivoli Access Manager for Operating Systems.
Figure 3 Tivoli Access Manager for Operating Systems architecture. The Access Manager Policy
Server is the centralized server containing the policy database and the user IDs (LDAP); the
Policy Server maintains policy. Each Security Agent, connected to it over an SSL connection,
enforces policy and erects the security perimeter on its host: it intercepts the system call,
makes the access decision, and writes the audit record.
For full security even during network interruptions, the Security Agent replicates the security
policy and user identifications locally. In the event that the network connection fails, the
Security Agent is fully able to make access decisions without the Policy Server being present.
Linux: bulletproof answer to open source questions
“Open source software is now the major source of elevated security vulnerabilities for IT
buyers.”
The majority of the 29 advisories issued from January through October 2002 by Carnegie
Mellon’s CERT Coordination Center addressed vulnerabilities in open source or Linux
products.
—eWeek, Nov. 22, 2002
Linux provides a revolutionary platform with superb flexibility, dependability, and value—and a
whole new set of security challenges. Typically, however, it is not the enterprise’s only
operating system. In today’s heterogeneous enterprise, an effective security solution must be
able to secure and run on a variety of platforms. Tivoli Access Manager for Operating
Systems can secure a wide range of Linux and UNIX® operating environments, and
constantly expands its coverage. Tivoli Access Manager for Operating Systems supports
Linux on iSeries, xSeries, pSeries, and zSeries® platforms.
Integration: flexibility on demand
Tivoli Access Manager for Operating Systems provides unparalleled breadth in value through
full integration with the market’s leading identity management, identity provisioning, and
security management products. IBM Tivoli Identity Manager, IBM Tivoli Access Manager for
e-business, IBM Tivoli Privacy Manager, and IBM Tivoli Risk Manager all effectively
complement Tivoli Access Manager for Operating Systems. Use of a common approach and
infrastructure enables customers to rapidly meet demands for increased responsiveness,
improved efficiency, and greater economy.
Figure 4 IBM Tivoli Integrated Identity and Security Management. Layers shown: security
management (Tivoli Risk Manager, fed by 3rd party software, firewalls, anti-virus, network
intrusion detection, and VPN); user management (Tivoli Identity Manager for user
provisioning, Tivoli Access Manager for application protection, Tivoli Privacy Manager for
privacy assurance); and directory management (IBM Directory Server and IBM Directory
Integrator).
The IBM Tivoli Integrated Identity Management suite (shown in Figure 4) scales to precisely
meet customers’ needs, whether those needs are narrowly focused or broadly conceived.
These solutions work together to provide significant return on investment and exceptional
levels of service to internal and external users. Close cooperation with industry partners in
developing standards ensures that Tivoli’s Integrated Identity Management suite is both
widely interoperable and remarkably rigorous.
Summary: exceptional solution for an insidious threat
“The hacker who just stole your records is just as likely to be an insider as an outsider …
Computer break-ins by insiders often do more damage than when a remote hacker gets
into the system … They know what to take; they know what is important.”
—The Atlanta Journal-Constitution, May 14, 2003
In a recent case involving a large consumer goods company, an insider pilfered the
confidential financial, Social Security, and employee records of 450 co-workers. The
employee bypassed protocols to slip into the company’s computer system without
authorization.
Incidents of insider cyber theft are rising rapidly. With increasing amounts of valuable
consumer, employee, and partner data being accumulated, the incentives for insider
misbehavior are increasing as well. Organizations face growing risk.
Simultaneously, regulators and legislators are targeting enterprises that do not implement
effective controls with fines and increased scrutiny. CIOs face unrelenting pressure for
improved security, auditability, and accountability.
The most economic and effective solution for CIOs is to combine comprehensive intrusion
prevention technology—host-based firewall capability, application and platform protection,
user tracking and controls—with persistent auditing capability. In a lightweight, powerful way,
Tivoli Access Manager for Operating Systems does exactly this.
No longer do organizations need to run business-critical applications on mainframes in order
to enjoy mainframe-class security. With Tivoli Access Manager for Operating Systems they
can enjoy mainframe-class security on distributed systems. And they can enjoy the peace of
mind that comes when valuable data is fully secured and all users are held fully accountable.
The team that wrote this Redpaper
This Redpaper was produced by a team of specialists from around the world working at the
International Technical Support Organization, Austin Center.
Axel Buecker is a Certified Consulting Software I/T Specialist at the International Technical
Support Organization, Austin Center. He writes extensively and teaches IBM classes
worldwide on areas of Software Security Architecture. He holds a degree in computer science
from the University of Bremen, Germany. He has 17 years of experience in a variety of areas
related to Workstation and Systems Management, Network Computing, and e-business
solutions. Before joining the ITSO in March 2000, Axel worked for IBM in Germany as a
Senior I/T Specialist in Software Security Architecture.
Shawn Young is the IBM Tivoli Access Manager for Operating Systems' worldwide product
manager. While at IBM he has contributed to the development of a number of leading edge
security products. He has an extensive background in management consulting and has
consulted with leading Fortune 500 companies on customer-centric approaches to improved
operational effectiveness. He holds a degree in Economics and Public Policy from Rice
University and a Masters degree in Business Administration from the University of California,
Los Angeles' Anderson School of Management.
Thanks to the following person for her contribution to this project:
Betsy Thaggard
International Technical Support Organization, Austin Center
Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States,
other countries, or both:
IBM®
ibm.com®
Redbooks (logo)™
Tivoli®
zSeries®
The following terms are trademarks of other companies:
UNIX is a registered trademark of The Open Group in the United States and other countries.
Other company, product, and service names may be trademarks or service marks of others.