One of the greatest challenges in IBM i security is managing the powerful users charged with its care, especially in hard-to-audit environments like SQL.
4. 4
• Premier provider of security solutions & services
– 17 years in the security industry as an established thought leader
– Customers in over 70 countries, representing every industry
– Security subject matter expert for COMMON
• Wholly-owned subsidiary of HelpSystems since 2008
• IBM Advanced Business Partner
• Member of PCI Security Standards Council
• Authorized by NASBA to issue CPE credits for security education
• Publisher of the annual “State of IBM i Security Study”
6. 6
• Programmers
– Claim they need *ALLOBJ authority to fix production applications
• System Administrators
– Claim they need authority to configure and change the system
• Operators
– Claim they need Special Authorities to do backups and other specialized functions
• Vendors
– Can’t imagine running without Security Officer rights
9. 9
Date: January 9, 2005 2:37am
Author: A.F.
Subject: How to recover a deleted library?
PLS Help me! How can I recover a library I’ve just deleted by mistake and I have no tape backup. I’ve asked all users to sign off in order not to create any new objects. PLS HELP ME AND I WILL UPGRADE MY SUBSCRIPTION AT ONCE. THANKS
A posting at iSeriesNetwork.com
11. 11
Date: September 1, 2004 12:49pm
Author: R.H.
Subject: Oops!
HELP!!!
I've accidentally deleted program QCMD in QSYS (spelling error using DLTPGM). The system has crashed. Any suggestions? I assume an IPL will be required, but is there anything else that can be suggested? This is bad.
A posting at iSeriesNetwork.com
12. 12
• The #1 item cited by auditors is:
Control and monitoring of powerful users
What’s a powerful user?
• Someone with Special Authority or lots of private authority
• IT staff or other knowledgeable users with direct access to production data
• A user with a way to execute commands
16. 16
• Legislatures create laws
– Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, SB1386, and more
• Laws are open to interpretation
– Sarbanes-Oxley Section 404:
• “Perform annual assessment of the effectiveness of internal control over financial reporting…”
• “…and obtain attestation from external auditors”
• Auditors are the interpreters
17. 17
• Auditors interpret regulations:
– Auditors focus on frameworks and processes
– Auditors have concluded that IT is lacking when it comes to internal controls
• Executives follow auditor recommendations
18. 18
Special Authority (aka Privileges)
All Object (*ALLOBJ)
The “gold key” to every object and almost every administrative operation on the system, including unstoppable data access.
*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS
19. 19
Special Authority (aka Privileges)
Security Administration (*SECADM)
Enables a user to create and maintain system user profiles without requiring the user to be in the *SECOFR user class or giving *ALLOBJ authority.
20. 20
Special Authority (aka Privileges)
I/O Systems Configuration (*IOSYSCFG)
Allows the user to create, delete, and manage devices, lines, and controllers. Also permits the configuration of TCP/IP and the start of associated servers (e.g., HTTP).
21. 21
Special Authority (aka Privileges)
Audit (*AUDIT)
Permits the user to manage all aspects of auditing, including setting the audit system values and running the audit commands (CHGOBJAUD / CHGUSRAUD).
22. 22
Special Authority (aka Privileges)
Spool Control (*SPLCTL)
This is the *ALLOBJ of spooled files: it allows a user to view, delete, hold, or release any spooled file in any output queue, regardless of restrictions.
23. 23
Special Authority (aka Privileges)
Service (*SERVICE)
Allows a user to access the System Service Tools (SST) login, although since V5R1 they also need an SST login.
24. 24
Special Authority (aka Privileges)
Job Control (*JOBCTL)
Enables a user to start and end subsystems and manipulate other users’ jobs. It also provides access to spooled files in output queues designated as “operator control.”
25. 25
Special Authority (aka Privileges)
Save System (*SAVSYS)
Enables a user to perform save/restore operations on any object on the system, even if there is insufficient authority to use the object.
Be cautious if securing objects at only a library level.
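An audit sketch for the eight special authorities described above, added here as an example (it is not PowerTech or IBM code). On IBM i a user also receives the special authorities of its group profiles, so the script resolves inherited grants and reports every one missing from an approved list; the record layout, the approved list, and all profile names except QSECOFR are constructed assumptions.

```python
# Added example, not vendor code: who effectively holds each special authority?
from dataclasses import dataclass

SPECIAL_AUTHORITIES = ("*ALLOBJ", "*SECADM", "*IOSYSCFG", "*AUDIT",
                       "*SPLCTL", "*SERVICE", "*JOBCTL", "*SAVSYS")

@dataclass(frozen=True)
class Profile:
    name: str
    special: frozenset = frozenset()  # authorities granted directly
    groups: tuple = ()                # group and supplemental group profiles

def effective(profile, profiles):
    """Map each held authority to its source: 'direct' or 'via <group>'."""
    held = {auth: "direct" for auth in profile.special}
    for group_name in profile.groups:
        group = profiles.get(group_name)
        if group is None:
            continue  # dangling group reference in the listing
        for auth in group.special:
            held.setdefault(auth, f"via {group_name}")
    return held

def audit(profiles, approved):
    """List (user, authority, source) for every grant not on the approved list."""
    findings = []
    for name in sorted(profiles):
        held = effective(profiles[name], profiles)
        for auth in SPECIAL_AUTHORITIES:
            if auth in held and auth not in approved.get(name, frozenset()):
                findings.append((name, auth, held[auth]))
    return findings

def _p(name, special=(), groups=()):
    return name, Profile(name, frozenset(special), tuple(groups))

# Constructed sample data: all profile names except QSECOFR are hypothetical.
PROFILES = dict([
    _p("QSECOFR", SPECIAL_AUTHORITIES),
    _p("DEVGRP", ["*ALLOBJ", "*JOBCTL"]),          # group profile
    _p("PGMR1", groups=["DEVGRP"]),                 # nothing granted directly
    _p("OPER1", ["*SAVSYS", "*JOBCTL", "*SPLCTL"]),
    _p("CLERK1"),
])
APPROVED = {"QSECOFR": frozenset(SPECIAL_AUTHORITIES),
            "OPER1": frozenset({"*SAVSYS", "*JOBCTL"})}

if __name__ == "__main__":
    for user, auth, source in audit(PROFILES, APPROVED):
        print(f"{user:8} {auth:10} {source}")
```

PGMR1 has no special authority of its own yet is reported for *ALLOBJ and *JOBCTL through DEVGRP, which a review of direct grants alone would miss.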
26. 30
[Diagram: Production Update Authority, with Read / Change access to Payroll, Accounts Receivable, Accounts Payable, and Customer Information]
• IT personnel often insist that powerful authorities are necessary to do their job:
– Special Authorities like *ALLOBJ, *SPLCTL, *SECADM
– Rights to change critical production data
• Sometimes they are right!
27. 31
[Diagram: Read / Change access to each of Payroll, Accounts Receivable, Accounts Payable, and Customer Information]
This is a top exception item reported by auditors!
28. 32
• To keep your business running, you need:
– Emergency access to repair data files
• To keep your system safe, you need:
– A way to monitor when powerful authorities are used
– A way to monitor user activities, including when they enter the “command tunnel”
29. 33
• COBIT AI6.4 - Emergency Changes
– IT management should establish parameters defining emergency changes and procedures to control these changes (…)
• COBIT DS10.4 - Emergency and Temporary Access Authorizations
– Emergency and temporary access authorizations should be documented on standard forms and maintained on file, approved by appropriate managers, securely communicated to the security function and automatically terminated after a predetermined period.
30. 34
• ISO 27002 Section 9.2.2: Privilege Management
– The allocation of privileges should be controlled through a formal authorization process
– Privileges should be allocated to individuals on a need-to-use basis and event-by-event basis
– An authorization process and a record of all privileges allocated should be maintained
– Privileges should be assigned to a different user identity than those used for normal business
32. 36
[Diagram: PAYCHANGE (Temp. Profile); Payroll, Accounts Receivable, Accounts Payable, Customer Information; Report, Message, Custom Alert. Caption: Management is aware of all activity]
33. 37
• Government regulators and IT auditors demand accountability
• Legislatures have created laws that require us to prove that our IT infrastructure is secure
• Non-compliance penalties range from public disclosure, to fines, to prison sentences for executives
– Executives are finally taking security very seriously
34. 38
• Allows you to monitor and control users with powerful authorities
– Authority Broker lets you specify when and how users exercise powerful authority
– Authority Broker works with IBM i security to protect assets
– Authority Broker provides notification, monitoring, and control of powerful users
– Authority Broker provides visibility into non-command-based environments
36. 40
• Allows you to intercept commands and conditionally perform other actions
– Command Security lets you specify when and how users execute commands
– Command Security is applicable to all users – even QSECOFR and other *ALLOBJ users
– Command Security provides notification, monitoring, and control of command environments
– Command Security can enforce the requirement to obtain privileges via Authority Broker
38. 42
• Sign on as a limited-capability user and as a powerful user
• Attempt to access restricted functions
• Use Authority Broker to elevate user authorities on demand, and Command Security to control commands
• Perform restricted functions, including access to “tunnel” environments
• Report on user activities
39. 43
• IT security has executive attention
– This is the best opportunity to solve long-standing problems
– Gain management approval now
• Control users with broad authority to production data
– Leaving users unchecked is both an audit exception and an accident waiting to happen
– Don’t accept that powerful users have to be limitless
• Limit the use of powerful profiles
– Monitor and report when power is used
42. 47
Please visit www.helpsystems.com/powertech to access:
• The State of IBM i Security Study
• Online Compliance Guide
• Webinars/Educational Events
• Articles & White Papers
• Product Datasheets
• Product Trial Downloads
www.helpsystems.com/powertech (800) 915-7700 info@powertech.com