Achieve Comprehensive Security with Multi-Level Access Control

Too many privileged users constitute a significant data management and security risk. However, providing users and systems with the least access necessary is complex. Administrators need tools for dynamic access management based on real-time behavior and context.

3 Multi-level access control features for comprehensive security

Every day, there are thousands of requests to access an IBM i system, and many of these requests are legitimate. Others, though, could be a risk to data security. This means that admins need the ability to distinguish between normal and suspicious access attempts.

Multi-level access control is a dynamic approach that’s based on risk. Assure Security expands IBM i security with features for multi-factor authentication, managing elevated authority, and controlling system access. 

1. Multi-factor authentication

Passwords alone are often not enough to secure sensitive data sets. Twenty-nine percent of data breaches last year involved weak, stolen, or brute-force passwords.

Assure Multi-Factor Authentication guards against access by stolen user accounts. Multi-factor authentication, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that allows you to present two pieces of evidence when logging into an account. Assure Security may verify user identity by asking for at least two of the following: 

• Something they know: User ID, password, or PIN
• Something they have: Email, smartphone, token device
• Something they are: Fingerprint or iris scan

Failed multi-factor authentication requests can create an incident alert in the Security Incident and Event Management (SIEM) system, thereby ensuring that admins are aware of potential risks. Assure Multi-Factor Authentication supports compliance with PCI, HIPAA, and other regulations.

2. Elevated authority

There are legitimate business and process reasons to grant a higher level of authority to access a system. However, elevated access should be granted temporarily based on real-time need. Once the need is over, the elevated access should be removed. Managing these elevated authorities properly is necessary to comply with HIPAA, GDPR and other regulations.  

Auditors look for a clear trail of authority elevations. Compliance also requires privileged user activity logs. Assure Security provides continuous monitoring of user activities. It monitors elevated authority to identify data security risks; hackers or malicious insiders may request elevated access to steal data or cover their tracks.

Assure Elevated Authority Manager grants limited-time authority based on need and risk. This increased access can be granted automatically or be subject to manual approval based on day, time, job title, IP address, and more.  

3. System access

The modern IBM i system is highly connected to other points in the enterprise ecosystem. Every port is a potential point-of-entry for malicious systems and hackers. Assure System Access Manager detects access attempts to your IBM i systems and data, determines whether to accept or deny them, and optionally logs those decisions and trigger actions. 

Assure System Access Manager detects all IBM i systems and data access attempts and can accept or deny access based on system parameters and risk. Assure System Access Manager uses IBM i exit point technology to provide comprehensive control of external and internal access over: 

• Network access (FTP, ODBC, JDBC, OLE DB, DDM, DRDA, NetServer, etc.)
• Communication port access (using ports, IP addresses, sockets – covers SSH, SFTP, SMTP, etc.)
• Database access (open-source protocols – JSON, Node.js, Python, Ruby, etc.)
• Command access

Comprehensive access security

The enterprise needs sophisticated, powerful tools to identify insider and outsider access threats. 

Assure Security features for multi-factor authentication, elevated authority management, and system access are available for individual licensing or together via Assure Security. 

Read IBM i Security Insights for 2020 to learn more.