IBM i Solutions
IBM i access control solutions
IBM i access control requires strong password security, careful management of elevated authorities, and comprehensive analysis of all system access attempts to ensure regulatory compliance and protect your data.
Controlling system and data access
IBM i systems contain the data that drives your business, including financial transaction information, healthcare records, and other personally identifiable information for customers, partners and employees.
Much of this data is subject to regulations such as SOX, PCI DSS, HIPAA, and GDPR. Therefore, any data breach can result in regulatory fines, lost revenue, remediation costs, legal fees, lost productivity, brand damage, and more.
To fully secure data and comply with regulations, you need overlapping layers of security to detect and respond to threats and address evolving requirements.
In addition to monitoring system events and encrypting data to protect its privacy, you need tools that control access to your IBM i and its data.
Access control solutions allow you to address three critical areas:
- Who can log on to your IBM i;
- What they have the authority to do;
- What commands they can run and what data they can access.
As hacking techniques become more sophisticated, and the costs and consequences of data breaches continue to rise, simple password policies are no longer enough to protect IBM i systems. Multi-factor authentication (MFA) strengthens logon security by requiring users to provide another form of identification in addition to a password. Several compliance regulations require MFA today, and it’s likely to become more widespread in the future.
Multi-factor authentication works by requiring a user to provide two (or more) forms of evidence to authenticate their identity. Those authentication factors can be something the user knows (e.g. a password or PIN), something they have (e.g. an authentication token or cell phone), or something they are (e.g. biometric data such as a fingerprint or iris scan).
A one-time password generated by a hardware token or an authenticator app and validated by the server is the most common second factor. One-time passwords can be issued and validated by a wide variety of authentication services. Your IBM i MFA solution should integrate with the services that already provide tokens for your other platforms, such as RSA SecurID or RADIUS-compatible authenticators like Duo and the Microsoft Azure Authenticator. You may also choose an MFA solution that generates and validates tokens on the IBM i itself, without software on other platforms.
An effective IBM i multi-factor authentication solution should also offer the flexibility to be invoked in multiple ways based on the context and the user authenticating. For example, your MFA solution should allow you to configure the situations, users, or groups of users that require MFA. It should also be able to be invoked from the logon screen or integrated into other workflows.
Lastly, IBM i MFA solutions must log every authentication failure, disable accounts after too many failed attempts and optionally alert administrators of potential security issues. Set the lockout threshold with care: anyone who can reach the logon screen can deliberately trip it to lock out legitimate users, so lockouts should raise an alert and be reviewed rather than silently applied.
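The following is an added example, not code from Precisely or from any IBM i MFA product, showing what the "software token" side of the previous paragraphs actually computes: a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226) and a server-side verifier that tolerates one step of clock drift, rejects replay of an already-used code, logs every attempt and locks the account after a configurable number of failures. The secret is the RFC reference secret so the codes match the published test vectors; the window size, lockout threshold and log format are choices made for this illustration.

```python
"""TOTP generation and verification with drift window, replay rejection and
lockout. Added example; not Precisely's or IBM's code."""
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 reference secret (ASCII "12345678901234567890"), used here so the
# codes match the published test vectors. A real deployment generates a random
# per-user secret and provisions it out of band (QR code, hardware token).
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30      # RFC 6238 default time step
DIGITS = 6             # most authenticator apps show 6 digits


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter derived from the current time step (RFC 6238)."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


class TotpVerifier:
    """Server side of the exchange for one user account.

    Accepts the current step plus one step either side (clock drift), never
    accepts a step at or before the last accepted one (replay), counts
    failures and locks the account once they reach max_failures. Every
    decision is appended to self.log so the record survives for audit.
    """

    def __init__(self, secret: bytes, max_failures: int = 5):
        self.secret = secret
        self.max_failures = max_failures   # threshold is a deployment choice
        self.failures = 0
        self.locked = False
        self.last_accepted_step = -1
        self.log = []

    def verify(self, code: str, unix_time=None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        if self.locked:
            self.log.append(f"t={now} REJECT account locked")
            return False
        step = now // STEP_SECONDS
        for candidate in (step - 1, step, step + 1):
            if candidate <= self.last_accepted_step:
                continue                        # a step's code is valid once
            # constant-time compare so the comparison does not leak digits
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                self.failures = 0
                self.log.append(f"t={now} ACCEPT step={candidate}")
                return True
        self.failures += 1
        self.locked = self.failures >= self.max_failures
        self.log.append(f"t={now} FAIL attempt={self.failures} locked={self.locked}")
        return False


if __name__ == "__main__":
    # Reproduce two RFC 6238 vectors, then exercise replay rejection and lockout.
    print(totp(DEMO_SECRET, 59, 8), totp(DEMO_SECRET, 1111111109, 8))
    v = TotpVerifier(DEMO_SECRET)
    v.verify(totp(DEMO_SECRET, 59), 59)   # accepted
    v.verify(totp(DEMO_SECRET, 59), 59)   # same code again: rejected
    for _ in range(4):
        v.verify("000000", 59)            # garbage until the account locks
    print("\n".join(v.log))
```

The verifier keys its state on the account, not on the source address, so a distributed guessing attack still hits the same failure counter; that is why the lockout threshold in the paragraph above needs alerting behind it.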
When too many user profiles on an IBM i system hold powerful authorities, the system and its data are exposed to breaches and other forms of cybercrime. Regulations like SOX, HIPAA, the Federal and North American Information Practice Act, and GDPR require IT organizations to restrict access to powerful privileges and monitor those who have them.
On IBM i, special authorities grant system-wide privileges that go beyond authority to individual objects. They let a user create, change and delete user profiles, change system configuration, change or limit other users' access, and more. *ALLOBJ is the notorious one: it grants access to every object on the system regardless of the object's private or public authority. *SECADM lets a profile create and administer other user profiles, so a profile holding both has unrestricted control of the system and its data.
Compliance auditors recommend that users be given only the minimum set of authorities required to do their jobs. When special authorities are required, they should be granted only as needed and for a limited time, and while a user holds elevated authority an audit log of their actions should be maintained. To see who holds special authorities today, run the Print User Profile (PRTUSRPRF) command with TYPE(*AUTINFO), or query the SPECIAL_AUTHORITIES column of the QSYS2.USER_INFO SQL view.
Manually granting authority and revoking it after the required period is prone to error. As a result, user profiles are often left unmonitored with a high level of privilege. An effective authority management tool automates granting elevated authorities when needed, keeps comprehensive logs of the actions taken by privileged users, and revokes the authorities at the end of the required period. Integration with your help desk solution enables end-to-end management of authority requests.
By automating the management of elevated authority and producing alerts, reports and an audit trail of the activities performed by elevated profiles, you reduce the risk posed by accounts with excess authority, demonstrate compliance and enforce segregation of duties as a security best practice.
Intruders will look for any means of gaining access to your systems and data, whether through the network, a communications port, a database protocol such as ODBC, or a command line. Potential points of access only continue to expand, and regulations such as SOX, HIPAA, GDPR, and others require you to control all forms of access to your data.
Fortunately for IBM i shops, IBM allows user-written programs to be invoked for a wide variety of OS-related operations. The points where programs can be attached are called "exit points," and the programs are called "exit programs." An exit program is registered against its exit point with the Add Exit Program (ADDEXITPGM) command, and the Work with Registration Information (WRKREGINF) command shows which exit points have programs attached; it is also the first place to check when auditing what already hooks your system. Exit programs are a powerful means of controlling access: attached to an OS operation, they can inspect each access attempt and allow or reject it based on the identity of the user and the context of the request.
For example, an exit program might monitor and log all FTP activity and allow or deny specific users the ability to transfer a file, based on parameters such as profile settings, IP address, object permission, time/date window, and more.
Given the breadth of modern methods for accessing IBM i data and the skill required to write and maintain exit programs, most shops rely on a third-party solution to secure the points of entry into their IBM i system. An effective solution must be continually expanded and enhanced as IBM adds exit points and new access methods appear.
Exit programs can be written with granular, rules-based logic that controls access under specific circumstances for a nuanced, contextual approach to security.
In addition to controlling access, exit programs must log every access attempt, generate reports and raise alerts. This gives security officers full visibility into system access attempts, enforces separation of duties, and provides the compliance information auditors require.
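The following is an added example, not Precisely's product code and not a real IBM i exit program, showing the rules-based decision logic the preceding paragraphs describe for the FTP example: a request is matched against ordered rules on user profile, client network, operation, object path and time-of-day window, the first match wins, anything unmatched is denied, and every decision is logged. The request model, the operation names ("LOGON", "GET", "PUT", "DELETE", "RCMD"), the rule format and the sample policy are all constructed for this illustration; a real exit program on IBM i would be registered against the FTP server request exit point, receive IBM's documented parameter format, and return its allow/reject decision through its parameter list.

```python
"""Rules-based allow/deny for FTP requests at an exit point, with an audit log.
Added example; the request fields, operation names and rules are constructed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class FtpRequest:
    user: str        # IBM i user profile making the request
    client_ip: str   # remote address of the FTP client
    operation: str   # simplified: "LOGON", "GET", "PUT", "DELETE", "RCMD"
    path: str        # IFS-style path of the object; "" for session-level ops
    when: datetime   # server local time of the request


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                        # "ALLOW" or "DENY"
    users: Tuple[str, ...] = ()        # () matches any user profile
    networks: Tuple[str, ...] = ()     # CIDR blocks; () matches any address
    operations: Tuple[str, ...] = ()   # () matches any operation
    path_prefix: str = ""              # "" matches any path
    hours: Tuple[int, int] = (0, 24)   # [start, end) local-hour window

    def matches(self, req: FtpRequest) -> bool:
        if self.users and req.user.upper() not in self.users:
            return False
        if self.networks and not any(
            ip_address(req.client_ip) in ip_network(n) for n in self.networks
        ):
            return False
        if self.operations and req.operation not in self.operations:
            return False
        # Path constraints apply only to requests that carry an object path;
        # session-level operations such as LOGON have none.
        if self.path_prefix and req.path and not req.path.upper().startswith(
            self.path_prefix.upper()
        ):
            return False
        start, end = self.hours
        return start <= req.when.hour < end


class ExitPointPolicy:
    """First matching rule wins; anything unmatched is denied.
    Every decision is appended to self.log, which doubles as the audit trail."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.log: List[str] = []

    def decide(self, req: FtpRequest) -> Tuple[str, str]:
        effect, rule_name = "DENY", "default-deny"
        for rule in self.rules:
            if rule.matches(req):
                effect, rule_name = rule.effect, rule.name
                break
        self.log.append(
            f"{req.when.isoformat()} {effect:5} user={req.user} ip={req.client_ip} "
            f"op={req.operation} path={req.path or '-'} rule={rule_name}"
        )
        return effect, rule_name


def evaluate(policy: ExitPointPolicy, user: str, ip: str, op: str,
             path: str, when_iso: str) -> str:
    """Convenience wrapper: build a request from plain strings and return the effect."""
    req = FtpRequest(user, ip, op, path, datetime.fromisoformat(when_iso))
    return policy.decide(req)[0]


# Constructed sample policy: remote command execution over FTP is refused for
# everyone; the vendor profile may log on and upload into its own library from
# the vendor's network during business hours; application users may download
# from the production library at any time.
SAMPLE_RULES = [
    Rule("no-remote-cmd", "DENY", operations=("RCMD",)),
    Rule("vendor-upload", "ALLOW", users=("VENDOR1",), networks=("10.20.0.0/16",),
         operations=("LOGON", "PUT"), path_prefix="/QSYS.LIB/VENDORLIB.LIB/",
         hours=(8, 18)),
    Rule("app-download", "ALLOW", users=("APPUSER",), operations=("LOGON", "GET"),
         path_prefix="/QSYS.LIB/PRODLIB.LIB/"),
]


if __name__ == "__main__":
    policy = ExitPointPolicy(SAMPLE_RULES)
    evaluate(policy, "VENDOR1", "10.20.5.7", "PUT",
             "/QSYS.LIB/VENDORLIB.LIB/PATCH.FILE", "2024-03-04T10:15:00")
    evaluate(policy, "VENDOR1", "10.20.5.7", "PUT",
             "/QSYS.LIB/VENDORLIB.LIB/PATCH.FILE", "2024-03-04T22:15:00")
    evaluate(policy, "APPUSER", "198.51.100.4", "RCMD", "", "2024-03-04T10:15:00")
    print("\n".join(policy.log))
```

Ordering matters: the blanket deny on remote commands sits first so that no later allow rule can accidentally widen it, and the default at the bottom is deny, which is the posture the paragraphs above call for.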
Toyota Material Handling Australia
Toyota Material Handling Australia (TMHA) needed to establish an effective internal control system to maintain the reliability of financial reporting, based on the Financial Instruments and Exchange Law (the so-called Japanese Sarbanes-Oxley Act or J-SOX). After a period of growth, TMHA was required to meet more stringent audit and governance requirements.
One of its challenges was periodically granting outside vendors access to their Infor M3 application. Using Precisely’s Assure Elevated Authority Manager, TMHA grants vendors the level of access they need for a specified period. At the end of that time, access is automatically revoked, although it can easily be extended, modified or granted again, if necessary.
Read the full case study.
Stay safe and secure
The cybersecurity requirements of compliance regulations are largely written to compel companies to put technologies and processes in place to keep unauthorized users out of systems, while maintaining tight control over what authorized users can do once logged on. Ensuring your IBM i systems are secure and compliant is complex and requires a multi-faceted approach. You must strengthen logon security, manage the privileges users have within the system and restrict how they can access data, system settings, and command line options.
Implementing IBM i multi-factor authentication, elevated authority management, and system access control goes a long way toward ensuring your organization stays compliant and safe from data breaches and other cybercrimes.
It’s important to remember that complying with regulations doesn’t equate to rock-solid security since regulations don’t always focus on all the layers of security required for total protection. Minimizing the possibility of a breach requires a solid understanding of all potential vulnerabilities.
Read The Essential Layers of IBM i Security for a roadmap to securing your IBM i systems that walks you through six layers of security best practices and technologies.