Lock it Down: Access Control for IBM i
Download as PPTX, PDF0 likes160 views
IBM i is securable BUT not secured by default. To help protect your organization from the increasing security threats, you must take control of all access points to your IBM i server. You can limit IBM i security threats by routinely assessing your risks and taking control of logon security, powerful authorities, and system access. With the right tools and process, you can assure comprehensive control of unauthorized access and can trace any activity, suspicious or otherwise, on your IBM i systems. Watch this on-demand webcast to learn: • How to secure network access and communication ports • How to implement different authentication options and tradeoffs • How to limit the number of privileged user accounts • How Precisely’s Assure Security can help
More Related Content
What's hot (20)
Similar to Lock it Down: Access Control for IBM i (20)
More from Precisely (20)
Recently uploaded (20)
Lock it Down: Access Control for IBM i
- 1. Lock It Down Access Control for IBM i Bill Hammond | Product Marketing Director
- 2. Housekeeping Webinar Audio • Today’s webcast audio is streamed through your computer speakers • If you need technical assistance with the web interface or audio, please reach out to us using the Q&A box Questions Welcome • Submit your questions at any time during the presentation using the Q&A box. If we don't get to your question, we will follow-up via email Recording and slides • This webinar is being recorded. You will receive an email following the webinar with a link to the recording and slides
- 3. Agenda • The growing threat • Understanding your risks • Reducing your risks with Access Control • System Access • Authentication • Elevated Authorities • Q & A 3
- 4. Ransomware attacks • 51% of companies faced ransomware attacks • 26% of companies paid the ransom to cybercriminals • The average ransom amount in 2020 was $180,000 for big companies • The average ransom amount in 2020 for small businesses was $6,000 • A set of software tools needed to launch a ransomware attack costs about $50 on the darknet • A new ransomware attack is detected every 11 seconds 4
- 5. Impact of Covid-19 pandemic • Initial response to the pandemic was the transfer of a large number of employees to remote work mode • The security perimeter became blurred for many companies • Dramatic rise in malicious sites with the words like “covid” or “coronavirus” in their domain names • Many of these rogue websites host ransomware and other malware that is designed to capture login information 5
- 6. Looking for passwords • A significant part of malicious operations is devoted to obtaining passwords. • Legitimate accounts allow cybercriminals to remain undetected in a compromised system • Attackers use special tools to steal logins and passwords processed in browsers, as well as other places in the system where cached information is stored. 6
- 8. Too often risks are neglected • Lack of a Security Policy • Lack of regular security health checks (often a regulatory requirement) • Lack of expertise – a dedicated security officer doesn’t exist • Not using qualified external resources to validate security • No security or penetration testing • Too many powerful users • Auditing not turned on • Audit logs not checked • Patches not applied Is ignorance bliss? Security by obscurity? 8
- 9. Thinking the IBM i is secure by default? • IBM i often hosts the most critical data in a corporation. • IBM i is securable BUT not secured by default • Being compliant does not mean you are secure • Protecting the well-known interfaces is not enough for TODAY’s networks • The IBM i has become a target for hackers 9
- 11. System Access
- 12. Why Secure Access Points? 12 The IBM i is increasingly connected • Prior to the 1990s, the IBM i was isolated • In the 1990s IBM opened up the system to the network • The number of ways the system can be accessed has grown • Legacy, proprietary protocols now cohabitate with new, open-source protocols – creating access point headaches • The worldwide hacker community now recognizes the IBM i as a high-value target 4 important levels of access must now be secured • Network access • Communication port access • Database access • Command access
- 13. Exit Points and Exit Programs 13 What are exit points and exit programs? • Exit points and exit programs are powerful tools for access control • Introduced in 1994 to the AS/400 in V3R1 of the operating system • Exit points provide “hooks” to invoke one or more user-written programs—called exit programs—for a variety of OS-related operations • Exit point programs are registered to particular exit points How are exit programs used for access control? • Exit programs can allow or deny access based on parameters such as permissions, date/time, user profile settings, IP addresses, etc. • Command exit points can allow or deny command execution based on context and parameters • Exit programs can also trigger actions such as logging access attempts, disabling user profiles, sending an alert, etc.
- 14. Key Features to Look for in an IBM i Access Control Solution 14 Comprehensive control of external and internal access • Network access (FTP, ODBC, JDBC, OLE DB, DDM, DRDA, NetServer, etc.) • Communication port access (using ports, IP addresses, sockets - covers SSH, SFTP, SMTP, etc.) • Database access (open-source protocols - JSON, Node.js, Python, Ruby, etc.) • Command access Powerful, flexible and easy to manage • Easy to use graphical interface • Standard configuration easy deployment • Powerful, flexible rules for controlling access based on conditions such as date/time, user profile settings, IP addresses, etc. • Simulation mode for rules testing • Provides alerts and produces reports • Logs access data for SIEM integration
- 15. Authentication
- 16. Complex Password Issues 16 • Should we add more complexity to passwords? Not really. • Why not? Because we write them down! • Complex password increase costs and introduce weaknesses: • Management is complex • Management is expensive • Impacts productivity (re-enabling users, password changes, etc.) • Reliance on passwords alone puts all your eggs in the same basket! NIST’s latest Digital Identity Guidelines at https://pages.nist.gov/800-63-3/ recommend against complex passwords
- 17. Why Is Multi-Factor Authentication Required? 17 Multi-Factor Authentication supports the requirements of numerous industry and governmental regulations, such as: • PCI-DSS 3.2 and greater • 23 NYCRR 500 • GLBA / FFIEC MFA is also mentioned, or the benefits of MFA are implied, for: • GDPR • HIPAA • Swift Alliance Access Selective use of MFA is a good Security practice • Avoids issues with weak passwords • Avoids issues with complex passwords You may be required to use multi-factor authentication tomorrow, if you’re not already using it today. • SOX • And more
- 18. Multi-Factor Authentication Adds a Layer of Login Security 18 Multi-Factor Authentication (MFA), sometimes called Two-Factor Authentication (2FA), uses two or more of the following factors : • Something you know or a “knowledge factor” • E.g. user ID, password, PIN, security question • Something you have or a “possession factor” • E.g. smartphone, smartcard, token device • Something you are or an “inherence factor” • E.g. fingerprint, iris scan, voice recognition Typical authentication on IBM i uses 2 items of the same factor – User ID and password. This is not multi-factor authentication.
- 19. Authentication Options 19 Authentication options beyond the basic factor that the user knows, are delivered by: • Smartphone app • Email • Phone call • SMS/text message (see box) • Hardware device such as fobs or tokens • Biometric device Authentication services generate codes delivered to the user. For example: • RADIUS compatible (RSA SecurID, Entrust, Duo, Vasco, Gemalto, and more) • RFC 6238 (Microsoft Authenticator, Google Authenticator, Authy, Yubico, and more) • Others (TeleSign, and more) Use of SMS for Authentication – PCI DSS relies on industry standards, such as NIST, ISO, and ANSI, that cover all industries, not just the payment industry. While NIST currently permits the use of SMS authentication for MFA, they have advised that out-of-band authentication using SMS or voice should be “restricted” as it presents a security risk.
- 20. Key Features to Look for in an IBM i MFA Solution 20 • Option to integrate with IBM i signon screen • Ability to integrate MFA with other IBM i applications or processes • Multiple authentication options that align with your budget and current authenticators • Certification by a standards body (e.g. RSA, NIST) • Rules that enable MFA to be invoked for specific situations or user criteria such as: • Group profiles, Special authorities • IP addresses, Device types, Dates and times • And more • Real risk-based authentication policy (integrated with access control and elevated authority management capabilities)
- 22. What Is Elevated Authority? 22 • A user’s authorities define what they can do on an IBM i system, including • menus they can access • commands they can run and • actions they can take • Elevated authorities are those that give users more powerful privileges • Some people may refer to elevated authority as privileged access
- 23. Why Limit Elevated Authorities 23 • Having too many powerful users leaves the system and data exposed • Controlling user authorities is required by regulations such as SOX, HIPAA, the Federal and North American Information Practice Act, GDPR and more • Compliance auditors require that additional authority be granted only when needed and only for the time required • Security best practice is for users to only have the authorities required to do their jobs • Even administrators should have their actions monitored (separation of duties) as a best practice • Outsiders who obtain credentials will attempt to elevate authority unchecked unless you have control of that process
- 24. Challenges of Managing Elevated Authority 24 • Elevated authority should only be granted as needed – and then revoked • Manually granting and revoking elevated authority is time consuming and error prone • A log of the activities of users with elevated authorities should maintained so their actions can be monitored • Remember that administrators, who have elevated authority, also need to have their actions monitored I need to be *SYSOPR for this assignment! I need *ALLOBJ to do my job! Can I have *SPLCTL for my project?
- 25. Key Features to Look for in an IBM i Elevated Authority Solution 25 • Reduces the number of powerful user profiles to satisfy audit requirements • Makes it easy to manage requests for elevated authority on demand • Reduces risk of unauthorized access to sensitive data • Produces necessary alerts, reports and a comprehensive audit trail • Lowers security exposures caused by human error
- 26. Q & A 26
- 27. 27
Editor's Notes
- #5: eWeek – May 3, 2021 - New Ransomware Trends Causing Fear in 2021 – David Balaban https://www.eweek.com/security/new-ransomware-trends-causing-fear-in-2021/?utm_medium=email&utm_source=newsletter_it_scoop&utm_campaign=May.07.2021
- #6: More than half of companies have transferred from 50% to 100% of their employees to home offices.
- #7: 2nd most popular activity used by ransomware gangs after phishing and leave no traces, unlike attacks involving Trojans or exploitation of vulnerabilities…. Many times, a hacked user account can only be identified using behavioral analysis tools