eBook
5 IBM i Compliance and Security Success Stories
The “Security by Obscurity” Myth
Securing IBM i systems and complying with regulatory requirements at a level aligned with all your other corporate systems is critical. While the IBM i is among the most securable systems available, it is not inherently secure. If not secured at the highest level, it can become the weak link in your security chain, allowing entry into your broader network of systems and data. As for the belief that IBM i enjoys “security by obscurity,” today’s cybervillains and your company’s employees fully understand that IBM i servers hold a wealth of valuable data, including corporate intellectual property, financial transaction information, and sensitive database records for customers, partners and employees.
You need to leverage all of your IBM i system’s powerful security features, wrap layers of security around the OS and its data, and integrate these processes and protocols with those protecting your other systems and networks. Fully and actively securing your IBM i platform is critical to keeping your entire business protected, and is also necessary to achieve and prove regulatory compliance.
Top Level Challenges
When looking at security and compliance priorities from an IBM i vantage point, there are a few specific issues which often move to the top of the list, including:
- Monitoring and reporting on the rich security data in IBM i log sources
- Strengthening login security
- Securing all points of access to your IBM i system and its data
- Restricting IBM i user authorities
- Encrypting sensitive data at-rest and in-motion
Real World Examples
Organizations of all sizes have learned valuable lessons about managing IBM i security as they discovered and overcame security threats and compliance gaps. In this eBook we will explore five examples of companies that addressed their IBM i security and compliance issues with Precisely’s Assure Security.
Packaged Food Company
Employees: 1000+
Customer Base: Major food retailers, restaurants and institutional food services
With quality and operational efficiency being the key drivers of its global success, this U.S.-based producer of canned and bottled vegetable products maintains tight control over every link in the farm-to-table chain. Intense involvement with its grower-partners includes strict quality control of everything from seeds to farming practices. Its highly-automated processing and packaging operations are driven by numerous in-house developed systems and methods. It even manages all its primary transportation logistics, both inbound and outbound.
Because of its total dependency on advanced systems for running the business and need to maintain compliance with many regulations across numerous countries, it must maintain the highest levels of system and data security possible. Key applications run on IBM i servers, including its ERP system, BI/Reporting and Analytics, and Agriculture Management applications.
Security and Compliance Core Requirements
- Visibility into IBM i security activities such as authority errors, system value changes, profile add/change/delete activity and more
- Standardized approach to controlling network and command line access to IBM i servers
- Visibility into all access to IBM i systems and data
Assure Security Capabilities Implemented
- Assure Monitoring and Reporting
- Assure System Access Manager
Key Results
- Real-time alerts for key IBM i security events such as system value changes, profile add/change/delete activity, authority errors and more
- Centralized control of access to 30+ IBM i Commands and 25+ other access points controlled by exit points
- Real-time email alerts for all rejected FTP or Client Access (ACS) file transfer access
- Restriction of access to a principle of “least privilege” with explicit user permissions now required for any ODBC access
- Visibility into how outside applications and end users are actually interacting with its systems
For more information, read our white paper: Four Powerful Ways to Use Exit Points for Securing IBM i Access
Large Multi-Chain Retailer
Employees: 100,000+
This multi-chain retailer is required to be fully compliant with the most stringent Level 1 requirements of the Payment Card Industry’s Data Security Standard (PCI DSS), designed to prevent breach of cardholder data stored in its systems and moving across internal and external networks. To comply with the standard, encryption and key management requirements must be addressed across all platforms, including data in IBM i Db2 databases.
In addition, this retailer prides itself on delivering a worry-free experience to online and in-store customers. That core value, and its relationships with customers, would be strongly impacted by any data breach.
The company had evaluated other IBM i encryption products. Given that their systems process up to two billion transactions per day, those products were unable to keep pace with the workload and slowed down transaction processing for its customers. Any impact to customer responsiveness is unacceptable to the business.
Security and Compliance Core Requirements
- AES encryption for data on IBM i servers
- Ability to keep up with peak workloads without impacting customer response times
- Interoperability with an existing encryption key manager
- Secure PGP-compatible FTP data transfer with banks and partners
Assure Security Capabilities Implemented
- Assure Encryption
- Assure Secure File Transfer
Key Results
- Successful attainment of Level 1 Merchant PCI DSS compliance
- Confidence that data is protected by NIST-certified AES encryption and robust key management
- Ability to encrypt and move files without impacting application performance and customer experience, something competitive solutions could not deliver
- Completion of overnight IBM i batch jobs in minutes instead of hours
- Seamless compatibility and integration with existing key manager, networks and data security packages
Insurance Company
Employees: 300+
Customer Base: Over 1 million covered individuals
In order to do business with residents of the State of New York, this large insurance provider, headquartered in the midwestern United States, must comply with the state’s Department of Financial Services Cybersecurity Regulation (23 NYCRR 500). While the company was already fully compliant with the federal FFIEC and Gramm-Leach-Bliley Act, 23 NYCRR 500 includes significant additional requirements for data privacy protection and IT cybersecurity procedures. One of these specifies that “Multi-Factor Authentication (MFA) shall be utilized for any individual accessing the Covered Entity’s internal networks from an external network.”
While the company had already implemented MFA across most of its multi-platform infrastructure using RSA tokens, it needed a multifactor solution for IBM i that would secure Telnet access to its policy administration system in order to pass its 23 NYCRR 500 audit.
Security and Compliance Core Requirements
- RSA SecurID-certified multi-factor authentication for IBM i
- Compatibility with existing RADIUS server and RSA tokens
- Flexible, role- and context-specific configurability to allow for granular control of multi-factor authentication services and when they will be invoked
Assure Security Capabilities Implemented
- Assure Multi-Factor Authentication
Key Results
- Achieved compliance with 23 NYCRR 500, further strengthening compliance with federal regulations
- Leveraged existing RADIUS server and RSA tokens for Telnet-accessed IBM i applications
- Reduced costs by using Precisely’s built-in authenticator to deliver tokens via email to select users – rather than purchasing additional RSA tokens
- Implemented custom role- and activity-defined MFA configurations for multiple classes of users, ranging from staff and administrators using 5250 system consoles to end-user policy holders
- Invoked MFA based on specific factors, including IP addresses, IBM i special authorities, device types and other contextual factors
Government Agency
Employees: 100+
Customer Base: 40,000+ local county residents
Staffing and resources for IT administration and services for this U.S. county government are extremely limited. In addition to keeping the county’s core business systems running, the IT staff are also responsible for ensuring regulatory compliance and security for its systems and data, all while responding promptly to urgent requests for reports and data from numerous departments and county agencies.
IBM i journals and history files keep an audit trail of all changes to the county’s IBM i systems and land records. Its three-person IT team was spending a large amount of time manually sifting through those journals to find information required for ad hoc investigative reports, which could require data on changes made many months prior. IT time was also required to produce numerous reports to support ongoing regulatory compliance audits. The information necessary to monitor for security breaches was also contained in their large volume of cryptic journal data.
Security and Compliance Core Requirements
- Automated security monitoring and alerting
- Easier generation of detailed audit and security event reports
- Ability to manage and easily report on months’ worth of journal data
- Centralized control of access to their IBM i system
Assure Security Capabilities Implemented
- Assure Monitoring and Reporting
- Assure System Access Manager
Key Results
- Saved countless hours of IBM i programmer time that had previously been spent on inefficient manual generation of audit reports
- Easy design and generation of accurate, detailed and readable reports on database and system activity
- Ability to gather data from past points in time into a PDF-formatted report in minutes rather than hours
- Full control of access to systems through command lines, SQL statements and more
- Faster and more focused response to security policy exceptions, such as rejected access attempts, with real-time exception alerts
- Ability to simulate new security policy rules before implementation, without impacting live systems or inconveniencing users
Industrial Equipment Manufacturer
Employees: 30,000+
Customer Base: Heavy industry, manufacturing and logistics companies
This company’s operations and markets expanded to the point where it became classified as a Large/Global Enterprise in nearly all countries. With that designation came the requirement to comply with additional regulations and more stringent cybersecurity requirements for financial and data governance, including increased reporting and more rigorous compliance audits.
One of the many systems subject to increased compliance auditing is its Infor M3 ERP system, which runs on the IBM i platform. As a result of an initial “dry run” audit conducted by a major global accounting firm, the company identified deficiencies related to tracing changes to its financial database and managing vendor access to its M3 system. Because system access for vendors was administered manually, revocation of access was often overlooked, creating a potential security exposure.
Security and Compliance Core Requirements
- Ability to fully and accurately trace all changes to its financial database
- Detailed reporting on monthly changes to the M3 database
- Tighter control over revocation of user authorities for vendors
- High level of automation to eliminate administrative burden for security management
Assure Security Capabilities Implemented
- Assure Monitoring and Reporting
- Assure Elevated Authority Manager
Key Results
- Stringent control of user authorities for all vendors, including automated revocation of authority at a specific date and time
- Enhanced data security and compliance audit readiness through continuous monitoring and reporting of M3 database table changes
- Simplified design and generation of clear, readable compliance and security reports, without losing the granular detail required for effective auditing
- Increased confidence in their ability to audit and control access to its data and systems for the company and its auditors
Applying Lessons Learned
Keeping your IBM i security on par and integrated with all your other cybersecurity protocols is not as difficult as you might imagine. In fact, the security and data management functionality built into the IBM i operating system provides a robust foundation for implementation of advanced security methods. There is basically no reason that your IBM i systems shouldn’t be just as well-protected as all your other systems.
Whatever approach you take to overcoming IBM i security and regulatory compliance challenges, what matters most is that you act now. Any security gaps or deficiencies left open in your IBM i systems can render all your other security efforts moot. And, the sad fact is that internal threats also exist. Inadvertently or deliberately, employees or trusted partners with excessive access authority can provide bad actors with the most direct, efficient and hard-to-track pathways into your systems. So, there is no upside to ignoring or delaying your response to IBM i security issues.
Below are some sage bits of advice and guidance from IT leaders who have implemented rigorous IBM i security:
- Leverage all of your IBM i’s many powerful security capabilities and options. IBM has included many specialized security tools in the IBM i OS to address the platform’s unique system architecture.
- Further fortify your security stance by implementing additional third-party software solutions that leverage and extend IBM i’s native security capabilities and integrate them with all your other network and system security tools and protocols.
- Top-notch cybersecurity professionals are scarce, especially those with IBM i expertise. Automate as much as possible and don’t waste any of their precious time or talents.
- Embrace regulatory compliance as a golden opportunity to drive excellence not only into your security practices, but into all areas of your IT operations. Doing so results in a stronger security posture, higher operational efficiencies and higher customer trust and loyalty as well.
Assure Security for Comprehensive Security and Compliance
To help you address the full range of IBM i security vulnerabilities and successfully comply with cybersecurity regulations, Precisely’s Assure Security provides market-leading capabilities for:
- Monitoring system and database activity
- Detecting compliance deviations and security incidents
- Strengthening login security
- Effectively managing elevated user authority
- Controlling access to systems and data
- Protecting confidential data at-rest from unauthorized access or theft
- Securing data while it is in motion across networks
- Integrating IBM i security data with enterprise SIEM solutions
Assure Security can be applied as a comprehensive solution, or individual security capabilities can be implemented over time, to address your most critical exposures immediately while you plan for further improvements in the near future.