29
Fri, Nov
0 New Articles

Technology Focus: Protect Your System i with Authorization and Authentication Tools

Compliance / Privacy
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

A key element of computer security is limiting access to computing resources to only authorized personnel. For the System i, nearly two dozen products assist with this function.

 

Protecting corporate information assets and sensitive data starts with a stout lock on the "front door" of IT systems. It begins with preventing unauthorized logins to systems and restricting access to information only to those with the right to view it. At the core of providing these protections are authorization and authentication software tools.

A&A: The Basics

Generally speaking, authorization is the function of defining and enforcing policies that concern access to computer resources (e.g., software, hardware, data), while authentication is the process of verifying that a particular user is actually who that user claims to be. These terms overlap with other concepts, particularly identity management, which is concerned with establishing a persona and defining the access privileges to which that individual is entitled, and user provisioning, which refers to automating user access to particular computer services, for example email and databases.

 

Each computer system, regardless of platform, handles this problem with user registries, which are databases that store identifying information about users (e.g., account names and passwords) that the system can use for authentication. The bottom line is how a computer system accurately determines whether user "Joe Smith" is the same Joe Smith the computer expects and whether the computer should provide access to the resources Joe Smith is asking for.

 

In the System i world, much of this is accomplished by use of i5/OS capabilities for user-profile management and control of user authorities. Simply put, these aspects of i5/OS let system managers categorize users, either individually or in groups, and set permissions and restrictions on those user identities. However, numerous third-party products expand on or automate some of the tasks associated with authorization and authentication (summarized below).

Complications to a Simple Idea

Of course, managing user identities isn't entirely straightforward. There are at least three major problems.

 

First is that the need for authorization and authentication processes to be accurate is somewhat in conflict with the need to automate those processes. Algorithmic procedures can be gotten around by clever intruders, but too much IT personnel intervention in authentication activity can be an incredible time sink, as evidenced by how many hours help desks spend simply helping users with elementary password problems. Second is that, if a particular user needs access to data or services on more than one computer system in the course of accomplishing work, it's disruptive and time-consuming for that user to have to stop and prove his or her identity any time they need to cross a system boundary. And what's worse, multiple user names and passwords for different systems encourage dangerous expedients for users with bad memories, such as writing down access information in their physical workspaces, where intruders can simply read and use it. Third, and a bit similarly, is that increasingly mobile users may need seamless access to multiple systems from potentially any location in the world. How can IT enable that without opening doors to everyone?

 

Some good answers to the first problem are applications that provide self-service password fixes for users and biometric methods that use such devices as fingerprint readers to avoid the password conundrum altogether. Password automation software often also helps with the problem of users employing easily guessed passwords such as anniversary dates or the names of children or pets.

 

An increasingly popular answer to the second and third obstacles is the establishment of single sign-on (SSO) environments, in which users can authenticate themselves once and then be able to access an assortment of networked systems and resources.

 

SSO is the practice of maintaining files that contain all identities and passwords for a particular user for an entire network of systems, and automating the process of authentication as a particular recognized user moves from resources on one system to resources on another. But while SSO is popular with users, it has its own problems from the administrator's point of view—in particular, the vulnerability of master password files to snooping or decryption, and the need for multiple-tier applications to maintain their own internal registries (e.g., enterprise resource planning apps in which suppliers may want to let their customers access shipping and routing information).

No Perfect Solutions

The important fact to take away here is that no authorization and authentication software provides the perfect answer. In making a selection among them, you will have to balance total computer security against user convenience, and there's really no sweet spot that fully answers both concerns.

 

Below is a quick summary of the major players and software products available in System i authorization and authentication applications. Each product includes the vendor name, the product name, a link to more information about each product, and a brief description. Obviously, these descriptions are incomplete information about the products. They are simply summaries of major features to help you decide where to focus your own research efforts first.

 

As always when looking for products or services, be sure to check the MC Press Online Buyer's Guide.

Authorization and Authentication Products for System i

A la Carte Menu and Security System (ALC)

Bug Busters Software Engineering

ALC lets system managers control access to objects and applications by building a customized menu through which all users must go to reach resources. Menus can be tailored based on user or group profiles, authorization lists, and *PUBLIC authority. Users can see only those options they are allowed to access. ALC lets managers set menu options to adopt the authority of another user profile and provides several reports on menu usage.

 

Authority Broker

Network Security

PowerTech Group

Authority Broker is a user-profile management application. It enables and automates swapping of authorities between profiles to accomplish specific tasks, logs all activities during swaps to secure journals, limits use of powerful authorities to predesignated dates and times, augments workflow management, and generates customizable alerts, messages, and reports.

 

Network Security restricts data access to specific users by letting administrators monitor and control more than 30 program exit points (e.g., FTP, ODBC, remote commands), records all transactions to a secure journal, and enables setting of security rules by user, group, or IP address. It also enables temporary switching of profile authorities, limiting of restrictions to specific objects and libraries, and sending of messages and reports to message queues or designated files.

 

bioLock

realtime North America

Built into SAP's R/3 ERP software, BioLock is a biometric user authentication system that uses a fingerprint reader and software to verify user identities in SSO environments, including System i.

 

Bsafe Enterprise Security for IBM i

Bsafe Software Solutions

Bsafe Enterprise Security for IBM i offers application access control, user-profile management, object-authorization management, external-port access restrictions, and session-timeout and inactive-user controls. It also includes a template-based policy compliance manager, a Sarbanes-Oxley compliance kit, and auditing tools for file and application access, system journaling activities, and database changes.

 

Califon Systems Security Module

Califon Systems

Califon Systems Security Module protects the System i from unauthorized access by clients. Designed to augment Client Access, the product logs system access events, provides access control for file and data transfers via multiple protocols, and restricts outside use of database access tools such as SQL.

 

DetectIT Security Manager Suite

Safestone Technologies

DetectIT Security Manager Suite is an integrated group of security products for System i. It includes Compliance Center for i, a query-based reporting solution that automates the data collection and conversion into reports of audit, compliance, and security events. Other major modules help administrators manage and audit users with powerful user profiles, identify policy discrepancies against major regulations and business standards, provide self-help for end-user password changes, detect intrusions, administer two-factor user authorization and authentication, and manage exit points and other network traffic vulnerabilities.

 

Enterprise Identity Mapping (EIM)

IBM Corporation

EIM is a component of i5/OS that lets administrators map multiple user identities in different user registries to each other. When used with a network authentication scheme, such as Kerberos, it enables SSO for users in environments containing multiple IBM systems.

 

Enterprise Random Password Manager

Random Password Manager

Lieberman Software

Enterprise Random Password Manager is a privileged identity management solution that discovers, changes, stores, and provides secure recovery of all local, domain, and process account passwords in a multiplatform network that includes System i machines. It automatically generates unique passwords for each account, updates every place in the network where these passwords are used, and lets authorized users retrieve current privileged passwords via a secure and audited Web console.

 

Similarly, Random Password Manager randomizes the passwords for local administrator and root accounts and makes the passwords available to authorized users on a temporary, as-needed basis.

 

Fortress/400

Castlehill Computer Services

Fortress/400 augments System i security in networked environments by supervising remote requests received from client and external systems and preventing authorized users from performing tasks that exceed their authority.

 

IdF Advanced Adapter for IBM-System i5

Identity Forge

The IdF Advanced Adapter is a native interface between multiplatform application and identity infrastructures and i5/OS. It helps automate user authentication and authorization activities such as password administration, user-profile synchronization, alias management, and role management.

 

iSecure

AS/SURE Software

The iSecure product is a password reset utility for System i that lets end users change their passwords without assistance by answering several challenge questions. The application also enforces password rules and logs all user activity.

 

iSecurity

Raz-Lee Security

iSecurity is a suite of 16 products designed to help with all facets of System i security concerns. Suite members identify security breaches, provide antivirus protection, analyze security policy, document audit journal (QAUDJRN) file activity, control user authorities, monitor suspicious user activities, administer multiple System i machines, automate checks of compliance with policies and standards, provide firewalls, check password strength, mask sensitive files and fields, and address requirements for meeting regulations and standards.

 

NetIQ Secure Configuration Manager

NetIQ Security Manager

NetIQ

NetIQ Secure Configuration Manager is a system-security configuration assessment and compliance monitoring tool that helps administrators compare system security settings against regulatory and best-practice requirements. It provides reporting capabilities to satisfy legal and industry standards requirements, operates using customizable policy templates, identifies flaws, and presents data via a dashboard-style interface.

 

NetIQ Security Manager provides real-time monitoring of

system changes and user activity, detection of threats and

intrusions, security event management and correlation, log

management, and incident-response automation. It consolidates and logs event information from across a network (including multiplatform networks), helps satisfy legal log-retention requirements, facilitates data mining of logged data, and provides real-time alerts of violations and problems.

 

Oracle Identity and Access Management Suite

Oracle Corporation

The Oracle Identity and Access Management Suite protects applications, systems, and objects from access by unauthorized parties. Compatible with IBM WebSphere environments on the System i, the suite offers identity administration, federated ID management, user provisioning, and cross-domain SSO features.

 

PCSACC/400

Busch & Partner

PCSACC/400 is an application that protects access to System i databases from FTP, TCP/IP, DDM, and other remote-access methods. The product sets up an intermediate database that filters access to protected objects, similar to a network firewall, with access authorities controlled by users with QPCS and QSECOFR designations.

 

SafeNet/400

ScreenSafer/400

Kisco Information Systems

SafeNet/400 protects System i from unauthorized access via networks or the Internet. It halts exposure of data via FTP, ODBC, and other protocols. It logs all client requests, generates audit reports, controls use of remote commands, limits access to objects based on user profile, controls exit processing from applications, and offers controls based on time of day and day of the week.

 

Screensafer/400 monitors System i workstations when they have been inactive for a set period and prevents their use by unauthorized users. The product takes control of workstation jobs, preventing viewing of data by passersby and loss of transactions, as well as avoiding possible user-profile hijacking.

 

SecurForce

Pro:Atria

The SecurForce suite of identity management applications that provides a SSO environment for enterprises using a variety of platforms, including the System i. Suite members enable user provisioning, identity and password synchronization, and self-service password resetting and registration.

 

VSSA Strong Biometric User Authentication

Valid Technologies

VSSA offers biometric user identification for a wide variety of platforms, including System i. The system uses a fingerprint reader attached to a client PC for authentication, provides an optional SSO environment for multiplatform sites, and is flexible enough to let developers build custom SSO designs.

 

 

 

 

 

John Ghrist

John Ghrist has been a journalist, programmer, and systems manager in the computer industry since 1982. He has covered the market for IBM i servers and their predecessor platforms for more than a quarter century and has attended more than 25 COMMON conferences. A former editor-in-chief with Defense Computing and a senior editor with SystemiNEWS, John has written and edited hundreds of articles and blogs for more than a dozen print and electronic publications. You can reach him at This email address is being protected from spambots. You need JavaScript enabled to view it..

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: