The recently released utility from Halcyon gives system administrators the ability to grant temporary authorities to users and then monitor their activities during a limited period.
A friend of mine had her identity stolen and suddenly started receiving thousands of dollars in random credit card charges before she knew what hit her. It turned out that a disgruntled employee working at the financial institution holding her mortgage had downloaded and sold her personal information—along with that of thousands of other customers—to an international crime ring. Could this happen at your company, and should you be so unlucky, how long would it take you to realize there was a security breach?
I suppose it's forgivable that the company had hired an employee who subsequently went rogue, but it's really not forgivable that IT wouldn't immediately realize that someone had downloaded thousands of files and copied them to Excel. It's situations like this that have caused the government to get intimately involved in the workplace, resulting in a dramatic increase in the cost of doing business for any company that collects personal or financial information. Audits are expensive but perhaps not as costly as the damage from such a breach to the company's reputation.
The days when system administrators leave IBM i security at the default settings and never define different authorities for different users appear to be waning. In the past two years, IT security has tightened up considerably, according to Donnie MacColl, Director of Technical Services at Halcyon Software. "IT teams are under closer scrutiny to ensure that no one has greater levels of access than they need to carry out their everyday tasks," he says.
Also in the last two years, vendors have introduced a number of system management tools that make it easier for administrators to control and monitor what is going on with authorities and what is happening on the system in general. Would you get a text message on your cell phone if the above scenario involving downloading—or uploading—of financial records were in process? With today's monitoring tools, you easily can get such an alert.
One powerful new utility that was introduced just before Christmas, and thus somewhat overlooked in our scramble to leave for the holidays, is Authority Swapper from Halcyon, a company that has been investing heavily in refreshing its extensive collection of tools for the IBM i as well as other Power Systems platforms. Authority Swapper permits the security officer to control when users have access to additional authorities and then logs precisely what the user did while using that temporary higher authority.
Halcyon developed Authority Swapper after extensive research with IBM i customers who had a pressing need to tighten procedures in light of rules, regulations, and even legislation demanding better security over consumer and employee personal information. The company managed to build Authority Swapper in a very short time span considering its features—a mere five months—but had great cooperation from existing Halcyon clients who were very active in the company's beta program. Users, needless to say, had a vested interest in seeing the utility released to general availability due to its relevance to today's security challenges.
Among the features of Authority Swapper is its ability to create a temporary authority and then save it for repeated use, say, at specific times. Once created, the authority times out after a specified number of minutes. The application does this by creating the "swap profile" and a "swap permit," the latter joining the swap profile to the "job user." Being able to control the duration and the time when the authority is in use gives the security officer far more control over user access to the system than granting the user a consistently higher level of authority than she needs just for the occasional task. Swap sessions can even be restricted to certain times of the day. Let's say you have a contract worker that has a low security level; you can provide him with a temporary higher authority during a specified time period and monitor his activities during that session. The system administrator also has the power with Authority Swapper to immediately end a swap session if she doesn't like what the user is doing.
The other major capability of Authority Swapper is its logging feature, which has granular controls so you can log exactly the types of commands and user activity that you need to monitor, whether all commands, all typed commands, or individual specified commands. This avoids having to monitor all the other activity occurring on the system. Yes, the audit journal in IBM i gives you the ability to track everything going on in the system, but if you have trouble drinking from a fire hose, then you might have trouble discerning a single user's activities among the potential of thousands of journal entries every hour or even every minute.
You can also have specified commands written to a message queue and, when linked to other Halcyon software modules, such as the new Audit Journal Manager, be alerted by text message or email (and other means) that a given specified command has been logged into the message queue.
The practices that Authority Swapper helps avoid are, shall we say, generally repugnant to system administrators because they represent running a less than tight ship. Granting someone a higher level of authority than they actually need—or should have—can be a little scary. One can't help but imagine users downloading financial information to an Excel file, loading it onto a flash drive, and walking out the door. Giving access to sensitive data to contractors when they haven't gone through the rigorous vetting process that a regular employee undergoes can leave an uncomfortable feeling in the back of one's mind. And providing help desk staff the authority to create new user profiles or grant authorities to other users to resolve an issue also gives one pause. How many companies have their help-desk staff residing overseas today? Quite a few based on some of the accents I hear these days.
Now think of a situation where the user has a temporary authority for the brief period that they need it to perform a given task. Imagine actively monitoring their activities during that brief period. Imagine sleeping better at night.
Authority Swapper fills what has been a pressing need among system administrators for a utility that controls user authorities on the IBM i in a more granular way than is provided for in the operating system. I suspect that IBM will recognize the need and benefit of such a tool and may consider incorporating it into a future release of the OS. Until that day, and for the thousands of users still on an older release of OS/400 or IBM i, Authority Swapper is a timely and welcome tool to increase internal security.
as/400, os/400, iseries, system i, i5/os, ibm i, power systems, 6.1, 7.1, V7,
LATEST COMMENTS
MC Press Online