29
Fri, Nov
0 New Articles

Technology Focus: The IBM i Isn't Immune to Security Problems (Continued)

IBM i (OS/400, i5/OS)
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

The box we love is well-known for its excellent security, but ensuring that tight security requires a little planning, effort, and knowledge.

 

Editor's note: Last month, we published the first part of this very comprehensive article, which included interviews with prominent security vendors who addressed the issues IBM i shops face today. Today, we finish it up with the rest of the list of vendors and products that we started last month.

Identity Forge, an IDMWorks Company

Advanced Adapter for IBM System i

The Advanced Adapter for IBM System i provides a standard and seamless interface between applications and identity infrastructures to the IBM i Security Manager to support automated provisioning, reconciliation, compliance attestation, and other functions. The adapter acts as a trusted virtual administrator, performing tasks such as creating login IDs, changing passwords, managing file access, and supporting custom command calls.

Innovatum

DataThread

DataThread captures all changes to target databases and records them in an auditable database of its own. It lets one or multiple end users electronically sign changes to data to facilitate workflow environments, is scalable to any System i environment, and can combine data from multiple systems into a single report or GUI. It is also designed to meet U.S. Food and Drug Administration Part 11 requirements for auditability.

Kisco Information Systems

iFileAudit

The iFileAudit product logs and tracks data updates and file changes to System i objects. The product records which user profiles and programs made the change and what the changes were. It also tracks file-read operations with custom filtering and produces audit reports that show global or selected data for each change.

SafeNet/i

SafeNet/i guards System i servers from unauthorized access via network connections. It logs all requests, limits access to server functions based on user profiles, and gives system managers control over exit-processing for applications. It lets managers limit use of server commands and functions and restrict Internet use to enterprise-defined IP addresses. The product is available in Lite, Basic, Advanced, and Enterprise versions.

ScreenSafer/400

ScreenSafer/400 is a security tool that takes control of unattended workstations during idle time, restricting access to information and functions to the user logged on to the device. In addition, the product doesn't terminate users during workstation idle time, but instead makes any displayed information illegible to passersby.

Liaison

Liaison Exchange i

Liaison Exchange i is a suite of products for handling secure file-transfer, connectivity, and Internet electronic data interchange (EDI) transactions for System i. It lets administrators manage file-transfer scripts and activities. The product also protects data transmissions between machines and business partners and provides error notifications and other reports.

Liaison Protect

Liaison Protect is an encryption product for data at rest in databases, applications, and backup storage. It features centralized key management, user choice between two data-protection methods, and complete audit logging.

Linoma Software

Crypto Complete

Crypto Complete is a data-protection system for database fields, IFS files, and backups. It protects sensitive data via multiple strong encryption algorithms (e.g., AES128, AES192, AES256, TDES) at the field level and lets administrators rotate keys without having to change applications or re-encrypt data. It also provides encryption-key creation, management, and auditing features.

GoAnywhere Director

GoAnywhere Director is a managed file-transfer solution that automates data retrieval, translation, encryption, compression, and distribution. It automates FTP processes, exchanges data with HTTP and HTTPS servers, connects to many leading database servers, and includes a scheduler.

Surveyor/400

Although primarily a database and file editor, Surveyor/400 includes security features that protect System i databases from unauthorized access via Open Database Connectivity (ODBC). Surveyor/400 lets administrators restrict access to libraries and database files, fields, and records to prevent unauthorized or accidental changes and deletions.

NetIQ Corporation

NetIQ Change Guardian

NetIQ Change Guardian is designed for servers running Linux. It is a privileged-user activity and change-monitoring solution that helps companies detect and respond to potential threats in real time through intelligent alerting of unauthorized access and changes to critical files, systems, and applications.

NetIQ PSAudit

PSAudit runs on IBM i servers and reports security exposures caused by user profiles, files, objects, and system values. It monitors access to sensitive data, tracks specific user access to System i machines, and analyzes changes over time to libraries, documents, program temporary fixes (PTFs), and network and device configurations.

NetIQ PSDetect

PSDetect monitors System i servers for specific system and security events and sends alerts to the appropriate personnel. For example, it notes whether the system is running low on particular resources (such as disk space), whether someone is trying to access the system with an invalid password, and whether the auditing level of the system has been changed.

NetIQ PSSecure

NetIQ PSSecure secures network access to i servers by enforcing rules over when and how access to an object is allowed and who has that authority. It securely manages user activity through enhanced object-level security, governing what a user can do while on the system, and enhanced privileged delegation for job-specific and time-specific activities. It also simplifies user administration and profile management by synchronizing user profiles and passwords across multiple servers.

NetIQ Secure Configuration Manager

Secure Configuration Manager audits system configurations and compares them to corporate policies, previous configurations, and other systems to help identify problems, meet compliance obligations, automate some security operations, and enable the best allocation of security resources. 

PowerTech Group, Inc.

Authority Broker

Authority Broker attacks the problem of power users with special authorities who have too much power. By letting security officers reduce the number of user profiles with special authorities, enabling certain users to adopt higher authorities only in particular situations, and generating alerts if a user's authority changes, the product helps enterprises avoid excessive authority proliferation.

Network Security

Network Security monitors traffic through i5/OS exit points, which enables system managers to control data access from client machines, audit end user access to network services, and close security loopholes not handled by traditional menu-based security methods. The product features a browser interface.

Raz-Lee Security

iSecurity

Raz-Lee's iSecurity is a suite of 20 products that provides a broad spectrum of help for System i security concerns. Product modules identify security breaches and activate automated responses to them, provide antivirus protection, assess system security, and offer reporting and auditing facilities. Other modules control user authorities, track and monitor suspicious users, enable multiple-system monitoring from a central console, prevent intrusions, control password activity, mask sensitive data, and analyze system-log data.

Safestone, a HelpSystems Company

Agent for RSA SecurID

Agent for RSA SecurID for IBM i users enables two-factor authentication that uses both passwords and hardware authenticators. Administrators can apply the agent for initial access or use of networked access points (e.g. FTP, ODBC) and have the flexibility to use the agent regularly or on a selective basis.

Compliance Center

Compliance Center is a query-based reporting system that collects data about security events and compiles them into compliance reports. Data collection includes network events, object authorities, user profiles, privileged user actions, QAUDJRN entries, SQL commands, QHST log entries, and system values.

iConnect

iConnect lets users monitor, capture, and send IBM i security events to any Security Information and Event Management (SIEM) console. It converts raw security data from QAUDJRN and QHST files into relevant security event information. iConnect covers over 300 IBM i events, including network access, object changes, user profiles, systems security journal entries, and SQL command use.

Multiple Systems Administrator (MSA)

MSA works with all Safestone Security Manager modules to centralize administration of networked IBM i servers and partitions through a single point of control. From one designated machine, administrators can set up, deploy, and manage the security configurations of all networked systems to control security auditing and reporting, manage network traffic, sync profile access authorities and passwords, centrally monitor remote event notification, consolidate selected reports, and utilize single sign-on capability.

Network Traffic Controller

Network Traffic Controller monitors and controls up to 34 exit points (e.g., FTP, ODBC, TELNET) on IBM i servers. The module lets administrators customize how and when users access the system via remote connections, records all transactions to a secure repository (separate from QAUDJRN), and enables creation of access rules by user, group, library, object, or IP address.

Password Self Help

Password Self Help lets IBM i users reset their own passwords without requiring assistance of a help desk. The utility also presents users with challenge questions to verify their identity and resets approved new passwords automatically.

Powerful User Passport

Powerful User Passport enables system administrators to limit the number of powerful users and provide a full audit trail of their activities. Administrators predefine which users are permitted a temporary higher level of authority. Users swap into this powerful profile only when needed for a specific period of time, and comprehensive reports on all swap activity are available for management and auditors.

User Profile Manager

User Profile Manager provides centralized user profile management across entire IBM i environments by controlling the user lifecycle, only allowing access to system resources relevant to a user's role, and instituting best practice standards for access control. 

Shield Advanced Solutions

FTP Guard 4i

FTP Guard 4i helps administrators restrict access to FTP functions and log FTP activity while providing a user-friendly GUI that lets authorized users employ FTP for legitimate purposes.

SkyView Partners, Inc.

SkyView Audit Reporter for IBM i and i5/OS

SkyView Audit Journal Reporter generates predefined, auditor-ready reports based on events recorded in QAUDJRN. It can provide ongoing compliance reports or provide means of investigating issues discovered by SkyView Policy Minder.

SkyView Policy Minder for IBM i and i5/OS

SkyView Policy Minder automates security policy compliance and documents security implementation with templates. It automatically checks compliances for user profiles, objects, libraries, directories, and other system attributes and objects and then reports on discrepancies without requiring human analysis of data.

SkyView Policy Minder OPEN

SkyView Policy Minder OPEN provides the features of Policy Minder for IBM i and i5/OS for servers running IBM AIX, Red Hat Enterprise Linux, Oracle Linux, and other operating systems.

SkyView Risk Assessor for IBM i

Risk Assessor automates analysis of more than 100 risk points in a system to provide a risk assessment from an objective, third-party view. It generates a report that specifies compliance shortfalls.

SoftLanding Systems, Inc., a division of UNICOM Global

CENTRAL for iAccess v100

CENTRAL for iAccess controls access to System i applications via menu systems across one or multiple servers. CENTRAL for iAccess lets administrators restrict access to sensitive options, standardize management of all application menus, and use application exit points to customize menu-administration tasks. It also lets managers delegate administration of application menu systems to nontechnical personnel if desired.

CENTRAL for iMenu V100

CENTRAL for iMenu V100 provides secure menu-management capabilities across one or more IBM i servers. Administrators can enroll any number of users and manage what each one does, while the end users see only the options they're authorized to use.

SpaceTec

Fortress/400

Fortress/400 prevents unauthorized access to data and server functions from client machines. It uses the exit program facilities of i5/OS, records activity to a separate security database, provides a GUI interface, recognizes group and *PUBLIC authorities, and records an audit trail of all remote instructions.

Symantec

Symantec IT Management Suite

Symantec IT Management Suite operates on IBM i servers running AIX, Linux, Microsoft SQL Server, and Windows to provide centralized security and other server management features, software license audits, end-user self-service, IT asset-tracking reports, patch and mobile-device management, and secure software distribution services.

System Support Products, Inc.

Screen Manager II

Screen Manager II addresses the problems of signed-on workstations that are left unattended and inactive jobs that consume system resources uselessly. The product lets administrators manage inactive jobs by multiple criteria and specify actions (such as disconnection) after a specific time interval. It maintains a security log of actions for auditing.

Tango/04 Computing Group

Tango/04 Data Monitor

Tango/04 Data Monitor helps detect and resolve security breaches of data in real time by auditing all read, insert, update, and delete transactions performed on records and fields in DB2 UDB databases on IBM i servers.

Townsend Security

Alliance AES/400

Alliance AES/400 is a system of strong encryption for databases, unstructured data, reports, and offline storage. It includes facilities for managing encryption keys, encrypting backup media and spooled files, and logging compliance activities.

Alliance FTP Manager

Alliance FTP Manager automates and secures tasks involved with exchanging database files, IFS files, and spooled files between IBM i servers and other platforms.

Alliance Key Manager for IBM Cloud

Alliance Key Manager for IBM Cloud is a centralized encryption-key management solution for enterprises operating in the cloud. Features include backup and recovery, data encryption that meets major data-security standards, and key-management tools.

Alliance Key Manager for IBM PureSystems

Alliance Key Manager for IBM PureSystems offers full-lifecycle encryption-key management for any encryption library, on-board encryption services, and features similar to Alliance Key Manager for IBM Cloud on PureSystems servers.

Alliance LogAgent for IBM i

Alliance LogAgent for IBM i collects security events and places them in a log server for consolidation with security event information from other enterprise platforms. It translates QAUDJRN and QHST entries to a common log format and can handle more than 800 log entries per second.

Alliance LogAgent Suite for IBM i

Alliance LogAgent Suite for IBM i lets administrators monitor the health and security of their servers. Among other features, users can monitor file read or change access by column, detect and alert administrators to changes in configuration files and sensitive data, set floor and ceiling values for events, and route file integrity events to QAUDJRN or SIEM applications.

Alliance Secure TCP for the IBM i

Alliance Secure TCP for the IBM i offers secure TCP sockets data transfers between i servers and other internal and external platforms. It uses the native IBM i Digital Certificate Manager to create and distribute SSL certificates, provides preconfigured interfaces for passing data to other OSs, and provides an option for 128-bit SSL/TLS encryption.

Alliance Token Manager for IBM i

Alliance Token Manager for IBM i helps protect sensitive data by replacing it with a token that maintains the data's original characteristics but doesn't include data values. If the tokens are lost, the sensitive data remains safe. The product also includes a masking option for contents of data fields.

Alliance Token Manager for IBM PureSystems

Alliance Token Manager implements tokenization on IBM PureSystems servers. It provides an independent and encrypted repository accessible by authorized applications and can be used by enterprise and customer users to provide a secure, scalable token repository.

Alliance Two Factor Authentication

Alliance Two Factor Authentication offers a method of implementing two-factor authentication mechanisms based on voice and mobile SMS text technologies to IBM i servers.

PGP File Encryption

The product provides a native i5/OS version of the PGP file-encryption algorithm. It protects sensitive data, automates encryption procedures, and provides encryption key-management features.

  

Valid Technologies

Valid Secure System Authentication (VSSA)

VSSA is a biometric user-authentication system that uses USB-attached sensor peripherals to validate user identities based on their fingerprints. Users undergo an enrollment process that creates a unique biometric template, which is encrypted so that no actual user fingerprints are stored on the system. Once enrolled, users can log on to any networked system without using passwords.

John Ghrist

John Ghrist has been a journalist, programmer, and systems manager in the computer industry since 1982. He has covered the market for IBM i servers and their predecessor platforms for more than a quarter century and has attended more than 25 COMMON conferences. A former editor-in-chief with Defense Computing and a senior editor with SystemiNEWS, John has written and edited hundreds of articles and blogs for more than a dozen print and electronic publications. You can reach him at This email address is being protected from spambots. You need JavaScript enabled to view it..

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: