There's more to security than just data privacy and confidentiality.

Recently, I was helping one of our clients compile a list of reasons to present to upper management as to why they needed to implement object-level security. One of the reasons I mentioned was data integrity. As we talked through this point, I realized that, with all of the emphasis on data privacy and confidentiality, the fact that appropriate access control settings can provide data integrity has been forgotten.

When people hear me talk about object-level security, some incorrectly assume that I mean that the data must be set to *PUBLIC authority of *EXCLUDE. But that's not the case. Data needs to be classified and secured appropriately. Just because data isn't classified as confidential or private doesn't mean that its access controls should be ignored. Even if the general public is allowed to view the data, it's rare that you would ever want the general user community to be able to change the data outside of the protection or bounds of the application logic. When the access control settings provide users with the ability to change the data through any interface, the integrity of the data comes into question. Most organizations want to ensure the integrity of their data. This means that the *PUBLIC authority of the data is set to no more than *USE authority.

Does this really happen, you ask? Yes, it does. I've helped several clients set all of their application files to be *PUBLIC *USE. The issue they wanted to address was not one of confidentiality or privacy. As long as the user had a profile on the system, users were allowed (by policy) to view all company data. So why did these clients feel that they had an issue that needed to be fixed? Because they were concerned about the integrity of their data--that is, given the access control settings on their files, anyone could have changed the data from outside of the application. So we used Policy Minder to help them set all of their application files to *PUBLIC *USE.

Whether you're trying to determine the state of your current configuration, about to start changing the settings, or simply want to ensure the system stays secured according to your policy, Policy Minder can help.

Determining Your Current Configuration

You can use Policy Minder to determine the state of your current object-level security implementation. Do your current access control settings provide data integrity (are they set to *PUBLIC *USE or less)? To find out, define a library and object template or a directory and object template. In the template definition, you can check the object's owner, the owner's authority, the authorization list, the *PUBLIC authority, the private authorities, and the auditing values. You can specify to check all of these values or just one of them. For example, for the first "wave" of discovery, you may want to determine the owner and *PUBLIC authority setting of all objects in the finance application and leave the private authority analysis for later. No problem. Simply define the attributes to analyze and run a compliance check. I recommend running the CHECK command and sending the results to a streamfile or outfile, allowing you to bring the list of the non-compliant objects into an Excel spreadsheet or to run queries for further analysis.

Fixing Your Current Configuration

After investigating the current configuration and determining how to accommodate outside processes so nothing breaks, you can use Policy Minder's FixIt function to make the changes to the object's security settings (e.g., set the files to *PUBLIC *USE.) FixIt provides documentation for auditors on exactly what was changed as well as a record of the previous value. Using Policy Minder to make security configuration changes provides a repeatable process should the changes have to be re-applied (such as when the vendor upgrades the application.)

Ensuring Your Configuration Remains Compliant

Once the new security configuration is in place, you'll want to make sure it stays in place. To do that, run regular Policy Minder compliance checks. If any settings are out of compliance, you can use FixIt to set them back so that they match your policy.

It's a Matter of Integrity

Remember, just because the data on your system isn't private or confidential doesn't mean that applying the appropriate object security is a waste of time. On the contrary, setting appropriate access controls will ensure the integrity of your data.

 

Carol Woodbury is IBM i Security SME and Senior Advisor to Kisco Systems, a firm focused on providing IBM i security solutions. Carol has over 30 years’ experience with IBM i security, starting her career as Security Team Leader and Chief Engineering Manager for iSeries Security at IBM in Rochester, MN. Since leaving IBM, she has co-founded two companies: SkyView Partners and DXR Security. Her practical experience and her intimate knowledge of the system combine for a unique viewpoint and experience level that cannot be matched.

Carol is known worldwide as an author and award-winning speaker on security technology, specializing in IBM i security topics. She has written seven books on IBM i security, including her two current books, IBM i Security Administration and Compliance, 3^rd Edition and Mastering IBM i Security, A Modern, Step-by-Step Approach. Carol has been named an IBM Champion since 2018 and holds her CISSP and CRISC security certifications.

---

MC Press books written by Carol Woodbury available now on the MC Press Bookstore.

		IBM i Security Administration and Compliance: Third Edition Don't miss the newest edition by the industry’s #1 IBM i security expert. List Price $71.95 Now On Sale
		Mastering IBM i Security Get the must-have guide by the industry’s #1 security authority. List Price $49.95 Now On Sale