Crowd Control: Managing Access for Powerful Users
Today's Agenda
• Introduction
• Managing Powerful Users
• Why Policy Matters
• Authority Broker Demonstration
• Free Resources
Today's Speaker
ROBIN TATAM, Director of Security Technologies
952-563-2768, robin.tatam@powertech.com
About PowerTech
• Premier provider of security solutions & services
• 16 years in the security industry as an established thought-leader
• Customers in over 70 countries, representing every industry
• Security subject-matter expert for COMMON
• IBM Advanced Business Partner
• Member of PCI Security Standards Council
• Authorized by NASBA to issue CPE credits for security education
• Publisher of the annual "State of IBM i Security" report
Who are Powerful Users?
• Programmers: claim they need *ALLOBJ authority to fix production applications
• System administrators: claim they need authority to configure and change the system
• Operators: claim they need Special Authorities to do backups and other specialized functions
• Vendors: can't imagine running without Security Officer rights
2013 State of IBM i Security Study: Number of User Profiles (chart)
Accidents Happen
Date: January 9, 2011 2:37am
Author: A. F.
Subject: How to recover a deleted library?
"PLS Help me! How can I recover a library I've just deleted by mistake and I have no tape backup. I've asked all users to sign off in order not to create any new objects. PLS HELP ME AND I WILL UPGRADE MY SUBSCRIPTION AT ONCE. THANKS"
A posting at iSeriesNetwork.com
Oops, Now What?
Date: September 1, 2012 12:49pm
Author: R. H.
Subject: Oops!
"HELP!!! I've accidentally deleted program QCMD in QSYS (spelling error using DLTPGM). The system has crashed. Any suggestions? I assume an IPL will be required, but is there anything else that can be suggested? This is bad."
A posting at iSeriesNetwork.com
The Most Frequently Cited Audit Issue
• The #1 item cited by auditors is: control and monitoring of powerful users
• What's a powerful user? For IBM i, it's someone with Special Authority
• IT staff or other knowledgeable users with direct access to production data
Legislative Reactions
• Legislatures create laws: Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, SB1386, and more
• Laws are open to interpretation. Sarbanes-Oxley Section 404: "Perform annual assessment of the effectiveness of internal control over financial reporting…" "…and obtain attestation from external auditors"
• Auditors are the interpreters
The Auditor's View
• Auditors interpret regulations
• Auditors focus on frameworks and processes
• Auditors have concluded that IT is lagging when it comes to internal controls
• Executives follow auditor recommendations
Special Authorities: What's So Special?
Why is *ALLOBJ a problem?
• No control, scant visibility
• A user with malicious intent could be devastating
• Accidental damage can hurt just as bad
• Have you ever seen the SLTCMD command?
  SLTCMD DSP*
  SLTCMD RST*
  DLTCMD RST*
Special Authorities: What's So Special?
*SECADM Special Authority
• Ability to create, delete, and change user profiles
*AUDIT Special Authority
• Ability to turn system auditing on and off
• Specify the types of events that are audited
Special Authorities: What's So Special?
*JOBCTL Special Authority
• Control jobs of other users
• Control all spooled objects on the system (can be managed): JOBQ entries, OUTQ entries, more
• Able to use PWRDWNSYS and start and stop subsystems
*IOSYSCFG Special Authority
• Configure communications: TCP/IP, SNA
• Can open new, unmonitored routes into the system
Special Authorities: What's So Special?
*SPLCTL Special Authority
• Complete control of spooled objects on the system: JOBQ entries, OUTQ entries, and more
• A user with *SPLCTL can look at all checks that have been sent to the printer
*SERVICE Special Authority
• Able to run the system service tools: Display / Alter Storage, disk configurations, disk mirroring, and so forth
• Only appropriate in limited situations
Special Authorities: What's So Special?
Why is *SAVSYS a problem?
• Users can restore illegitimate objects
• Save files (*SAVF) have altered the security equation
• The STG(*FREE) option will empty the contents of database files:
  SAVOBJ OBJ(PAYROLL) LIB(PAYPROD) DEV(*SAVF) SAVF(MYLIB/MYSAVF) STG(*FREE)
Special Authorities: What's So Special?
Index:
• *ALLOBJ: Complete control of the system
• *SAVSYS: Save, restore, and delete anything
• *SPLCTL: Complete control of spooled files
• *SERVICE: Alter hardware, storage, and clear disks
• *SECADM: Create and delete user profiles
• *JOBCTL: Manage jobs, PWRDWNSYS, and more
• *IOSYSCFG: Configure communication services, TCP/IP
• *AUDIT: Modify system audit values
Learn more at: powertech.com/powertech/PowerTech_PrivUsers_WP.asp
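The deck defines a powerful user as any profile holding one of the eight special authorities above. As an added example (not PowerTech's or IBM's code), the script below inventories a user-profile export by special authority, the way the "Number of User Profiles" chart does; the CSV is constructed sample data and its column names are assumed to resemble the QSYS2.USER_INFO view.

```python
import csv
import io
from collections import Counter

# The eight special authorities and the risk summary the deck gives for each.
SPECIAL_AUTHORITIES = {
    "*ALLOBJ": "Complete control of the system",
    "*SAVSYS": "Save, restore, and delete anything",
    "*SPLCTL": "Complete control of spooled files",
    "*SERVICE": "Alter hardware, storage, and clear disks",
    "*SECADM": "Create and delete user profiles",
    "*JOBCTL": "Manage jobs, PWRDWNSYS, and more",
    "*IOSYSCFG": "Configure communication services, TCP/IP",
    "*AUDIT": "Modify system audit values",
}

# Constructed sample export (assumption: columns resemble QSYS2.USER_INFO).
SAMPLE_EXPORT = """AUTHORIZATION_NAME,STATUS,SPECIAL_AUTHORITIES,LIMIT_CAPABILITIES
QSECOFR,*ENABLED,*ALLOBJ *SECADM *JOBCTL *SPLCTL *SAVSYS *SERVICE *AUDIT *IOSYSCFG,*NO
PGMR1,*ENABLED,*ALLOBJ *JOBCTL,*NO
OPER1,*ENABLED,*JOBCTL *SAVSYS,*NO
VENDOR,*DISABLED,*ALLOBJ *SECADM,*NO
CLERK1,*ENABLED,*NONE,*YES
"""

def parse_export(text):
    """One dict per profile; the special-authority column becomes a set."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        auths = set(row["SPECIAL_AUTHORITIES"].split()) - {"*NONE"}
        users.append({"name": row["AUTHORIZATION_NAME"],
                      "enabled": row["STATUS"] == "*ENABLED",
                      "special": auths})
    return users

def count_by_authority(users):
    """Number of enabled profiles holding each special authority."""
    counts = Counter()
    for user in users:
        if user["enabled"]:
            counts.update(user["special"])
    return {auth: counts.get(auth, 0) for auth in SPECIAL_AUTHORITIES}

def powerful_users(users):
    """Enabled profiles with any special authority, *ALLOBJ holders first."""
    rank = list(SPECIAL_AUTHORITIES)
    hits = [u for u in users if u["enabled"] and u["special"]]
    return sorted(hits, key=lambda u: (min(rank.index(a) if a in rank else len(rank)
                                           for a in u["special"]), u["name"]))
```

Disabled profiles are left out of the counts but remain in the parsed list, so a separate check can still flag them before they are re-enabled.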
Real-World Environments
• IT personnel often insist that powerful authorities are necessary to do their job: Special Authorities like *ALLOBJ, *SPLCTL, *SECADM; rights to change critical production data
• Sometimes they are right!
(Diagram: Production Update Authority, with Read / Change rights to Payroll, Accounts Receivable, Accounts Payable, and Customer Information)
Too Many Powerful Profiles
(Diagram: several profiles, each holding Read / Change rights to Payroll, Accounts Receivable, Accounts Payable, and Customer Information)
• This is a top exception item reported by auditors!
The Problem
• To keep your business running, you need: emergency access to repair data files
• To keep your system safe, you need: a way to monitor when powerful authorities are used, and a way to monitor user activities, including when they enter the "command tunnel"
Why FireCall?
• COBIT AI6.4 - Emergency Changes: "IT management should establish parameters defining emergency changes and procedures to control these changes (…)"
• COBIT DS10.4 - Emergency and Temporary Access Authorizations: "Emergency and temporary access authorizations should be documented on standard forms and maintained on file, approved by appropriate managers, securely communicated to the security function and automatically terminated after a predetermined period."
Why FireCall? (ISO 27002 version)
ISO 27002 Section 9.2.2: Privilege Management
• The allocation of privileges should be controlled through a formal authorization process
• Privileges should be allocated to individuals on a need-to-use basis and on an event-by-event basis
• An authorization process and a record of all privileges allocated should be maintained
• Privileges should be assigned to a different user identity than those used for normal business
Solution: Authority Broker
• Manage, audit, and control powerful profiles on the IBM i
(Diagram: user profile lacks necessary authority → switch profile request submitted → authority increased; with PROFILE SWAP, ALERT, COMPREHENSIVE REPORTING, and SEPARATION OF DUTIES)
Solution: Authority Broker
(Diagram: PAYCHANGE (temporary profile) with access to Payroll, Accounts Receivable, Accounts Payable, and Customer Information; each use produces a Report, Message, or Custom Alert)
• Management is aware of all activity
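The two slides above and the COBIT DS10.4 and ISO 27002 9.2.2 requirements before them describe the same control loop: a request to swap to a temporary profile, a policy decision, a time-limited grant, and a record of every action taken under the swapped profile. As an added illustration (not Authority Broker's code, whose internals the deck does not show), here is that loop modelled in Python; the users, swap profiles, durations and clock are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy: which temporary profile each user may swap to.
SWAP_POLICY = {"PGMR1": {"PAYCHANGE"}, "OPER1": {"BACKUPOPR"}}
MAX_DURATION = timedelta(hours=2)      # predetermined period (COBIT DS10.4)
T0 = datetime(2013, 1, 1, 9, 0)        # constructed clock for the demo

@dataclass
class Grant:
    user: str
    swap_profile: str
    reason: str
    expires: datetime

@dataclass
class AuthorityBroker:
    audit_log: list = field(default_factory=list)
    active: dict = field(default_factory=dict)

    def _log(self, event, **details):
        self.audit_log.append({"event": event, **details})

    def request_swap(self, user, swap_profile, reason, now, minutes=30):
        """Time-boxed swap if policy allows it; both outcomes are logged."""
        if swap_profile not in SWAP_POLICY.get(user, set()):
            self._log("DENIED", user=user, profile=swap_profile, reason=reason)
            return None
        grant = Grant(user, swap_profile, reason,
                      now + min(timedelta(minutes=minutes), MAX_DURATION))
        self.active[user] = grant
        self._log("SWAP", user=user, profile=swap_profile, reason=reason,
                  expires=grant.expires.isoformat())
        return grant

    def effective_profile(self, user, now):
        """Profile the user runs under now; an expired swap reverts itself."""
        grant = self.active.get(user)
        if grant and now >= grant.expires:
            del self.active[user]
            self._log("EXPIRED", user=user, profile=grant.swap_profile)
            grant = None
        return grant.swap_profile if grant else user

    def run_command(self, user, command, now):
        """Every command issued is recorded with the profile in effect."""
        profile = self.effective_profile(user, now)
        self._log("CMD", user=user, as_profile=profile, command=command)
        return profile
```

The audit_log is what the "Report / Message / Custom Alert" outputs would be built from: denied requests, swaps with their expiry, commands run under the temporary profile, and the automatic revert.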
Why Authority Broker?
• Government regulators and IT auditors demand accountability
• Legislatures have created laws that require us to prove that our IT infrastructure is secure
• Non-compliance penalties range from public disclosure, to fines, to prison sentences for executives
• Executives now take security very seriously
Why Authority Broker?
• Allows you to monitor and control users with powerful authorities
• Authority Broker lets you specify when and how users exercise powerful authority
• Authority Broker works with IBM i security to protect assets
• Authority Broker provides notification, monitoring, and control of powerful users
• Authority Broker provides visibility into non-command-based environments
Demonstration Agenda
• Sign on as a limited-capability user
• Attempt to access a restricted function
• Use Authority Broker to elevate user authorities on demand
• Perform restricted functions, including access to "tunnel" environments
• Report on user activities
Summary
• IT security has executive attention: this is the best opportunity to solve long-standing problems, so gain management approval now
• Control users with broad authority to production data: leaving users unchecked is both an audit exception and an accident waiting to happen
• Limit the use of powerful profiles
• Monitor and report when power is used
Automated Vulnerability Testing
(Diagram: your PC → your IBM i server → your vulnerabilities)
Compliance Resources
• Security Policy
• Online Compliance Guide
Other (FREE) Resources
Please visit www.PowerTech.com to access:
• The 2012 State of IBM i Security Study
• Online Compliance Guide
• Webinars / Educational Events
• Articles & White Papers
• PowerNews (powertech-news.com)
• Robin's Security Blog (powertechblog.com)
• Product Datasheets
www.powertech.com (800) 915-7700 info@powertech.com