
Crowd Control: Managing Access for Powerful Users



Presentation Transcript


  1. Crowd Control: Managing Access for Powerful Users

  2. Today’s Agenda
  • Introduction
  • Managing Powerful Users
  • Why Policy Matters
  • Authority Broker Demonstration
  • Free Resources

  3. Today’s Speaker: ROBIN TATAM, Director of Security Technologies, 952-563-2768, robin.tatam@powertech.com

  4. About PowerTech: Premier Provider of Security Solutions & Services
  • 16 years in the security industry as an established thought-leader
  • Customers in over 70 countries, representing every industry
  • Security subject-matter-expert for COMMON
  • IBM Advanced Business Partner
  • Member of PCI Security Standards Council
  • Authorized by NASBA to issue CPE Credits for Security Education
  • Publisher of the Annual “State of IBM i Security” Report

  5. Comprehensive Security Solutions for Power Systems

  6. Today’s Agenda • Introduction • Managing Powerful Users • Why Policy Matters • Authority Broker Demonstration • Free Resources

  7. Who are Powerful Users?
  • Programmers claim they need *ALLOBJ authority to fix production applications
  • System administrators claim they need authority to configure and change the system
  • Operators claim they need Special Authorities to do backups and other specialized functions
  • Vendors can’t imagine running without Security Officer rights

  8. 2013 State of IBM i Security Study: Number of User Profiles (chart)

  9. Accidents Happen
  A posting at iSeriesNetwork.com. Date: January 9, 2011 2:37am. Author: A. F. Subject: How to recover a deleted library?
  PLS Help me! How can I recover a library I’ve just deleted by mistake and I have no tape backup. I’ve asked all users to sign off in order not to create any new objects. PLS HELP ME AND I WILL UPGRADE MY SUBSCRIPTION AT ONCE. THANKS

  10. Oops, Now What?
  A posting at iSeriesNetwork.com. Date: September 1, 2012 12:49pm. Author: R. H. Subject: Oops! HELP!!!
  I've accidentally deleted program QCMD in QSYS (spelling error using DLTPGM). The system has crashed. Any suggestions? I assume an IPL will be required, but is there anything else that can be suggested? This is bad.

  11. Mistakes Are Made

  12. The Most Frequently Cited Audit Issue
  • The #1 item cited by auditors is: control and monitoring of powerful users
  • What’s a powerful user? For IBM i, it’s someone with Special Authority
  • IT staff or other knowledgeable users with direct access to production data

  13. Endless News Reports of Insider Breaches

  14. Today’s Agenda • Introduction • Managing Powerful Users • Why Policy Matters • Authority Broker Demonstration • Free Resources

  15. Legislative Reactions
  • Legislatures create laws: Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, SB1386, and more
  • Laws are open to interpretation. Sarbanes-Oxley Section 404: “Perform annual assessment of the effectiveness of internal control over financial reporting…” “…and obtain attestation from external auditors”
  • Auditors are the interpreters

  16. The Auditor’s View
  • Auditors interpret regulations
  • Auditors focus on frameworks and processes
  • Auditors have concluded that IT is lagging when it comes to internal controls
  • Executives follow auditor recommendations

  17. Special Authorities: What’s So Special?
  • Why is *ALLOBJ a problem? No control, scant visibility
  • A user with malicious intent could be devastating
  • Accidental damage can hurt just as bad
  • Have you ever seen the SLTCMD command? SLTCMD DSP*, SLTCMD RST*, DLTCMD RST*

  18. Special Authorities: What’s So Special?
  • *SECADM Special Authority: ability to create, delete, and change user profiles
  • *AUDIT Special Authority: ability to turn system auditing on and off, and to specify the types of events that are audited

  19. Special Authorities: What’s So Special?
  • *JOBCTL Special Authority: control jobs of other users; control all spooled objects on the system (can be managed), including JOBQ entries, OUTQ entries, and more; able to use PWRDWNSYS and start and stop subsystems
  • *IOSYSCFG Special Authority: configure communications (TCP/IP, SNA); can open new, unmonitored routes into the system

  20. Special Authorities: What’s So Special?
  • *SPLCTL Special Authority: complete control of spooled objects on the system (JOBQ entries, OUTQ entries, and more); a user with *SPLCTL can look at all checks that have been sent to the printer
  • *SERVICE Special Authority: able to run the system service tools (Display/Alter storage; disk configurations, disk mirroring, and so forth); only appropriate in limited situations

  21. Special Authorities: What’s So Special?
  • Why is *SAVSYS a problem? Users can restore illegitimate objects
  • Save files (*SAVF) have altered the security equation
  • The STG(*FREE) option will empty the contents of database files: SAVOBJ OBJ(PAYROLL) LIB(PAYPROD) DEV(*SAVF) SAVF(MYLIB/MYSAVF) STG(*FREE)

  22. Special Authorities: What’s So Special? System Values Index:
  • *ALLOBJ: Complete control of the system
  • *SAVSYS: Save, restore, and delete anything
  • *SPLCTL: Complete control of spooled files
  • *SERVICE: Alter hardware, storage, and clear disks
  • *SECADM: Create and delete user profiles
  • *JOBCTL: Manage jobs, PWRDWNSYS, and more
  • *IOSYSCFG: Configure communication services, TCP/IP
  • *AUDIT: Modify system audit values
  Learn more at: powertech.com/powertech/PowerTech_PrivUsers_WP.asp
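An auditor turns the index above into a question about a concrete system: which profiles hold which of these eight authorities, and which of them should not. The Python below is an added example, not code from the presentation or from PowerTech; it assumes rows shaped like the AUTHORIZATION_NAME, STATUS and SPECIAL_AUTHORITIES columns of IBM's QSYS2.USER_INFO view, and the sample rows are constructed.

```python
# Inventory of IBM i special authorities. Added illustration, not PowerTech code.
# Rows are constructed sample data shaped like the AUTHORIZATION_NAME, STATUS and
# SPECIAL_AUTHORITIES columns of IBM's QSYS2.USER_INFO view (fetch via SQL live).
from collections import Counter
# The eight special authorities listed on slide 22.
SPECIAL_AUTHORITIES = {"*ALLOBJ", "*SAVSYS", "*SPLCTL", "*SERVICE",
                       "*SECADM", "*JOBCTL", "*IOSYSCFG", "*AUDIT"}

# Constructed sample rows: (profile, status, blank-separated special authorities).
SAMPLE_ROWS = [
    ("QSECOFR", "*ENABLED", "*ALLOBJ *SECADM *JOBCTL *SPLCTL *SAVSYS *SERVICE *AUDIT *IOSYSCFG"),
    ("DEVJANE", "*ENABLED", "*ALLOBJ *JOBCTL"),
    ("OPSBOB", "*ENABLED", "*JOBCTL *SAVSYS"),
    ("VENDOR1", "*ENABLED", "*ALLOBJ *SECADM"),
    ("OLDADMIN", "*DISABLED", "*ALLOBJ"),
    ("CLERK01", "*ENABLED", ""),
]

def parse_special_authorities(field):
    """Split the blank-padded column into the set of recognised *XXX tokens."""
    return {tok for tok in field.split() if tok in SPECIAL_AUTHORITIES}

def powerful_profiles(rows, enabled_only=True):
    """Map each profile holding a special authority to its sorted authority list."""
    result = {}
    for name, status, field in rows:
        if enabled_only and status != "*ENABLED":
            continue
        auths = parse_special_authorities(field)
        if auths:
            result[name] = sorted(auths)
    return result

def authority_counts(rows, enabled_only=True):
    """Number of profiles holding each special authority (the slide 8 chart)."""
    counter = Counter()
    for auths in powerful_profiles(rows, enabled_only).values():
        counter.update(auths)
    return dict(counter)

def audit_findings(rows):
    """Exceptions an auditor raises: *ALLOBJ outside QSECOFR, disabled profiles still holding power."""
    findings = []
    for name, status, field in rows:
        auths = parse_special_authorities(field)
        if "*ALLOBJ" in auths and name != "QSECOFR":
            findings.append((name, "*ALLOBJ held by a profile other than QSECOFR"))
        if status != "*ENABLED" and auths:
            findings.append((name, "disabled profile still holds " + " ".join(sorted(auths))))
    return findings
```

Disabled profiles are reported separately because a disabled profile that still carries *ALLOBJ regains full power the moment someone re-enables it.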

  23. Real-World Environments
  • IT personnel often insist that powerful authorities are necessary to do their job: Special Authorities like *ALLOBJ, *SPLCTL, *SECADM; rights to change critical production data
  • Sometimes they are right!
  (Diagram: Production Update Authority, Read / Change, over Payroll, Accounts Receivable, Accounts Payable, Customer Information)

  24. Too Many Powerful Profiles
  (Diagram: several profiles each with Read / Change authority over Payroll, Accounts Receivable, Accounts Payable, Customer Information)
  This is a top exception item reported by auditors!

  25. The Problem
  • To keep your business running, you need: emergency access to repair data files
  • To keep your system safe, you need: a way to monitor when powerful authorities are used, and a way to monitor user activities, including when they enter the “command tunnel”

  26. Why FireCall?
  • COBIT AI6.4 - Emergency Changes: IT management should establish parameters defining emergency changes and procedures to control these changes (…)
  • COBIT DS10.4 - Emergency and Temporary Access Authorizations: Emergency and temporary access authorizations should be documented on standard forms and maintained on file, approved by appropriate managers, securely communicated to the security function and automatically terminated after a predetermined period.

  27. Why FireCall? (ISO 27002 version)
  ISO 27002 Section 9.2.2: Privilege Management
  • The allocation of privileges should be controlled through a formal authorization process
  • Privileges should be allocated to individuals on a need-to-use basis and an event-by-event basis
  • An authorization process and a record of all privileges allocated should be maintained
  • Privileges should be assigned to a different user identity than those used for normal business
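The COBIT DS10.4 and ISO 27002 9.2.2 requirements on the two slides above (formal approval, event-by-event need, a record of every allocation, a separate elevated identity, automatic termination after a predetermined period) can be read as a small state machine. The Python below is an added illustration of that control; it is not the Authority Broker product and touches no IBM i system, and the profile names, approver and 30-minute window are constructed.

```python
# Minimal model of the "firecall" control in COBIT DS10.4 / ISO 27002 9.2.2:
# formal approval, a record of every grant, a separate elevated identity, and
# automatic termination after a fixed period. Added illustration; it is not the
# Authority Broker product and touches no IBM i system. Names are constructed.
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class SwapPolicy:
    allowed: dict            # requester -> set of elevated profiles they may swap to
    approvers: set           # managers entitled to approve a swap
    max_duration: timedelta  # predetermined period after which the swap ends itself

Elevation = namedtuple("Elevation", "requester elevated_profile approver reason "
                                    "granted_at expires_at")

class FireCallBroker:
    def __init__(self, policy):
        self.policy = policy
        self.audit_log = []  # every request, granted or denied, plus expiries
        self.active = {}     # requester -> current Elevation

    def request(self, requester, elevated_profile, approver, reason, now):
        """Grant a temporary swap only when policy, approver and reason all check out."""
        ok = (elevated_profile in self.policy.allowed.get(requester, set())
              and approver in self.policy.approvers
              and approver != requester        # separation of duties
              and bool(reason.strip()))        # event-by-event justification
        self.audit_log.append((now, requester, elevated_profile, approver, reason,
                               "GRANTED" if ok else "DENIED"))
        if not ok:
            return None
        elev = Elevation(requester, elevated_profile, approver, reason,
                         now, now + self.policy.max_duration)
        self.active[requester] = elev
        return elev

    def effective_profile(self, requester, now):
        """Identity the user acts under at `now`; an elapsed swap terminates by itself."""
        elev = self.active.pop(requester, None)
        if elev is None:
            return requester
        if now < elev.expires_at:
            self.active[requester] = elev  # still inside the approved window
            return elev.elevated_profile
        self.audit_log.append((now, requester, elev.elevated_profile, elev.approver,
                               "automatic termination", "EXPIRED"))
        return requester
```

The audit log keeps denied requests as well as grants, which is what lets a reviewer show both that every elevation was approved and that no one tried to bypass the process.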

  28. Solution: Authority Broker
  Manage, audit, and control powerful profiles on the IBM i
  (Diagram: user profile lacks necessary authority → switch profile request submitted → authority increased; with comprehensive reporting, profile swap, alert, and separation of duties)

  29. Solution: Authority Broker
  (Diagram: PAYCHANGE (temp. profile) acting on Payroll, Accounts Receivable, Accounts Payable, Customer Information, with Report, Message, and Custom Alert outputs)
  Management is aware of all activity

  30. Why Authority Broker?
  • Government regulators and IT auditors demand accountability
  • Legislatures have created laws that require us to prove that our IT infrastructure is secure
  • Non-compliance penalties range from public disclosure, to fines, to prison sentences for executives
  • Executives now take security very seriously

  31. Why Authority Broker?
  • Allows you to monitor and control users with powerful authorities
  • Authority Broker lets you specify when and how users exercise powerful authority
  • Authority Broker works with IBM i security to protect assets
  • Authority Broker provides notification, monitoring, and control of powerful users
  • Authority Broker provides visibility into non-command-based environments

  32. Today’s Agenda • Introduction • Managing Powerful Users • Why Policy Matters • Authority Broker Demonstration • Free Resources

  33. Today’s Agenda • Sign on as a limited-capability user • Attempt to access a restricted function • Use Authority Broker to elevate user authorities on demand • Perform restricted functions, including access to “tunnel” environments • Report on user activities

  34. Summary
  • IT Security has executive attention: this is the best opportunity to solve long-standing problems, so gain management approval now
  • Control users with broad authority to production data: leaving users unchecked is both an audit exception and an accident waiting to happen
  • Limit the use of powerful profiles
  • Monitor and report when power is used

  35. Today’s Agenda • Introduction • Managing Powerful Users • Why Policy Matters • Authority Broker Demonstration • Free Resources

  36. Automated Vulnerability Testing (diagram: your PC, your IBM i server, your vulnerabilities)

  37. Compliance Resources: Security Policy; Online Compliance Guide

  38. Other (FREE) Resources • Please visit www.PowerTech.com to access: • The 2012 State of IBM i Security Study • Online Compliance Guide • Webinars / Educational Events • Articles & White Papers • PowerNews (powertech-news.com) • Robin’s Security Blog (powertechblog.com) • Product Datasheets www.powertech.com (800) 915-7700 info@powertech.com

  39. Questions

  40. www.powertech.com (800) 915-7700 info@powertech.com
