Authority on Demand: Flexible Access Control Solution (slide transcript)
1
Authority on Demand: Flexible Access Control Solution
2
The Challenge
• Unmanaged emergency access to critical application data and processes is a very common security breach uncovered in System i audits.
• Current manual approaches to this problem are not only error-prone, but also fail to comply with regulations and with auditors’ often stringent security requirements.
• System i sites define users’ security levels and allocate security rights corresponding to the different job responsibilities in the organization.
3
AOD Features
• Easy to Use - simplifies granting special authorities when necessary, and incorporates easy-to-use reporting and monitoring mechanisms.
• Add/Swap Security Levels (unique to iSecurity AOD) - grants a new security authority level or adds additional security rights on request.
• Authority Transfer Rules & Providers - enables pre-defining special authority "providers" and special authority transfer rules.
• Safe Recovery from Emergency - enables recovering from different types of emergency situations with minimum risk of human error.
• Full Monitoring Capabilities - logs and monitors all relevant activities, and sends audit reports and real-time e-mail alerts when employees request higher authority.
• Part of End-to-End Solution - solidifies iSecurity's position as the most comprehensive security solution for System i environments.
• Intuitive GUI Interface – suitable for non-technical staff.
• Controlled Access – allows only relevant personnel to access critical data.
4
Part 1 Authority on Demand Scenario
5
Without Authority on Demand: Inefficient Work Mode
Sam Evans, Programmer: has authorities for Test & Development; needs authorities for Production once a week.
Richard Garner, Busy IT Manager.
“Hi Sam… temporary authorities for the Production folder? Hmmm, I don’t have time now… maybe next week.”
Authority Request Rejected
6
With Authority on Demand: Automatic Granting of Special Authorities
Let’s define authority rules: when Sam Evans requests authority for the Production folder between 8 AM and 16:30, the system will automatically grant it…
“Uh, Richard, I need authorities for the Production folder again…”
7
Requesting Special Authority…
Now that we have AOD, I’ll request authority… Wow, this is so much easier than calling up Richard…
8
Instantly & Automatically Receiving Authorities
Got the authorities!
9
Finally, I don’t have to waste my time on granting special authorities… the whole process is automatic and I can see a full log of Sam’s authority requests and even screen captures!
Effective Monitoring of Special Authorities
10
Part 2 Authority on Demand Screens
11
AOD Welcome Screen
12
Authority on Demand Log
DANA start add authority of user QSECOFR in job 456789/DANA/QPADEV0003. Reason: Need to check problem in production system. Confirmation ID: 5634. Time: 11/03/08 22:40
DANA end add authority of user QSECOFR in job 456789/DANA/QPADEV0003. Time: 11/03/08 23:19
ID: 653
Attachment 1 – Command entered
Attachment 2 – Captured Screens
Attachment 3 – DB Records changes
Command entered (ID: 653, Attachment 1)
DB Records changes (ID: 653, Attachment 3)
Captured Screens (ID: 653, Attachment 2)
* Other attachment options are available (all QAUDJRN information, summary of changes made by ad-hoc utilities…).
13
Authority on Demand Main Menu
14
Work with Authority Rules
Select Authority Rule to modify.
15
Modify an Authority Rule
Each field needs to be explained individually; “Add authority of Provider” is unique to AOD and ensures that the logged information relates to the requester.
16
Modify an Authority Rule
Important note below.
17
Work with Authority Providers
Select an Authority Provider to modify.
18
Modify definitions for an Authority Provider
19
Define (Option 6) and Change a Time Group
20
Activation menu (Option 11)
21
Request to obtain Authority (GETAOD)
The requestor must enter the name of the Authority Provider and either a PIN Code (with Reason *BYPIN) or a Reason text.
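The two pieces of the workflow shown so far, the rule from slide 6 (requester, provider, time group) and the GETAOD request on this slide (provider name plus either a PIN with Reason *BYPIN or a Reason text), can be modelled in a few dozen lines. The following is an added example written for this transcript, not Raz-Lee's AOD code: the rule fields, the PIN check, the sequential confirmation IDs, the automatic time limit on a grant and the exact log wording are simplified assumptions, and the sample rule and PIN are constructed. It shows why a rejected request still produces a log line, why the log records the reason but never the PIN, and how an expiry sweep gives the "safe recovery" end entry when nobody ends the grant by hand.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional, Tuple


def pin_hash(pin: str) -> str:
    """Hypothetical PIN storage: SHA-256 hex of the PIN (a deployed product
    would use a salted, slow KDF); enough to demonstrate the *BYPIN check."""
    return hashlib.sha256(pin.encode()).hexdigest()


@dataclass
class TimeGroup:
    """Window in which a rule may auto-grant, e.g. 08:00-16:30 (slide 6)."""
    start: str  # "HH:MM"
    end: str

    def contains(self, when: datetime) -> bool:
        return time.fromisoformat(self.start) <= when.time() <= time.fromisoformat(self.end)


@dataclass
class Provider:
    """Authority provider whose rights are added to the requester."""
    name: str
    pin_sha256: Optional[str] = None  # None: no PIN defined for this provider


@dataclass
class AuthorityRule:
    requester: str
    provider: str
    time_group: TimeGroup
    max_minutes: int = 60  # assumed: the grant ends automatically after this


class AuthorityOnDemandModel:
    def __init__(self, rules: List[AuthorityRule], providers: List[Provider]):
        self.rules = rules
        self.providers = {p.name: p for p in providers}
        self.log: List[str] = []  # one line per start / end / rejected event
        self.active: Dict[int, Tuple[str, str, str, datetime]] = {}
        self._next_id = 1  # confirmation IDs, sequential in this model

    def getaod(self, requester: str, provider: str, job: str, when: str,
               reason: str = "", pin: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Decide one GETAOD request; `when` is an ISO timestamp string."""
        now = datetime.fromisoformat(when)
        stamp = now.strftime("%d/%m/%y %H:%M")

        def reject(why: str) -> Tuple[bool, Optional[int]]:
            # Unsuccessful requests are logged too (slides 24-26).
            self.log.append(f"{requester} GETAOD not successful for provider {provider} "
                            f"in job {job}. {why} Time: {stamp}")
            return False, None

        rule = next((r for r in self.rules
                     if r.requester == requester and r.provider == provider), None)
        if rule is None:
            return reject("No authority rule matches.")
        if provider not in self.providers:
            return reject("Authority provider not defined.")
        if not rule.time_group.contains(now):
            return reject("Request is outside the rule's time group.")
        if reason == "*BYPIN":
            stored = self.providers[provider].pin_sha256
            if pin is None or stored is None or not hmac.compare_digest(stored, pin_hash(pin)):
                return reject("PIN check failed.")
        elif not reason.strip():
            return reject("Reason text is required.")

        cid = self._next_id
        self._next_id += 1
        self.active[cid] = (requester, provider, job, now + timedelta(minutes=rule.max_minutes))
        # The log carries the reason (or the literal *BYPIN), never the PIN value.
        self.log.append(f"{requester} start add authority of user {provider} in job {job}. "
                        f"Reason: {reason} Confirmation ID: {cid} Time: {stamp}")
        return True, cid

    def end_authority(self, cid: int, when: str) -> None:
        """Explicit end of a grant, the 'end add authority' entry of slide 12."""
        requester, provider, job, _ = self.active.pop(cid)
        stamp = datetime.fromisoformat(when).strftime("%d/%m/%y %H:%M")
        self.log.append(f"{requester} end add authority of user {provider} in job {job}. Time: {stamp}")

    def expire(self, when: str) -> List[int]:
        """Safe recovery: end every grant whose time limit has passed."""
        now = datetime.fromisoformat(when)
        expired = [cid for cid, (_, _, _, until) in self.active.items() if now >= until]
        for cid in expired:
            self.end_authority(cid, when)
        return expired


def build_demo_model() -> AuthorityOnDemandModel:
    """Constructed sample data mirroring slide 6: SAM may obtain QSECOFR's
    authority between 08:00 and 16:30, for at most 30 minutes per request."""
    rule = AuthorityRule("SAM", "QSECOFR", TimeGroup("08:00", "16:30"), max_minutes=30)
    return AuthorityOnDemandModel([rule], [Provider("QSECOFR", pin_sha256=pin_hash("2468"))])


if __name__ == "__main__":
    m = build_demo_model()
    print(m.getaod("SAM", "QSECOFR", "456789/SAM/QPADEV0003", "2008-03-11T10:00",
                   reason="Need to check problem in production system."))
    print(m.getaod("SAM", "QSECOFR", "456789/SAM/QPADEV0003", "2008-03-11T18:00", reason="After hours"))
    print(m.expire("2008-03-11T10:31"))
    print("\n".join(m.log))
```

The decision order matters: rule lookup, provider existence and time group are checked before the PIN, so a PIN is only ever compared when a rule could actually grant, and `hmac.compare_digest` keeps the comparison constant-time. Everything a later auditor needs (who, which provider, which job, why, when, and the confirmation ID that ties the start entry to the end entry and its attachments) is in the log line, which is the point of the deck's "Full Monitoring Capabilities" feature.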
22
GETAOD was successful
Feedback message below.
23
E-mail messages for Start/End Authority
24
GETAOD was not successful
Feedback message below.
25
Unsuccessful GETAOD: log and e-mail
26
Unsuccessful GETAOD- full explanation
27
Request AOD Console Messages
Enter command.
28
Sample AOD Console Messages
29
Display AOD Log Entries
Option 41 from the Main Menu is used to display AOD log entries; the display can be filtered by requester or provider.
30
Sample AOD Log Entries
Sample AOD Log Entries; F10 provides details.
31
Select type of AOD Log entries to Display
Note the numerous possibilities for displaying AOD log entries.
32
Audit Log for one Get AOD request
This is the QAUDJRN log for one AOD request.
33
Option 43: Print Log
The AOD log contains “pointers” (i.e. attachments) to the appropriate QAUDJRN log.
34
Print output of QAUDJRN
This is the printed QAUDJRN log for a single AOD request.
35
Showing “Captured” Screen Image
This is an actual screen “capture” of using AOD (back version).
36
Another “Captured” Screen Image
This is one of the user screens “captured” (frame 11 in the Capture log file).
37
AOD System Configuration Screen
Option 81 from the AOD Main Menu.
38
General Definitions Configuration Screen
Note various general definition parameters.
39
Exit Programs Configuration Screen
AOD allows for site-specific exit program overrides.
40
AOD Log Retention Configuration Screen
Set the Log Retention period using this screen.
41
E-mail Definitions Configuration Screen
An appropriate license must be signed with a local ISP.
42
SYSLOG Definitions
SYSLOG attributes are defined using Option 8121 from the main menu.
43
SYSLOG Messages
These are the SYSLOG messages written when authority was added.
44
Work with AOD Operators
Select an AOD Operator to modify.
45
Modify AOD Operator Rights
Full product usage, Emergency usage, or use as an Auditor (read-only).
46
Emergency Operator Screen
The current user has been defined as an Emergency operator; only one rule can be modified.
47
Modify Rule by Emergency Operator
Modify the rule which relates to this Emergency operator; other rules cannot be modified.
48
Auditor Screen
No changes may be made to rules.
49
Modify Authority Rules screen disabled
All input fields are disabled in this mode.
50
Please visit us at www.razlee.com
Thank You !