ibm i security best practices - common.org.pl
TRANSCRIPT
Today’s Topics▪ Security assessment, staying current and physical security
▪ Staying current on fixes
▪ Virus and ransomware protection
▪ System security levels
▪ System value settings
▪ Security audit journal
▪ Resource security, authority collection and RCAC
▪ Cryptography
▪ Network security and intrusion detection
▪ How Syncsort can help
2 | IBM i Security Best Practices
Perform a periodic security assessment of all infrastructure by: • Your corporate security team
• IBM X-Force security team (network experts)
• IBM i Security consultants, Syncsort, Partners
This is NOT just an IBM i statement, it’s everything. Perform a security assessment and penetration testing on:
• Networks
• Laptops, desktops & mobile devices and strategy
• Servers
• Applications
Security Assessment Recommendation
3 | IBM i Security Best Practices
Do you have the necessary skills?
If not, resources do exist to help you!
Physical Security, Networking
• Firewalls, routers, switches, cabling, power
• Prevent configuration changes and sniffing equipment
• Wireless poses a challenge – secure networks are necessary (WPA, WPA2. etc.)
Physical Security, Server
• Front panel
• Power, cabling
• Racks/Storage devices
Physical Security, Peripherals
• Tape drives/cartridges, Printers/output, Fax, etc.
• Printed output and backup media
• SAN; attached DASD
Physical Security, Mobile Devices
• Mobile Device Management considerations (ownership, “Secure Wipe”, etc.)
Physical Security – a Necessity
5 | IBM i Security Best Practices
Stay Current with Technology Staying current is vitally important for security
IBM i release level
• Older releases cannot be kept current
• New technology changes cannot move backward
Open Source technology
• Changes rapidly and fixes for old versions are not developed by the open source community
• Includes Java, OpenSSL/SSH, Apache, etc.
Hardware technology
• Like everything, hardware advances with new technology
• Includes routers, switches, firewall, laptops/desktops/mobile devices, servers and more
7 | IBM i Security Best Practices
Statistics
There are 24,000 malicious mobile apps blocked every day. (Symantec)
A new organization will fall victim to ransomware every 14 seconds in 2019, and every 11 seconds by 2021. (Source: Cyber Security Ventures)
34% of businesses hit with malware took a week or more to regain access to their data. (Source: Kaspersky)
The 2018 global average cost of a data breach is up 6.4 percent over the previous year to $3.86 million (Ponemon).
9
According to 2018 statistics, there are over 130 large-scale, targeted breaches in the U.S. per year, and growing by 27 percent per year. (Accenture)
Ransomware attacks are growing more than 350 percent annually. (Cisco) 1.5 million new phishing sites are
created every month. (Source: webroot)
The number of cyber attacks is growing. In 2018, 758 million malicious attacks occurred according to KasperskyLab, (an attack launched every 40 seconds) and there is no doubt that 2019 will break the record.
77 percent of compromised email attacks in 2017 were file less (click URL to malicious website rather than email attachment).
Security Vulnerabilities
• Numerous independent researchers
• Lots of open source so easy to review code and look for issues
• Common OS in many products (Linux, Unix, Windows) • When a vulnerability is found, it’s likely to be everywhere
• Tools are available to exploit technology (look for holes)• Hacker tools, penetration testing tools, code scanners
• High use technology, like Java, SSL, OpenSSL, is scrutinized
• Vendors are doing more penetration testing and thus finding bugs
Many security vulnerabilities are being reported…Spectre/Meltdown, ILOVEYOU, Heartbleed, Bash/Shellshock, Poodle, Ghost, Freak, Bar Mitzvah plus many, many more!
What’s happening and why so many?
10 | IBM i Security Best Practices
Security Vulnerabilities – IBM i
11 | IBM i Security Best Practices
• Java (quarterly updates, you need to stay current)
• OpenSSL / SSH
• Web and Application Servers
• Samba
• Networking technology and (infrequently) cryptographic algorithms
• IBM i OS
IBM i technology with multiple (recent) reported vulnerabilities
Typically, apply the PTF/Fix/Product Update and the vulnerability is fixed, but not always.
Additional actions may be required.
Security Vulnerabilities –Not just the OS
• IBM i OS, LIC and Products
• VIOS, IBM i, AIX, Linux partitions
• HMC & Firmware
• 3rd party (Vendors) applications
• SAN/Storage, Tape, Printers
• Networking Switches, Firewalls & Routers
• Each and every server, client (including mobile) and HW component in your enterprise
• Nearly everything includes an OS and/or FW
• Where there is code, a vulnerability is a possibility & likely exists
Staying Current on Fixes is not just a client and server problem.The vulnerabilities affect most everything in your enterprise.
12 | IBM i Security Best Practices
IFS Security Considerations, Virus/RansomwareVirus/Ransomware can affect IBM i objects
• Mapped drives with write access to files
• Virus can be inserted into a file (IBM i as a “carrier”)
• Ransomware can encrypt data on IBM i
• IBM i native files can be deleted
Recommendation• Virus scan software, on the client device, is required
• IBM i virus scanner enablement with 3rd party scanner
• Virus is executable on the Windows/Linux client device so regardless of origin such as email attachment, link from a web browser or downloaded from IBM i, “Client” virus scan software is required.
13 | IBM i Security Best Practices
IFS Security Considerations, Virus/Ransomware
IBM i File shares (NetServer / Samba)
• Define read/write shares ONLY if updates needed from client
• Share only what is needed
• When shared, the entire subtree is accessible
• Avoid sharing root (‘/’)
• Access to all objects on the system
• If needed - share read-only
• Use QPWFSERVER *AUTL to protect QSYS.LIB and iASPQSYS.LIB (special checks in NetServer jobs)
14 | IBM i Security Best Practices
Security Levels ̶Why Run at a High Level?
System security level 50... Good reasons to run there.
The System Integrity support, listed here, is activated:
17 | IBM i Security Best Practices
1. Object Domain Checking
2. Hardware storage protection
3. Parameter validation
Running at security level 40 or 50 is required as these two security levels support the integrity protection
that all other security levels DO NOT!
Authority Checking and Integrity Support at Levels 40 & 50User written programs, running at security level 40 or 50, MUST use system interfaces (commands and APIs) to gain access to the objects.
• Authority checking is enforced by the system interface
• Parameter Validation is enforced
• Object Domain checking is enforced
• Object Hardware Storage Protection checking is enforced
18 | IBM i Security Best Practices
Direct access [defined as “direct object access via address”] by user programs to system objects is not
allowed at Security Levels 40 and 50 due to domain and hardware storage protection attributes
Securing Service ToolsControlling access to the Service Tools is necessary for a secure system
• Create as few Service Tools User IDs (SST/DST) as possible
• Create a Service Tool user with the same privileges as QSECOFR (QSECOFR can become disabled)
• Never use QSECOFR Service Tool USERID (save the password in a secure location)
DSPSSTUSR (Display Service Tool User CL command)
• Command line interface to “audit” service tool users and privileges
20 | IBM i Security Best Practices
Set these system values on your production machine when NOT
in the maintenance window – control the restore of a program
QALWOBJRST - Consider value *NONE
QFRCCVNRST - Consider value 6 or 7
• 6 – for executables without valid digital signatures, recreate the instruction stream thus removing any patch
• 7 – for all executables, recreate the instruction stream thus removing any patch (would also remove the digital signature)
QVFYOBJRST - Consider value 5
• Only allow the restore of programs that are digitally signed
Integrity Related System Values
22 | IBM i Security Best Practices
Controlling System Interfaces
The "RST" interfaces are shipped as PUBLIC(*EXCLUDE).
• Only trusted users should be authorized to use the restore interfaces
• Note: BRMS interfaces are PUBLIC(*USE) but call the system "RST" interfaces which are PUBLIC(*EXCLUDE)
Verify the list of users authorized to “SAVE” data
• Data escaping your control once it is “off the box”
Protect the use of the system service tools (SST/DST) and Service related commands (DMPxxx, TRCxxx, etc)
• Dangerous tools/services exist in SST/DST
23 | IBM i Security Best Practices
Auditing Related System Values
QAUDCTL - Audit on/off switch
QAUDLVL and QAUDLVL2
QAUDENDACN and QAUDFRCLVL - Use default values
QCRTOBJAUD - Audit newly created objects
25 | IBM i Security Best Practices
Auditing Continued
Create the QAUDJRN audit journal
Set QAUDCTL to *OBJAUD, *AUDLVL and *NOQTEMP
Set QAUDLVL to *AUDLVL2
Set system wide auditing values in QAUDLVL2 sysval
• Many QAUDLVL2 values exist, see QAUDLVL2 help text
Audit sensitive objects via CHGOBJAUD
26 | IBM i Security Best Practices
Turn on audit and save the audit journal receivers. You may need the audit data in the future!
Auditing Continued – Data ObjectsSecurity Audit provides who accesses what object
A combination of security audit and “data object” journaling provides the complete audit trail
Turn on journaling for *FILE and IFS *STMF sensitive objects to get the complete audit of changes, including change to data
• CRTJRNRCV JRNRCV(MYLIB/MYRCV0001)
• CRTJRN JRN(MYLIB/MYJRN) JRNRCV(MYLIB/MYRCV0001)
• STRJRNPF FILE(MYLIB/MYFILE) JRN(MYLIB/MYJRN)IMAGES(*BOTH)
• QSYS/STRJRN OBJ(('/mydir/dir1/stmf1' *INCLUDE)) JRN('/qsys.lib/mylib.lib/myjrn.jrn')
27 | IBM i Security Best Practices
System Value
QAUDCTL
*AUDLVL
*NOQTEMP
*OBJAUD
System Value
QAUDLVL
QAUDLVL2
*SECURITY
*AUTFAIL
*DELETE
ETC, ETC, …
Object 1
OBJAUD(*NONE)
Audit Journal
Receiver
Journal Receiver
JRNLIB/AUDRCV
1
3
4
Object 2
OBJAUD(*ALL)
5
Audit Journal
Journal
QSYS/QAUDJRN
2
Object 3
OBJAUD(*USRPRF)
OS User Profile
OBJAUD(*CHANGE)
AUDLVL(*CMD
*CREATE)
5
6
Analyze
Audit Journal
DSPJRN
CPYAUDJRNE
Initial setup steps
Audit Journal Implementation Overview
28 | IBM i Security Best Practices
Is Audit Activated on your System?Display Security Auditing – DSPSECAUD
29 | IBM i Security Best Practices
Configuring Auditing for the First Time
Change Security Auditing – CHGSECAUD
Change Security Auditing – CHGSECAUD1. Creates QSYS/QAUDJRN journal2. Creates and attaches the journal receiver3. Changes QAUDCTL and QAUDLVL system values
30 | IBM i Security Best Practices
IBM i OS provides interfaces to view raw audit data
• CPYAUDJRNE – copy audit data to a file
• Use Query, or your favorite DB interface, to view data
Syncsort products are available to monitor and report:• View/Report on Audit data
• Control and Monitor object level access
• Monitor & Report on security configuration
• Direct the information out to a SIEM (QRadar, Splunk, etc.)
Monitoring and Reporting for Compliance
31 | IBM i Security Best Practices
WRKSYSVAL SYSVAL(QPWD*)
• Set password composition rule system values
• Min/Max length, required characters, etc.
• Consider using enhanced password support (QPWDLVL)
• Case sensitive long passwords (128 characters)
Use the ANZDFTPWD command to check for default passwords
Password Composition System Values
32 | IBM i Security Best Practices
NOTE: Passwords are well protected when on IBM i but can be exposed when saved and on media. (They are encrypted on the save media but subject to a brute force attack.)
WRKSYSVAL SYSVAL(*SEC) for the entire list
• QINACTITV - Set to a reasonable number of minutes
• QINACTMSGQ - *ENDJOB/*DSCJOB
• QMAXSIGN - Consider setting to 3
• QMAXSGNACN - Set to disable profile
• QNET* - Network Auditing
• QSSL* - Control system SSL parameters
Additional Security Related System Values
33 | IBM i Security Best Practices
Network security
• Firewalls, IDS/IPS, network segmentation, etc.
Deploy a network security product
• “Lock down” IBM i doors & windows (ODBC, FTP, DRDA, etc.) *
• Multi-factor authentication*
Secure sensitive data (*FILE, *STMF, etc.)
• Object level authority, PUBLIC(*EXCLUDE) where appropriate
• Use Journal to log changes for *FILE and *STMF objects
• RCAC (Row and Column Access Control)
• Deploy file level protection *
Encrypt “confidential” data
• Db2 field procedures, OS encryption interfaces, “at rest on media”, etc.*
Audit sensitive objects and security configuration
• Auditing, monitoring and reporting *
• CHGOBJAUD to active object audit
Monitor security configuration to ensure settings are accurately set *
Resource Security – A Layered Approach
35 | IBM i Security Best Practices
* Available in Syncsort solutions
IBM i OS provides an excellent base security infrastructure
However, an intruder who gains access and has complete privileges (security officer
authority) has full access and must be stopped before entry into the system or stopped before sensitive data is compromised.
Resource Security – Privilege User Concerns
36 | IBM i Security Best Practices
Resource Security – Network Layer
37 | IBM i Security Best Practices
Locking the IBM i doors and windows – keeping the intruder out
• Minimal support in the IBM i OS – authentication via passwords or Kerberos
Syncsort provides the network layer of protection
• Products for network security and audit
• Define rules to block access INTO IBM i
• Define rules to block access once the user has authenticated
• Products for multi-factor authentication
• And monitoring, reporting and SIEM integration
Keep the number of security officers and security administrators to a minimum
• *ALLOBJ, *SECADM, etc. special authority
• Service tool user IDs
• Syncsort Products minimize the need for powerful profiles
Audit the actions of the Powerful user• CHGUSRAUD command
• *CMD action audit value, *SECURITY, etc.
• Control and Monitor users via Syncsort products
Resource Security – Restrict Powerful Users
38 | IBM i Security Best Practices
Make sure the security officer understands,
procedurally, that audit cannot be turned OFF!
Resource Security - Protecting your ObjectsEDTOBJAUT
Interface to assign objectlevel authorities
Use *PUBLIC = *EXCLUDE for sensitive objects
Authority List
Public AUT
Owner
Private AUT
39 | IBM i Security Best Practices
Protecting your objects with resource security is necessary to protect your data
• Run at a security level 50 or 40
• Secure your confidential data with *EXCLUDE public authority
• *USE access for Db2 and IFS stream files exposes data
• Objects that are not security sensitive (public objects) should be protected with *USE public authority. This gives good performance for read operations on the object.
• Add Layers of security via Syncsort products
• Network, Audit, MFA, Privilege User Management, Monitoring & Reporting, etc.
Resource Security - Protecting your Objects
40 | IBM i Security Best Practices
Additional layer of data security available with Db2 in 7.2
Complementary to table level security (object authority checking)
Controls access to table data at the ROW, COLUMN or BOTH
Two sets of rules
• Permissions for rows
• Masks for columns
IBM Advanced Data Security for i
• No-charge feature, OS Option 47 required for RCAC
What is RCAC (Row & Column Access Control)?IBM Advanced Data Security for i
(Boss option 47)
No Charge
http://www.redbooks.ibm.com/redbooks.nsf/Redpiece
Abstracts/redp5110.html?Open
42 | IBM i Security Best Practices
View the data via “Run SQL Scripts” and SQL “SELECT” statement & RUNQRY
• iNav session user is “UEHLING” & no group profile
Example: Multi-Row *FILE with Row Permissions and Column Mask Enabled
Select all rows from table EMPTBLvia
select * from empdta.emptblresults
Row Permissions and Column Masking activated
43 | IBM i Security Best Practices
Customers run many applications on a single partition
• No detailed knowledge of the applications… where is the data?
• Data in Db2 or IFS … but where?
• Once found, how do you lock down security without application breakage?
• What is the “minimum” authority level that can be granted for the end user?
• Many customers have little to no knowledge of what interfaces an application uses so the authority requirements cannot be determined
• Applications are shipped with excessive public authority (common problem) which leads to security exposures
The problem: customers don’t change security leaving data exposed
• Example: Think about your personal device, over 1 million files on a single user system
• What if this device was a multi-user system… how would you lock it down?
• No knowledge of the application or data objects so very difficult to secure the objects
Security and Compliance - The Issue
45 | IBM i Security Best Practices
Locking Down Object Level Authority
Build a utility that captures pertinent data associated with an authority check (included as part of the base OS)
• The collection covers all native IBM i file systems
• Focus on capturing only unique instances of the authority check
• Run-time performance, while the collection is active, will degrade 2-3%
• Storage consideration for long running authority collection
The collection includes key pieces of information… (including)
“What authority is required for this authority check?”
Solution: Authority Collection
46 | IBM i Security Best Practices
• The Authority Collection is “User Based” in the 7.3 release
• Collect authority info for objects accessed by this user
• Provide both “User Based” and “Object Based” Authority Collection in 7.4
• Turn on the authority collection for an object(s) in QSYS or IFS file system
• Collect authority info for “EVERY USER” that accesses the object
• When a user accesses an object, collect authority info for this user
• The equivalent authority information, as user based, will be collected
• Output the data via the SQL view
Release 7.3 & 7.4 Object Level Authority Collection
47 | IBM i Security Best Practices
Authority Collection – View
SELECT * FROM qsys2.authority_collection where user_name = ‘FRED1’
48 | IBM i Security Best Practices
Authority Collection – View
Scrolling Right within the Authority Collection Data
49 | IBM i Security Best Practices
IBM i Encryption Algorithms
IBM i APIs exist to allow applications to encrypt data
• Included with the OS
• Encryption algorithms, via APIs, included with the OS
• Key management integrated with the API design (master keys and key store files)
Syncsort Products exist to provide NIST-certified encryption Algorithms
51 | IBM i Security Best Practices
A data encryption key should be well protected or data is exposed
• An encryption key and encryption algorithm are used to encrypt data (SSN’s, credit card numbers, etc.)
It is recommended to encrypt the data key with a key encrypting key (KEK)
• Used to encrypt data encryption keys
A Master Key can then be used to encrypt all KEKs
• A master key is used to encrypt KEKs or Data Encryption Keys
• Top level key, in the clear! If master key is compromised, data is compromised
• How do you securely store this master key?
Cryptographic Key Protection - TerminologyEncryption Algorithms are public knowledge
Encryption keys must be kept secret and protected
52 | IBM i Security Best Practices
1 2 3KEK2
1 2 3KEK1
Master
Clear Text
Crypto Key Management
53 | IBM i Security Best Practices
• Syncsort products exist that provide FIPS certified key management solutions.
• Syncsort products exist that allow remote access to encryption keys (keys off the partition).
GUI & CL interface to manage master keys• Included as part of the base OS
GUI & CL interface to manage IBM i key stores & keys• OS interfaces to manage key store files and keys
Db2 Column Level (field) exit support• Exit program (Field Procedure) called on insert/update/read of a column
• Similar to “Triggers” but additional support to enable encryption
• Masking of Data is also supported
IBM i Enables Column Level Encryption• Support to enable the Encrypt/Decrypt data in a Db2 column
• No need to change column attributes like field length or data type
• No application changes required
• Encryption & Key management must be implemented by the Field Procedure software
Solution from Syncsort for Db2 Field Procedures and Key Management
Db2 Field Procedures
54 | IBM i Security Best Practices
Tokenization
55 | IBM i Security Best Practices
IBM i has no OS support for tokenization
Syncsort provides a tokenization solution
• Tokenization provides the ability to replace sensitive data, such as a credit card number with a token that represents the sensitive data.
• The sensitive data is stored in a token vault, usually off the partition. The token cannot be used to directly obtain the credit card number.
• Tokenization is a popular technique for PCI (payment card
industry) compliance.
Encryption of data on tape & disk (HW technologies are recommended for optimal performance)
• SW Encrypted backup. Provides encryption support for tape/virtual tape via BRMS and tape management APIs (OS option 44)
• HW encrypted backup solutions
• SW Encrypted ASP. Provides disk level encryption support for all data written to disk (OS option 45)
• HW support for Disk level encryption
Encryption key management is required (master keys and data encryption keys)
Encryption of Data “at Rest”
56 | IBM i Security Best Practices
Enhanced HW tape drive and disk support with encryption
Provide encryption capability in the Tape and Disk (external storage)
Encryption capabilities are being designed to work with the key management software called Secure Key Lifecycle Manager (SKLM)
57 | IBM i Security Best Practices
Encryption Key Manager Software (SKLM), required for tape and disk HW solutions
User
NOTE: Most IBM i customers run SKLM
on stand-alone Linux or Windows
libraryTape
Drive
TCP/IP
IBM i
Data to
save/restore
TCP/IPKey store
(duplicate)
SKLM Config
(duplicate)
Duplicate Key Server System
(secondary)
Key store
(duplicate)
SKLM Config
(duplicate)
Primary Key Server System
(Primary)
IBM i
Data to
save/restore
58 | IBM i Security Best Practices
Conclusion – Resource Security
✓ Protecting your objects with resource security is necessary to protect your data
✓ Run at a high security level
✓ Secure your confidential data with a combination of authority and encryption
✓ Add Layers of security via Syncsort products✓ Network control
✓ Monitoring & reporting
✓ Audit and data protection
✓ Multi-factor authentication
✓ Elevated authority management
✓ And more
59 | IBM i Security Best Practices
Intrusion Detection Implementation Intrusion Detection System (IDS) behavior defined as policies in a policy file
Audit events logged to the security audit journal
IDSPolicyFile
IDS
TCP/IP stack
Security
Audit
Journal
QAUDJRN
Intrusion
detected?
“Audit journ
al entr
y”
Message queue
and e-mail
61 | IBM i Security Best Practices
IM Audit record detail example:The Intrusion Detection section in the Information Center contains information about the format of an IM entry type journal record.
Journal value Meaning
P Potential intrusion event detected.
2006-01-11-13.19.42.329688 Timestamp (11 Jan 2006, 13:19:42.329688)
1107 Detection point identifier
02 Local address family
119 Local port number
9.5.92.48 Local IP address associated with the detected event.
02 Remote address family
3511 Remote port number
9.5.92.102 Remote IP address associated with the detected event.
SCANE Probe type identifier (SCANE = Scan Event)
0020 Unique identifier for this specific intrusion event. You can use this identifier
to correlate this audit record with other intrusion detection information.
62 | IBM i Security Best Practices
Introducing Assure Security!
Syncsort’s new best-in-class product that addresses all aspects of IBM i security and helps to ensure compliance with
cybersecurity regulations
64 | IBM i Security Best Practices
Data Privacy
Protect the privacy of data at-rest or in-motion to prevent data
breaches
Access Control
Ensure comprehensive control of unauthorized access and the ability to trace any activity,
suspicious or otherwise
Compliance Monitoring
Gain visibility into all security activity on your IBM i and optionally
feed it to an enterprise console
Security Risk Assessment
Assess your security threats and vulnerabilities
Assure Securityaddresses the issues on every security officer and IBM i administrator’s radar screen
65 | IBM i Security Best Practices
Choose the full product
Choose a feature bundle
Or select a specific capability
Assure Security
Assure Data Privacy
Assure Encryption
Assure Secure File Transfer
Assure Monitoring and Reporting
Assure Db2 Data Monitor
Assure Access Control
Assure System Access Manager
Assure Elevated Authority Manager
Assure Multi-Factor Authentication
Assure Security Risk Assessment
Assure Compliance Monitoring
66 | IBM i Security Best Practices
Multi-Factor Authentication
Strengthen login security by requiring multiple forms of
authentication
Elevated Authority Management
Automatically elevate user authority as-needed and on a
limited basis
Access Control
Secure all points of entry into to your system including network
access, database access, command line access and more
Assure Access Control
67 | IBM i Security Best Practices
Secure File Transfer
Securely transfer files across internal or external networks
using encryption
Tokenization
Remove sensitive data from a server by replacing it with
substitute values that can be used to retrieve the original data
Encryption
Transform human-readable database fields into unreadable
cypher text using industry-certified encryption & key
management solutions
Assure Data Privacy
68 | IBM i Security Best Practices
SIEM Integration
Integrate IBM i security data with data from other platforms by
transferring it to a Security Information and Event Management console
System & Database Auditing
Simplify analysis of IBM i journals to monitor for security incidents and generate reports and alerts
Assure Compliance Monitoring
Db2 Data Monitoring
Monitor for views of sensitive Db2 data and optionally block
data from view
69 | IBM i Security Best Practices
Security Risk Assessment Service
Let Syncsort’s or Partners teams of security experts conduct a thorough risk assessment and
provide a report with remediation guidance
Security Risk Assessment Tool
Thoroughly check all aspects of IBM i security and obtain detailed
reports and recommendationsRisk Assessment
70 | IBM i Security Best Practices
Alliance Key ManagerFlexible
• Works with all major business and cloud platforms
• Integrates with all leading encryption applications
• Multiple deploying options including a VMware VM, Hardware Security Module (HSM), or cloud module (AWS, Microsoft Azure)
Compliant
• FIPS 140-2 compliant – the US standard for approving cryptographic solutions with both hardware and software components
• OASIS KMIP (Key Management Interoperability Protocol) compliant
• Certified for PCI-DSS version 3 by Coalfire, a certified QSA auditor
Easy and Cost Effective
• Affordable for any size Enterprise
• No additional client-side license or usage fees
• Ready-to-use client software speeds deployment and reduces IT costs
71 | IBM i Security Best Practices
Assure Security delivers innovative capabilities that lead the market in multiple facets of security:
✓ Comprehensive control of both legacy and modern IBM i system access points
✓ NIST-certified encryption, including integration with FIPS-compliant, off-platform key management from Townsend Security
✓ Powerful, flexible multi-factor authentication with RSA certification
✓ Unique and innovative new solution for monitoring views of highly confidential data
✓ Ability to forward IBM i security data to leading SIEM solutions, including QRadar certification
✓ Integration with Syncsort HA solutions via monitoring dashboard and failover scripting
Assure Security Advantages
S u p p o r t s C o m p l i a n c e w i t h GDPR PCI-DSSSOX HIPAAGLBA HITECH23 NYCRR 500 and more
72 | IBM i Security Best Practices
• Perform a security assessment
• Stay current on fixes and technology
• Secure your network
• Set the security-related System Values & lock them down
• Use the Security Audit Journal
• Protect your sensitive objects with object security & encryption
• Add layers of security via Syncsort products
• Network access control, monitoring & reporting, audit and data protection, elevated authority management, multi-factor authentication, etc.
Presentation Summary
Learn more at www.syncsort.com
Syncsort can help with all your
IBM i Security needs!
73 | IBM i Security Best Practices