Post on 02-Jun-2020


Page 1: Layered Security for IBM i - RT-Partnermedia.rt-partner.se/2018/06/Layered-Security.pdf · Layered Security for IBM i 1 Stephan Leisse Solution Architect stephan.leisse@syncsort.com

Layered Security for IBM i

Stephan Leisse, Solution Architect, stephan.leisse@syncsort.com

Page 2:

Security 101: Layered Security

Page 3:

Security 101: Layered Security Fundamentals

Layered Security Fundamental #1

Assume Vulnerability, Not Impregnability

Page 4:

Layered Security: The Swiss Cheese Model

James T. Reason, University of Manchester, 1990

We Assume There Are Holes, We Can’t Plug All Of Them

The Goal Is Not To Plug All The Holes

Security 101: Layered Security Fundamentals

Page 5:

The Goal is to Prevent a Breach

Security 101: Layered Security Fundamentals

Page 6:

Layered Security for IBM i

• Where are the critical assets on IBM i?

• How can you get to them?

Page 7:

The GDPR Regulation

• The GDPR is structured in 173 ‘recitals’ and 99 articles.

• Of these, 14 recitals and 11 articles mention or imply the need for data protection technologies, which can be grouped into the following categories:

• Protection of Data

• Privacy and Confidentiality of Data

• Integrity of Data

• Encryption and Pseudonymization

• Access Control, Malicious and Accidental Damage

• Compliance to Regulations

• Risk Assessment

• Logging and Auditing

• Security Settings and Policy

Page 8:

Object Level Security:

• Traditional way of securing on IBM i

• Powerful capability but complex

• Must have someone on staff with working knowledge of IBM i security schemas

• Many application packages implement Full Access to everyone

• Object level security does not differentiate between internal and external access to the file

• How do you check that your settings remain as you set them, to assure object level security stays in place?

Protection of Data

Page 9:

File Level Security:

• Object Level Security is an extremely powerful tool

• However, it can be bypassed/neutralized by users with powerful user profiles (of which there are too many in most organizations)

• Organizations therefore are looking for full role based access to sensitive DB2 Files to control privileged users

• IBM offers an exit point, but you have to write the program

• Management infrastructure is needed to optimally use it

Protection of Data

Page 10:

TCP/IP Security:

• OS/400, now IBM i, was architected before the advent of PC connectivity

• A user is able to access the IBM i through the network and change or delete the data he wants without being detected

• A person with a user profile and password is restricted in the interactive environment by menus

• TCP/IP Back Door: With the same user name and password through TCP/IP tools this user can bypass menu security and get to resources the menus would not allow him to access interactively

Integrity of Data

Page 11:

TCP/IP Security:

Exit Points - WRKREGINF

- Tools like FTP, ODBC, RMTCMD, IFS etc.

- Need structure to manage the exit programs – role based, layered

[Diagram: IFS, QSYS.LIB, data]

Integrity of Data

Page 12:

OTHERS

• CLI QSQSRVR: PHP, XML Service, …

• QSQPRCED: XDA, XDN, …

• Sockets: Socket programs

• Open Source: Node.js, Python, Ruby, GCC, GIT, Orion, Perl…

[Diagram: IFS, QSYS.LIB, data]

NO Exit Points for 3rd Party and SSH etc…

Integrity of Data

Page 13:

Encryption and Pseudonymization

Different requirements based on regulations (Like PCI DSS, GDPR and HIPAA) to assure sensitive data is not seen by unauthorized eyes

Ensure blocking read of data independent of the means of access

Data at Rest (as opposed to in motion)

Threat – Non Credential User

• Database Encryption – Encryption Card

• Back-up (Tape or Save File) Encryption

Threat – Credentialed User

• Field Encryption (Masking/Scrambling/Security)

• File Encryption

Page 14:

Evolution within IBM i – OS Level Support

IBM i 7.1: Field Procedure

• Called at database level

Advantages

• Control on almost everything related to the field:

  • Encryption/decryption

  • Masking

  • Scrambling

  • Field Audit

  • Field Security

Disadvantage

• CPU intensive

IBM i 7.2: RCAC (Row Column Access Control)

• Pure IBM internal DB functionality

• Different masking views of fields and records for different users

• Regulates access by data in the row according to user authority

Advantage

• Good and fast performance

Disadvantages

• No Encryption

• No Scrambling

• No Field Auditing

Before IBM i 7.1

Needed to make changes on applications, especially on the decrypt
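
The IBM i 7.2 RCAC feature listed above, as an added example that is not from the original slides: a column mask and a row permission on a constructed table. The library DEMOLIB, the table CUSTOMER and the group profiles BILLING, SALES_SE and AUDITORS are hypothetical names.

```sql
-- Added example (not from the slides). All object and group names are hypothetical.
-- Creating masks and permissions requires the QIBM_DB_SECADM function usage.

-- Constructed sample table holding a sensitive column.
CREATE TABLE demolib.customer (
  cust_id  INTEGER  NOT NULL PRIMARY KEY,
  region   CHAR(2)  NOT NULL,
  card_no  CHAR(16) NOT NULL
);

-- Column mask: members of BILLING see the full card number,
-- every other user sees only the last four digits.
CREATE MASK demolib.card_no_mask ON demolib.customer
  FOR COLUMN card_no RETURN
    CASE
      WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'BILLING') = 1
        THEN card_no
      ELSE 'XXXXXXXXXXXX' CONCAT SUBSTR(card_no, 13, 4)
    END
  ENABLE;

-- Row permission: access is decided by data in the row (REGION)
-- combined with the user's group. AUDITORS and BILLING see all rows,
-- SALES_SE sees only region 'SE', everyone else sees no rows.
CREATE PERMISSION demolib.customer_rows ON demolib.customer
  FOR ROWS WHERE
       VERIFY_GROUP_FOR_USER(SESSION_USER, 'AUDITORS', 'BILLING') = 1
    OR (VERIFY_GROUP_FOR_USER(SESSION_USER, 'SALES_SE') = 1
        AND region = 'SE')
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Nothing is enforced until access control is activated on the table.
ALTER TABLE demolib.customer ACTIVATE ROW ACCESS CONTROL;
ALTER TABLE demolib.customer ACTIVATE COLUMN ACCESS CONTROL;

-- The same statement now returns different rows and values per user.
-- The stored data is unchanged: RCAC masks, it does not encrypt.
SELECT cust_id, region, card_no FROM demolib.customer;
```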

Page 15:

Command Security & Monitoring

• Security exposure of everyone having access to commands.

• Monitoring of commands is possible in QAUDJRN but at User level

• Individual users need to be configured for *CMD auditing with CHGUSRAUD command.

• Limit access to command line (FTP command line still bypasses, powerful user)

• Another option is to use the exit point IBM provides - allows you to have role based management infrastructure as well as an audit trail

Access Control, Malicious and Accidental Damage
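
One way to apply the user-level *CMD auditing described above and read the resulting QAUDJRN entries with SQL (an added example, not from the original slides). The profile APPADMIN is hypothetical, and the cast of the entry data to character plus the byte offsets used to split the CD entry are assumptions to verify against the QSYS/QASYCDJ5 model file on your release.

```sql
-- Added example (not from the slides). APPADMIN is a hypothetical profile.
-- Prerequisite, run as CL by a user with *AUDIT special authority:
--   CHGUSRAUD USRPRF(APPADMIN) AUDLVL(*CMD)
-- The QAUDCTL system value must include *AUDLVL, otherwise the
-- user-level setting above records nothing.

-- CD (command string) audit entries of the last 24 hours for one user.
WITH cd AS (
  SELECT j.entry_timestamp,
         j.user_name,
         j.job_name,
         j.job_user,
         j.job_number,
         j.remote_address,
         -- Entry-specific data as character so it can be split by position.
         CAST(j.entry_data AS CHAR(6030)) AS d
  FROM TABLE(QSYS2.DISPLAY_JOURNAL(
         'QSYS', 'QAUDJRN',
         JOURNAL_ENTRY_TYPES => 'CD',
         STARTING_TIMESTAMP  => CURRENT TIMESTAMP - 24 HOURS)) AS j
  WHERE j.user_name = 'APPADMIN'
)
SELECT entry_timestamp,
       user_name,
       job_number,
       job_user,
       job_name,
       remote_address,
       -- Assumed CD layout: type(1), object(10), library(10),
       -- object type(8), run-from-CL flag(1), command string(6000).
       SUBSTR(d, 1, 1)            AS cd_entry_type,
       RTRIM(SUBSTR(d, 12, 10)) CONCAT '/' CONCAT RTRIM(SUBSTR(d, 2, 10))
                                  AS command_object,
       SUBSTR(d, 30, 1)           AS run_from_cl_program,
       RTRIM(SUBSTR(d, 31, 6000)) AS command_string
FROM cd
ORDER BY entry_timestamp;
```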

Page 16:

Remote commands & parameter « Limit capabilities »

ALWLMTUSR(*NO)

Access paths shown in the diagram: 5250, FTP Server, REXEC, IBM i Access for Windows, ODBC / DRDA, System i Navigator, DDM, PuTTY

Forms of the same command shown in the diagram:

CALL QSYS.QCMDEXC ('dspsysval qdate', 0000000015.00000)

cl:dspsysval qdate

SBMRMTCMD CMD('dspsysval qdate') DDMFILE(library/DDMfile)

dspsysval qdate

Rmtcmd //system dspsysval qdate

RUNRMTCMD CMD('dspsysval qdate') RMTLOCNAME(system *IP) RMTUSER(user) RMTPWD( )

Quote Rcmd dspsysval qdate

db2 "call qcmdexc ('dspsysval qdate')"

Page 17:

Auditing:

• OS contains many journals and logs that contain a wealth of information

• Challenge is to present this information in a user friendly and comprehensive way

• Example File Journal – information is spread out over various screens

• File Journal – file information, but what about read data events?

• SQL – running this log without management tools is setting up for performance problems

• SQL – problem with ??? in SQL Statements

Logging and Auditing

Page 18:

• No indication of the PC that accessed the file

• No indication of the SQL statement

• No separation of field values

• No display of non-character fields

• No indication that this was breach rather than legitimate update

Logging and Auditing - Example

Page 19:

Challenge of Maintaining a Record:

• Amounts of Data

• Journal Receivers need to be taken offline; restoring them for forensic needs can be at cross purposes with operational needs.

• Storage on a Production Server – SIEM (Security Information & Event Management)

Logging and Auditing

Page 20:

Security Areas

• SYSTEM AUDITING

• DATABASE AUDITING

• ACCESS CONTROL

• ELEVATED AUTHORITY

• ENCRYPTION

• MASKING

• ANONYMIZATION

• SIEM INTEGRATION

• MULTI-FACTOR AUTHENTICATION

• SECURITY AND RISK ASSESSMENT

• GUI

Page 21:

Cilasoft Compliance and Security Suite Modules

Auditing & Compliance

QJRN/400

• Reports and alerts on system events and database changes

• System examiner

CONTROLER

Global Access Control

• ODBC, JDBC, OLE DB

• FTP, DDM, DRDA, NetServer

• Jobs, Sockets

• File open, SQL engine

• Commands

Elevated Authority Manager

ELEVATED AUTHORITY MANAGER

• Grant additional authorities on an as-needed basis

• Audit and log activities of elevated profiles

FREE JOB LOG EXPLORER

• Analyzes any job log using several powerful filters that will save you significant time when troubleshooting job-related issues on your IBM i

Utilities

• Reports and Alerts

• MSGQ, Menus, profiles

• Running a command over a resulting file

POST FILE

Data Consolidation and Distribution

• Consolidate any Db2 file from multiple remote sites

• Deploy any Db2 file from a central site

• Run commands simultaneously on remote sites

CENTRAL

Interface

• IBM QRadar

• ArcSight

• Splunk

• LogRhythm

• Netwrix

• LogPoint

SIEM

Page 22:

Enforcive Security Product

ES: Enterprise Security

CPA: Cross-Platform Audit

CPC: Cross-Platform Compliance

PSS: Password Self Service

AIX Security

Host Based Security, Audit & Compliance for IBM i

Log Management & Database Activity Monitoring

GRC (Governance, Risk Management, and Compliance)

Security and Auditing for IBM AIX

For use with: Base ES Product, Exit Point Security, System Monitoring, Alerting, Reporting, Admin Tools

• Firewall Manager

• File Encryption

• Policy Compliance Manager

• Data Provider

• Password Self Service

• Accelerator Package

For use with: Windows, Unix (AIX & Solaris), Linux, IBM i (OS400 & DB2), z/OS, MS SQL Server, Oracle, DB2, Sybase, MySQL, Progress, Syslog, Flat File Format

For use with: Windows, AIX, IBM i (OS400 & DB2), MS SQL Server, Oracle, Linux

For use with: IBM i (OS400 & DB2), Windows Active Directory, Linux, AIX, Open LDAP

For use with: Base AIX Product, Access Control, File Protection, System Audit, Event Auditing

Cross Platform Password Management

Security Risk Assessment Tool

Mainframe Security

Page 23:

Masking for Sensitive/Personal IBM i data

Real-time anonymization

• Masking, scrambling for data such as credit card numbers

• Important for GDPR readiness

• Graphical settings - pick the fields you need

• Key consistency

• IBM i native

Trader’s Security Product

Page 24:

Syncsort’s Future Security Product Line

[Diagram: the security areas System Auditing, Database Auditing, Access Control, Elevated Authority, Encryption, Masking, Anonymization, SIEM Integration, Multi-Factor Authentication, and Security and Risk Assessment, labelled with the product names Cilasoft, Townsend, Enforcive, Trader’s and Ironstream. Layer labels: Code Foundation, Modules, Interface, Features. Graphical, Web-Based UI (VSP)]

Page 25:

GDPR White Paper
