Safestone for User Management and Compliance on the System i
Contents
The Internal User as a Threat (page 3)
Why is User Management so important? (page 4)
The Auditor’s Perspective (page 5)
The Manager’s Perspective (page 6)
The User’s Perspective (page 7)
Audit, Report, Enforce (page 8)
Common Sense Best Practices (page 10)
How Safestone Addresses these Practices (page 11)
The Business Case (page 12)
Conclusion (page 13)
About the Author (page 13)
About Safestone Technologies (page 13)
SAFESTONE SafestOne for User Management and Compliance on the System i Page 2 of 13
The Internal User as a Threat
The System i is used by organisations to process their most sensitive, critical data, and
this data is their most important asset. Companies have invested a great deal of effort
in securing the perimeter from external attack, but the greatest threat comes from
those inside the firewall. How these users access the data, the powers they wield and
the way they are monitored should be the cornerstone of any security policy.
Every survey and indicator tells us that the threat is within the firewall…
• A survey conducted at InfoSecurity 2008 [1], Europe’s largest IT security event,
found that over 88% of IT administrators revealed that if their employment
was terminated tomorrow they could take valuable and sensitive information,
including privileged passwords, confidential databases, R & D plans and
sensitive financial data about their employer’s business, with them.
• The latest edition of PricewaterhouseCoopers’ annual Global State of
Information Security Survey [2] also shows that ex-employees and current
employees account for 50% of known security incidents, almost twice
the number attributed to hackers.
• Jerome Kerviel, an employee at Societe Generale, cost the bank $7 billion in
what the bank described as “…criminal computer fraud and records
falsification” [3].
• “An Insider Threat Survey”, conducted last year by the Computer Emergency
Response Team (CERT) at Carnegie Mellon University, found that 57 percent of
the insider security attacks identified were carried out by employees who at one
time had privileged user status [4].
What these surveys and many others show is that companies have been diligent
about protecting valuable data assets from external threats,
but the biggest risk still lies with the very people who are allowed to access systems.
For the System i, these risks are compounded by the great value of this data and its
critical nature within the organisation that owns it.
[1] http://www.cyber-ark.com/news-events/pr_20080827.asp
[2] http://www.pwc.com/extweb/home.nsf/docid/C1CD6CC69C2676D4852574DA00785949?WT.ac=GISS_homepage_banner
[3] http://www.informationweek.com/news/management/showArticle.jhtml?articleID=205918671
[4] http://www.cert.org/insider_threat/
Why is User Management so important?
In today’s regulation- and compliance-driven business it is no wonder that user
management continues to be a topic of concern for auditors, compliance officers and
IT administrators. When an organization undergoes an audit, user management is
one of the first areas auditors scrutinize. Why?
• It is an easy area to audit without having any technical understanding of the
underlying hardware platform, operating system or applications. The
questions are the same for any combination.
• Frequently users have more access to data than is necessary because it is
easier to grant more access to ensure the completion of their daily duties.
• Poor user management represents a large security exposure to a business
and its most valuable asset - data.
Managing user profiles has always been a time-consuming and troublesome task; the
larger the user base, the greater the pain! But even small organizations must comply
with regulations, and they too understand the complexity of provisioning and
managing a user throughout the time of their employment.
Regulations such as PCI, HIPAA and Sarbox have introduced another challenge for
organizations, especially for IT administrators who must answer to compliance officers
and auditors while remaining responsive to users within the company who are simply
trying to get their jobs done. The following control objectives come directly from
the PCI Data Security Standard [5], and even if a company is not dealing directly with
PCI compliance, the controls provide an excellent example of how users should be
managed within an organization:
Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and
cardholder data
• Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security
These IT controls support the need for user management and access control to be
enforced, proven and documented within any organization, public or private and
regardless of size. Failure to do so will result in compliance deficiencies which not
only leave sensitive data exposed but also damage a company’s reputation
with customers and partners.
[5] PCI Security Standards Council, www.pcisecuritystandards.org
The Auditor’s Perspective
When you look at the large number of different hardware platforms, networks,
operating systems and applications on which auditors are expected to ensure
compliance, it is easy to see why simple user-profile checks feature
prominently in almost all audits.
More importantly, auditors realize user profiles also represent a big security risk
since they are the means used to access your data. They will look at your
organization to see if good user security practices and rules are enforced as well as
documented.
The kinds of checks auditors look at are likely to be similar to those below:
• Does every user have a unique profile?
• Are any profiles shared by more than one user?
• How many users have special privileges?
• Are those special privileges required to perform their day to day work?
• How is the use of those special privileges monitored when they are used?
• Do any unused user accounts exist? (Ex-employees, sleeper profiles)
• Do any disabled user accounts exist?
• Have any of the user accounts still got default passwords?
• Who can create new users and how is this monitored?
Associated checks are also likely to be carried out for group memberships and password
issues:
• Which users are members of which groups?
• Do any of those groups grant any special privileges?
• How often do users have to change their password?
    ◦ Is this enforced for all users?
• What rules are enforced when changing a user password?
Our experience shows that auditors run these types of tests because they uncover
some basic failings in corporate IT security policies. They use the results from the
tests to write up recommendations for user management improvement.
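The checklist above can be run mechanically against a user profile export. The following is an added example, not code from the paper or from Safestone: it audits a constructed set of profile records, using my own simplified field names (on a real system the records would come from a DSPUSRPRF *BASIC outfile, and the default-password flag is what ANZDFTPWD reports), and answers each auditor question with a list of findings.

```python
# Added example (not from the paper or Safestone's products): run the auditor's
# checklist against a set of user profile records. The records are constructed
# here; on a real system they would come from an outfile produced by
# DSPUSRPRF *BASIC, and the field names below are my own simplification of it.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Special authorities an auditor counts as "special privileges" (*ALLOBJ and
# *SECADM are the two that matter most; all four are real IBM i values).
PRIVILEGED = {"*ALLOBJ", "*SECADM", "*SERVICE", "*AUDIT"}


@dataclass
class UserProfile:
    name: str
    users: List[str]             # people who sign on with this profile (from HR/IT records)
    status: str                  # "*ENABLED" or "*DISABLED"
    special_authorities: List[str]
    group_profile: str           # "*NONE" when the profile belongs to no group
    password_state: str          # constructed classification: "*NONE" (no password, e.g.
                                 # a group profile), "*DEFAULT" (password equals the
                                 # profile name, what ANZDFTPWD reports) or "*SET"
    last_signon: Optional[date]  # None when the profile has never signed on
    pwd_exp_interval: str        # "*SYSVAL", "*NOMAX" or a number of days


def audit_profiles(profiles: List[UserProfile], today: date,
                   stale_days: int = 90) -> Dict[str, List[str]]:
    """Return one finding list per auditor question; empty lists mean 'clean'."""
    by_name = {p.name: p for p in profiles}
    findings: Dict[str, List[str]] = {
        "shared_profiles": [],         # more than one person uses the profile
        "privileged_profiles": [],     # profile itself holds a special authority
        "privilege_via_group": [],     # profile inherits one through its group
        "stale_enabled_profiles": [],  # enabled but unused (ex-employees, sleepers)
        "disabled_profiles": [],       # still present although disabled
        "default_passwords": [],       # password never changed from the profile name
        "no_password_expiry": [],      # password change not enforced for this profile
    }
    for p in profiles:
        if len(p.users) > 1:
            findings["shared_profiles"].append(p.name)
        if PRIVILEGED & set(p.special_authorities):
            findings["privileged_profiles"].append(p.name)
        group = by_name.get(p.group_profile)
        if group is not None and PRIVILEGED & set(group.special_authorities):
            findings["privilege_via_group"].append(f"{p.name} via {group.name}")
        if p.status == "*DISABLED":
            findings["disabled_profiles"].append(p.name)
        elif p.password_state != "*NONE" and (
                p.last_signon is None or (today - p.last_signon).days > stale_days):
            findings["stale_enabled_profiles"].append(p.name)
        if p.password_state == "*DEFAULT":
            findings["default_passwords"].append(p.name)
        if p.pwd_exp_interval == "*NOMAX":
            findings["no_password_expiry"].append(p.name)
    return findings


def people_without_own_profile(profiles: List[UserProfile], staff: List[str]) -> List[str]:
    """'Does every user have a unique profile?': staff who only ever use a shared profile."""
    own = {p.users[0] for p in profiles if len(p.users) == 1}
    return [person for person in staff if person not in own]


# Constructed sample export: six profiles on one System i, as of 1 Oct 2008.
TODAY = date(2008, 10, 1)
STAFF = ["alice", "bob", "carol", "dave", "eve", "frank"]
SAMPLE = [
    UserProfile("SECOFR1", ["alice"], "*ENABLED", ["*ALLOBJ", "*SECADM"], "*NONE",
                "*SET", date(2008, 9, 30), "*SYSVAL"),
    UserProfile("NIGHTOPS", ["bob", "carol"], "*ENABLED", [], "GRPOPS",
                "*SET", date(2008, 9, 28), "*NOMAX"),
    UserProfile("GRPOPS", [], "*ENABLED", ["*JOBCTL", "*ALLOBJ"], "*NONE",
                "*NONE", None, "*SYSVAL"),
    UserProfile("DAVE", ["dave"], "*ENABLED", [], "*NONE",
                "*DEFAULT", None, "*SYSVAL"),
    UserProfile("EVE", ["eve"], "*DISABLED", [], "*NONE",
                "*SET", date(2008, 3, 15), "*SYSVAL"),
    UserProfile("FRANK", ["frank"], "*ENABLED", [], "*NONE",
                "*SET", date(2008, 6, 3), "*SYSVAL"),
]

if __name__ == "__main__":
    for question, hits in audit_profiles(SAMPLE, TODAY).items():
        print(f"{question:24} {hits}")
    print("staff without own profile:", people_without_own_profile(SAMPLE, STAFF))
```

Two points the sample is built to show: a profile with no special authority of its own (NIGHTOPS) still inherits *ALLOBJ through its group, which is why the group question is asked alongside the special-privilege count, and a profile that has never signed on but still carries its default password (DAVE) shows up under two questions at once.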
The Manager’s Perspective
The manager of a System i installation is responsible for designing, maintaining and
evolving computer and communications systems that are at the heart of the
organization. In order to achieve the business’s objectives, there have to be a
number of powerful users.
Powerful users are responsible for the performance of the system; creating and
maintaining user accounts; troubleshooting operational issues; administering system
upgrades and any reconfigurations required in the course of ongoing operations.
They need the ability to instantly access IT resources so they can tune systems to
support business processes and high performance for end-users.
A powerful user has the ability to manipulate infrastructure and application
configurations, and with this increased power comes increased responsibility—and
increased security risks for the enterprise.
Powerful users on the System i have such rights as Security Officer or All Object
Authority. The latter gives the user rights to ALL OBJECTS on the system, which
means they are all powerful.
The task for the manager is to balance the business’s need for powerful users
against its need to protect itself from them. In circumstances such
as these a process needs to exist to provide the user with temporary access so that
in exceptional circumstances they can provide the support required. When this
happens, a record of who was granted that access and what actions they carried out
should ideally be kept, to protect both the user and the business.
Some companies have developed their own software to control these users and
monitor their actions. However, auditors are quick to point out “Quis custodiet ipsos
custodes?” (who watches the watchmen?).
Understanding what special privileges have been given to users is probably the
biggest question to answer when determining what type of access a user needs for
their specific function. Once this is understood, a way of granting appropriate access
for your users and your business can be planned.
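The temporary-access process described above, with the record of who granted what and what was done, can be modelled as a small register. This is an added example, not the paper's or Safestone's code: the class and journal layout are my own, the scenario is constructed, and a real implementation would also drive the profile change (for instance with CHGUSRPRF) and read the operating system's audit journal, neither of which is modelled here.

```python
# Added example (not the paper's or Safestone's code): a minimal register for
# time-boxed grants of a special authority, with a journal of who approved the
# grant and what the holder did while it was active. Names and the journal
# layout are my own; a real implementation would drive the profile change
# (e.g. CHGUSRPRF) and read the OS audit journal, which is not modelled here.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

Journal = List[Tuple[datetime, str, str, str]]  # (when, event, profile, detail)


@dataclass
class Grant:
    profile: str
    authority: str
    approver: str
    reason: str
    expires_at: datetime
    revoked_at: Optional[datetime] = None


@dataclass
class ElevationRegister:
    grants: List[Grant] = field(default_factory=list)
    journal: Journal = field(default_factory=list)

    def grant(self, profile: str, authority: str, approver: str, reason: str,
              now: datetime, minutes: int = 30) -> Grant:
        # "Who watches the watchmen": the requester may not approve their own elevation.
        if approver == profile:
            raise ValueError("requester cannot approve their own elevation")
        g = Grant(profile, authority, approver, reason, now + timedelta(minutes=minutes))
        self.grants.append(g)
        self.journal.append((now, "GRANT", profile,
                             f"{authority} by {approver}: {reason}"))
        return g

    def is_active(self, profile: str, authority: str, now: datetime) -> bool:
        return any(g.profile == profile and g.authority == authority
                   and g.revoked_at is None and now < g.expires_at
                   for g in self.grants)

    def record_action(self, profile: str, authority: str, action: str,
                      now: datetime) -> str:
        # Every privileged action is journaled; one outside an active grant is flagged.
        event = "ACTION" if self.is_active(profile, authority, now) else "UNAUTHORISED"
        self.journal.append((now, event, profile, action))
        return event

    def sweep(self, now: datetime) -> List[str]:
        # Revoke every grant whose window has closed; returns the profiles revoked.
        revoked = []
        for g in self.grants:
            if g.revoked_at is None and now >= g.expires_at:
                g.revoked_at = now
                revoked.append(g.profile)
                self.journal.append((now, "REVOKE", g.profile, g.authority))
        return revoked


def demo() -> Journal:
    """Constructed scenario: a 30-minute *ALLOBJ grant, one action inside the window, one after."""
    t0 = datetime(2008, 10, 1, 9, 0)
    reg = ElevationRegister()
    reg.grant("DAVE", "*ALLOBJ", "ALICE", "restore PAYROLL library", t0)
    reg.record_action("DAVE", "*ALLOBJ", "RSTLIB PAYROLL", t0 + timedelta(minutes=10))
    reg.sweep(t0 + timedelta(minutes=31))            # run periodically by a scheduler
    reg.record_action("DAVE", "*ALLOBJ", "SAVLIB PAYROLL", t0 + timedelta(minutes=40))
    return reg.journal


if __name__ == "__main__":
    for when, event, profile, detail in demo():
        print(when.strftime("%H:%M"), event, profile, detail)
```

The journal is the artefact the auditor asks for: it ties each privileged action to a grant, an approver and a reason, and anything done after the sweep has revoked the grant is visibly out of policy rather than silently absorbed into routine activity.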
The User’s Perspective
In addition to the powerful users described above, there are also many (sometimes
hundreds of) users who need to be provided with timely and appropriate access to
networks, as well as to multiple operating systems and applications across all those
systems, to complete their daily job functions.
PCI and Sarbox both state that users should only have access to data on a need-to-know
basis, and it is the first thing an auditor will look for. So how can you maintain
regulatory compliance if users need access to data to complete their job?
Every user must have a secure password that is only known to them and is difficult
to guess. A password should be changed regularly and contain both alpha and
numeric characters. Not all systems’ passwords expire at the same time and users
are tempted to create simple passwords that can be remembered by them (and
guessed by others) more easily.
This leads to many users forgetting their passwords. The amount of time spent
waiting for the Help Desk to reset passwords significantly impacts the user’s ability
to work and increases their frustration.
It is also expensive for the organization. Apart from the lost work, 30% of calls to
the IT helpdesk (according to the Gartner Group) are password related at a cost of
up to $31 per call.
For organizations with operating environments supporting thousands of users, this
productivity bottleneck can quickly spiral out of control.
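The password rules stated above (regular change, both alphabetic and numeric characters, not easily guessed) are the kind of thing a password validation program enforces at change time. The following is an added example, not Safestone's Password Validation Program and not IBM's code: the rule names mirror real IBM i system values (QPWDMINLEN, QPWDLMTREP, QPWDLMTAJC, QPWDRQDDIF, QPWDEXPITV), but the logic is my own simplified re-implementation for illustration, and the sample passwords and history are constructed.

```python
# Added example (not Safestone's Password Validation Program and not IBM's code):
# a password-rule checker in the style of an IBM i password validation program.
# The rule names mirror real system values (QPWDMINLEN, QPWDLMTREP, QPWDLMTAJC,
# QPWDRQDDIF, QPWDEXPITV) but the logic is my own simplified re-implementation;
# the operating system's exact semantics are in its documentation.
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass
class PasswordPolicy:
    min_len: int = 8                    # QPWDMINLEN
    limit_repeat: bool = True           # QPWDLMTREP: no character twice in a row
    limit_adjacent_digits: bool = True  # QPWDLMTAJC: no two digits next to each other
    history: int = 8                    # QPWDRQDDIF: must differ from the last N passwords
    expire_days: int = 90               # QPWDEXPITV: forced change interval in days


def digest(password: str) -> str:
    # Used only to compare a candidate against a history list in this example;
    # the OS keeps its own password history and this is not a storage scheme.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, profile_name: str,
                   previous: List[str], policy: PasswordPolicy) -> List[str]:
    """Return the rule violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    pairs = list(zip(candidate, candidate[1:]))
    if len(candidate) < policy.min_len:
        problems.append(f"shorter than QPWDMINLEN ({policy.min_len})")
    # The paper's own rule: both alphabetic and numeric characters.
    if not (any(ch.isalpha() for ch in candidate) and any(ch.isdigit() for ch in candidate)):
        problems.append("must contain both letters and digits")
    if candidate.upper() == profile_name.upper():
        problems.append("equals the profile name (the default password)")
    if policy.limit_repeat and any(a == b for a, b in pairs):
        problems.append("repeats a character consecutively (QPWDLMTREP)")
    if policy.limit_adjacent_digits and any(a.isdigit() and b.isdigit() for a, b in pairs):
        problems.append("has adjacent digits (QPWDLMTAJC)")
    if digest(candidate) in previous[-policy.history:]:
        problems.append("reused from password history (QPWDRQDDIF)")
    return problems


def change_due(last_changed: date, today: date, policy: PasswordPolicy) -> bool:
    """True when the password has reached the expiration interval and must be changed."""
    return (today - last_changed).days >= policy.expire_days


POLICY = PasswordPolicy()

if __name__ == "__main__":
    history = [digest("r4vens9kyl")]  # constructed: the user's previous password
    for pw in ["h7ilsb3top", "r4vens9kyl", "Summer2008", "dave"]:
        print(f"{pw:12} {check_password(pw, 'DAVE', history, POLICY) or 'ok'}")
    print("change due:", change_due(date(2008, 6, 3), date(2008, 10, 1), POLICY))
```

The "Summer2008" case is the one worth noticing: it satisfies the letters-and-digits rule and the length rule, yet fails on repeated and adjacent characters, which is exactly the kind of memorable-but-guessable pattern the text warns about, and exactly the kind of rejection that drives the help desk calls discussed next.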
Audit, Report, Enforce
Of course auditors and compliance officers don’t give prominence to effective user
management just because it’s easy! A badly managed user community represents a
significant security risk. There is the obvious potential of a malicious act from outside
the organization, but there is an even greater threat of data being compromised
by users within the organization who do not understand the impact of
their actions. Administrators should ask themselves the following questions:
• Are employees taking home sensitive data on their laptops?
• Who has access to the financial records of the organization and can they alter
the data?
• Is there a corporate policy in place that clearly outlines how data is accessed
and who is responsible for its integrity?
If we look back to the IT controls within PCI DSS we can see why the questions
asked above are necessary to reduce the risk of security exposures. These controls
apply not only to companies facing PCI compliance but to any company
that wants to enforce strong user management:
Implement Strong Access Control Measures
Given the risks posed by a poorly managed user community, it is surprising that so
little time and effort is dedicated to the subject. For example, the budget available
for user management is generally much smaller than that available for other parts of
the IT security budget. In fact, user management is often not seen as a
security issue at all; it is seen as an admin task and/or merely an inconvenience of doing
business.
Poor user management and lack of access control open up a company to a multitude
of security exposures. Customers, partners and employees expect their data to be
secure and if organizations are unable to ensure this and it is exposed to the public,
the high costs of legal fees coupled with the loss of reputation can be difficult to
overcome.
Regularly Monitor and Test Networks
According to the 2008 Global State of Information Security Study®, published by
PricewaterhouseCoopers, 73% of companies surveyed say they are confident
internal policies are being followed, yet 43% of those same companies say they
are not auditing against those policies. Establishing a policy is the first step;
however, policies are only useful when there is accountability.
Maintain an Information Security Policy
With so many different departments responsible for the various stages of user
management, strong policies and processes governing how data is accessed are
needed to avoid a security exposure. User management is not just
an IT problem; it cuts across several different departments:
• Human Resources is responsible for providing details of new employees,
former employees and employee change in status.
• IT creates, amends and removes user profiles on required systems.
• Management decides on required level of access to applications and data for
users.
• Support manages the Helpdesk and assists with login problems etc.
This situation exists in businesses of all sizes, from large multinationals
down to the very smallest. In fact, those with larger user bases are often
the ones that have made an attempt to manage their users effectively, normally out
of desperation, because the problem of user management had simply become impossible
without some sort of controls and supporting procedures.
However, the basic principles of good user management are just as important in the
smallest business. In fact, it is possibly more so in smaller business since there are
not enough dedicated resources tasked with solely managing the user community.
Without some sort of policy, user management becomes another task for a
beleaguered IT administrator who is already juggling a host of other responsibilities.
Common Sense Best Practices
CERT [6] promotes the following thirteen points for best practice:
1. Institute periodic enterprise-wide risk assessments.
2. Institute periodic security awareness training for all employees.
3. Enforce separation of duties and privilege.
4. Implement strict password and account management policies and
practices.
5. Log, monitor, and audit employee’s online actions.
6. Use extra caution with system administrators and powerful users.
7. Actively defend against malicious code.
8. Use layered defense against remote attacks.
9. Monitor and respond to suspicious or disruptive behavior.
10. Deactivate computer access following termination.
11. Collect and save data for use in investigations.
12. Implement secure backup and recovery processes.
13. Clearly document insider threat controls.
[6] http://www.cert.org/insider_threat/
How Safestone Addresses these Practices
1. Institute periodic enterprise-wide risk assessments.
   The DetectIT Security Audit and Detection Module can be scheduled to
   provide comprehensive audits of your System i.
2. Institute periodic security awareness training for all employees.
   Safestone provides a range of Professional Services to ensure that best
   practices are deployed.
3. Enforce separation of duties and privilege.
   It is important that those using the system are not the same people
   who are policing it. The DetectIT Smart Security Console can be used by
   non-technical administrators to check on all users’ activities.
4. Implement strict password and account management policies and
   practices.
   Password Self Help, Password Synchronization and the Password
   Validation Program ensure that strong passwords are used and that the
   whole process of managing passwords is easily enforced.
5. Log, monitor, and audit employees’ online actions.
   The Security Audit and Detection Module allows you to configure, report
   and archive against thousands of different security events.
6. Use extra caution with system administrators and powerful users.
   DetectIT gives you the ability to swap profiles and to audit extensively
   what powerful users are doing.
7. Actively defend against malicious code.
   DetectIT allows you to identify new programs, and changes to existing
   programs, on the server.
8. Use layered defense against remote attacks.
   Network Traffic Controller effectively “firewalls” the System i from the
   rest of the network.
9. Monitor and respond to suspicious or disruptive behavior.
   DetectIT monitors thousands of different security events and reports on
   all activity that falls outside your predefined security policy guidelines.
10. Deactivate computer access following termination.
   User Profile Manager provides full user life cycle management across
   multiple System i servers.
11. Collect and save data for use in investigations.
   The DetectIT Security Audit and Detection Module allows you to configure,
   report and archive against thousands of different security events.
12. Clearly document insider threat controls.
   Risk and Compliance Monitor contains pre-defined policies, based upon
   internationally accepted standards, against which your systems are
   monitored.
The Business Case
Managing System i users effectively delivers a financial benefit to any organization
that employs robust user management.
IT fraud such as the Societe Generale case and financial penalties for failure to
comply with legislative initiatives (Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA,
Basel II etc) can cost an organization a great deal of money. So it is no surprise that
security audits are addressed at board level and management of System i users is
given the highest priority. Security and operations must demonstrate the ability to
control, audit and report on which users have access to what System i resources.
Another, less obvious return on investment is in the case of password management.
On average, up to 70% of calls to the service desk are due to forgotten passwords.
Self service password resets and single sign on reduce the volume of calls by up to
80%. This eliminates many costly time consuming processes and delivers hard cash
savings to IT operations.
Gartner estimates that help desk calls cost an average of £30 each, and that
personal management reports for users account for a minimum of 40% of help
desk call volumes.
Conclusion
Despite the huge threat posed by employees, user management can be overlooked
in security projects. Too often, it is considered just an administrative task, rather
than a security issue. The policy management and access control part of user
management tends to be forgotten.
The realities are that you can massively reduce the risk of security incidents, by
correctly managing employees and other authorized users. This is where
organizations should focus the majority of their efforts in securing their critical data.
The three IT Controls mentioned earlier provide a useful framework for organizations
to manage their user community:
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy
When organizations follow these guidelines they can help ensure sensitive data stays
secure and keep users productive.
About the Author
Simon Bott has over 16 years’ experience working in IT, encompassing time
spent working within end-user environments and, for more than a decade, working
as a consultant for several successful IBM business partners with a focus on the
iSeries/System i platform. For the past 3 years Simon has helped build the networking
and security function of one of IBM’s largest business partners, working with
technology partners such as Juniper Networks, RSA, Cisco, Trend Micro and Barracuda
Networks to meet the growing demand for security services in today’s regulatory
compliance-driven business environment. Simon joined Safestone Technologies in
summer 2008 to help Safestone continue to evolve and deliver the high quality,
innovative System i audit, compliance and security tools for which it is known.
About Safestone Technologies
Partner of choice for global financial and banking institutions with the most stringent
security and compliance requirements, Safestone provides the most comprehensive
solution in System i security to over 500 blue-chip customers worldwide.
Safestone’s module-based solutions are flexible, scalable, and easy to implement and
use, allowing the solution to address all varying degrees of audit, compliance and
security requirements.
Safestone has built up a global network over more than 21 years, which provides
localized sales, consultancy and professional services to help organizations manage
all their System i security requirements.