The continuous news of personal information stolen from major retailers and financial institutions has driven consumers and regulatory bodies to demand that more action be taken to ensure data protection and privacy. Regulations such as PCI DSS, HIPAA, GDPR, and FISMA require that personal data be protected against unauthorized access using technologies like encryption, tokenization, masking, secure file transfer and more. With all the options available for securing IBM i data at rest and in motion, how do you know where to begin?
Register to get up to speed on the key concepts you need to know about assuring data privacy for your customers, business partners and employees.
Topics will include:
- Protecting data with encryption and the need for strong key management
- Use cases that are best for tokenization
- Options for permanently deidentifying data
- Securing data in motion across networks
- Complete security solution for IBM i (AS/400)
Social Distance Your IBM i from Cybersecurity Risk
1. Social Distance Your IBM i from Cybersecurity Risk
Dang Pacis, EVP Sales & Marketing - Questronix
Bill Hammond, Senior Product Marketing Manager - Precisely
Dawn Winston, Product Management Director - Precisely
Sidney Wong, Senior Sales Engineer - Precisely
TG Falsis, Systems and Technology Head - Questronix
2. Housekeeping
Webcast Audio
• Today’s webcast audio is streamed through your computer speakers
• Audio lines will be muted during the presentation
Questions Welcome
• Submit your questions at any time during the presentation using the
Q&A box. Questions will be answered at the end.
Technical assistance
• If you need technical assistance with the web interface or audio,
please reach out to us using the Q&A box
• You can move and resize the different webinar panels
Resources, Recording and slides
• The Resource List contains brochures which you can download and
read later
• This webcast is being recorded. You will receive an email following
the webcast with a link to the recording
3. Agenda
Opening
Dang Pacis, EVP Sales & Marketing - Questronix
Key Concepts for Protecting the Privacy of IBM i Data
Bill Hammond, Senior Product Marketing Manager - Precisely
Dawn Winston, Product Management Director - Precisely
Complete security solution
Sidney Wong, Senior Sales Engineer - Precisely
Closing
TG Falsis, Systems and Technology Head - Questronix
Q&A
4. Key Concepts for Protecting the Privacy of IBM i Data
Bill Hammond, Senior Product Marketing Manager - Precisely
Dawn Winston, Product Management Director - Precisely
5. Topics
1. Marketplace Trends
2. Common regulatory requirements
3. Data Privacy solutions that align with regulations
7. Introducing Assure Security
A comprehensive solution that addresses all aspects of
IBM i security and helps to ensure compliance with
cybersecurity regulations.
Whether your business needs to implement a full set of
security capabilities, or you need to address a specific
vulnerability, Assure Security is the solution.
8. Assure Security addresses the issues on the radar screen of every security officer and IBM i admin
Compliance Monitoring
Gain visibility into all security activity on
your IBM i and optionally feed it to an
enterprise console
Access Control
Ensure comprehensive control of
unauthorized access and the ability to
trace any activity, suspicious or otherwise
Security Risk Assessment
Assess your security threats and
vulnerabilities
Data Privacy
Protect the privacy of data at-rest or
in-motion to prevent data breaches
9. Choose the full product, choose a feature bundle, or select a specific capability
• Assure Security (full product)
• Assure Data Privacy
  • Assure Encryption
  • Assure Secure File Transfer
• Assure Compliance Monitoring
  • Assure Monitoring and Reporting
  • Assure Db2 Data Monitor
• Assure Access Control
  • Assure System Access Manager
  • Assure Elevated Authority Manager
  • Assure Multi-Factor Authentication
• Assure Security Risk Assessment
10. Risk Assessment
Assure Security
Risk Assessment Tool
Thoroughly check all aspects of IBM i
security and obtain detailed reports and
recommendations
Security Risk
Assessment Service
Let Syncsort’s team of security experts conduct a
thorough risk assessment and provide a report
with remediation guidance
11. Security Risk Assessment
What It Is
• A security risk assessment is a
thorough check of all aspects of
system security, including (but not
limited to):
• Security settings in the OS
• Default passwords
• Disabled users
• Command line users
• Distribution of powerful users
• Library authorities
• Open ports
• OS exit points
• Risk assessment tools or services
provide detailed reports on
findings, explanations and
recommendations for remediation
• Assessment summary for non-
technical management
summarizes findings
Benefits
• Helps to satisfy the requirement for
annual risk assessments found in
regulations such as PCI DSS and
HIPAA
• Results in reports that inform
management and administrators
about security vulnerabilities and
remedies
• Saves time by automating (tool) or
offloading (service) the process of
conducting an assessment
• Using a service or tool that
encapsulates extensive experience
can fill skillset gaps
• Provides separation of duties
between administrator and auditor
13. Assure Access Control
Access Control
Secure all points of entry into your
system including network access,
database access, command line access
and more
Multi-Factor Authentication
Strengthen login security by requiring
multiple forms of authentication
Elevated Authority Management
Automatically elevate user authority
as-needed and on a limited basis
14. Assure System Access Manager
Comprehensive control of
external and internal access
• Network access (FTP, ODBC, JDBC,
OLE DB, DDM, DRDA, NetServer,
etc.)
• Communication port access (using
ports, IP addresses, sockets - covers
SSH, SFTP, SMTP, etc.)
• Database access (open-source
protocols - JSON, Node.js, Python,
Ruby, etc.)
• Command access
Powerful, flexible and easy to
manage
• Easy to use graphical interface
• Standard configuration provided for
out-of-the-box deployment
• Powerful, flexible rules for controlling
access based on conditions such as
date/time, user profile settings, IP
addresses, etc.
• Simulation mode for testing rules
without impact to the users
• Provides alerts and produces reports
• Logs access data for SIEM
integration
Secures IBM i systems and
enables regulatory compliance
• Supports regulatory requirements for
SOX, GDPR, PCI-DSS, HIPAA, and
others
• Satisfies security officers by securing
access to IBM i systems and data
• Significantly reduces the time and cost
of achieving regulatory compliance
• Enables implementation of security best
practices
• Quickly detects security incidents so
you can efficiently remediate them
• Has low impact on system performance
15. Assure Elevated Authority Manager
Complete, automated control
of elevated user authorities
• Administrators can manually grant
users' requests or rules can be
configured to automatically manage
them
• Rules can be defined for source and
target profiles based on group
profiles, supplemental groups, user
lists and more
• Rules determine the context in which
authority can be granted, such as
time of day, job name, IP address
and more
• *SWAP or *ADOPT methods are
supported to elevate authority
• Handles processes connecting via
ODBC, JDBC, DRDA and FTP
Comprehensive monitoring of
elevated profiles
• Monitors elevated users and duration
of elevation from GUI or 5250
displays
• Maintains an audit trail of elevated
activity using job logs, screen
captures, exit points and journals
• An option is available to simply log
user activity without changing
authorities
• Produces alerts on events such as
exceeding authorized time
• Generates reports in a variety of
formats
• Allows integration with ticketing
systems
Enables regulatory compliance
and security best practice
• Generates an audit trail of actions by
elevated profiles for compliance
auditors
• Makes it easy to manage requests for
elevated authority on demand
• Enforces segregation of duties
• Satisfies security officers by reducing
the number of powerful profiles and
maintaining a comprehensive audit
trail
• Produces necessary alerts and
reports
• Significantly reduces security
exposures caused by human error
• Reduces risk of unauthorized access
to sensitive data
16. Assure Multi-Factor Authentication
Full-featured multi-factor
authentication for IBM i
• Enables you to require two or more
factors for authentication:
• Something the user knows
• Something the user has
• Something the user “is”
• Relies on codes from authentication
services delivered via mobile device,
email, hardware token, etc.
• Enables self-service profile re-
enablement and self-service
password changes
• Supports the Four Eyes Principle for
supervised changes
• RSA certified (See DOC-92160
on RSA’s community site)
Powerful, flexible deployment
options
• Allows multi-factor authentication to
be enabled only for specific users or
situations
• Rules engine makes it easy to
configure when multi-factor
authentication is used
• Supports multiple authenticators
• Free Syncsort authenticator
• RADIUS-based servers
• RSA SecurID (on-prem or cloud)
• Options to initiate from the 5250
signon screen or on-demand
(manually or from a program)
• Options for multi-factor or two-step
authentication
Strengthens login security and
enables compliance
• Adds an authentication layer above
and beyond memorized or written
passwords
• Reduces potential for the cost and
consequences of data theft and
unauthorized access to systems and
applications
• Lowers risk of an unauthorized user
guessing or finding another user’s
password
• Addresses regulatory requirements
and recommendations in PCI DSS
3.2, NYDFS Cybersecurity Regulation,
Swift Alliance Access, GLBA/FFIEC,
and more
17. Assure Data Privacy
Encryption
Transform human-readable database
fields into unreadable ciphertext using
industry-certified encryption & key
management solutions
Secure File Transfer
Securely transfer files across internal or
external networks using encryption
Tokenization
Remove sensitive data from a server by
replacing it with substitute values that can
be used to retrieve the original data
18. Assure Encryption
The only NIST-certified solution
for IBM i encryption
• Automatic encryption for Db2 data
using IBM i Field Procedures (IBM i 7.1
or greater)
• AES encryption algorithms are
optimized for performance
• Built-in masking of decrypted data
based on user or group
• Built-in data access auditing
• Includes encryption commands for
Save Files, IFS, and much more
• Extensive encryption APIs for RPG &
COBOL
• Easily addresses issues of encrypted
indexes in legacy RPG programs
• Includes tokenization to replace
sensitive data with substitute values
or “tokens”
Supports multiple key
management options
• Encryption keys must be protected
since encryption algorithms are
public
• Compliance regulations require
proper key management
• Assure Security supports multiple key
management options
• Local key store provided
• Built to integrate with Townsend
Security’s FIPS 140-2 compliant
Alliance Key Manager, available as:
• VMware appliance
• Hardware Security Module (HSM)
• Cloud HSM (AWS, Azure)
• Other OASIS KMIP compliant key
management solutions
Enables regulatory compliance
and security best practice
• Encrypts data without impacting
applications
• Protects data from unauthorized
access by internal staff, contractors
and business partners – as well as
criminal intruders
• Meets requirements of regulations
that mandate sensitive data
protection such as HIPAA/HITECH,
PCI-DSS, state privacy laws and
more
• Builds your customers' confidence in
doing business with you through
NIST validation
19. Assure Secure File Transfer
Secures data transferred with
trading partners or customers
• Secures data moving across internal
or external networks by encrypting it
before transfer & decrypting it at the
destination
• Encrypts any file type including Db2
database files, flat files, IFS files, Save
Files, and spooled files
• Supports common transfer protocols
• Secure Shell (SSH SFTP)
• Secure FTP (SSL FTPS)
• Records all encryption and file
transfer activity to meet compliance
requirements
• Offers a PGP option to encrypt data
at the source and destination
location
• PGP encrypted files can be received
from any other system including
Windows, Linux, and UNIX
Enables centralized
management and automation
• Automatically enforces data
protection with centrally managed
policies
• Intelligently negotiates firewalls
• Configurable in a hub-and-spoke
configuration to automatically
manage all your file transfer needs
• Provides email, SNMP, message
notifications and alerts
• Supports email confirmation of
transfer with distribution list
• Provides APIs and commands for
integration with RPG, COBOL
applications and CL programs
• Supports encrypted ZIP and PDF
Enables regulatory compliance
and security best practice
• Protects data from being seen in
clear text when transferred
across networks
• Meets requirements of
regulations such as PCI, HIPAA
and others that require
encrypted transfer and logging
of transfer activity
• PGP option provides cross-
platform, standards-based
encryption that works with all
other PGP solutions
20. Assure Compliance Monitoring
System & Database Auditing
Simplify analysis of IBM i journals to
monitor for security incidents and
generate reports and alerts
Db2 Data Monitoring
Monitor for views of sensitive Db2 data
and optionally block data from view
SIEM Integration
Integrate IBM i security data with data
from other platforms by transferring it
to a Security Information and Event
Management console
21. Assure Monitoring and Reporting
Comprehensive monitoring of
system and database activity
• Simplifies the process of analyzing complex
journals
• Monitoring for system and database
changes available separately or together
• Powerful query engine with extensive
filtering enables identification of deviations
from compliance or security best practice
• Out-of-the-box, customizable models
supplied for common ERP solutions and
GDPR compliance
• Application modifications not required
Produces clear, easy-to-read
alerts and reports
• Provides security and compliance event
alerts via e-mail, popup or syslog
• Enables easy creation of customized reports
that can be generated continuously, on a
schedule or on-demand
• Supports multiple report formats including
PDF, XLS, CSV and PF formats
• Distributes reports via SMTP, FTP or IFS
• Add-on available to send security data to
SIEM consoles such as IBM QRadar, ArcSight,
LogRhythm, LogPoint, and Netwrix
• Integration of security data into Splunk for
security monitoring or IT operations analytics
available via Syncsort’s Ironstream product
family
Benefits of monitoring for
compliance & security
• Quick identification of security
incidents and compliance deviations
• Monitors the security best practices
you have implemented
• Enables meeting regulatory
requirements for GDPR, SOX, PCI
DSS, HIPAA and others
• Satisfies requirements for a journal-
based audit trail
• Provides real segregation of duties
and enforces the independence of
auditors
22. Assure Db2 Data Monitor
Gives you complete control
over sensitive data access
• Monitors Db2 data to inform you of
who has viewed sensitive records in a
file, when and how
• Rich set of rules enables fine tuning of
read-access detection and alerts
(e.g. specific access of a specific file)
• No need to change existing
applications
• Generates reports in multiple formats
and real-time alerts
• Blocking mode prevents users from
reading specified information in a file
• Simulation mode available for testing
rules to ensure blocking doesn’t
disrupt normal activities before
deployment
Produces clear, targeted
reports on data views
• Reports could show views of:
• Manager salaries
• Medical data
• Credit information
• Reports can include information on
how data was accessed, such as:
• IP address
• Current user
• Call stack
• And more
• Specify only the fields you need to
see in a report, not the entire record,
to keep your confidential data truly
confidential
Meets even the most stringent
compliance and security needs
• Meets the most stringent regulatory
requirements for confidential data
• Reduces the risk of accidental data
disclosure
• Deters illicit or criminal activity
24. What is the Cross-Platform Audit™?
An enterprise-wide Compliance Event Monitor.
The CPA is all about practical organizational security. It provides log
monitoring for your computer systems and databases, collecting and
consolidating data from across the enterprise. Many sources are
available, including Windows, Mainframe, IBM i, Unix, AIX,
SQL Server and Oracle.
The CPA filters and then collects the events into a single database and
presents them in an intuitive GUI for ease of analysis and
investigation.
25. Features of the Cross-Platform Audit™
• Collection of diverse data formats into a uniform database.
• Selectivity/Granularity in defining which events should be collected.
• Comprehensive monitoring in a multi-platform environment.
• Reporting real user activity utilizing all the user’s identities.
• Graphical analysis of security information statistics.
• Powerful filtering to pinpoint events with specific characteristics.
• Event information drill-down to the field change level, incorporating ‘before’
& ‘after’ images.
• Audit information from different systems available all in one place.
• Comprehensive audit information for every critical event, showing exactly
who did what, when and how.
26. Differentiators
• A single Management Console is used to manage the
central repository as well as the individual systems that
are being monitored.
• Organizations can be highly selective in deciding which
information needs to be transferred for consolidation.
• Focus is on critical information, for example the important
data changes performed in the database.
• High visibility of changes using before and after images.
• Specialized IBM i logs – covering many unique event
categories, with a high level of granularity.
• Specialized IBM Mainframe logs – covering a large number
of event categories, with a high level of granularity.
28. All Sources
• System Audit
• File and Field Audit
• Alerts
• Application Audit
• SQL Statement
• IP Filter
• Compliance
• Message Queue
• History Log
• View Data
• SMF TELNET
• SMF FTP
• SMF VSAM
• SMF RACF
• TCP/IP Application Audit (FTP and Telnet)
• DB2 SMF
• DB2 LOG (Data Audit)
• DB2 CICS (SQL Data Capture)
• DB2 BATCH (SQL Data Capture)
• System Audit
• UNIX DB2
• System Audit X86
• System Audit 86_64
• System Audit IA64
• System Audit PPC64
• System Audit PPC
• System Audit S390X
• System Audit S390
• System Audit
• SQL Statements
• SQL System Audit
• SQL Data Audit
• SQL Statements
• Oracle System
• Oracle Admin
• Oracle Profiles/Users
• Oracle Procedures
• Data Audit
• DB2 SMF – MF
• DB2 LOG (Data Audit) – MF
• DB2 CICS (SQL Data Capture) – MF
• DB2 BATCH (SQL Data Capture) – MF
• DB2 System Audit – i, AIX, LUW
• DB2 SQL Statement Audit – i, AIX, LUW
• System Audit
• Data Audit
• Windows Event Logs: Security, Application, DNS . . .
• Windows Active Directory
• ISA Server logs
• DHCP logs
• IIS Web Server logs
• System Audit
SYSLOG Sources
• Routers
• Firewalls
• Antivirus
• Other SYSLOG senders
• Audit
• Connect
• Query
• Prepare
• Execute
• Shutdown
• Quit
• No audit
• Init DB
• Other
29. What is the Cross-Platform Compliance™?
• An enterprise-wide Compliance Deviation Monitor.
• The CPC is all about practical organizational security. It
automatically checks whether your system security settings are in
line with organizational security policy. Many sources are
available, including Windows, AIX, Linux, IBM i, MS SQL and
Oracle.
31. Enforcive/Compliance Accelerator Offering
• Speed up Compliance Projects
• Predefined
- Reports
- Alerts
- Policy Compliance Manager templates
• Areas covered: PCI DSS, SOX, COBIT and ISO
• 600+ Definitions
• Based on experience of Precisely implementations and interpretation of
regulations & best practices
35. CPC Architecture
[Architecture diagram: Cross Platform Compliance, on a Windows server with MS SQL database, connected to MS SQL Server, Linux, Windows, IBM Power (i and AIX) and Oracle systems over agent or agentless connections (IBM i: agent; AIX: agent or agentless).]
Functions shown for Cross Platform Compliance:
• Deviation Alerting
• Deviation Reporting
• Authority Manager
• Password Administration
• SOX, HIPAA & PCI Compliance
• Enforce Policy
36. Cross Platform Compliance Flowchart
[Flowchart: a Policy Compliance Server connected to Oracle, MS SQL, Windows, AIX and i, and Linux systems.]
Steps shown:
• Configuring the Compliance Policy using templates
• Check policy template against system actual value
• Force Policy Update by scheduler (fix)
Other diagram labels: Policy Templates, Deviation Alerts, Online Inquiry, Deviation Reports, Deviations Inquiry