What Does a
Full-Featured IBM i
Security Strategy
Look Like?
Bill Hammond | Director, Product Marketing
John Vriezen | Principal Technology Architect

Housekeeping
Webinar Audio
• Today’s webcast audio is streamed through your
computer speakers
• If you need technical assistance with the web interface
or audio, please reach out to us using the Q&A box
Questions Welcome
• Submit your questions at any time during the
presentation using the Q&A box. If we don't get to your
question, we will follow-up via email
Recording and slides
• This webinar is being recorded. You will receive an email
following the webinar with a link to the recording and
slides

The leader in data integrity
Our software, data enrichment products and
strategic services deliver accuracy, consistency, and
context in your data, powering confident decisions.
of the Fortune 100
99
countries
100 2,500
employees
customers
12,000
Brands you trust, trust us
Data leaders partner with us
3
3

Overview
• What assets are we securing?
• What actions are we securing?
• Who’s access needs to be secured?
• Security principles
• How do we secure these assets and actions?
• How do we know we have secured these assets?
• How Precisely can help
4

What assets are we securing
5
Proprietary data
Customer data
Credentials
• Trade secrets
• Software
• Documents
• Processes
• Data base columns, IFS files
• Personally Identifiable Information (GDPR, PCI DSS, etc.)
• e.g. Names, addresses, credit card #s, Social Security #’s, etc.
• Medical data (HIPAA)
• Usernames
• Passwords
• Account numbers

What actions are
we securing?
6
Business actions
• Order processing
• Accounts Payable
• Accounts Receivable
Operational actions
• Logistics – deliveries, manufacturing
• Equipment automation

“Kemuri” Water
Company
7
IBM i used for:
• Web server
• Operation Technology
• Supervisory control and data acquisition (SCADA)
• Payment web server contained IP address and
userid/passwords
• Hacked ! (2016)
Allows access to valve and flow controls
https://www.securityweek.com/attackers-alter-water-
treatment-systems-utility-hack-report

Whose access needs
to be secured?
8
• Bad actors
• Our employees
• Our vendors
• Our customers
• Intentional breaches
• Unintentional breaches

Security
Principles
Zero Trust Deny by Default
https://www.cs.virginia.edu/~evans/cs551/saltzer/
Jerome H. Saltzer, Michael D. Schroeder 1975
• Authenticate all who access
system, every time
• No shared credentials
• All users are denied access
until/unless explicitly authorized
• Public Security = *EXCLUDE
Least Privilege Open Design
• Users are giving only enough
privilege and access to
accomplish their tasks
• Mechanisms used to secure are
not ‘secret’
• Only encryption keys, passwords,
etc. are kept secret
9

How do we
secure assets?
10
• Authentication
• Entry point controls
• Authorization
• Encryption/Masking
• Tokenization

Authentication techniques
Factors:
• What do you
know?
• What do you
have?
• Who are you?
• Who do you know?
11
8675309
1 2 3 4 5
6 7 8 9 0
.

Multi-factor Authentication
12
Cyber Security Factors
• What do you know?
• Username, password
• What do you have?
• Yubikey, cell phone, FIDO
UAF/U2F, etc.
• Who are you?
• Fingerprint
• Who do you know?
• “Four eyes” authentication
• Where are you?
• IP Address
• What is the day and time?
Which factor failed
to pass?
DON’T TELL !
MFA can be used after
sign on:
Use MFA at key
application points

Validation Lists instead of User Profiles
• IBM i Object type of *VLDL
• Used for HTTP server users or other external users
• Used by Apache web server
• Stores encrypted passwords ‘by design’
• No control over internal encryption key
• Passwords should not be stored – only secure
hash of salted passwords should be stored.
• Allows users to access system via Web or other
means without having an IBM i user profile
• Do you have a user/password to the server which
runs your bank web interface?
• External authentication servers can be used instead:
Okta, Radius, etc.
• Downside: No system level auditing of who is
responsible for actions taken, relies on Application
Server to log.

Entry Point Controls
• IBM has defined exit points to allow
additional user or Security vendor control
for users accessing system.
• Telnet
• Sockets
• FTP, TFTP
• REXEC (remote command execution)
• DDM
• SQL (ODBC, JDBC)
• IBM Command Exit point
• Managed via WRKREGINF command to
add exit point programs
14

Authorization
• Is the authenticated user authorized to perform a requested action or access requested data?
• Primarily enforced via IBM i object authorities.
• Library based objects (DB2, Programs, commands, menus, etc.)
• IFS objects (directories, stream files, symbolic links)
• Beware of securing directories only
• QDLS folders and documents
• Also, can be enforced via exit points

Authorization: Dealing with scale
16
• Consider an example:
• 500 user ids
• 10,000 object to secure
• Deny by Default means 5,000,000 authorizations to consider!
• Userids can be authorized by ‘grouping’ them using Group Profiles
• Users can be a member of up to 16 groups – 1 Primary group,
15 supplemental groups
• Objects can be authorized by ‘grouping’ them using
Authorization Lists
• User Groupings can then be authorized to Object Groupings
• This considerably reduces the complexity of managing authorizations.

Authorization: Groups and Authority Lists
• To add a User to one or more groups:
• CHGUSRPRF USRPRF(MYPROFILE) GRPPRF(MYGROUP) SUPGRPPRF(SUPPGRP1 SUPPGRP2)
• Group profiles are just regular profiles that have been identified as a group for another profile.
• To create an authorization list:
• CRTAUTL AUTL(MYAUTL) AUT(*EXCLUDE)
• To secure an object with an authorization list:
• GRTOBJAUT OBJ(MYLIB/MYOBJ) OBJTYPE(*FILE) AUTL(MYAUTL)
• CHGAUT OBJ('/MyPath/MyObject') AUTL(MYAUTL) SUBTREE(*ALL)
• To connect the authorization list to the group profile:
• ADDAUTLE AUTL(MYAUTL) USER(MYGROUP) AUT(*USE)
• ADDAUTLE AUTL(MYAUTL) USER(MYGROUP) AUT(*EXCLUDE)

Encryption/Masking
18
• Database Field level encryption
• IBM DB2 Field Procedure has support to allow for strong encryption
and masking
• Selected fields are encrypted in DB2 table storage and in journal entries
• When read, fields are decrypted or masked based upon which user is
accessing data
• Updates are handled seamlessly so that masked data is not written
to database.
• Encrypted key fields can be problematic for native RPG applications

Encryption Performance
19
• Encryption can add non-trivial overhead to database access and update.
• Initial conversion from plain text to encrypted for entire file can take many
hours or even days for very large files
• ‘Encrypt While Active’ is one technique to allow application up time during
encryption migration
• Similar to data format migration, but simpler to do
• Application down time is negligible

Tokenization
Sensitive data is
stored external from
primary data table
Tokens are used
to cross reference
from primary table to
sensitive data table
Tokens are
generated by
Security software
to conform to
data type
20

How do we know
we have secured
these assets?
• Open-Source Scan
• SAST – Static Application Security Testing
• DAST – Dynamic Application Security Testing
• Threat Modeling
• Penetration Testing
• IBM i Authority collection
21

How do we know we have secured these assets?
• Scans software for known security vulnerabilities
• Black Duck software is a primary player
• Works best on modern Web technologies
• Scan Based on exposure databases:
• CVE - Common Vulnerabilities and Exposures
(https://cve.mitre.org/cve/)
• List of exposures
• NVD - National Vulnerability Database
• Same as CVE, but includes patch information
• CVSS - Common Vulnerability Scoring System
(https://www.balbix.com/insights/understanding-cvss-scores/)
• Scoring of exposures.
22
Open-Source
Scan

How do we know we have secured these assets?
• Static analysis of source code or Java Byte code
• Looks for security exposure coding patterns.
• Lots of choices for Java, Java Script, C, C++, etc.
• Not many (good) choices for RPG
• Think of this as a very picky compiler that complains
about many poor/risky coding choices
23
Static
Application
Security
Testing

How do we know we have secured these assets?
• Dynamic analysis
• Automated probing of Web/Network interface
attempting to subvert security
• Many choices for Web interfaces –
(HTTPS, REST, etc.)
24
Dynamic
Application
Security
Testing

How do we know we have secured these assets?
• Manual, internal analysis ofapplication/
server design
• How is authentication/authorization done?
• Are passwords properly hashed?
• Is there opportunity for SQL code injection?
• Etc.
25
Threat
Modeling

How do we know we have secured these assets?
• Internal penetration testing
• Done by people who ‘know’ the software
• External penetration testing
• Done by outside experts who know how to look for
attacks you didn’t think of
26
Penetration
Testing

How do we know we have secured these assets?
• IBM 7.3 and 7.4 feature
• Object scoped collection added in 7.4
• Logs each object authority look up and reports
• Failure to authorize
• Successful authorization
• Includes how authority was realized:
• Public Authority
• Private Authority
• Authority list
• Group authority
• Adopted authority
• Comparing granted authority for user vs. actual used authority can
identify excess authority no longer (or never) needed.
27
IBM i
Authority
Collection

How do we know we have
secured these assets?
28
• SIEM : Security Information and Event Management
• Gathers and consolidate security related information from operation systems
• Includes ‘normal’ operations
• Includes ‘abnormal’ operations
• Target repositories:
• QRADAR
• SPLUNK
• Elk
• LogRythm
• Etc

Authority Elevation
29
• Sometimes, a user temporarily needs additional authority to
accomplish a task
• Classic Example: IT Help Desk
• Options:
• Just give the user the authority permanently
• Give the user authority temporarily – requires someone with
higher authority
• Con: Forgetting to retract the authority
• Automate the process

Authority Elevation - Automation
• User requests additional authority via command
• Requires external ‘ticket’ (E.g. Jira, Service Now, etc.)
• Ticket must be in proper ‘In progress’ state
• User is re-prompted for authentication
• Userid/Password/MFA
• Activity is logged and captured
• Job log
• 5250 Screen captures
• Elevation can be time limited
• Elevation can be limited to single function
(e.g. CHGUSRPRF PASSWORD() )

Security by Obscurity
31
• AS/400 to IBM i has benefited from Security by Obscurity for a long,
long time
• Obscure user interfaces (5250, DDM, EBCDIC, etc.)
• Not well known compared to Windows, iOS, Android, Linux
• Low number of targets compared to Windows, iOS, Android
• Biggest exposures:
• IFS Ransomware/malware
• Ransomware as a business looking for targets with deeper pockets,
more to lose

Example of Security by Obscurity
32
• Medical Pager systems
• Used by many modern hospitals
• Protocol: POCSAG: https://www.itu.int/dms_pubrec/itu-r/rec/m/R-REC-M.584-2-199711-I!!PDF-E.pdf
• Three Frequencies reserved for medical paging
• Central broadcast tower at hospital
• Enter: RTL-SDR – software defined radio
• Realtek chip
• Digitizes radio signal
• Software decoders for many different protocols
• Pagers
• ISS: International Space station
$30

Software Defined Radio Protocols
Protocol Name Type Author URL
gr-pocsag GRC Flowgraph Marcus Leech https://www.cgran.org/browser/projects/gr-pocsag/trunk
multimode RX (try first!) GRC Flowgraph Marcus Leech https://www.cgran.org/browser/projects/multimode/trunk
simple_fm_rvc GRC Flowgraph Marcus Leech https://www.cgran.org/browser/projects/simple_fm_rcv/trunk
python-librtlsdr Python Wrapper David Basden https://github.com/dbasden/python-librtlsdr
pyrtlsdr Python Wrapper Roger https://github.com/roger-/pyrtlsdr
rtlsdr-waterfall Python FFT GUI Kyle Keen https://github.com/keenerd/rtlsdr-waterfall
Wireless Temp. Sensor RX Gnuradio App Kevin Mehall https://github.com/kevinmehall/rtlsdr-433m-sensor
QtRadio SDR GUI Andrea Montefusco et al. http://napan.ca/ghpsdr3/index.php/RTL-SDR
gqrx SDR GUI Alexandru Csete https://github.com/csete/gqrx
rtl_fm SDR CLI Kyle Keen merged in librtlsdr master
SDR# SDR GUI Youssef Touil http://sdrsharp.com/ and Windows Guide or Linux Guide
tetra_demod_fft Trunking RX osmocom team osmosdr-tetra_demod_fft.py and the HOWTO
airprobe GSM sniffer osmocom team et al http://git.gnumonks.org/cgi-bin/gitweb.cgi?p=airprobe.git
33

How Precisely can help

Assure Security for IBM i
• Defending against the increasing sophistication and complexity of
today’s security threats, including malware requires a comprehensive,
multi-layered approach.
• The key is to maximize the strength of each layer of your defenses,
and then ask:
“If this layer is breached, what do I have
in place to prevent further damage?”
• Assure Security delivers market-leading IBM i security capabilities
that help your organization successfully comply with increasingly
stringent cybersecurity regulations and effectively address current
and emerging security threats.
35

36
36
Assure Security
Data Privacy
Assure Encryption
Assure Secure File
Transfer
Assure Monitoring
and Reporting
Assure Db2 Data
Monitor
Access Control
Assure System
Access Manager
Assure Elevated
Authority Manager
Assure Multi-Factor
Authentication
Monitoring Malware Defense
Assure System
Access Manager
Assure Elevated
Authority Manager
Assure Multi-Factor
Authentication
Assure Monitoring
and Reporting
Assure Encryption
Assure
Security
addresses
top security
concerns

37
Access Control
• Prevent unauthorized logon
• Manage users’ system privileges
• Control and restrict access to
data, system settings, and
command line options
Monitoring
• Automate security and
compliance alerts and reports
• Monitor and block views of
sensitive data
• Integrate IBM i security data into
SIEM solutions
Malware Defense
• Harden all systems and data
against attacks
• Automate and integrate security
technologies and management
• Design for depth and resilience
if one or more defenses fail
Assure Security:
Addressing Critical
zSecurity Challenges
Data Privacy
• Encrypt IBM i data
• Secure encryption key management
• Tokenization and Anonymization
• File transfer security for Data in
Motion

Questions?