powertech - part-time privileges: accountability for powerful users

Part-Time Privileges: Accountability for Powerful Users

Upload: helpsystems

Post on 16-Jan-2017


TRANSCRIPT

Part-Time Privileges: Accountability for Powerful Users

2

• Introduction

• Managing Powerful Users

• Why Policy Matters

• Solution Demonstration

• Free Resources

3

ROBIN TATAM Director of Security Technologies

952-563-2768

[email protected]

4

• Premier provider of security solutions & services

– 17 years in the security industry as an established thought leader

– Customers in over 70 countries, representing every industry

– Security subject matter expert for COMMON

• Wholly-owned subsidiary of HelpSystems since 2008

• IBM Advanced Business Partner

• Member of PCI Security Standards Council

• Authorized by NASBA to issue CPE credits for security education

• Publisher of the annual “State of IBM i Security Study”

5

• Introduction

• Managing Powerful Users

• Why Policy Matters

• Authority Broker Demonstration

• Free Resources

6

• Programmers

– Claim they need *ALLOBJ authority to fix production applications

• System Administrators

– Claim they need authority to configure and change the system

• Operators

– Claim they need Special Authorities to do backups and other specialized functions

• Vendors

– Can’t imagine running without Security Officer rights

7

8

Best practices call for fewer than 10 users with Special Authorities (SPCAUTs)

9

Date: January 9, 2005 2:37am

Author: A.F.

Subject: How to recover a deleted library?

PLS Help me! How can I recover a library I’ve just deleted by mistake and I have no tape backup. I’ve asked all users to sign off in order not to create any new objects. PLS HELP ME AND I WILL UPGRADE MY SUBSCRIPTION AT ONCE. THANKS

A posting at iSeriesNetwork.com

10

11

Date: September 1, 2004 12:49pm

Author: R.H.

Subject: Oops!

HELP!!!

I've accidentally deleted program QCMD in QSYS (spelling error using DLTPGM). The system has crashed. Any suggestions? I assume an IPL will be required, but is there anything else that can be suggested? This is bad.

A posting at iSeriesNetwork.com

12

• The #1 item cited by auditors is: control and monitoring of powerful users

What’s a powerful user?

• Someone with Special Authority or lots of private authority

• IT staff or other knowledgeable users with direct access to production data

• A user with a way to execute commands

13

In 2014, 37% of breaches involved an inside threat

14

15

• Introduction

• Managing Powerful Users

• Why Policy Matters

• Authority Broker Demonstration

• Free Resources

16

• Legislatures create laws

– Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, SB1386, and more

• Laws are open to interpretation

– Sarbanes-Oxley Section 404:

• “Perform annual assessment of the effectiveness of internal control over financial reporting…”

• “…and obtain attestation from external auditors”

• Auditors are the interpreters

17

• Auditors interpret regulations:

– Auditors focus on frameworks and processes

– Auditors have concluded that IT is lacking when it comes to internal controls

• Executives follow auditor recommendations

18

Special Authority (aka Privileges): All Object (*ALLOBJ)

The “gold key” to every object and almost every administrative operation on the system, including unstoppable data access.

*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

19

Special Authority (aka Privileges): Security Administration (*SECADM)

Enables a user to create and maintain the system user profiles without requiring the user to be in the *SECOFR user class or giving *ALLOBJ authority.

20

Special Authority (aka Privileges): I/O System Configuration (*IOSYSCFG)

Allows the user to create, delete, and manage devices, lines, and controllers. Also permits the configuration of TCP/IP and the start of associated servers (e.g., HTTP).

21

Special Authority (aka Privileges): Audit (*AUDIT)

The user is permitted to manage all aspects of auditing, including setting the audit system values and running the audit commands (CHGOBJAUD / CHGUSRAUD).

22

Special Authority (aka Privileges): Spool Control (*SPLCTL)

This is the *ALLOBJ of spooled files: it allows a user to view, delete, hold, or release any spooled file in any output queue, regardless of restrictions.

23

Special Authority (aka Privileges): Service (*SERVICE)

Allows a user to access System Service Tools (SST), although since V5R1 a separate SST login is also required.

24

Special Authority (aka Privileges): Job Control (*JOBCTL)

Enables a user to start/end subsystems and manipulate other users’ jobs. It also provides access to spooled files in output queues designated as “operator control.”

25

Special Authority (aka Privileges): Save System (*SAVSYS)

Enables a user to perform save/restore operations on any object on the system, even if there is insufficient authority to use the object.

* Be cautious if securing objects at only a library level *
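The eight special authorities above are exactly what an auditor asks to see inventoried. As an added example (not code from the deck or from PowerTech), the Python script below reads a constructed CSV export of user profiles and their special authorities, inverts it to show who holds each authority, and checks the count against the best-practice threshold of fewer than 10 such users cited earlier. The CSV layout, the sample profiles and the set of authorities treated as high-risk are the example's own assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export, one row per user profile with its special
# authorities space-separated as IBM i displays them. The CSV layout is an
# assumption for this example, not a PowerTech or IBM format.
SAMPLE_EXPORT = """\
user,user_class,special_authorities
QSECOFR,*SECOFR,*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS
OPR01,*SYSOPR,*JOBCTL *SPLCTL
PGMR01,*PGMR,*ALLOBJ *JOBCTL
PGMR02,*PGMR,*NONE
VENDOR1,*SECOFR,*ALLOBJ *SECADM *SERVICE
CLERK01,*USER,*NONE
"""

MAX_SPCAUT_USERS = 10   # best practice cited in the deck: fewer than 10 such profiles
# Authorities this example treats as highest risk: the "gold key", profile
# administration, and the two that bypass object authority (save/restore, SST).
HIGH_RISK = {"*ALLOBJ", "*SECADM", "*SAVSYS", "*SERVICE"}

def parse_export(text):
    """Return {user: set of special authorities}; *NONE maps to an empty set."""
    profiles = {}
    for row in csv.DictReader(io.StringIO(text)):
        profiles[row["user"].strip()] = set(row["special_authorities"].split()) - {"*NONE"}
    return profiles

def holders_by_authority(profiles):
    """Invert the map: {special authority: sorted users holding it}."""
    holders = defaultdict(list)
    for user, auths in profiles.items():
        for auth in auths:
            holders[auth].append(user)
    return {auth: sorted(users) for auth, users in holders.items()}

def assess(profiles):
    """Who has any special authority, who has high-risk ones, and whether the count is within best practice."""
    with_spcaut = sorted(u for u, a in profiles.items() if a)
    return {
        "users_with_spcaut": with_spcaut,
        "high_risk_users": sorted(u for u, a in profiles.items() if a & HIGH_RISK),
        "within_best_practice": len(with_spcaut) < MAX_SPCAUT_USERS,
    }

if __name__ == "__main__":
    print(assess(parse_export(SAMPLE_EXPORT)))
```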

30

[Diagram: “Production Update Authority”: IT staff holding Read / Change access to Payroll, Accounts Receivable, Accounts Payable, and Customer Information]

• IT personnel often insist that powerful authorities are necessary to do their job:

– Special Authorities like *ALLOBJ, *SPLCTL, *SECADM

– Rights to change critical production data

• Sometimes they are right!

31

[Diagram: Read / Change access to Payroll, Accounts Receivable, Accounts Payable, and Customer Information]

This is a top exception item reported by auditors!

32

• To keep your business running, you need:

– Emergency access to repair data files

• To keep your system safe, you need:

– A way to monitor when powerful authorities are used

– A way to monitor user activities, including when they enter the “command tunnel”

33

• COBIT AI6.4 - Emergency Changes

– IT management should establish parameters defining emergency changes and procedures to control these changes (…)

• COBIT DS10.4 - Emergency and Temporary Access Authorizations

– Emergency and temporary access authorizations should be documented on standard forms and maintained on file, approved by appropriate managers, securely communicated to the security function and automatically terminated after a predetermined period.

34

• ISO 27002 Section 9.2.2: Privilege Management

– The allocation of privileges should be controlled through a formal authorization process

– Privileges should be allocated to individuals on a need-to-use and event-by-event basis

– An authorization process and a record of all privileges allocated should be maintained

– Privileges should be assigned to a different user identity than those used for normal business
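The COBIT DS10.4 and ISO 27002 9.2.2 requirements above translate into a small workflow: a documented, approved grant of a separate powerful identity that expires on its own and leaves an audit record of every use. The Python model below is an added example (not PowerTech's or Authority Broker's code) of that workflow, reusing the temporary profile name PAYCHANGE from the deck; the requester, approver and command strings are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed in-memory audit trail standing in for a real journal:
# each event is (kind, everyday user, powerful profile, timestamp, detail).
AUDIT_LOG = []

@dataclass
class TempGrant:
    requester: str          # the person's everyday, limited-capability profile
    powerful_profile: str   # separate identity that holds the privilege (ISO 27002 9.2.2)
    granted_at: datetime
    duration: timedelta     # predetermined period after which access terminates (COBIT DS10.4)
    revoked: bool = False

    def active(self, now):
        return not self.revoked and now < self.granted_at + self.duration

def request_privilege(requester, powerful_profile, reason, approver, now, minutes):
    """Record an approved, documented, time-boxed grant; self-approval is refused."""
    if approver == requester:
        raise PermissionError("requester cannot approve their own elevation")
    grant = TempGrant(requester, powerful_profile, now, timedelta(minutes=minutes))
    AUDIT_LOG.append(("GRANT", requester, powerful_profile, now, f"{reason}; approved by {approver}"))
    return grant

def run_as(grant, command, now):
    """Allow a command under the powerful profile only while the grant is live; log either way."""
    kind = "CMD" if grant.active(now) else "DENIED"
    AUDIT_LOG.append((kind, grant.requester, grant.powerful_profile, now, command))
    return kind == "CMD"

def expire_grants(grants, now):
    """Automatic termination: revoke and log every grant whose period has elapsed."""
    expired = [g for g in grants if not g.revoked and not g.active(now)]
    for g in expired:
        g.revoked = True
        AUDIT_LOG.append(("EXPIRE", g.requester, g.powerful_profile, now, "period elapsed"))
    return len(expired)

def demo_session():
    """Constructed scenario: PGMR01 gets PAYCHANGE for 30 minutes to repair a payroll file."""
    AUDIT_LOG.clear()
    t0 = datetime(2017, 1, 16, 9, 0)
    g = request_privilege("PGMR01", "PAYCHANGE", "repair payroll batch", "MGR01", t0, 30)
    run_as(g, "update PAYROLL record (constructed)", t0 + timedelta(minutes=5))   # inside window
    run_as(g, "update PAYROLL record (constructed)", t0 + timedelta(minutes=45))  # after window
    expire_grants([g], t0 + timedelta(minutes=45))
    return [event[0] for event in AUDIT_LOG]   # ['GRANT', 'CMD', 'DENIED', 'EXPIRE']
```

Every path, including the denied attempt after the window closed, leaves a record tied to the everyday user rather than to the shared powerful profile, which is what gives management the accountability the deck asks for.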

35

Manage, audit, and control powerful profiles on IBM i

36

[Diagram: temporary profile PAYCHANGE accessing Payroll, Accounts Receivable, Accounts Payable, and Customer Information, with Report, Message, and Custom Alert outputs so that management is aware of all activity]

37

• Government regulators and IT auditors demand accountability

• Legislatures have created laws that require us to prove that our IT infrastructure is secure

• Non-compliance penalties range from public disclosure, to fines, to prison sentences for executives

– Executives are finally taking security very seriously

38

• Allows you to monitor and control users with powerful authorities

– Authority Broker lets you specify when and how users exercise powerful authority

– Authority Broker works with IBM i security to protect assets

– Authority Broker provides notification, monitoring, and control of powerful users

– Authority Broker provides visibility into non-command-based environments

39

40

• Allows you to intercept commands and conditionally perform other actions

– Command Security lets you specify when and how users execute commands

– Command Security is applicable to all users – even QSECOFR and other *ALLOBJ users

– Command Security provides notification, monitoring, and control of command environments

– Command Security can enforce the requirement to obtain privileges via Authority Broker

41

• Introduction

• Managing Powerful Users

• Why Policy Matters

• Solution Demonstration

• Free Resources

42

• Sign on as a limited-capability user and as a powerful user

• Attempt to access restricted functions

• Use Authority Broker to elevate user authorities on demand, and Command Security to control commands

• Perform restricted functions, including access to “tunnel” environments

• Report on user activities

43

• IT security has executive attention

– This is the best opportunity to solve long-standing problems

– Gain management approval now

• Control users with broad authority to production data

– Leaving users unchecked is both an audit exception and an accident waiting to happen

– Don’t accept that powerful users have to be limitless

• Limit the use of powerful profiles

– Monitor and report when power is used

44

• Introduction

• Managing Powerful Users

• Why Policy Matters

• Solution Demonstration

• Free Resources

45

47

Please visit www.helpsystems.com/powertech to access:

• The State of IBM i Security Study

• Online Compliance Guide

• Webinars/Educational Events

• Articles & White Papers

• Product Datasheets

• Product Trial Downloads

www.helpsystems.com/powertech (800) 915-7700 [email protected]

48

49

www.helpsystems.com/powertech 800-328-1000

[email protected]