PowerNews: January 2011

Posted in Audits, Company News, Q and A, Security, Services on January 14th, 2011 by Will

Innovation and Airline Food: 2010 in Review

By Robin Tatam, Director of Security Technologies

For the first PowerNews of 2011, I’d like to step back from our traditional format and share some personal reflections on my year at PowerTech, and on things to come in the New Year.

PowerTech from the Inside

I’m happy to report that, in 2010, PowerTech and Help/Systems continued to focus on customers. We hosted meetings, where we shared glimpses of our future and listened to your feedback on development and other issues. In response to the sessions, we released a great database monitoring solution. Overall, our customers reiterated what we already knew: we aren’t perfect, but we can be proud of our solutions and service.

Product-wise, 2010 brought a major update to our popular Network Security solution, including exciting features like object-level rule support, and a stronger infrastructure design to support future enhancements. As I write, our team is putting the finishing touches on Compliance Monitor 3, and we’ll roll out further enhancements throughout 2011. I can’t wait to see your reaction to these upgrades.

On the training front, we launched several great online classes in 2010, with more options coming in 2011. Watch for a Compliance Monitor class to complement the existing Network Security and Authority Broker classes. For those with a tight budget, this is an inexpensive way to gain expert training.

Life on the Road

Readers of my blog know that my objectives last year often involved boarding passes and suitcases, as I traveled to cities including Seattle, Orlando, Dallas, and New York. For those keeping track, here are some of my 2010 travel statistics:

Air miles: 41,684
Cities: 16
Continents: 2
Nights spent in hotels: 56
Nights spent in a lighthouse: 1

If the lighthouse didn’t throw you, consider the number of hours I spent with my 6’ 6” frame crammed inside a Boeing 767.

Longest flight: Minneapolis to London, 4,015 miles
Shortest flight: Minneapolis to Chicago, 355 miles

High-Water Marks

I do whatever it takes to reach my customers. Last year, I rode planes, trains, cars, taxis, shuttle buses, untold miles of moving walkway—even an airboat (I’m not kidding!).

I baked in the sun and froze in the snow, though I managed to evade the Metrodome’s collapsing roof.

On my way, I met great customers and took in fantastic sights. I memorialized many of them in landscape photographs that brighten my office and my blog. I hope you enjoy them as much as I enjoy taking them.

Beautiful Las Vegas, Nevada.

A Steady Pulse

For now, I’m home again. I smile when I think back to one year ago, when our competitors were suggesting that PowerTech had no future. In reality, PowerTech’s heartbeat is stronger than ever, as our recent growth illustrates.

It was a great year, but the best is ahead.

Fire up the airboat.

—————————————————————————————-

7 Habits of Highly Secure Companies: Part III

By Robin Tatam

Please enjoy the final entry in my 7 Habits series. Feel free to go back and review Part I and Part II.

Habit 5: Use Existing Technology

Security companies spend millions of dollars to develop and perfect their solutions, so take advantage of their efforts.

Alternatively, you could hire staff to develop and support your own technology, but auditors frown upon self-policing.

You could also spend hours manually reviewing log entries and events, but automated solutions can notify you of actions. And what about activities the operating system cannot see, such as downloading payroll files via FTP?

In these cases, and many others, commercial security technologies can be extremely helpful. However, you must be sure to deploy them properly, and, in the case of IBM i, leverage your operating system’s built-in security controls.

Habit 6: Monitor Ongoing Compliance

Security isn’t a destination; it’s a journey. But this doesn’t mean you should dawdle. If you manage to elude mandates or regulations, you still have corporate and ethical responsibilities to your clients, customers, and employees.

The easiest way to meet your obligations is to implement and maintain a robust security infrastructure. Ongoing compliance checks help you maintain your high security levels.

Your initial assessment helped shape your security policy and subsequent server configuration; compliance checks should verify that you are doing what your policy states. Find the causes of non-compliant items, and take steps to prevent them from recurring.

In addition to compliance checks, use security tools to stay abreast of important events. Don’t wait until the end of the month to discover you had a non-compliance situation three weeks earlier. A good security solution makes constant analysis less daunting.

The Powertech suite of products.

Habit 7: Plan for the Future

In the tech world, things are never the same tomorrow. Consider the technologies of ten years ago, and the ways in which we secured them.

Since then, we’ve experienced great technological innovation, challenges, and change. Your business must react to change to stay competitive, and do it while complying with changing standards, laws, and regulations.

Compliance requirements will evolve, but they won’t go away. For example, privacy laws that began in California quickly rolled into forty other states, and a federal law may follow. Always keep your eyes on the horizon.

Master the 7 Habits

By reviewing and mastering the seven habits I’ve presented to you over the past few months, you can become and remain secure, no matter what the future brings.

—————————————————————————————-

Q & A with Paulie Culin

Dear Paulie,
I upgraded to Network Security version 6 and imported my security rules. How do I remove the old product libraries?

A: First, locate the old product library(s):

WRKOBJ OBJ(POWER*) OBJTYPE(*LIB)

Next, check for any object locks:

WRKOBJLCK OBJ(POWER5XX) OBJTYPE(*LIB)

If there are NO locks, you are OK to delete the old product libraries.

If there are locks, DO NOT DELETE THE OLD LIBRARY.

You may need to activate the new exit programs in Network Security 6. The activation process will recycle the server jobs, release the locks, and allow you to continue.

Learn more with PowerTech Webinars and online training.

Creating a security policy for your organization

Posted in Security, Services on March 1st, 2010 by Clint

By Robin Tatam

If you are responsible for securing your organization’s IBM i environment, you know there are many steps. The step that many people overlook is creating a well-defined security policy. And, without this step, you can’t really evaluate how well you’re doing with security!

The majority of large corporations have policies that address access to different types of technology, but it is still rare to find one that pertains to the required settings for IBM i. It is even more unusual for smaller organizations to have any type of formal policy beyond a simple “best practices” list.

Even if you are not legally required to set up a security policy (to comply with Sarbanes-Oxley, HIPAA, or other security regulations), everyone has a certain level of fiscal or moral responsibility (to the company’s customers, vendors, and employees) to protect the information with which you are entrusted. When you set up a policy, you create a standard that allows you to achieve or maintain compliance with your objectives.

As I mentioned earlier, large corporations often have multiple policies. There may be an overall policy and multiple sub-policies that define the requirements in more granular detail. For example, an international corporation may have a global policy that states why the policy exists and sets its objectives at a global level. Then, each country has a lower-level policy that supports the global policy but adds information and requirements specific to the local level.

If the impetus for creating a security policy is not coming from senior management, it is critical that you convince a manager to sponsor your effort. Without sponsorship, you will struggle to obtain the necessary capital to design and enforce the policy, and compliance is unlikely to be achieved, let alone maintained.

Creating a security policy is not solely an IT responsibility, but should be the result of a steering committee that is charged with identifying the key areas to be addressed in the policy. Once a policy is established, the IT staff is responsible for planning and implementing the technical controls necessary to adhere to the policy. An auditor determines if the controls are adequate.

If a security policy is going to provide real benefit to the organization, it must be followed. Therefore, you need to:

  • Introduce the security policy to make employees aware of it.
  • Distribute copies to appropriate employees.
  • Outline the penalties for willful non-compliance with the policy.
  • Create a schedule of audits to:
    • Build a gap analysis between the policy and controls.
    • Identify weaknesses in the policy, the mitigating controls, or the implementation of the controls.
  • Establish a defined life span for the policy.

Your security policy needs to be a living document that is reassessed at least every two to three years to ensure the policy:

  • Continues to meet the needs of the organization.
  • Addresses technology and business changes that occur.

Whenever the steering committee updates the policy, they must communicate changes to the appropriate audiences in a timely manner.

Additional Resources

Policy Enforcement with Compliance Monitor
To manage the compliance of system values on your IBM i system, PowerTech’s Compliance Monitor includes a security policy editor. Use this policy management tool to run a dashboard-style scorecard on your system that indicates which values are out of compliance. For more information, visit the Compliance Monitor page on the PowerTech Web site.

Open Source Security Policy
If you don’t know how to get started on your own security policy, PowerTech provides a FREE policy template available for download. You should edit this “open source” document to meet your unique corporate requirements. If you think the changes you make might be of interest to other members of the IBM i community, please send them to us and we’ll review them for inclusion in a future edition.

Live Policy Discussion
As part of our ongoing education commitment to the IBM i security community, Jill Martin, PowerTech’s Product Support Manager, will be visiting the following cities next week to conduct FREE 3-hour workshops on crafting IBM i security policies.

Date        City            Questions or RSVP
March 9     San Francisco   Katie.Carnicom@helpsystems.com
March 10    Irvine          Katie.Carnicom@helpsystems.com
March 11    Las Vegas       Katie.Carnicom@helpsystems.com

PowerTech: Beyond Software

Posted in Services on December 21st, 2009 by Clint

By Robin Tatam

Although PowerTech is known around the world as the leading provider of IBM i security solutions, there is far more to the story than just software. Not only do we perform professional services—on IBM i-based controls as well as the implementation of our software—but we also continually invest in the security area by committing money and resources to education and spreading the security message within IBM i organizations.

I would like to take a moment to introduce you to some of the other initiatives we are busy working on for 2010.

Local User Groups

One of the main networking channels for IBM i professionals is often the local and regional user groups that help promote education and knowledge sharing. Unfortunately, many of these groups struggle to fund resources to speak to their membership. To assist with this, I am personally visiting no less than seven states in the next couple of months to conduct speaking sessions on various group-selected topics—all fully funded by PowerTech!

If you live in or around the following cities, please come out and say “Hi!” I would love to meet you, and I am sure that your local user group would welcome the support.

Date           Location
January 19     Fairfield, CT
January 20     Long Island, NY
January 21     Fairfield, NJ
January 28     St. Louis, MO
February 9     Beaverton, OR
February 16    Nashville, TN
February 18    Buffalo, NY
March (TBD)    Reno, NV

Security Education

While IBM won’t schedule their security class until they have enough customers to attend (and then makes you travel to one of several major metropolitan cities), PowerTech is bringing a security class to you! Several of the above cities and dates have been selected to host a half-day class on the basics of IBM i security, at a very reasonable price!

If your company has a security initiative in its future, or you have staff members who need to learn some of the basics of IBM i security, this class is for you. Don’t delay—seats are limited.

Please visit www.powertech.com for additional information, or to sign up.

Webinars

Since August, PowerTech has been conducting FREE weekly webinars on topics including the configuration of the built-in IBM i audit controls; the risk associated with FTP, ODBC, and remote command; and performing an assessment of your IBM i server in 15 minutes. These have proven to be immensely popular, so we are busy scheduling further chances to listen to them, as well as adding new content to the schedule.

We’ve already established the topic lineup for January, and will continue to add dates and topics as the year progresses.

Set your alarm for Wednesdays at 10 a.m. CT.

Online Training

Don’t let staff changes or limited budgets prevent you from being at the top of your game. By popular demand, we are now offering online training from an official PowerTech trainer. In February, we are launching a new online training program, starting with Network Security. Each session is an easy-to-manage 60 minutes, and the class comes in segments to accommodate different levels of expertise and busy schedules.

The cost for this class is $99 for the basic session; $198 for the 2-part advanced session; or $259 for both (basic & advanced). It will be held at 10 a.m. CT on the following dates:

Date           Description
February 4     PowerTech Network Security – The Basics
February 9     PowerTech Network Security – Advanced Topics Part I
February 11    PowerTech Network Security – Advanced Topics Part II

While Network Security is the first class we’re offering, we’re also working to provide similar courses on Authority Broker and Compliance Monitor.

Visit the registration page for additional information, or to sign up.

No-Charge Compliance Assessment

Whether you already feel like your system is secure, or you have no idea where to begin, the hugely popular PowerTech Compliance Assessment provides valuable insight into the security configuration of your IBM i server.

The assessment tool runs on your PC and, in about 15 minutes, presents the findings to your team in a rich application environment. Find out information about your profiles, your system values, and the event auditing settings you have configured.

Not only do you get an automated review, but a PowerTech security expert helps you interpret the findings—all at no charge and with no obligation.

Image of System i Compliance Assessment

Please visit www.powertech.com for additional information, or to request an assessment.

Professional Services

Who better to implement and train you on PowerTech software than the security experts of the PowerTech Group? If you need just a little nudge in the right direction, try our WebEx-based remote assistance. Need to bring a security expert on site? We offer that, too. Let us walk your security staff through the solution installation; perform the initial configuration of the tools; and then train them on how to squeeze every ounce of functionality out of them.

And, if you’ve ever tried to find someone skilled in IBM i security mechanisms, you know how difficult it can be. If you do find someone, you generally have to pay dearly or wait for months for them to get there. Now, there’s another option. Bring in the experts at PowerTech to provide security expertise at reasonable rates.

Some of the topics that we can assist you with include:

  • Security Assessments
  • Moving to security level 40
  • Architecting application security
  • Starting to use IBM i auditing features

For more information, visit www.powertech.com/powertech/PowerTech_Web_Services.asp.

We haven’t forgotten our roots…

Of course, software solutions are still our forte and we are investing heavily in our solutions to continue to help you secure your IBM i data through the next decade.

Happy New Year, everyone!