readtech.com - Article: Applying Object Level Authorities
read technologies, inc.

Article:

Applying Object Level Authorities

SkyView Partners Security News

by Carol Woodbury
22 MAY 2007

Here is your iSeries security tip for May, 2007 from SkyView Partners, Inc., World Class i5/OS and OS/400 Security Experts.

Now, more than ever, the need to implement appropriate *PUBLIC authority is vital to your organization. Why?

Several reasons come to mind:

  • Some regulations require it. For example, the Payment Card Industry's Data Security Standard requires that access to any file containing credit card information be "deny by default". Translated into i5/OS terms, that's *PUBLIC *EXCLUDE.
  • Some auditors demand it. Auditors do not want financial data changed outside of the logic (protection) of the financial application. This translates into files being set to *PUBLIC *USE or *PUBLIC *EXCLUDE.
  • Identity theft is on the rise. Hackers are infiltrating networks. Insiders are selling secrets. There are many well publicized cases on both of these fronts.
  • It makes good business sense. Do you really want application users to have the ability to change application data outside of an application? Or do you want users viewing data when having that knowledge and information is outside of the scope of their job duties? The answer, of course, is no.

So what's preventing organizations from implementing object level security?

I think that one of the biggest issues is that they don't know where to start. So I'd like to give you some tips to help you get started implementing object security:

  1. Determine the data access policy - in other words, determine whether or not the data should be available outside of the application. If it's private data, credit card information or data that's confidential to your organization, then the file should be set to *PUBLIC *EXCLUDE. If it's OK for the general user community to be able to view or download the information, then the *PUBLIC authority setting can be *USE. Keep in mind that *USE is enough to read and copy the whole file, so "view" effectively means "download".
  2. Determine how the application will get sufficient authority to access the data and continue to work. As stated previously, my favorite method is to have the application adopt authority: compile or change the application's programs with USRPRF(*OWNER), so that while they run they carry their owner's authority in addition to the user's, and give that owner profile (not the users) authority to the files.
  3. In addition to the application itself, list the processes and users or groups that need to be able to access the file. If you're setting the files to *EXCLUDE, you've got to give these other processes authority. Otherwise, when a user tries to download the information to a spreadsheet or when the nightly batch process runs, it will fail.
  4. Consider using an authorization list to secure files. Authority on the file itself can't be changed while the file is in use, but entries can be added to an authorization list at any time. That way, if you didn't accommodate an outside process, you'll be able to recover quickly by authorizing the process to the authorization list even when the file is in use.
  5. Think about and plan the order in which you make configuration changes. By carefully planning and staging the roll-out of configuration changes, you can minimize the number of users and processes affected should some process have been forgotten.
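The five steps above, carried out with native i5/OS CL commands against a hypothetical Finance application. This is an added example and is not code from the article or from SkyView's products; the library FINLIB, the file CARDDATA, the program FINMENU, the authorization list FINAUTL, the owner profile FINOWNER, the batch profile FINBATCH and the group profile FINANLYST are all assumed names.

```cl
/* SECFIN: apply the data access policy to the Finance application.     */
/* Added example, not from the article. FINLIB, CARDDATA, FINMENU,       */
/* FINAUTL, FINOWNER, FINBATCH and FINANLYST are assumed names.          */
PGM

/* Step 1: policy decision. Card data is confidential, so the files     */
/* will end up *PUBLIC *EXCLUDE. The list's own *PUBLIC is *EXCLUDE too. */
CRTAUTL    AUTL(FINAUTL) TEXT('Finance application data') AUT(*EXCLUDE)
MONMSG     MSGID(CPF0000) /* list may already exist from a prior run   */

/* Step 2: the application gets its authority by adoption. The owner    */
/* profile is given *ALL on the list, the entry program is made to run  */
/* under the owner's authority, and the previous owner's rights go.     */
ADDAUTLE   AUTL(FINAUTL) USER(FINOWNER) AUT(*ALL)
CHGOBJOWN  OBJ(FINLIB/FINMENU) OBJTYPE(*PGM) NEWOWN(FINOWNER) +
             CUROWNAUT(*REVOKE)
CHGPGM     PGM(FINLIB/FINMENU) USRPRF(*OWNER) USEADPAUT(*YES)

/* Step 3: processes outside the application that still need the data: */
/* the nightly batch job changes it, the analysts' group only reads     */
/* (downloads) it. Nothing else is on the list, so nothing else gets in.*/
ADDAUTLE   AUTL(FINAUTL) USER(FINBATCH)  AUT(*CHANGE)
ADDAUTLE   AUTL(FINAUTL) USER(FINANLYST) AUT(*USE)

/* Steps 4 and 5: secure the file through the list, one file first so   */
/* a forgotten process shows up on a small scale. Securing a file       */
/* fails while the file is open, so this needs a quiet window; adding   */
/* an entry to the list later does not, which is how a missed process   */
/* is fixed without an outage.                                          */
GRTOBJAUT  OBJ(FINLIB/CARDDATA) OBJTYPE(*FILE) AUTL(FINAUTL)
MONMSG     MSGID(CPF0000) EXEC(DO)
   SNDPGMMSG  MSG('CARDDATA is in use; retry when the file is not open')
   RETURN
ENDDO
GRTOBJAUT  OBJ(FINLIB/CARDDATA) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* Once CARDDATA has run clean for a cycle, roll out the rest of the    */
/* library (OBJ(FINLIB/*ALL) covers every *FILE in it):                 */
/* GRTOBJAUT  OBJ(FINLIB/*ALL) OBJTYPE(*FILE) AUTL(FINAUTL)             */
/* GRTOBJAUT  OBJ(FINLIB/*ALL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)  */

/* Verify: *PUBLIC should show *AUTL with FINAUTL, FINOWNER *ALL.       */
DSPOBJAUT  OBJ(FINLIB/CARDDATA) OBJTYPE(*FILE)
ENDPGM
```

Compile it with CRTCLPGM and run it from a profile that owns the objects or has *ALLOBJ. The effective *PUBLIC authority to CARDDATA is now whatever the list says (*EXCLUDE), every other user reaches the data only by running FINMENU, and a batch job you forgot gets back to work with a single ADDAUTLE while the file stays open.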

Carol's Tech Tip

How SkyView Policy Minder Can Help

Whether you're trying to determine the state of your current configuration, about to start changing the settings or simply want to ensure the system stays secured according to your policy, Policy Minder can help.

Discovering your Current Configuration

You can use Policy Minder to determine the state of your current object level security implementation. Simply define a library and object template or a directory and object template. In the template definition, you can check the objects' owner, the owner's authority, the authorization list, *PUBLIC authority, private authorities and auditing values. For program and service program objects you can also specify whether to check their adopted authority attributes. You can specify to check all of these values or just one of them. For example, for the first "wave" of discovery, you may want to determine the owner and *PUBLIC authority setting of all objects in the Finance application and leave the private authority analysis for later. No problem. Simply define the attributes to analyze and run a compliance check. I recommend running the CHECK command and sending the results to a streamfile or outfile, allowing you to bring the list of the non-compliant objects into an Excel spreadsheet or running queries for further analysis.

Fixing your Current Configuration

Now that you have investigated the current configuration and determined how to accommodate outside processes so nothing breaks, you can use Policy Minder's FixIt function to make the required changes. Using FixIt provides documentation for auditors on exactly what was changed as well as a record of the previous value. Using Policy Minder to make security configuration changes provides a repeatable process should the changes have to be re-applied (such as when the vendor upgrades the application.)

Ensuring your Configuration Remains Compliant

Once your security configuration is in place you obviously will want to make sure it stays in place. To do that, run regular Policy Minder compliance checks. You may want to check the compliance of some things more frequently. For example, you may want to check files containing credit card information or encryption routines on a daily basis. Other items, such as the ownership of application objects may be checked on a weekly basis. Policy Minder is flexible and provides the interfaces you need to make compliance checks on the schedule that meets your business needs.
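The discovery "wave" described under Discovering your Current Configuration, and the recurring check described above, done with the operating system's own commands rather than Policy Minder. This is an added example, not code from the article or from SkyView's product; FINLIB, CARDDATA, FINOWNER and the outfiles in QTEMP are assumed names.

```cl
/* CHKFINAUT: first discovery wave for the Finance application, written */
/* so the same program can be re-run on a schedule to catch drift.      */
/* Added example, not the article's or Policy Minder's code. FINLIB,    */
/* CARDDATA, FINOWNER and the QTEMP outfiles are assumed names.         */
PGM

/* Wave 1a: owner and *PUBLIC authority of everything in the library.   */
/* DSPOBJD to an outfile gives one row per object (owner in ODOBOW;     */
/* DSPFFD QSYS/QADSPOBJ shows the full layout). PRTPUBAUT prints the    */
/* objects whose *PUBLIC authority is anything but *EXCLUDE, which is   */
/* exactly the set still violating a deny-by-default policy.            */
DSPOBJD    OBJ(FINLIB/*ALL) OBJTYPE(*ALL) OUTPUT(*OUTFILE) +
             OUTFILE(QTEMP/OBJLIST)
PRTPUBAUT  OBJTYPE(*FILE) LIB(FINLIB)

/* Wave 1b: programs that adopt the application owner's authority.      */
/* Every program in this list is a door into the data, so each one      */
/* should be an intended application entry point and nothing else.      */
DSPPGMADP  USRPRF(FINOWNER) OUTPUT(*OUTFILE) OUTFILE(QTEMP/ADPLIST)

/* Wave 2 (left for later, as the article suggests): private            */
/* authorities on the files, including the authorization-list entries   */
/* that now grant access.                                               */
PRTPVTAUT  OBJTYPE(*FILE) LIB(FINLIB)

/* Spot check of the most sensitive file, in outfile form so the rows   */
/* can be queried or pulled into a spreadsheet.                         */
DSPOBJAUT  OBJ(FINLIB/CARDDATA) OBJTYPE(*FILE) OUTPUT(*OUTFILE) +
             OUTFILE(QTEMP/CARDAUT)
ENDPGM
```

To turn this into the recurring check, register it once with the job scheduler, for example ADDJOBSCDE JOB(CHKFINAUT) CMD(CALL PGM(FINLIB/CHKFINAUT)) FRQ(*WEEKLY) SCDDAY(*ALL) SCDTIME(0200) for a daily run, or SCDDAY(*MON) for the weekly ownership review. When the program runs as a scheduled job, point the outfiles at a permanent library instead of QTEMP, since QTEMP disappears with the job and the report would vanish with it.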


About the author

Carol Woodbury spent 16 years with IBM in Rochester, MN. She served for more than 10 years as the AS/400 Security Architect and Chief Engineering Manager of Security Technology for IBM's Enterprise Server Group. During this time Carol provided security architecture and design consultations with IBM Business Partners and large AS/400 customers. She is known worldwide as an author and speaker on security technology, specializing in OS/400 and i5/OS security issues. Carol co-authored the popular book, Experts' Guide to OS/400 and i5/OS Security from 29th Street Press, has written numerous articles on security and is a technical editor for the IBM Systems Magazine. Carol is also a subject matter expert on security for COMMON, security author for Experts Journal, contributing author on security for System iNEWS and MC Press Online and the security expert for search400.

Copyright © 2000 - 2008 Read Technologies, Inc. All rights reserved.