Thanks for Calling, But I'm Already Compliant!
True or false:
- IBM Power Systems servers running IBM i are totally secure.
- You can't get a virus on an IBM i server.
- The users don't know how to use ODBC and FTP.
- «Insert name of long-time employee here» would never abuse his/her access to sensitive information.
I'll resist the urge to provide the answers upside down and in parenthesis.
Debunk the IBM i Compliance Fallacies
For those of you who are curious or who have uttered the statements above, the answers are:
- No, they're not, unless you do a lot of configuration.
- Yes, you most certainly can.
- ODBC and FTP are easier to figure out than most people think.
- You most trusted users might not act maliciously, but don't bet your business on it.
In today's highly regulated world, compliance fallacies are becoming more common. I regularly hear examples of a business mindset that could result in a painful reality check.
Security and compliance are the same thing.
I don't have to worry because my IBM i is outside the scope of the regulatory mandate.
I'm already compliant.
I passed my audit.
The auditors didn't find anything.
Surprisingly, these comments sometimes come from global enterprises—organizations whose radar signatures as breach targets approach the size of small planets!
Formulate Your Compliance Plan
Regardless of the size of your business, the first step of a security initiative is building a goal-oriented project plan. This plan will probably include:
- Determining known vulnerabilities
- Assigning risk
- Performing cost/benefit analysis for mitigation
- Determining impact and overlap with regulatory compliance initiatives
I often speak to organizations whose sole focus is on achieving compliance. Sadly, they're overlooking the fact that there's a big difference betwwen being secure and being compliant.
Remember: Compliance Mandates Spell Out the Minimum Requirements
Mandates are typically just guidelines spelling out the minimum steps to take. Ironically, most regulatory mandates were created with the goal of making businesses more secure, but concentrating entirely on compliance creates a real possibility you won't be very secure.
On the other hand, if you focus first on becoming as secure as possible, you're also very close to achieving compliance with whatever mandate concerns you.
Compliance is definitely a motivator, but using it as your driving force can be problematic. Most regulatory mandates are not IT-centric—and never IBM i-centric—so compliance isn't always intuitive. In fact, a common frustration cited by IT staff around the world is that many simply don't know what they're supposed to do.
There's nothing in PCI, HIPAA, or SOX documentation that says "set QALWOBJRST TO *NONE*" or that it's okay to have up to seven users with *ALLOBJ special authority. Auditors walk in the door and demand that we "harden" our server security, but don't tell us how to do it.
Compliance Is Not a Destination
Don’t make the mistake of believing that compliance is a destination, or that Powertech can only help during the initial approach. Yes, we have great solutions to uncover configuration vulnerabilities, but the benefits of HelpSystems security solutions don’t end with achieving compliance.
Solutions such as Powertech Identity Manager for IBM i, Powertech Database Monitor for IBM i, and Powertech Exit Point Manager for IBM i are all designed to live on to help an organization be more secure (and compliant) and to maintain that state indefinitely. After all, regulatory mandates are designed to reduce the risk of an integrity violation from ever happening, and that’s not something that’s simply going to happen through wishful thinking.
And, like it or not, compliance can’t be achieved and subsequently maintained from a one-time effort. Success comes when valuable, time-saving controls are introduced and well-designed security procedures become ingrained into the corporate culture as a way of life.
No one should ever expect compliance will be inexpensive or quick, but the alternatives can be far worse. Since compliance mandates offer miniumum security standards, failing compliance is indication that your cybersecurity is lacking. Without appropriate security controls, your system is a prime target for a data breach. And if your system is breached, you could be footing the bill for investigations, customer notifications, lawsuits, and remediation, as well as losing customers in the wake of serious public relations problems.
Dedicating more time and resources to security usually looks like a bargain in comparison.
Cybersecurity Is a Concern for All Businesses
Even if regulatory mandates aren’t applicable (although I would offer that every organization has a responsibility to answer to someone), then we still need to maintain the business value and integrity of our server and data assets.
After all, if the applications are not able to function, then we’re in trouble. And, if the data that defines the recipe for the businesses “secret sauce” walks out the door then that door might get locked—permanently!
HelpSystems is home to some of the world's top IBM i security experts, and for nearly 20 years the Powertech product line has helped IT teams with their long-term security and compliance initiatives. Our free Security Scan is a service we perform for the IBM i community, helping with initial assessments of vulnerability.
Other solutions in the Powertech portfolio are designed to manage and maintain ongoing security and compliance—even if regulatory mandates don’t pertain to you.
If you previously thought achieving compliance meant that Powertech solutions were no longer necessary, or that the absence of a regulatory mandate meant no benefit from a product with “compliance” in its name, give me a call—you might be surprised how we can help!
We’re a leader in the IBM i security business, and compliance falls nearby as a subset of that.
Find out if your system is vulnerable and start down the path toward compliance and security.