I had a very interesting discussion this morning with an organization that is subject to compliance with International Traffic in Arms Regulations (ITAR). In a nutshell, they were in a position of having to report to the U.S. Department of State that they were out of compliance, and obviously that was a situation that needed to be rectified fast!
If you are not familiar with ITAR, it requires them to certify that numerous critical files are secured from any type of access by a foreign national. In their case, they had a Canadian system administrator who carries responsibilities and authorities that make that hard to accomplish using only IBM i security controls.
While ITAR is not as common as Sarbanes-Oxley or PCI, its requirement to secure data from access by powerful users can be applied to virtually any environment. Users often are given privileges in excess of their business need, or have responsibilities that overlap security restrictions. In this particular case, there was a very valid concern that the administrator was responsible for save and restore activities and could create a duplicate of the private data. What they didn’t know was that this user also potentially could delete the original data using the “storage free” option on the save commands!
Fortunately, this customer has a solid foundation of object-level security. This makes the addition of any commercial solution more robust. I discussed the “defense-in-layers” approach that I’ve spoken of previously in this blog, since no one can absolutely guarantee that those files can never be accessed, at least not without removing the credentials belonging to any foreign national from the server. But we do need to ensure that we make it painstakingly difficult for users to perform tasks not specifically related to their job, and then put a detection layer in place in case a possible circumvention is discovered.
We discussed several Powertech products during the call as they can immediately add significant value to this type of environment. Our solutions are modularized for those customers that require only specific functionality, but also have synergy when deployed together. Exit Point Manager for IBM i provides firewall protection to prevent the data from being moved off the machine through tools such as FTP and ODBC. SIEM Agent for IBM i enhances the firewall even further by monitoring both IBM i events and Powertech solutions in real time and escalating its findings to an enterprise monitoring solution. Command Security for IBM i can ensure that restore operations involving these files and this user are performed only to the original library, and that copy or file editor commands are restricted and trigger a notification upon use. Authority Broker for IBM i audits all commands entered by a privileged user, and DataThread can issue an alert when a user simply views a record in a restricted file.
In this case, the primary objective was definitely to prevent access. Classified national security data (or medical or credit card data, for that matter) is best served by preventing a user from seeing it in the first place. But if doors were guaranteed to be 100% secure, we wouldn’t need security cameras in the hallways. And it’s the same with data; without anyone being able to guarantee 100% that data never will be accessed, it’s just as critical to have that audit trail of access and real-time monitoring in place.
I’m excited to work with this customer as I love a challenge. They seemed thrilled to have someone on the line who understood the difficulty in trying to remediate this situation. And, they were even more excited that a company as reputable as HelpSystems already had tools that could potentially help change their compliance standing with the U.S. Department of State.