Q4_Fortify your IBM Power Systems with Strong Access Control_E_FINAL.pptx

Syncsort 51 views 36 slides Oct 09, 2024

About This Presentation

Your IBM i is like a treasure chest filled with important business information. Unfortunately, it can be a target for cybercriminals looking to steal or lock up your data.

Did you know that a common way they try to break into your IBM i is by guessing or stealing your password? It’s like leaving ...


Slide Content

Fortify your IBM Power Systems with Strong Access Control
Bill Hammond | Director, Product Marketing

Today’s Topics
• Comprehensive Access Control
• Secure system access
• Elevated authority management
• Multi-factor authentication
• Access Control and Malware defense
• New Enhancements to Assure MFA
• Q & A

Comprehensive Access Control

Secure system access

Securing Access to IBM i
• IBM i is increasingly connected and integrated
• Legacy, proprietary protocols are interconnected with open-source protocols – creating access point security headaches
• The worldwide hacker community now recognizes the IBM i as a high-value target
• Four critically important routes of access must be secured:
  • Networks and Endpoints
  • Communication ports
  • Databases
  • System Commands
• Exit Point Programs are key to securing routes of access
  • Exit Points are essentially security checkpoints
  • Exit Programs are the guards

Exit Points and Exit Programs
How do exit points and exit programs work?
• Exit points provide “hooks” to invoke one or more user-written exit programs for a variety of OS-related operations
• Exit programs allow or deny access based on parameters such as permissions, date/time, user profile settings, IP addresses, etc.
How are exit programs used for access control?
• Exit point programs are registered to particular exit points
• Command exit points can allow or deny command execution based on context and parameters
• Exit programs can also trigger actions such as logging access attempts, disabling user profiles, sending an alert, etc.
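The allow/deny logic described on this slide, modelled in Python as an added example; it is not from the presentation and uses no IBM i or Assure Security API. The rule fields, the `*ANY` wildcard, profile names and addresses are constructed for illustration; on a real system the exit program is registered to an exit point and receives these values as parameters from the operating system.

```python
# Added illustration: a model of an exit program's decision, not IBM i code.
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    exit_point: str   # constructed label for the hooked operation type
    user: str         # user profile name, or "*ANY" (hypothetical wildcard)
    network: str      # CIDR block the request must originate from
    start: time       # start of the permitted time window
    end: time         # end of the permitted time window
    operation: str    # operation or command name, or "*ANY"
    allow: bool       # verdict returned when the rule matches

RULES = [  # constructed sample rules, evaluated top-down, first match wins
    Rule("FTP", "BATCHXFER", "10.20.0.0/24", time(1, 0), time(5, 0), "GET", True),
    # Deny rule placed first so it applies even to profiles allowed below.
    Rule("COMMAND", "*ANY", "0.0.0.0/0", time(0, 0), time(23, 59), "DLTLIB", False),
    Rule("COMMAND", "OPSADMIN", "10.20.0.0/24", time(8, 0), time(18, 0), "*ANY", True),
]

class ExitProgram:
    def __init__(self, rules, max_denials=3):
        self.rules, self.max_denials = rules, max_denials
        self.audit, self.denials, self.disabled = [], {}, set()

    def check(self, exit_point, user, src_ip, now, operation):
        decision = False  # default deny: no matching rule means no access
        if user not in self.disabled:
            for r in self.rules:
                if (r.exit_point == exit_point and r.user in (user, "*ANY")
                        and ip_address(src_ip) in ip_network(r.network)
                        and r.start <= now <= r.end
                        and r.operation in (operation, "*ANY")):
                    decision = r.allow
                    break
        # Triggered actions: log every attempt, disable after repeated denials.
        self.audit.append((exit_point, user, src_ip, operation, decision))
        if not decision:
            self.denials[user] = self.denials.get(user, 0) + 1
            if self.denials[user] >= self.max_denials:
                self.disabled.add(user)
        return decision
```

Rule order matters in this model: the `DLTLIB` deny sits above the broad `OPSADMIN` allow, so the command is refused even for the elevated profile, and every attempt lands in `audit` whether or not it was allowed.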

System Access
Enforce strict security policies to protect your systems and data with effective, automated control over every level and method of access.
• Network Access: When access is controlled through network exit point programs, only the specific operations defined by the exit program can occur
• Com Port Access: Socket exit point programs can be paired with other exit point program-based access control methods to provide more robust, multi-layered protection
• Database Access: The exit program can contain a granular set of rules that control under what conditions the file can be accessed and by whom
• Command Access: Command exit programs supersede normal object-level security to provide an additional, very powerful layer of security for users with elevated authority

Authority Management

What Is Elevated Authority?
• Granting elevated authority gives a user more powerful IBM i system privileges
• Also referred to as “Special Authorities” or “Privileged Access”
• Enables more advanced data, object, and field access and control, beyond standard System Defined Authorities
• To perform certain parts of their jobs, many users need to have elevated authority, at least temporarily
• Key word is “Temporary”
• To prevent cascading and catastrophic security breakdowns, the processes for granting and revoking elevated authority must themselves be very carefully managed and controlled

Challenges of Managing Elevated Authority
• Users naturally feel that they can be trusted, and should have more authority in order to do their job more efficiently. Administrators can be pressured to agree.
• Manually granting and revoking elevated authority is risky:
  • Elevating authority is easy, and can be done with a few keystrokes in a rushed moment, without proper oversight or logging
  • Revocation steps may be postponed, deprioritized by the tyranny of the urgent, or may simply be forgotten
• Activities of users with elevated authorities must be logged, to comply with regulations
• Activities of administrators with elevated authority also need to be monitored and logged, under “2-Key” principles
“I need to be *SYSOPR for this assignment!”
“I need *ALLOBJ to do my job!”
“Can I have *SPLCTL for my project?”

Benefits of Authority Management
• Reduces risk of unauthorized access to systems and data
• Significantly reduces security exposures caused by human error
• Enforces segregation of duties
• Makes it easy to manage requests for elevated authority on demand
• Produces necessary alerts, reports and a comprehensive audit trail
• Satisfies auditors by reducing the number of powerful user profiles

Multi-Factor Authentication

Why Is Multi-Factor Authentication Required?
• Multi-Factor Authentication supports the requirements of numerous industry and governmental regulations, such as:
  • PCI-DSS 3.2 and greater
  • 23 NYCRR 500
  • GLBA / FFIEC
• MFA is also mentioned, or the benefits of MFA are implied, for:
  • GDPR
  • HIPAA
  • Swift Alliance Access
• Selective use of MFA is a good security practice
  • Avoids issues with weak passwords
  • Avoids issues with complex passwords
You may be required to use multi-factor authentication tomorrow, if you’re not already using it today.
• SOX
• And more

Key Features to Look for in an IBM i MFA Solution
• Option to integrate with IBM i signon screen
• Ability to integrate MFA with other IBM i applications or processes
• Multiple authentication options that align with your budget and current authenticators
• Certification by a standards body (e.g. RSA, NIST)

Key Features to Look for in an IBM i MFA Solution
• Rules that enable MFA to be invoked for specific situations or user criteria such as:
  • Group profiles, Special authorities
  • IP addresses, Device types, Dates and times
  • And more
• Integration with other security capabilities, for true risk-based authentication
  • Access control
  • Elevated authority management
  • SIEM

MFA and Malware

Employ MFA for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems*
“Ransomware attacks against an organization rely heavily on the scammer's ability to steal the credentials of those accounts. One of the best defense measures against ransomware is multi-factor authentication (MFA).”*
* IS Decisions
* US Cybersecurity & Infrastructure Security Agency (CISA)

Defending against Credential Theft
Credential theft is when a bad actor obtains users’ user ids and passwords (via theft from another site, via phishing, etc.) and uses them to gain access to an organization’s systems.
When configured to require an additional piece of information besides user id and passwords, i.e., multi-factor authentication, having a valid user id/password combination is no longer sufficient to gain access to the systems.
Think about it. Apple and Google use MFA for phones. How much more valuable is data on an IBM i?

Anatomy of a Ransomware Attack

Malware on IBM i
• No (current) malware for IBM i ‘proper’ – that is, the operating system itself
• IBM i can be affected by malware in the IFS in two ways:
  • An infected object is stored in the IFS
  • Malware enters the system from an infected workstation to a mapped drive (that is, IBM i) via a file share

Advanced MFA protects against credential theft
• Credential theft can happen in several ways:
  • An intruder is in the network and sniffs cleartext user ids and passwords off the network
  • An intruder knows of an application that stores cleartext passwords and steals those
  • Credential stuffing … An intruder finds user ids and passwords have been stolen from somewhere else, sold on the dark web and attempts to use them at another organization
  • This is often successful because many people re-use the same password multiple places – banks, Amazon and other online retailers and then at work
• Multi-factor Authentication can prevent all of these!
• Even if an intruder has a valid user id / password combination, they won’t have the second authentication piece.

MFA and Malware
• MFA adds a significant layer of protection against malware by making it much more difficult for unauthorized individuals to access accounts and systems
• By requiring multiple forms of verification, MFA helps to ensure that only legitimate users can gain access, reducing the risk of data breaches and other security incidents.

Assure Multi-Factor Authentication Enhancements

MFA Web UI – support for On-Demand Authentication
The Assure Security Web Interface for MFA now boasts enhanced support for a wider range of rule categories for On-Demand Authentication. Our newly redesigned Create Rule Wizard offers a seamless and intuitive experience, presenting only the most relevant options based on previous selections. This innovation simplifies the process and expertly guides users through their rule-definition journey.

Manage Users

Edit Rules

Create Rule Wizard

Expand capabilities for Multi-Factor Authentication
• Secure File Transfer Protocol (SFTP)
  This will be a robust multi-factor authentication mechanism for all user access through Secure File Transfer Protocol (SFTP). This enhancement aims to provide an additional layer of security beyond traditional username and password authentication.
• Multi-Factor Authentication for User Sessions (SSH) to Execute Commands into the IBM i
  For securing user sessions via SSH intended for executing commands into the IBM i environment, the system must implement multi-factor authentication. This entails an additional security layer that complements the primary authentication process.
  • New MFA template rules will be created for SSHD for Radius, ODA and Push Notification
  • Supported in the 5250 and the Web UI
• Provide MFA basic user management in the Web UI
  Previously, an admin would have to manage their MFA users in the 5250, then associate the users to an MFA rule. With this feature, registering MFA Users will now be managed within the Web UI.

Assure Security: Addressing Critical Security Challenges
Access Control
• Prevent unauthorized logon
• Manage users’ system privileges
• Control and restrict access to data, system settings, and command line options
Monitoring
• Automate security and compliance alerts and reports
• Monitor and block views of sensitive data
• Integrate IBM i security data into SIEM solutions
Malware Defense
• Harden all systems and data against attacks
• Automate and integrate security technologies and management
• Design for depth and resilience if one or more defenses fail
Data Privacy
• Encrypt IBM i data
• Secure encryption key management
• Tokenization and Anonymization
• File transfer security for Data in Motion

Q & A

Securing Network Access
Security Challenges
• Network protocols make it possible for users to connect directly to backend databases on the IBM i
• Network protocols include FTP, ODBC, JDBC, DDM, DRDA, NetServer, and others
• Without proper controls, the system is open to hackers injecting malware as well as authorized users who may create problems
• Without network controls, it is also possible to remotely execute commands (e.g. RCMD or REXEC) via FTP, ODBC and RMTCMD functions
• SQL statements could also be remotely executed via ODBC, JDBC and DRDA if not locked down
How Exit Point Programs Help
• IBM i provides dozens of exit points for managing network access protocols
• When access is controlled through network exit point programs, only the specific operations defined by the exit program can occur
• Using Application Administration can partially control which users can access network functions, but it leaves gaps:
  • Does not provide options for critically important logging
  • Cannot provide customized, granular rules-based control

Securing Com Port Access
Security Challenges
• Network protocols often don’t have their own exit points and can’t be protected in the same way
• These network protocols include SSH, SFTP, SMTP and others
• IT teams may also wish to control communication access in ways which network or other types of exit points cannot (for example, specifying a port number)
How Exit Point Programs Help
• IBM provides socket exit points
• Socket exit point programs can secure connections by specific port and/or IP addresses
• But, socket exit point programs have limits; e.g. fewer parameters are available to control inbound connection
• Socket exit point programs can be paired with other exit point program-based access control methods to provide more robust, multi-layered protection

Securing Database Access
Security Challenges
• Failing to properly secure database access permits data to be viewed, changed, stolen, or even locked up and held for ransom
• Open-source protocols that can access data create particular vulnerabilities
  • JSON, Node.js, Python, Ruby, etc.
• Object-level security only goes so far in controlling access to sensitive data
How Exit Point Programs Help
• A powerful IBM i exit point called Open Database File allows exit programs to be applied to protect data from any kind of access
• Exit programs can be invoked whenever a physical file, logical file, SQL table or SQL view is opened
• The exit program can contain a granular set of rules that control under what conditions the file can be accessed and by whom
• The exit program can also be defined to audit all activity
Open-source protocols don’t have exit points

Securing Command Access
Security Challenges
• The incorrect use of commands by users can cause considerable damage (deleting files, ending processes, or worse)
• Access to commands can be controlled to some extent through user profiles and object-level security
• A more extensive approach to command control is often required – especially for use under Elevated Authority
How Exit Point Programs Help
• IBM i provides many exit points to facilitate securing the use of any command
• Detailed, parameter-based rules within exit programs enable deep and flexible granularity of control
• Command exit programs supersede normal object-level security to provide an additional, very powerful layer of security for users with elevated authority
• Command control can be applied regardless of whether commands are invoked from within the IBM i or through network access

Your IBM i is like a treasure chest filled with important business information. Unfortunately, it can be a target for cybercriminals looking to steal or lock up your data.
Did you know that a common way they try to break into your IBM i is by guessing or stealing your password? It’s like leaving the key to your treasure chest under the doormat!
To keep your data safe, it’s important to use strong passwords and add an extra layer of protection called Multi-Factor Authentication. In addition, you need a strategy that can automate control of system authority levels and privileged accounts management to protect your systems and data with effective, automated control over every level and method of access.
Join us for this webcast to hear about:
• All the critical elements of access control
• Flexible, highly customizable management of user authorities
• Assure Security’s new enhanced MFA capabilities

Your MFA Solution Should…
• …enable protection for more than just Telnet sign on
• …make it easy to add a new rule