Security Compliance Boot Camp - Click Here to Register

 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

Carol Woodbury's IBM i & i5/OS Security Tip
Don't Forget Integrity 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 October 2008 
Greetings!
 
I was talking with one of our clients the other day, helping them compile the list of reasons to present to upper management as to why they needed to implement object level security.  One of the reasons I raised was data integrity.  As we talked through this point I realized that, with all of the emphasis on data privacy and confidentiality, the fact that appropriate access control settings can provide data integrity has been forgotten.
Don't Forget Integrity 
 
When people hear me talk about object level security, some incorrectly assume that I mean that the data must be set to *PUBLIC authority of *EXCLUDE.  But that's not the case.  Data needs to be classified and secured appropriately.  But just because data isn't classified as confidential or private doesn't mean that its access controls should be ignored.  Even if the general public is allowed to view the data, it's rare that you would ever want the general user community to be able to change the data outside of the protection or bounds of the application logic. When the access control settings provide users with the ability to change the data through any interface, the integrity of the data comes into question.  Most organizations want to ensure the integrity of their data.  This means that the *PUBLIC authority of the data is set to no more than *USE authority.  
 
Does this really happen, you ask?  Yes it does.  We have helped several clients set all of their application files to be *PUBLIC *USE.  The issue they wanted to address was not one of confidentiality or privacy.  As long as the user had a profile on the system, users were allowed (by policy) to view all company data.  So why did these clients feel that they had an issue that needed to be fixed?  Because they were concerned about the integrity of their data - that is, given the access control settings on their files, anyone could have changed the data from outside of the application.  So we helped them set all of their application files to *PUBLIC *USE and did so using Policy Minder.
Summary 
 
Just because the data on your system isn't private or confidential doesn't mean that applying the appropriate object security is a waste of time.  On the contrary, setting appropriate access controls will ensure the integrity of your data. 

 
SkyView Partners Can Help ...
 
Whether you're trying to determine the state of your current configuration, about to start changing the settings or simply want to ensure the system stays secured according to your policy, SkyView Policy Minder can help.
 

SkyView Policy Minder is an IBM i & i5/OS security compliance tool that provides a mechanism for comparing your systems' current settings against the requirements of your established (or desired) security policy.  Policy Minder is about "enforcing" your security policy.  Policy Minder is designed to automate the process of keeping your i5/OS and OS/400 security configuration in compliance with your existing security policy.

 
Discovering your Current Configuration
You can use Policy Minder to determine the state of your current object level security implementation.  That is, do the current access control settings provide data integrity (are they set to *PUBLIC *USE or less?)  To find out, define a library and object template or a directory and object template. In the template definition, you can check the objects' owner, the owner's authority, the authorization list, *PUBLIC authority, private authorities and auditing values.  You can specify to check all of these values or just one of them.  For example, for the first "wave" of discovery, you may want to determine the owner and *PUBLIC authority setting of all objects in the Finance application and leave the private authority analysis for later.  No problem.  Simply define the attributes to analyze and run a compliance check.  I recommend running the CHECK command and sending the results to a streamfile or outfile, allowing you to bring the list of the non-compliant objects into an Excel spreadsheet or running queries for further analysis.
 
Fixing your Current Configuration
After investigating the current configuration and determining how to accommodate outside processes so nothing breaks, you can use Policy Minder's FixIt function to make the changes to the object's security settings (e.g., set the files to *PUBLIC *USE.)  Using FixIt provides documentation for auditors on exactly what was changed as well as a record of the previous value.  Using Policy Minder to make security configuration changes provides a repeatable process should the changes have to be re-applied (such as when the vendor upgrades the application.)
 
Ensuring your Configuration Remains Compliant
Once the new security configuration is in place, you'll want to make sure it stays in place.  To do that, run regular Policy Minder compliance checks.  If any settings are out of compliance, you can use FixIt to set them back so that they match your policy.

See Carol Woodbury's
Policy Minder for i & i5/OS 
a security compliance management tool.
 Video Introduction to Policy Minder (4:08) 

 
About Carol Woodbury ...  
 
Carol Woodbury
 
Carol Woodbury is President and co-founder of SkyView Partners Inc. a company specializing in security policy and compliance software and services.   Carol is a system security expert, a noted author, an award-winning presenter and architect of the SkyView products. 
About SkyView Partners ...
 
SkyView Partners is committed to delivering security compliance products and services that provide our customers with sound advice that saves them time and reduces the costs and complexities of attaining and maintaining compliance. 
 
For more information
 
 425-458-4975