The iSeries/400 is famed for its robust, secure environment, and
apparent invincibility to hacking, but will that be challenged in
the e-biz/e-com era?
The iSeries, like its predecessor the AS/400, has an impressive
reputation when it comes to security, having been designed by IBM
from the ground up, with security in mind.
Of course, with these strengths also comes the risk of complacency.
Jeremy Sharp, UK country manager for Seagull Software explained:
"Traditional AS/400 operators and administrators are well versed in
the traditional security measures, but new improvements in OS/400
bring new avenues to be exploited, and therefore new areas that
must be secured."
Users have to be aware of all the latest security risks. It appears
that IBM is rising to this challenge. While the recent launch of
the new iSeries operating system (OS), OS/400 V5 R1, may have
grabbed the headlines for Linux compatibility and partitioning,
there were also significant enhancements to the system's security
features.
According to the manufacturer, the latest OS offers "enhanced
system integrity" with digital signature and object signing. A
digital certificate is an electronic credential that you can use to
establish proof of identity in an electronic transaction. This type
of verification is becoming an increasingly important element of
e-commerce, hence the presence of an easy to use Digital
Certificate Manager (DCM) within V5R1.
DCM lets users manage applications certificates that can be
obtained from any Certificate Authority (CA). It can also be used
to create and operate your own CA to issue private certificates to
applications and users within your organisation.
IBM executives claim that this is simply an extension to the
security features that have been built into the AS/400 platform
over the years.
Nigel Adams, iSeries product manager at IBM explained: "The fact
that security is a fundamental part of the operating system means
that it has not just been bolted on as an afterthought." He added:
"It is an integral part of how the OS has been put together."
There has been a security toolkit on OS/400 dating back to version
3 release 1, comprising a set of tools to audit and manage security
and users. These let users check profiles for default passwords and
complete other critical processes such as security auditing.
Users, however, should not be daunted by the presence of the
security toolkit. If you don't feel that there is enough technical
expertise within your organisation to get the most out of it, then
there are plenty of specialist companies that can help you exploit
it. These could prove particularly useful if you are wrestling with
the many demands of e-business.
In this way, organisations such as Quattro Consulting can undertake
security healthchecks on the iSeries and AS/400 using the security
toolkit, in addition to more specialised work. According to Glenn
Robinson, managing director of Quattro Consulting, the security
toolkit is a basic front-end to the security system, which can
provide users with reports and user profiles.
He said: "The problem is that you can get reams and reams of
reports, that is why it is sometimes better to use specialist
products from companies like Pentasafe or SafeStone."
A number of companies are already turning to specialist
consultancies such as Quattro Consulting to secure their iSeries
and AS/400 servers. Robinson explained: "We don't have software to
sell, we are basically techies that really know the
AS/400."Moreover, the fact that the iSeries has become much more of
an open system over the last few years is now presenting a number
of security issues to users.
Robinson said: "Because of all the enhancements with the operating
system, there are lots more ways into the box that people are not
necessarily aware of." Not surprisingly, it is the exit points on
the iSeries and AS/400 that users need to be most aware of when it
comes to security. Exit points are effectively there to protect the
system but, from a user's perspective, they are not that easy to
actually code.
Robinson said: "This is one of the occasions where we would
recommend third-party products, because they have built-in
utilities to define rules against the exit points." Thus, there is
no programming required and users can get on with running their
business.
Gavin Massie of SafeStone Technologies agreed: "The exit points are
the major challenge for users at the moment. Theoretically, these
could allow access to the iSeries through the likes of FTP or ODBC,
the database language, hence the need for specialist products.
"The iSeries is as secure as you want to make it but there are a
number of applications out there to make it more secure." Wisely,
IBM itself chooses not to publish all the exit points on the
iSeries and AS/400. For its part, SafeStone provides a range of
audit, monitoring and security software tools for the server range.
When you consider the degree of hype that has surrounded Linux on
the iSeries and the changing nature of the system, security becomes
of paramount importance. For its part, IBM does not see Linux as
posing a massive security headache to users. Adams said: "Linux
will not be a security problem, because it runs on a secondary
partition." Users can essentially carve out disk space that is
allocated on the Linux partition alone. Adams added: "If you want
to go anywhere else on the iSeries you have to go through OS/400,
where you are subject to all the usual constraints."
The simple fact is that people are often too busy to scrutinise
every new release of the operating system, so it could be
worthwhile taking expert advice. This is especially pertinent as
data becomes increasingly mission-critical. Robinson said: "The
biggest problem is that people don't know what to secure anymore,
because there is literally so much to secure."
John Miles, UK business development manager at software specialist
RSA Security explained: "Since AS/400 servers are commonly used as
database servers, security is extremely important to keep customer
information databases confidential."
This is where security needs to be present throughout your
organisation. Miles said: "Passwords are a very weak form of
authentication that can be easily compromised using hacker tools
widely available on the internet, so for additional security it is
advisable to implement a 'strong authentication' solution."
Certainly, users should spare some time to think about access. Ian
Kilpatrick, managing director of Wick Hill Group
explained:"Inappropriate access will be the main problem." He
believes that access control is the security area most in need of
attention, rather than the hacking of applications or the operating
system.
With the iSeries apparently moving to a more open access
environment, the potential security risks have increased.
Kilpatrick advised, "One way of minimising Web threats is to not
rewrite applications for the Web, but rather to Web enable existing
killer applications."
This means that established application security can be employed
rather than trying to bolt it into new web apps. Kilpatrick
believes that this is also cheaper and easier than the process of
rewriting.
Notably, the server is still one of the most secure boxes around,
but that doesn't mean that users should adopt a laissez-faire
approach to security. On the contrary, recent developments in the
system, combined with the rigours of e-commerce mean that users
need to be more aware of security than ever before.
Glenn Robinson, who acknowledges that security on the iSeries and
AS/400 is "excellent" said: "In the future I think that people need
to be more aware of what the machine can do, how it has opened up
over the last few years, and how it has exposed the system."
Case study: Kleinwort Benson
A number of companies are
turning to specialist software products in order to secure their
mission-critical AS/400s and iSeries servers. One of these is
offshore bank Kleinwort Benson Channel Islands, which is part of
the Dresdner Private Banking organisation.
The St.Helier-based subsidiary uses two AS/400s, one of which runs
Milvus, the company's standard banking and trust application. Not
surprisingly, security is of paramount importance on the machine.
Andre Gorvel, head of information security at Kleinwort Benson
Channel Islands, explained: "Because we work as a private bank
dealing with individuals in the offshore market we pay particular
attention to security."
According to Gorvel, most AS/400 applications have traditionally
supported applications security through the use of secure menus,
something which is changing with the advent of more open systems.
He said: "Obviously, this isn't the case when you move to a
standard PC with standard network protocols." These include the
likes of ODBC and FTP, which allow users to get directly into file
systems.
The bank realised that a specialist software package was needed to
cope with its stringent security needs. Gorvel said: "What we were
looking for was an application to monitor and control what our
users were doing. We also wanted to present this information in as
logical and concise a way as possible."
The challenge for Gorvel was to effectively place the machine under
full security audit, while at the same time meeting the demands of
the parent company's IT security policy. He said: "We have a global
IT requirement that is relatively stringent, and we needed to match
this in terms of our auditing software."
Eventually, Kleinwort Benson Channel Islands opted for specialist
audit software from one of the major mainland suppliers, which is
already delivering significant results. Gorvel said: "We have
reduced the amount of man hours needed to audit the AS/400 from one
day, to effectively a few hours."
This is especially important, given that Kleinwort Benson Channel
Islands is moving to 'the holy grail' of 'straight-through'
transaction processing. Gorvel explained: "This requires greater
levels of security than the AS/400 will natively allow, so we are
using some of the modules from our software supplier to enhance the
AS/400 user creation and amendment facilities within the operating
system."
By doing this, Kleinwort Benson Channel Islands is effectively
providing the same level of security that is found within the
organisation's primary payment systems such as Swift. Gorvel
commented: "As a bank we are dealing with large sums of money, so
we really need to know what is going on."