In-Depth

Why PowerTech Group Wants to Update Your AS/400 Security Model

If you have an AS/400 or iSeries, PowerTech Group wants you to update your security model—and a recent study suggests you should pay close attention

• By Chris DeVoney
• 05/01/2007

IBM introduced the Applications Server/400 in 1988 as the successor to the System/38 and merger point for the System/36. The “system” included all the hardware and software needed for turnkey operation and had 2,500 business applications available when it first shipped. Altering a classic joke, you could use any database you wanted as long as it was DB2, which is still integrated into the system today.

With new models and new processors, in the intervening years the family name changed from AS/400 to iSeries to Series I. That’s the letter “I” standing for “integrated.” Now client-server and Web applications function are in the systems, and logical partitioning, part of the OS long before virtualization became a buzzword, runs AIX or Linux alongside i5/OS.

About 16,000 community banks run core applications on these midframes that are also popular in local and state governments, retailing, distribution, and manufacturing companies. Even several Fortune 100s have a few lurking about. IBM states that over 200,000 systems are updated and/or kept under maintenance contracts. Industry estimates place their total active system number at 400,000.

With a rock-solid reputation and entrenched use, these systems don’t get the same attention as machines running more-volatile operating systems such as Windows or Linux. In addition, many of the active-duty machines trace their use as a still-functioning original or as a replacement system to the 1990s. Talk about legacy systems.

Back in the late 1980s you only worried about users at the end of your TWINAX cables, and if the action wasn’t on a green-tube menu, it couldn’t be done. Back then, connected PCs could upload and download files.

Then IBM introduced a TCP/IP stack for the AS/400, and therein lies the problem.

We have AS/400s to System I’s used in the 2st century with security models struck in the 1990s. Pre-Internet. Pre-TLA/-FLA/-hyphenated-name regulations. Pre-financial-data-stealing-cyberfelons.

That’s exactly what’s on the mind of Laura Koetzle, vice president at the Forrester Group who covers this market. “Many of these systems were first installed in the 1980s and the 1990s. People use them because they have core applications that are difficult or too costly to replace. The systems don’t need anything; they just keep doing their job, but nobody thought of securing them, and a lot of the security assumptions applied to the systems are 5, 7, even 10 years old.”

That’s why the recent report on the state of AS/400 security by the PowerTech Group of Kent, Washington fascinated me. Despite my skepticism when reading any product vendor’s study, some findings should get companies and CSOs moving.

For example, about 10 percent of user profiles had Allobj rights, the equivalent of Window’s Administrator or Unix’s/Linux’s super-user privileges. Eight percent of user profiles used the default account password. 29 percent of systems had auditing turned off. Some 76 percent of the programs made no “exit call,” a way for an add-on program to provide access or auditing controls.

PowerTech, which lists over 800 customers worldwide and several Fortune 100 companies, has a family of products that either build on security functions in the AS/400 or provide missing security and compliance functionality. Easy Pass, the single sign-on offering, builds on IBM Enterprise Identity Management and Kerberos to sniffle out and map out passwords across Windows, Unix, Linux, Websphere, Domino, and about anything else Kerberized.

Authority Broker basically allows controlled user-privilege elevation and complete logging not only of the swapping for privileged use but for all activities while privileged. The product meets COBIT guidelines for separating IT functions and limiting privilege use.

PowerTech Encryption brings 256-bit, AES encryption and can handle files, reports, backup tapes, and DB2 databases and database fields. Field encryption, often used because it takes the least processing power and often applied to critical fields such as Social Security or credit card numbers, is intelligent enough to respect field length and is properly seeded so flag fields such as yes/no answers can’t be decrypted. Split keys are supported. All of the above either fulfills or meets recommends or requirements for PCI, CIPS, HIPAA, California privacy act, and most other privacy standards.

Interact is network access control for that AS/400-iSeries family, providing monitoring and controls for over 30 network access points (exit points) including FTP, ODBC calls, Remote commands, and Filserve use. The rule criteria include objects such as users/groups, profiles, transaction detail, and even IP address. The events can be filtered and sent to a Windows log file, a Syslog file (coming soon), or (IBM’s) Internet Security Systems’ Site Protector.

Compliance Monitor is the auditing tool for a single or group of AS/400s. Policies and reports are developed on a GUI-faced PC tool and security settings are pulled by agents sitting on the midframes and compared. Compliance Monitor can consolidate information from all systems into a single report and knows how to analyze and report on AS/400 logical partitions. The product comes with a wide range of preset reports that include an audit ranking cross-referenced from the PCI, COBIT, ISO 17799 standards.

The products are priced based on midframe size. and each product runs between $2K and $20K. If you’re working with a limited budget, Koetzle recommends prioritizing the purchase of Authority Broker, the network access control Interact, and Compliance Monitor, but she believes that is the priority order for any system.

Koetzle sees only a few companies in the Series I security space and is somewhat distrustful of vendors who claim they have a module from their product that fits the system. “It’s a world onto itself and needs its own expertise,” she says. PowerTech is on her short list and recommends, “anyone considering these tools should make sure PowerTech is invited to the table.”

She also warns that once the most prevalent systems get better hardened, the attackers will be become more interested in more esoteric platform holding the corporate jewels. Kosetzle also believes the number one problem facing System I owners is complacency.

With that information, anybody with one or more these midframes in their stable should make some security and compliance inquires very, very soon.