Secure/Net Combats Internal Security Threat

While AS/400's integrated security remains one of its most valued features, the increased use of the system for more--and more varied--applications has created a need to supplement the built-in security with some additional help.

Recognizing this trend, Long Beach, Calif.-based Palace Guard Software (PGS) launched Secure/Net this past October, and plans to release an upgrade this month. The software is designed to enhance AS/400 security in client/server environments by monitoring incoming requests from clients accessing server functions. According to Richard Serrano, VP for sales and marketing at PGS, products like Secure/Net are not a response to a failure in the existing AS/400 security system, but rather a way of supplementing an OS/400 system that was not designed to address the issue of exit points. "It's a realization that as the AS/400 becomes more prolific and a more widely-used box, those additional security concerns become more apparent."

The latest release, which extends the capabilities of the first one by adding more exit points, provides additional security checks for one of the most vulnerable areas in which security breaches occur--unauthorized access by authorized users.

"You've got firewalls to protect you from outside problems, but that only covers 10 percent of the threat corporations face today," Serrano said. "That means 90 percent goes unchecked. And 45 percent of those internal threats are from a disgruntled employee."

As companies add more business solutions and further expand into e-commerce practices, they risk falling victim to a host of security problems ranging from viruses and hacking to data theft and proprietary information leaks. Despite the growing number of potential problems confronting companies looking to move onto the Net, industry surveys have repeatedly shown that one of the greatest security threats businesses face still originates behind their own firewalls.

According to an annual survey on Computer Crime and Security done by the FBI and the Computer Security Institute, the largest number of attacks not due to a virus were in the areas of unauthorized access by insiders and insider misuse of net access. The survey also shows that 86% of companies surveyed answered that the most likely source of attack was disgruntled employees.

Secure/Net is designed to work with OS/400 security, using a command-driven interface and the exit program facility provided by AS/400 network attributes. It allows administrators to set access rules, limiting specific users to specific functions. Each time a request is made to the server from a remote computer, Secure/Net performs an additional security check independent of the standard OS/400 check, to determine whether the user is permitted access. The product also compiles an audit trail, so network administrators can have a record of all requests received, including those that were rejected. Because the check is done internally, based on the sign-on name and password, the additional security check does not inconvenience users or slow down their productivity.

"The only difference the end user will see is in their restricted access to those things they aren't supposed to have access to," Serrano says. "…Because the program is so simple, very straightforward and usable, we have not heard of any problems or complaints, either from business partners or from end users."

PGS, which began as a consulting company for IBM mainframe systems 11 years ago, extended its services to include AS/400s in 1998. The company is currently developing an auditing software product for the AS/400, which is expected to be available by the second quarter of 2000.