Townsend Security Data Privacy Blog

Managed Single Sign-On Services – A Clear Return on Investment (ROI)

Posted by Patrick Townsend on Oct 23, 2013 1:16:00 PM

As a data security company, we talk to a lot of people concerned with keeping their systems and information safe.  Compliance regulations are often the driving force behind our conversations – and these discussions are with people who can be divided into two camps – as either being proactive or reactive.  The proactive group realizes that data breaches are not a matter of if, but when, and on average cost an organization over $7 million.  The reactive segment is often facing a failed security audit or has experienced worse – a data breach because the proper controls were not in place.

Not very often do we have a conversation about the immediate return on investment (ROI) of deploying a security solution.  Patrick Botz of Botz and Associates tells us that not only has he been having plenty of these conversations, he is helping companies save thousands of dollars a year with his SSO stat! service.

If you are a security professional, his name may sound familiar.  Prior to starting his own consulting company, he was the Lead Security Architect at IBM and founder of the IBM Lab Services security consulting team.

By enabling single sign-on (SSO) with the technology that an organization already has, Patrick Botz helps businesses see a return on their investment of his services typically within 2-6 months.  Recently he authored a white paper titled “A Guide to Practical Single Sign-On – The Case for Managed SSO” that takes a real-world look at single sign-on technology and offers a straightforward, sensible approach to SSO.

Rather than SSO being a technology problem, Botz asserts that managing passwords is truly a business problem.  As he writes in his white paper, “The REAL purpose of SSO is to significantly reduce the high cost of managing passwords across the organization.” The ROI can be best illustrated by a story he likes to tell from when he was at IBM:

“At one point, I started tracking the time I spent changing passwords and “recovering” from those changes.  I was very surprised to learn that instead of the 10-15 minutes I thought I was spending, it really was taking, on average, closer to 35-40 minutes! And I was just one of about 300,000 employees! Assuming 30 minutes on average across all employees, four times a year — that equates to 600,000 hours of time! If the average hourly rate per employee is only $20, that’s $1.2 million dollars!  And that’s just for end users!”

While the primary goal of SSO is to reduce the costs associated with managing multiple passwords, it also reduces the risk of a lost or stolen password due to employee negligence.  How often do we hear about confidential information “protected” with:

  • Easily guessed passwords
  • Written lists of passwords located under keyboards, desk drawers, etc.
  • Lists of passwords stored in files on workstations or network drives
  • Shared userIDs/passwords

So once an organization decides that they need an SSO solution, what should they consider before deploying one?  In the white paper, Botz discusses the pros and cons of the four technical approaches to SSO, but concludes that two technologies will ultimately do the lion’s share of work (60-80%) for most companies.  For these organizations, eliminating passwords with Kerberos and EIM ends up being the best starting point.

Typically, the extra cost involved in achieving 100% “Single Sign-On Nirvana” is simply not justified by the estimated costs.  Further, as Botz states in his white paper, “It turns out that most businesses get the best ROI by using technology that they already own to eliminate the high cost of managing passwords – over their entire multi-platform network.”  By not needing to invest in any additional technology, an organization is not responsible for any additional software licenses or maintenance fees.

After talking with Patrick Botz and reading his white paper, I am looking forward to using his SSO stat! service at Townsend Security!  For more information on Single Sign-On and how it can save your organization time and resources while increasing security, download his white paper “A Guide to Practical Single Sign-On – The Case for Managed SSO.”

Topics: Patrick Botz, Single Sign On (SSO)

Keys ARE the Key to Effective Encryption

Posted by Patrick Botz on Oct 10, 2013 3:44:00 PM

Most encryption discussions start with my customers asking about the algorithms available. My usual response is "That's a great question. But talking about that now is like worrying about how to dispose of a bomb before disarming it." The point I'm trying to make is that effective encryption algorithms are required, but not sufficient. If you don't have robust, secure key management, encrypting data is a waste of resources regardless of the algorithm used. Therefore, the first place to begin any new encryption project is key management.

So what does a robust key management solution enable? Good key management systems have, in my mind, three functional, must have components:

  1. Key generation and storage management,
  2. Secure key distribution
  3. Standards compliance

All of these need to be provided in a manner that provides tight control by a select few encryption key administrators who don't also have access to the encrypted data.

At first glance, key generation may seem relatively easy. Just generate a key of the appropriate length and store it somewhere. But that's only a piece of the problem. First, best practices say that no person should know the key and no one person should be able to generate a new key and put it into use.

Second, unlike military secrets on the battlefield, data encrypted today may need to stay protected for years or even decades. But the longer data remains encrypted with the same key, the higher the risk of that data being compromised. Best practices address this by implementing key rotation (i.e. generate a new key, decrypt data encrypted with the old key, and re-encrypt with the new key).

The next important area for a good key management solution to address is key distribution. One aspect of key distribution is secure storage, retrieval and transmission of keys. Key management solutions must make it easy for approved application and system interfaces to work with unencrypted data while not exposing the keys to those interfaces or to any human users of the system. Good key management solutions typically use a hierarchy of keys (such as key encryption keys and data encryption keys) to help enable this function.

Another aspect of key distribution is authorization. While operating systems can be used to specify which people are allowed to access data in a database, they do not provide mechanisms to indicate whether encrypted fields in the database should be decrypted or not. Consider a scenario where Joe has access to the CUSTMST database because he runs a specific application. Joe's job does not require him to access customer credit card information, which is encrypted. The application does not show Joe this information so it isn't a problem from that point of view. But what if Joe uses DBU or ODBC to access the database? Good encryption solutions allow an administrator to indicate if Joe is allowed to view decrypted data and will enforce the decision of the administrator by not decrypting information for the user JOE (or Joe user? :-) ).
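The key hierarchy, key rotation and per-user decrypt decision described above can be seen working together in the following added example, which is not code from the original post or from any product it mentions. It assumes the third-party Python `cryptography` package; `KeyManager`, its method names, the `BILLING` user and the `CARDNO` column label are hypothetical.

```python
# Added example (not from the original post). Requires the third-party
# "cryptography" package. KeyManager and its method names are hypothetical.
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import aes_key_unwrap, aes_key_wrap

MASK = b"****************"


class KeyManager:
    """Stand-in for an external key manager; callers never receive a key."""

    def __init__(self, decrypt_allowed):
        self._kek = os.urandom(32)             # key encryption key (KEK)
        self._wrapped = {}                     # version -> DEK wrapped under the KEK
        self._allowed = set(decrypt_allowed)   # set by a key administrator
        self.current = 0
        self.rotate_dek()

    def rotate_dek(self):
        """Generate a new data encryption key (DEK) and make it current."""
        self.current += 1
        self._wrapped[self.current] = aes_key_wrap(self._kek, os.urandom(32))
        return self.current

    def rotate_kek(self):
        """Re-wrap every DEK under a new KEK; stored data is untouched."""
        new_kek = os.urandom(32)
        for version, blob in self._wrapped.items():
            dek = aes_key_unwrap(self._kek, blob)
            self._wrapped[version] = aes_key_wrap(new_kek, dek)
        self._kek = new_kek

    def retire(self, version):
        """Destroy an old DEK once nothing is encrypted under it."""
        if version == self.current:
            raise ValueError("cannot retire the current key")
        del self._wrapped[version]

    def _cipher(self, version):
        return AESGCM(aes_key_unwrap(self._kek, self._wrapped[version]))

    def encrypt(self, plaintext, column):
        nonce = os.urandom(12)
        ct = self._cipher(self.current).encrypt(nonce, plaintext, column)
        return (self.current, nonce, ct)       # key version travels with the data

    def decrypt(self, user, field, column):
        """Decrypt only for approved users; everyone else gets a mask."""
        if user not in self._allowed:
            return MASK
        version, nonce, ct = field
        return self._cipher(version).decrypt(nonce, ct, column)

    def reencrypt(self, field, column):
        """Rotation step: decrypt with the old DEK, encrypt with the current."""
        version, nonce, ct = field
        if version == self.current:
            return field
        plaintext = self._cipher(version).decrypt(nonce, ct, column)
        return self.encrypt(plaintext, column)


def demo():
    column = b"CUSTMST.CARDNO"                 # constructed column label
    km = KeyManager(decrypt_allowed={"BILLING"})
    field = km.encrypt(b"4111111111111111", column)   # constructed test value
    seen_by_joe = km.decrypt("JOE", field, column)
    km.rotate_kek()
    km.rotate_dek()
    field = km.reencrypt(field, column)
    km.retire(1)
    return seen_by_joe, field[0], km.decrypt("BILLING", field, column)
```

Rotating the KEK only re-wraps the stored DEKs, while rotating a DEK requires every field to be re-encrypted before the old version can be retired.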

Of huge importance for good key management solutions is government and industry standards compliance. Any key management solution worth its salt will be compliant with any standards that affect your organization. While uncertified solutions may be compliant, there is no way to tell unless they have been certified as compliant by an appropriate third party.

I recently collaborated with Patrick Townsend of Townsend Security on a white paper discussing the topic of encryption standards compliance on the IBM i. You can download a copy of it here.

Finally, good key management solutions provide the functionality discussed above in an easy to use package. What does "easy to use" mean? It means that business logic programmers and system administrators are not forced to become crypto experts or to learn the internals of the key management solution in order to efficiently and effectively implement encryption in your organization.

So when you begin your quest to implement encryption on your system, start by looking for the qualities of good encryption key management described here. Only after you find one should you begin to worry about the technical details associated with the encryption algorithms supported by that solution.

About the Author
Patrick Botz is the President and CTO of Botz & Associates. Patrick’s expertise includes security strategy, security policy enforcement, password management and single sign-on (SSO), industry and government compliance, and biometrics.

Previously as Lead Security Architect at IBM and founder of the IBM Lab Services security consulting team, Patrick achieved intimate knowledge of system security capabilities and pitfalls on a broad spectrum of platforms, with special emphasis on IBM i (formerly AS/400), AIX, Linux and UNIX operating systems.

Topics: Patrick Botz, Best Practices, Encryption Key Management

3 Critical Best Practices for Encryption Key Management on the IBM i

Posted by Liz Townsend on Oct 7, 2013 1:35:00 PM

Patrick Botz, founder of Botz and Associates and former Lead Security Architect at IBM, recently published a White Paper in conjunction with Townsend Security discussing dual control, split knowledge, and separation of duties--three critical controls needed to protect encryption keys and encrypted data on the IBM i platform. These controls are considered “best practices” in the IT industry, and it is common knowledge amongst security professionals that without these controls in place, any organization could be at risk for a major data breach.

Just like financial controls that are put in place to prevent fraud in a business, these concepts are used in IT security to prevent data loss. As data breaches are reported in the news almost every day, we can easily see the consequences of data loss: public scrutiny, hefty fines, lost business, and litigation are just a few of the ramifications. Implementing these controls reduces the potential for fraud or malfeasance caused by the mishandling of data or a data loss event due to hackers, employee mistakes, or stolen or lost hardware.

In this white paper Patrick Botz outlines the importance of these three controls and explains why they must be used to protect data stored in IBM i databases. Botz discusses on-board master key capabilities provided by the IBM Cryptographic Services APIs on an IBM i, the limitations of the IBM i Master Key Facility, and why organizations should use third-party key management to protect their sensitive data.

The top 3 critical best practices are:

Separation of Duties - This is a widely known control set in place to prevent fraud and other mishandling of information. Separation of duties means that different people control different procedures so that no one person controls multiple procedures. When it comes to encryption key management, the person who manages encryption keys should not be the same person who has access to the encrypted data.

Dual Control - Dual control means that two or more people control a single process. In encryption key management, this means at least two people should be needed to authenticate the access of an encryption key, so that no single person has access to an encryption key.

Split Knowledge - Split knowledge prevents any one person from knowing the complete value of an encryption key or passcode. Two or more people should know parts of the value, and all must be present to create or re-create the encryption key or passcode. While split knowledge is not needed to create data encryption keys on the IBM i, it is needed for the generation of master keys which are needed to protect data encryption keys. Any encryption keys that are accessed or handled in the clear in any way should be protected using split knowledge.

The three core controls should always be used when storing or transferring encrypted sensitive data. A certified hardware security module (HSM) designed to secure data encryption keys and key encryption (master) keys should implement these controls in the administration of the key manager. NIST FIPS 140-2 validation is an important certification to look for in an encryption key manager. This certification ensures that your key manager has been tested against government standards and will stand up to scrutiny in the event of a breach.
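Split knowledge and dual control for a master key can be illustrated with the following added example, which is not taken from the white paper or from IBM's Master Key Facility. It assumes XOR-combined key components and a hypothetical HMAC-based check value; the class, function and custodian names are made up for illustration.

```python
# Added example: split knowledge (XOR key components) with dual control
# (every named custodian must take part). All names are hypothetical.
import hashlib
import hmac
import secrets

KEY_LEN = 32  # bytes, i.e. a 256-bit master key


def new_component():
    """Each custodian generates and keeps one random component."""
    return secrets.token_bytes(KEY_LEN)


def combine(components):
    """XOR the components; any single one alone says nothing about the key."""
    if len(components) < 2:
        raise ValueError("split knowledge needs at least two components")
    key = bytes(KEY_LEN)
    for part in components:
        if len(part) != KEY_LEN:
            raise ValueError("component has the wrong length")
        key = bytes(a ^ b for a, b in zip(key, part))
    return key


def check_value(key):
    """Short fingerprint to confirm a re-created key without revealing it.
    Assumption: a truncated HMAC-SHA-256 stands in for a real key check value."""
    return hmac.new(key, b"master-key-check", hashlib.sha256).hexdigest()[:6]


class MasterKeyCeremony:
    """Assembles the master key only when every custodian has contributed."""

    def __init__(self, custodians, expected_check=None):
        self._required = set(custodians)
        self._expected = expected_check
        self._parts = {}

    def submit(self, custodian, component):
        if custodian not in self._required:
            raise PermissionError(f"{custodian} is not a key custodian")
        if custodian in self._parts:
            raise ValueError(f"{custodian} has already submitted a component")
        self._parts[custodian] = component

    def assemble(self):
        missing = self._required - set(self._parts)
        if missing:
            raise PermissionError(f"waiting for: {sorted(missing)}")
        key = combine(list(self._parts.values()))
        self._parts.clear()                    # do not keep components around
        if self._expected is not None and not hmac.compare_digest(
            check_value(key), self._expected
        ):
            raise ValueError("check value mismatch: wrong or mistyped component")
        return key


def run_ceremony(parts, expected_check=None):
    """parts maps custodian name -> component; returns the assembled key."""
    ceremony = MasterKeyCeremony(parts.keys(), expected_check)
    for name, component in parts.items():
        ceremony.submit(name, component)
    return ceremony.assemble()
```

Recording the check value at creation time lets the same custodians re-create the master key later and detect a wrong component without anyone seeing the key itself.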

Automatic Encryption on V7R1
With the release of IBM i V7R1, users can now encrypt data automatically with no application changes. This is great news for IBM i users since encryption has been a difficult task in the past, needing specialized encryption solutions for earlier versions of IBM i. Protecting your encryption keys in an external key management HSM is the critical next step to protecting your encrypted data.

To learn more about encryption key management for the IBM i download the full White Paper “Encryption Key Management for IBM i - Sources of Audit Failures,” by IBM i security experts Patrick Botz and Patrick Townsend.

Topics: Separation of Duties, Patrick Botz, Split Knowledge, IBM i, Encryption Key Management, White Paper, Dual Control

Three IBM i (AS400) Security Tips You Need to Know

Posted by Liz Townsend on Jul 3, 2013 9:35:00 AM

Over the past two years the IBM i 7.1 (V7R1) has come to be known as a powerful, reliable, and highly scalable solution for businesses. IBM i V7R1 supports total integration and virtualization with new encryption capabilities that are appealing to many companies who must comply with data security regulations such as PCI and GLBA/FFIEC. This new exit-point feature, called field procedures (FIELDPROC), helps businesses to encrypt their sensitive data at column level without any application changes in order to meet compliance regulations and protect data from hackers.

This is great news since data breaches have become painfully common. Despite the staggering amount of data breaches that happen every month, a new study has shown that nearly 70% of data breaches could have been avoided had the proper security measures been implemented.

Patrick Botz of Botz and Associates recently joined our founder and CEO, Patrick Townsend, in an interactive webinar that focused on security tips both he and Patrick recommend. Patrick Botz is an expert on data security and data breach prevention. He held the position of lead security architect at IBM and was the founder of the IBM Lab Services security consulting team.

Here are the top three security tips for users securing sensitive data in IBM i V7R1 and meeting data security regulations according to Patrick Botz and Patrick Townsend:

1. Use Encryption & Encryption Key Management Best Practices - Encryption is the tool that protects your data. If you do your encryption poorly, there’s really no point in doing it at all.  In order to do encryption well you must follow best practices for encrypting data and managing the encryption keys. These best practices include: using AES encryption certified by the National Institute of Standards and Technology (NIST) and key management certified under the FIPS 140-2 standard; and using key management that utilizes controls such as separation of duties and dual control. Your encryption is only as good as your key management. If you follow best practices for encryption and encryption key management, you are also more likely to avoid having to report a data breach and deal with the severe costs.

2. Use Password Best Practices - Password management is often the downfall of many companies who suffer a data breach, especially a data breach that happens internally or by mistake. Patrick Botz specialized in password management and has enabled IBM i users to manage their passwords more securely with his Single SignOn (SSO) service, SSO Stat! Using a program called Kerberos, SSO works with both Windows and IBM i domains to streamline password use in a secured environment.

3. Monitor Your IBM i with System Logging - Receiving important system logs in real time and using a SIEM solution is a crucial step to achieving good data security, and can help a database administrator prevent or catch a system breach as soon as it happens. System logging is also a critical part of meeting most compliance regulations. One challenge around system logging on the IBM i, however, is that the security audit journal, QAUDJRN, is in a proprietary IBM format. In order for these logs to be centralized and correlated with other logs in your server environment, these IBM logs must be translated into a usable format.  File integrity monitoring (FIM) is also important to monitor configuration changes. Townsend Security’s Alliance LogAgent provides file integrity monitoring and translates all of your logs into a single usable format that can be read by your SIEM provider.

Encryption, encryption key management, password management, Secure System Logging and File Integrity Monitoring are all absolute necessities for a business to safely store their data, and avoid legal complications due to negligence.

Please check out our resources tab to find out more information. You can find us on Facebook, Twitter and LinkedIn as well as our website, www.townsendsecurity.com. Start better security today!

Topics: Patrick Botz, IBM i

Top 3 IBM i (AS/400) Security Tips

Posted by Luke Probasco on Mar 14, 2013 10:10:00 AM

With data breaches in the news every week, and each bigger than the previous, security is a top concern for system administrators, as well as business leaders.  As we have seen, a data breach can cripple an organization.  While the IT team performs forensics and updates their systems, the management team has to explain to investors why they weren’t adequately prepared and break the news that “Those big plans we had to grow the business in the next two years? Yeah, those are on hold while we remediate this breach.” 

While the IBM i (AS/400) is considered by many to be a secure platform, it is not immune to data breaches.  As a data security company, we see plenty of organizations that think they are doing the right things to keep their data safe, but are falling down in a few key areas.  Below are the top three tips to keep your IBM i (AS/400) secure and your data safe:

1) Encryption and Key Management

Did you know that many compliance regulations consider an email address personally identifiable information (PII) and require it to be encrypted?  Security experts recommend using NIST-certified AES encryption coupled with an external encryption key management hardware security module (HSM).  With the introduction of FIELDPROC in V7R1, IT teams can now encrypt their sensitive data without application changes – saving development resources and time coming up with excuses to company leaders on why the company is still at risk.

For organizations who have been encrypting their sensitive data, security audits often find they haven’t been properly managing their encryption keys.  Encryption keys should never reside on an IBM i with encrypted data. We help more enterprises than you would like to know after they fail a security audit for improper encryption key management.   

2) Password Management

Password management continues to be a challenge for all organizations.  Poor management leads to insecure passwords and inconsistent policies – which in turn leads to more data breaches.  Fortunately for IBM i administrators, IBM realized this and made a Single Sign On (SSO) option as part of the OS – all administrators have to do is enable it.  Patrick Botz, former lead security architect and founder of the IBM Lab Services security consulting practice, regularly helps organizations enable SSO and eliminate 80% or more of an organization’s password management problems just using tools that IBM provides as part of the OS.  Additionally, there is a clear return on investment when an organization enables SSO, which makes you a hero when you tell management “I have a way to make our jobs easier and save money at the same time.”

3) Secure System Logging and File Integrity Monitoring

A recent study shows that 69% of data breaches could have been detected before any data was lost if proper system logging was in place. Maybe that is why most compliance regulations (PCI DSS, HIPAA/HITECH, etc.) require it.  So why isn’t system logging a common practice on the IBM i?  Simply put, the IBM i doesn’t log information like other systems.  There are some big challenges getting security information into a usable format and transmitted to a SIEM for monitoring.  Challenges an administrator faces with proprietary IBM i logs:

  • Data format – IBM security events are in internal IBM format, not syslog format.
  • Multiple sources – Security events get collected in a variety of locations, almost always in an internal and proprietary IBM format.
  • Timeliness – Tools are lacking to collect security events in real-time, increasing the security exposure.
  • Communications – There are no native syslog UDP, TCP or SSL TCP communications facilities.
  • Data completeness – While it is possible to print security information using IBM tools, critical information is missing from reports.

Fear not, there is a solution – Alliance LogAgent Suite with File Integrity Monitoring (FIM).  Alliance LogAgent Suite can send system logs to any collection server that is listening for messages.  Additionally, the FIM tools allow system administrators visibility right down to the field and column level, record-by-record, in their databases.

While this is by no means a comprehensive list of everything security-related an administrator should do to their IBM i, these three areas are where we recommend you start. If you are currently encrypting data, we challenge you to find out where your encryption keys are being stored (it might scare you).  If you aren’t securing your systems with SSO, what are you waiting for?  Are you under a compliance regulation that requires system logging?  A complete system logging solution like our Alliance LogAgent Suite can be installed and running in an hour. To hear security experts Patrick Townsend and Patrick Botz elaborate on these three IBM i security tips, view our webinar “Top 3 IBM i Security Tips.”

Topics: Patrick Botz, Data Privacy, IBM i, Best Practices

IBM i Has Single Sign On (SSO) - You Just Have to Enable It

Posted by Patrick Townsend on Nov 27, 2012 8:30:00 AM

Download Podcast: IBM i Single Sign On (SSO) with Patrick Botz

Listen to this podcast with Patrick Botz and Patrick Townsend to learn about Single Sign On (SSO) on the IBM i.

Anyone active in the IBM i community knows Patrick Botz from his time as the Lead Security Architect for the IBM i group in Rochester, Minnesota. Patrick worked for years promoting security best practices, and worked diligently to solve one of the more perplexing and complex issues for large accounts – Single Sign On (SSO). Everyone with a large number of users has felt the pain of managing lots of user accounts and passwords across a lot of different types of systems. For any organization with more than a few users, managing user accounts and passwords has traditionally been an expensive proposition.

But it is one that you can now tackle very effectively.

Because of a lot of work that Patrick did during his stint at IBM, IBM i customers now have the technology they need for Single Sign On (SSO). Yes, you have the technology you need, you just didn’t know it.

Patrick is now in private life providing services to customers who want to reduce their help desk costs for managing user accounts and passwords. You can actually get to an SSO solution without purchasing additional software, and Patrick can help you achieve this. His company, Botz and Associates, has an affordable, packaged services solution called SSO stat! that will get you up and running with SSO very quickly. And this is not a drive-by engagement. He focuses on knowledge transfer during the engagement so that you can make it on your own, and he provides a support offering in case you want to have his expertise on demand.

Password management continues to be a challenge for all organizations. Poor management leads to insecure passwords and inconsistent policies – and these lead to more data breaches. We can do better. And Patrick Botz can help you get there.

By the way, Patrick worked for years at IBM, but before that he was a UNIX kind of guy. Today his expertise spans UNIX, Linux, Windows, Mac, and IBM servers. We all have multiple technologies in our organizations and he can help you stitch them all together.

We just did a podcast together with Patrick on Single Sign On (SSO) that I am sure you will find interesting and I encourage you to listen to it now.

Disclaimer: Neither I nor Townsend Security has a financial relationship to Botz and Associates. We’ve hoisted a beer together, and I’ve seen his work at mutual clients. He’s someone I think you should get to know.

Patrick

Topics: Patrick Botz, IBM i, password, Single Sign On (SSO)