Townsend Security Data Privacy Blog

IBM i Security Audit Journal QAUDJRN – Are You Logging Everything?

Posted by Patrick Townsend on Apr 5, 2012 8:49:00 AM

We’ve had an upsurge in interest recently in our Alliance LogAgent solution for the IBM i (AS/400) platform. This solution sends security events from the IBM i in real time to log collection servers and SIEM solutions. As I’ve talked to IBM i customers, I am beginning to appreciate how difficult it is to get IBM i security information into a usable format so that events can be collected and monitored. The challenges are big:

  • Data format – IBM security events are in internal IBM format, not syslog format.
  • Multiple sources – Security events get collected in a variety of locations, almost always in an internal and proprietary IBM format.
  • Timeliness – Tools are lacking to collect security events in real-time, increasing the security exposure.
  • Communications – There are no native syslog UDP, TCP or SSL TCP communications facilities.
  • Data completeness – While it is possible to print security information using IBM tools, critical information is missing from reports.

Here is a really good example of this last point. I can use the Display Audit Journal Entry command (DSPAUDJRNE) to print a report of user ID and password failures. Here is a bit of what that report looks like:

Logging Screen

Can you imagine a SIEM solution or a poor network administrator trying to get useful information from this? Fields are not easily identified and extracted, and most SIEM query tools would have a really hard time extracting the meaning from this report. There are user ID and password failures here, but it is hard to parse them out.

And one of the most important pieces of information is missing. Can you see what it is?

Right, the IP address of the originator of the error. SIEM solutions are good at correlating events if they know where they are coming from. The IP address is critical for accomplishing this. This report could probably tell you when you are under attack, but not where it is coming from and certainly not in real-time.

Our Alliance LogAgent solution solves all of these problems. Events are extracted from all of the relevant sources, in real time, converted to standard syslog format, and communicated using your choice of UDP, TCP, or secure TLS communications to your log server. And, Yes, the IP address is in the event! Here is an example of a PW event as it is processed by Alliance LogAgent:

<118>Sep 20 15:47:11 S10125BA QAUDJRN:[PW@0 event="PW-Invalid user or password" event_type="Q-Signon failed profile disabled" user_profile="QTCP" device="*N" jrn_seq="002273092" timestamp="20120120154711021000" job_name="QTLPD00145" user_name="QTCP" job_number="630743" ip_addr="10.0.1.205" port="15427"]

This is caviar to your SIEM solution!  Real time alerts, event queries, and forensics become a snap when you get the right data into your SIEM solution. And real time system monitoring is one of the top recommendations by security professionals to keep your IBM i (AS/400) safe.
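To show why the key="value" layout above is easier for a collector to work with than the printed report, here is an added example (my own code, not part of the post and not Alliance LogAgent's code) that parses events in that layout and counts password failures per originating IP address, the correlation the post says a SIEM needs. The sample events, the hostname, sequence numbers, addresses and ports, and the helper that builds them are constructed for this example; the no-address event stands in for a local-console failure and is an assumption about how such an event might look.

```python
"""Added example: parse QAUDJRN events in the Alliance LogAgent syslog layout
shown in the post and count password failures per source address."""
import re
from collections import Counter

# <PRI>Mon dd hh:mm:ss host TAG:[SD-ID key="value" key="value" ...]
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'                              # priority = facility*8 + severity
    r'(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '    # BSD-style timestamp
    r'(?P<host>\S+) '                                   # IBM i system name
    r'(?P<tag>[^:\s]+):'                                # QAUDJRN
    r'\[(?P<sdid>\S+?)(?P<params>(?: \w+="[^"]*")*)\]$' # structured-data element
)
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> dict:
    """Split one event into its header fields plus the key="value" parameters."""
    m = SYSLOG_RE.match(line.rstrip())
    if not m:
        raise ValueError("not a LogAgent-style QAUDJRN event: %r" % line[:40])
    pri = int(m.group("pri"))
    event = {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "sd_id": m.group("sdid"),
    }
    event.update(PARAM_RE.findall(m.group("params")))  # ip_addr, user_profile, ...
    return event


def failed_signons_by_source(lines, threshold: int = 3) -> dict:
    """Count PW (password failure) events per originating IP address and return
    the sources that reached the threshold. Events carrying no ip_addr are
    counted under a visible placeholder rather than silently dropped, because
    a missing source address is exactly the gap the post complains about."""
    counts = Counter()
    for line in lines:
        try:
            event = parse_event(line)
        except ValueError:
            continue            # unparseable line; a real collector would flag it
        if event["sd_id"].split("@", 1)[0] != "PW":
            continue            # other audit entry types are not signon failures
        counts[event.get("ip_addr") or "(no source address)"] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def _pw_event(seq: int, time: str, **extra) -> str:
    """Build a constructed PW event in the layout the post shows (sample data)."""
    fields = {
        "event": "PW-Invalid user or password",
        "event_type": "Q-Signon failed profile disabled",
        "user_profile": "QTCP", "device": "*N", "jrn_seq": "%09d" % seq,
        "timestamp": "20120920%s000000" % time.replace(":", ""),
        "job_name": "QTLPD00145", "user_name": "QTCP", "job_number": "630743",
    }
    fields.update(extra)
    params = " ".join('%s="%s"' % kv for kv in fields.items())
    return "<118>Sep 20 %s S10125BA QAUDJRN:[PW@0 %s]" % (time, params)


# Constructed sample feed: four failures from one address, one from another,
# one assumed local-console failure with no address, and one junk line.
SAMPLE_EVENTS = [
    _pw_event(2273092, "15:47:11", ip_addr="10.0.1.205", port="15427"),
    _pw_event(2273093, "15:47:14", ip_addr="10.0.1.205", port="15431"),
    _pw_event(2273094, "15:47:19", ip_addr="10.0.1.77", port="50210"),
    _pw_event(2273095, "15:47:20", ip_addr="10.0.1.205", port="15436"),
    _pw_event(2273096, "15:47:24", ip_addr="10.0.1.205", port="15440"),
    _pw_event(2273097, "15:48:02", device="QPADEV0001"),
    "Sep 20 15:48:30 S10125BA unrelated text that is not an audit event",
]

if __name__ == "__main__":
    for src, n in failed_signons_by_source(SAMPLE_EVENTS).items():
        print("%s: %d password failures" % (src, n))
```

The priority value 118 decodes to facility 14 (log alert) and severity 6 (informational), so the filter has to key on the PW structured-data id rather than on severity; a collector that only watches for warnings and above would miss these events entirely.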

I’m proud of our system logging solution for the IBM platform. Our customers have deployed the solution in under an hour starting from the time they do the download from our web site.

Patrick


Topics: IBM i, Alliance LogAgent, logging

NSA’s Utah Data Center: Is Everything Safe in Salt Lake?

Posted by Adam Kleinerman on Apr 3, 2012 9:33:00 AM

It is increasingly apparent how much smaller the world is getting. As long as there has been human civilization, technology has decreased the vast uncertainty of our universe. We are a far cry from the 15th century, when the European elite didn’t know North America existed. Bell invented the telephone, and suddenly months of correspondence could be condensed into a five minute chat. Then came the personal computer, and opportunities for seemingly everything in the world were endless. As the complete paradigm shift to cyber data happened, increasing dependence on what is put on the net became a way of life.

Recently, the National Security Administration (NSA) began construction on what is plainly named the “Utah Data Center” in Salt Lake City, Utah. The “Utah Data Center” is going to be a one-million square foot, state-of-the-art data center designed for the purpose of intercepting, deciphering, analyzing, and storing communications from all over the world.

NSA’s security director General Keith Alexander has been under a constant barrage of questions from the American public regarding the security and privacy of the information that is being collected.  Concerns include:

    • Does the NSA have access to Americans’ emails?
    • Does the NSA have access to Americans’ Google searches?
    • Does the NSA have access to Americans’ text messages

All of these questions have been answered by Alexander with a flat “no.”

I think we can assume that the NSA doesn’t have outright access to these private details from our lives, but many are concerned about their right to privacy and whether the NSA is infringing on it. That is understandable when places like the “Utah Data Center” are created to intercept and store personal information. As a company that deals with protecting private information, we have to trust that this new facility has the absolute best security in place.

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person. Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII are, and the first steps your company should take towards establishing a data privacy strategy.


Topics: security, Data Privacy

Meeting Compliance Regulations with Secure Managed File Transfer

Posted by Luke Probasco on Mar 29, 2012 9:46:00 AM

In today’s environment, most organizations fall under multiple compliance regulations. If you are taking credit cards, you need to meet PCI data security standards. If you are in the health care industry, you have HIPAA and HITECH to work on. If you are in the banking industry or any financial segment, you have the Gramm-Leach-Bliley Act (GLBA) and FFIEC requirements to meet. All of us have to deal with state and federal privacy regulations about protecting data.

A secure Managed File Transfer solution with NIST validated PGP encryption can help meet compliance regulations for securing data in motion.

Compliance regulations come full bore on all of us - whether you are in the business, Federal, or non-profit world. PCI DSS and a number of other regulations require encryption of data in motion. Townsend Security has partnered with Symantec to offer the only commercial and fully supported version of PGP encryption on the IBM i (AS/400).

Maintaining proper audit trails is also a very clearly defined requirement of compliance regulations. I think as we see compliance regulations evolve, making sure that your Managed File Transfer solution is based on well accepted standards is very important. For example, the commercial version of PGP encryption that we offer has been through multiple certifications with the National Institute of Standards and Technology (NIST). We have seen fines given to companies using non-standard implementations, so having those certifications and having the confidence that you’re using a solution that provably meets industry standard is really important.

Compliance regulations are still evolving and we continue to see new regulations being brought forward. For example there is a new federal data privacy regulation coming through Congress. There is also a clear evolution of compliance regulations requiring solutions to meet defined industry standards (such as NIST). I know our certifications give our customers confidence that they are meeting compliance regulations and that they are using the right kind of encryption.

Townsend Security’s FTP Manager has been helping IBM i (AS/400) users meet compliance regulations by securing and automating their data in motion to trading partners, customers, employees, and internal systems. Download our podcast “Secure Managed File Transfer on the IBM i – An Introduction” for more information on how we can help your organization save time and money by securely automating your file transfers.



Topics: Alliance FTP Manager, IBM i, Secure Managed File Transfer, FTP Manager for IBM i, Podcast

Should I Upgrade My IBM i to V6R1 or V7R1?

Posted by Luke Probasco on Mar 27, 2012 9:52:00 AM


Today, data security is more important than ever. We live in a world now where organizations of every size - from small companies to large global companies – need to make sure their sensitive data is safe. The bad guys are getting much better, with more sophisticated attacks. Even mid-sized companies are now targets. So, with the most up-to-date security features included in IBM i 7.1 (V7R1), why would you still be using or consider using the V6R1 release? I recently sat down with Patrick Townsend, Founder & CEO, to discuss the latest IBM i OS and the security reasons a company that is on an upgrade path from V5R4 should bypass V6R1 and install V7R1.

What do you have to say to the company who traditionally moves up just one release? For example the company that would just upgrade to V6R1 because they feel that it has all the kinks worked out.

Well, I understand that motivation and I have been in that seat before. OS upgrades are always something you want to be very cautious about - whether you are talking about your IBM i or even your Linux, UNIX, and Windows servers. You know that a certain number of bugs will get worked out after a new release has come into the market and you tend to be a little cautious about applying the latest release upgrade. Having been released for over a year, V7R1 is now pretty mature and I haven’t heard of any significant upgrade problems.

IBM i users that are on V5R4 know that IBM recently announced the end of support date for that release (which means maintenance and support will stop in about a year) and people will need to upgrade. There are two reasons it is a good idea to jump past V6R1 straight to V7R1. First, it is a fully supported path by IBM. Second, there are security benefits to making that jump. You are getting significant new security features in V7R1 that you won’t see in V6R1. I know that there are external factors that sometimes influence moving forward on releases. Some software vendors may not be ready for V7R1 and this can represent a significant barrier in terms of getting to the latest release of the operating system. If you have not yet begun a discussion with your software vendors on whether they have certified their software on V7R1, now is the time to do that. IBM makes it very easy for a software vendor to test their software on a pre-release version of the operating system. We do that, and your other software vendors should be doing that too, well before IBM releases a new version of the operating system. This is one time that you should balance the security benefits of V7R1 against the cautionary approach of going only to V6R1, which will be just one step for many people.

Download our podcast “IBM i Security: Skip V6R1 and Upgrade to V7R1” for more information on the security reasons that you should go straight to V7R1. Additionally, we will discuss how Townsend Security can help you take advantage of FIELDPROC, a new addition to V7R1, which allows companies to encrypt their sensitive data without changing their applications.


Topics: system security, IBM i, V7R1

Could Encryption Have Stopped Stuxnet?

Posted by Adam Kleinerman on Mar 22, 2012 10:26:00 AM

In June 2010, a computer worm called “Stuxnet” made worldwide news when it infiltrated Iranian science labs. Many of Iran’s industrial facilities, including Natanz, were seriously harmed as a result of this worm. Uranium enrichment is a project that many global nuclear outfits are working on. The idea is to create a higher concentration of the Uranium isotope U-238 to make for a more reactive metal. The source code for all of these machines is stored on computers, so they are run by what the computers are instructing them to do. When the bug hit, the sophisticated centrifuges began spinning too fast, causing the machines to self-destruct.

The dials and gauges looked like they were functioning correctly, so the Iranian officials knew that an external virus or bug must have invaded their computer, with the specific instructions to destroy their appliances. After investigation, it was discovered that it wasn’t a virus, but a worm. A virus will corrupt individual files on a computer, but a worm is malicious software that spreads through a computer network. For a computer to avoid contracting a bug, computer security is paramount.

Having proper encryption and key management possibly could have prevented a disaster like this from happening. It really shouldn’t have had a chance. The Iranian government was running programs that needed the highest level of security and they could have done more to prevent this from happening.

We help our customers deal with security issues all the time. Alliance Key Manager, our encryption key management Hardware Security Module (HSM), has built-in encryption and decryption services. With an HSM, the encryption key never leaves the appliance, keeping the encryption key separate from the data it protects. By using encryption and key management, Iran could have possibly prevented Stuxnet from modifying the source code that caused their servers to self-destruct.

The effects of the Stuxnet worm were devastating for Natanz and other industrial facilities in Iran. Their nuclear projects were set back an estimated four months. This is, of course, an extreme case with intended malice toward the government. This worm was specifically designed only to harm Iran’s centrifuges. Ralph Langner, an independent computer security expert and the man who discovered the intent of Stuxnet, said, “The attackers took great care to make sure that only their designated targets were hit. It was a marksman’s job.”

Hopefully, there isn’t a company or organization out there that will feel the need to specifically target your company. But there was some collateral damage to other computers caused by Stuxnet, and encryption and key management can prevent the effects of other worms. Take a look at the program!

For more information on encryption and key management, download our white paper "AES Encryption and Related Concepts" and learn about how proper encryption and key management work together to secure your data.


Topics: system security, Security Attacks

Driving a Taxi and Assessing Your Security Posture

Posted by Patrick Townsend on Mar 20, 2012 8:14:00 AM

Some years ago, during an “in between” period of my life, I drove a taxi in Houston, Texas. It was one of those enriching life experiences (this means it left scars), and a recent security newsletter from Bruce Schneier had me thinking about it again.

All of us drivers loved to take a customer to Gilley’s, a famous honky-tonk out in Pasadena.  Gilley’s was a huge place with live country music, line dancing, a mechanical bull, a real rodeo arena, and lots of Texans (most with quite a few long necks behind them). It ran well into the early morning hours and was always busy. It was a good distance from downtown Houston or the Houston airport and a ride to or from Gilley’s was going to be a good fare and usually a good tip.

Here’s the security angle – Gilley’s could be a bit dangerous starting from about 10 or 11 at night. There was a whole lot of drinking going on (I know you will be surprised by that), and some roughneck or cowboy or soldier was going to take an unfortunate interest in someone else’s girlfriend. Or maybe someone liked the wrong football team. Or whatever – there was no shortage of things that could cause a fight. A shooting or brawl was not that uncommon at Gilley’s.  Every driver I knew carried some type of “protection” under the seat. Mine was a short tire iron. But some carried serious heat. But you never wanted to be in a position of actually having to defend yourself – you were probably going to get some serious hurt on you.

Every night when you were driving taxi you had to make a decision about taking a late night run to Gilley’s. A lot of drivers just wouldn’t go out there after 11pm. Some drew the line at 1pm, or wouldn’t go out there when the place was closing.  But if you’ve had a bad day, that run might help you get profitable before sunrise. So, you were always making a security assessment – how much risk were you willing to bear?

Now here is what I was thinking about: When I think of Pasadena, Texas, my impression is still tinged with that original experience. For all I know, Pasadena may have changed into a yuppie paradise with 5-star restaurants and day spas. I’ve seen other neighborhoods transform (good or bad) over time. South of Market in San Francisco now has a Whole Foods, and China Basin is definitely not as dangerous. So things change over time. And a person’s personal security posture will change, too, if there is adequate information about the neighborhood.

Now let’s bring these chickens home to roost.

Things have changed in the world of IT. We used to feel safe behind our firewalls and DLP systems and anti-virus software. We carefully avoided upgrading our operating systems and software to avoid buggy releases. This made complete sense at the time.

But now the attacks come in from infected PDF files and infected web sites. A USB thumb drive can carry the danger. Systems that we thought were relatively safe like Macs, mobile phones, or IBM Mainframes and AS/400s now are as much of a threat as anything outside the firewall. Criminals now routinely use weaknesses in unpatched systems to steal sensitive data. The threat landscape has changed. We need to change, too.

So, when you think about that OS or software upgrade you should give more weight to staying current, and perhaps a little less weight to avoiding some bugs. I know the risks of doing software upgrades, and that you have to make a judgment call. But out of date software is honey to the bad guys. It’s time to re-think the security posture - the neighborhood is not the same.

Patrick

No, I’m not from Texas (Hat tip to Lyle Lovett)

Learn how we have made encryption and key management easier and more affordable than ever with Alliance Key Manager.


Topics: Encryption, Data Privacy

Secure Managed File Transfer on IBM i (AS/400): 4 Core Components

Posted by Luke Probasco on Mar 16, 2012 8:26:00 AM

As more and more organizations are falling under compliance regulations, IT managers are being tasked with finding a secure Managed File Transfer solution to secure and automate data in motion with their trading partners, customers, employees and internal systems. There are a few out there, but how do you decide which is the best for your organization? I recently sat down with Patrick Townsend, Founder & CEO, to learn more about the core components of a Managed File Transfer solution. Here is what he has to say:

First, you must have security built-in with your solution. Our Alliance FTP Manager uses a number of secure encrypted mechanisms for transferring files. We use SSL FTP, Secure Shell sFTP, PGP encryption and decryption. That security component is absolutely crucial to the product. I’m really happy with our security, and we have a great partnership with Symantec around their PGP product. Our enterprise customers really expect the highest level of solution when it comes to encryption. We have partnered with Symantec on the PGP product and it carries the proper certification and the depth of support that customers want.

Automation is another core component. If you are dealing with a lot of files, you need to have automation to be efficient. You don’t want to have to do a lot of manual intervention. There should also be a centralized management environment so that configurations can be set up and managed from a central location.

Additionally, notification is another core component. For example you may have files that you’re sending to a customer or your bank. You may only do that transfer once a month, but wouldn’t it be nice if after you transferred the file you sent the customer an email telling them your file is transferred and is ready for processing. With Alliance FTP Manager, we can notify your customer or an entire email list of recipients when a file transfer is complete. Or if there is a failure in a transfer, maybe a customer turned off their FTP server, we can notify that too.  We can do both success and failure notifications in our Managed File Transfer product.

Finally, to meet compliance regulations, you need to have full audit capabilities. We can create audit trails of all the transfers, which is really important from a compliance point of view.

View a recording of our webinar Secure Managed File Transfers: Meeting Compliance Regulations for more information on meeting data in motion requirements of PCI DSS, HIPAA/HITECH, and other compliance requirements on your IBM i.


Topics: Alliance FTP Manager, Managed File Transfer, IBM i, Secure Managed File Transfer, FTP Manager for IBM i, Webinar

Secure Managed File Transfer: Meeting Business Needs

Posted by Luke Probasco on Mar 14, 2012 9:48:00 AM


Managed File Transfer is an easy way to meet business requirements and comply with data privacy regulations.  With a solution like Alliance FTP Manager, businesses can meet compliance regulations by securely transmitting files from their IBM i (AS/400) to their trading partners and customers. Additionally, a Managed File Transfer solution can help your organization save time and money by automating processes that traditionally have eaten into IT manpower. I recently sat down with Founder & CEO Patrick Townsend to discuss how Managed File Transfer can help businesses assure their customers and partners that their sensitive data is secure and in compliance with data privacy requirements such as PCI DSS, HIPAA/HITECH, FFIEC and other regulations.

Can you walk us through a typical business problem that Managed File Transfer Solves?

If you’re a mid-sized or large company, security is absolutely crucial in today’s environment. We all hear over and over again about data losses by large companies and the damage that causes to both the business and the reputation of those companies. Business executives around the world are trying to protect their data, their customer data, and supplier information so they can have the confidence to go forward with their business plans. A managed file transfer solution provides a start-to-finish mechanism for securing data in motion.

If you are using a Managed File Transfer solution like our Alliance FTP Manager, you can have the confidence that you are doing things right, that you are meeting best practices in the industry and that you are less likely to  wake up one day and find yourself in a headline in the New York Times about some large data loss.

Can you explain how a Managed File Transfer works?

Managed File Transfer solutions, like our Alliance FTP Manager, need to meet a number of core requirements. Obviously, they need to protect data in motion, and we use SSL session encryption and PGP encryption, which are the industry standards. Automation is also very important. Most of our customers are transferring multiple files every day to banks, trading partners and suppliers. You don’t want to burn resources by having someone manually transfer files any time it needs to be done.

Additionally, policy driven configuration and reporting by exception are extremely important. Some of our customers are sending tens of thousands of files every day to their trading partners, which can be a lot to manage. You need to be sure that you can manage by exception if there is a problem.

Finally, a Managed File Transfer Solution not only automatically picks up and transfers files, but provides additional controls to make the process efficient - not only from a human resource point of view, but also from a cost point of view. You don’t want to be spending valuable human resources picking up files and processing them. This should all be an automatic process, and that is really the core idea behind Managed File Transfer – automation and security.

Download our podcast “Secure Managed File Transfer on the IBM i – An Introduction” for more information on how we can help your organization save time and money by securely automating your file transfers.


Topics: Alliance FTP Manager, Managed File Transfer, IBM i, Secure Managed File Transfer, FTP Manager for IBM i, Podcast

How Tokenization Can Help Your Business

Posted by Luke Probasco on Mar 8, 2012 7:50:00 AM


Tokenizing sensitive data delivers an outstanding return on investment (ROI) to businesses by reducing the risk of losing sensitive data. By tokenizing data, organizations can reduce the chance of losing sensitive information – credit card numbers, social security numbers, banking information, and other types of PII. In some cases tokenization can take an entire server or database application out of scope for compliance regulations. This blog will discuss how tokenization can reduce risks in customer service departments, with outside services, and in BI and Query environments.

Tokenization for Customer Service

Tokenization can reduce risk in the customer service department by removing sensitive data from customer service databases. For out-sourced operations you should tokenize data before sending it to the outside service. A customer service worker can still accept real information on the phone from an end customer, but there is no need to store the actual information in a database that can be stolen. Tokenization services will associate real information with tokenized information for data retrieval. While using tokenization in a customer service environment can’t completely remove the risk of data loss, it can dramatically reduce the amount of data at risk and help you identify potential problems.

Tokenization for Outside Services

Many retail companies send their Point-Of-Sale transaction information to analytics service providers for trend and business analysis.  The service provider identifies trends, spots potential problems with supply chains, and helps evaluate the effectiveness of promotions.  In some cases, service providers consolidate information from a large number of companies to provide global trends and analysis.  You can avoid the risk of data loss by replacing the sensitive data (names, credit card numbers, addresses, etc.) with tokens before sending the data to the service provider.

Tokenization for Business Intelligence and Query

Many IT departments help their business users analyze data by providing them with business intelligence (BI), query reporting tools, and databases of historical information. These tools and databases have empowered end-users to create their own reports, analyze business trends, and take more responsibility for the business.  This practice has decreased workloads and increased efficiency in IT departments.

Unfortunately, these tools and databases open a new point of loss for sensitive information.  A database with years of historical information about customers, suppliers, or employees is a high value target for data thieves.  Criminals aggregate this type of information to provide a complete profile of an individual, making it easier to steal their identity.  When tokens replace names, addresses, and social security numbers, this makes the BI database unusable for identity theft, while maintaining the relational integrity of the data.  Tokenizing business intelligence data is an easy win to reduce your risk of exposure.
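The customer service and business intelligence sections above both rely on two properties of a token: it reveals nothing about the real value on its own, and the same value always gets the same token so the BI database keeps its relational integrity. The following is an added example of my own (not Townsend Security's tokenization product or its API) of a small vault-based tokenizer with those properties. The vault class, the fingerprint key, the customer records and the card numbers (standard test numbers) are all constructed for this illustration; the tokenizer keeps the last four digits visible, which is an assumed design choice, not something the post specifies.

```python
"""Added example: a vault-based tokenizer that removes card numbers and SSNs
from a customer-service or BI copy of the data while keeping joins working."""
import hashlib
import hmac
import secrets
from collections import Counter


class TokenVault:
    """Minimal stand-in for a tokenization service (constructed for this example).

    Tokens are random digits in the same format as the value, with the last
    few characters kept so an agent can confirm "the card ending in 1111".
    Because the random part is drawn from a CSPRNG and not derived from the
    value, a token is useless without the vault. The same value always maps
    to the same token, which is what keeps BI joins and group-bys working.
    Value lookups go through an HMAC fingerprint, so the vault never indexes
    by the raw value either.
    """

    def __init__(self, fingerprint_key: bytes, keep_last: int = 4):
        self._key = fingerprint_key
        self._keep_last = keep_last
        self._token_by_fp = {}      # HMAC(value) -> token, for deterministic reuse
        self._value_by_token = {}   # token -> real value (the vault proper)

    def _fingerprint(self, value: str) -> str:
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    def _random_token(self, value: str) -> str:
        head = len(value) - self._keep_last
        # Randomize every digit before the kept tail; keep separators such as '-'.
        body = "".join(str(secrets.randbelow(10)) if ch.isdigit() else ch
                       for ch in value[:head])
        return body + value[head:]

    def tokenize(self, value: str) -> str:
        if len(value) <= self._keep_last:
            raise ValueError("value too short to tokenize without exposing it")
        fp = self._fingerprint(value)
        token = self._token_by_fp.get(fp)
        if token is None:
            token = self._random_token(value)
            while token in self._value_by_token:    # collision: draw again
                token = self._random_token(value)
            self._token_by_fp[fp] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Authorised retrieval path only; unknown tokens raise KeyError."""
        return self._value_by_token[token]


def tokenize_records(vault: TokenVault, records, fields) -> list:
    """Return copies of records with the named fields replaced by tokens.
    The originals are left untouched; only the tokenized copy leaves the
    protected environment (to the BI database or an outside service)."""
    out = []
    for rec in records:
        copy = dict(rec)
        for name in fields:
            if copy.get(name):
                copy[name] = vault.tokenize(copy[name])
        out.append(copy)
    return out


def purchases_by_card(records) -> Counter:
    """A BI-style query over tokenized data: equal cards share a token."""
    return Counter(r["card"] for r in records)


# Constructed sample data; card numbers are standard test numbers, SSN is fake.
SAMPLE_RECORDS = [
    {"order": 1001, "customer": "A. Example", "card": "4111111111111111",
     "ssn": "900-00-0001", "amount": 40.00},
    {"order": 1002, "customer": "B. Example", "card": "5500000000000004",
     "ssn": "900-00-0002", "amount": 12.50},
    {"order": 1003, "customer": "A. Example", "card": "4111111111111111",
     "ssn": "900-00-0001", "amount": 99.95},
]

if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key")
    safe_copy = tokenize_records(vault, SAMPLE_RECORDS, ("card", "ssn"))
    for rec in safe_copy:
        print(rec)
    print(purchases_by_card(safe_copy))
```

The point to notice is where the risk moves: the BI copy now holds nothing that identifies a card or a person, and the only place a token can be turned back into a value is the vault, which is a much smaller system to lock down than every database and report that consumes the data.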

Download our white paper “The Business Case for Tokenization: Reducing the Risk of Data Loss” to see how tokenization is helping organizations meet their business goals without exposing their sensitive data to loss. 


Topics: Data Privacy, tokenization

Securing Data in Microsoft SharePoint 2010

Posted by Patrick Townsend on Mar 6, 2012 1:05:00 PM

“I’m scared to death about what my users are putting into SharePoint!”

This is what a Database Administrator said to me recently when I attended a SQL Saturday event on the Microsoft campus in Redmond, Washington. And I’m hearing that a lot from IT directors and CIOs in the financial and medical sectors. Microsoft SharePoint is a wonderful collaboration tool, and it supports a number of versions and deployment options. These options run the gamut from free versions that ship with Windows Server, to versions tailored to the Microsoft Office suite of applications, to web portals. And an industry has grown up around installing, customizing, and hosting SharePoint.

But IT managers are sweating about the risk of data loss. And they have reason to be afraid.

We know that users are creative about circumventing written policies about data security. Ever look at an audit of user passwords? It’s a good bet that “Password1” is the most common password on your network. It has upper and lower case letters, and at least one number. And even good employees can accidentally violate security policy. We ask a lot of our colleagues, and security is often not at the top of their consciousness. So how likely is it that users are following your security policy requirement NOT to store sensitive data in SharePoint?

Somewhere close to zero.

And that’s why IT managers have good reason to be concerned. And that’s one reason why the uptake of SharePoint collaboration runs into resistance in the financial and medical segments.

Fortunately, Microsoft added some important security features to SharePoint 2010. One of those is support for Transparent Data Encryption (TDE) when you use SQL Server 2008 as the storage mechanism for SharePoint. The great thing about TDE is that it is easy to implement. You get good encryption performance, separated key management, and a high level of automation. Your IT staff can deliver it with a minimum of fuss and delay.

Will encryption with TDE solve all of the SharePoint security concerns? No. But it will protect you from data loss in the event of a lost backup or hard drive, and a server breach that just steals a copy of the database or log files won’t compromise your data. That’s one big step in the right direction.

Take a look at our encryption key management solution built for Microsoft SQL Server. You can start to build the confidence you and your management team need to move forward with SharePoint collaboration, at a reasonable cost and in a reasonable time frame.

For even more information, view our webinar “Encryption Key Management with Microsoft SQL Server.”  See how easy it can be to implement strong key management and hear what hundreds of attendees learned at PASS last week.

Patrick


Topics: Alliance Key Manager, SQL, SharePoint