Transcript Document

Extending iSeries Security
A Presentation
System i Security Products
Agenda
> Security Issues regarding System i
> Who is PowerTech?
> Customer Requirements
> System i Security Vulnerabilities
> PowerTech Solutions Overview
www.mik3.gr
© 2006 PowerTech Group, Inc. All rights reserved.
The PowerTech Group
Definitive iSeries Security
> World-leading company for System i security
> PowerLock AuthorityBroker ships with the iSeries OS
> Acquired leading iSeries SSO technology in 2005
> Winner of the prestigious Industry Driver APEX Award from iSeries News in 2004
> Over 1,000 Enterprise and Small Business customers
> More than 3,000 licenses installed
> Advanced Level IBM Partner
Where to Begin (diagram)
Demonstrate Compliance / Real time Monitoring / Audit for Compliance / Be Compliant
> Access Control: Power Users, Data Access, PW/User Mgmt
> Security Change: Config Mgmt, System Source Settings Control
> Business Continuity: High Avail, Data Recov
> Data Privacy: Data Xfer, Database
IT Controls Being Raised
> Legislators are doing their best to raise security from a technology issue to a business concern
> Auditors are defining what security is for companies
> Companies are documenting in-scope processes and procedures
> All are looking to COBIT and ISO 17799 for guidance
> Risks inherent in IT control are being identified and addressed
iSeries Environment
> Can users perform functions/activities that are in conflict with their job responsibilities?
> Can users modify/corrupt iSeries data?
> Can users circumvent controls to initiate/record unauthorized transactions?
> Can users engage in fraud and cover their tracks?
iSeries Security Study
> 87% of libraries were accessible by *PUBLIC (any user on the system) – Auditors recommend 0%
> 80% of access points on iSeries were not monitored or controlled, leaving the possibility for un-audited access to critical data – A violation of COBIT recommended standards and a threat to data integrity.
> 78% of systems had more than 40 user profiles with default passwords (password = user name) – A red flag for auditors and a violation of COBIT recommended standards.
> 84% of systems had more than 10 users with *ALLOBJ (all-powerful users) – A red flag for auditors, and a threat to data integrity and accountability.
Data Access: Public Authority to Libraries (chart)
> *CHANGE, 53%
> *USE, 25%
> *ALL, 9%
> *EXCLUDE, 8%
> AUTL, 5%
Source: iSeries Security Study 2005, The PowerTech Group
iSeries Security Gap (diagram: Remote Employees, Employees and Customers reaching the iSeries; Menu Access Only)
In the old days you could rely on menu security. But once PCs came along and the iSeries was opened up to ODBC, FTP, Remote command, the iSeries became vulnerable.
Ramifications:
> No Visibility to Network activity
> No Control of Network Activity
> No Security Monitoring
IBM Recognizes the Problem
> “ODBC introduced a plethora of desktop applications that offer easy access to data on the as/400 via a few mouse clicks.”
> “COMMON BACKDOORS - Several servers offer methods to submit AS/400 commands via the client. Restricting command line usage does not block this.”
From IBM technote: “Security Issues with Client Access ODBC Driver”
http://www-1.ibm.com/support/docview.wss?uid=nas1936b3cdad3645bd98625667a00709a29
Customer Data
> Can users perform functions/activities that are in conflict with their job responsibilities?
> Can users modify/corrupt application data?
> Can users circumvent controls to initiate/record unauthorized transactions?
> Can users engage in fraud and cover their tracks?
Data Access: Public Authority (chart)
Bars compare Industry Average, Best Practice, System 1 and System 2 by public authority level (*AUTL, *EXCLUDE, *USE, *CHANGE, *ALL), y-axis 0% to 100%.
Can users perform functions/activities that are in conflict with their job responsibilities? Yes
Data Access: Special Authorities - *ALLOBJ (chart)
Bars compare the number of *ALLOBJ users (y-axis 0 to 35) for Industry Average, Best Practice, System 1 and System 2.
Can users modify/corrupt iSeries data? Yes
Can users circumvent controls to initiate/record unauthorized transactions? Yes
Data Access: Network Access (chart)
Bars compare Industry Average, Best Practice, System 1 and System 2, y-axis 0% to 100%.
Can users engage in fraud and cover their tracks? Yes
Product Overview (diagram)
> Compliance Monitor
> AuthorityBroker: Control Powerful Users (Separation of Duties)
> FlashAudit on iSeries: Security Data Back Up
> Encryption
> NetworkSecurity: Access Control
> SecurityAudit: Regular Auditing
> Single Sign-On (SSO)
> ISS - Robot: Real Time Monitoring
> Compliance Monitor
PowerLock ComplianceMonitor
Case Study
> Large multinational retail company dealing with SOX compliance issues
> Problem:
  • No staff available to develop new custom reports
  • IT security group is not familiar with iSeries
  • Overwhelmed with burden of tracking more than 10 systems
> Answer: PowerLock ComplianceMonitor
  • IT staff save development time
  • Expert guidance built in to product
  • Consolidated reports
Requirements
> Be compliant with regulations
  • SOX, HIPAA, PCI, Privacy laws
> Demonstrate compliance through regular reporting
  • Automatic scheduling
  • Focus on exceptions to policy
  • Historical comparisons of audit results
  • Process to report on
    • User profile/account data
    • System Values
    • Authority to objects
    • Network access control
Systems are arranged in user-defined groups to match the business environment. A system (or endpoint, as it is called in the product) can belong to more than one group. This allows you to selectively audit and report on sets of systems.
The System Value scorecard highlights exceptions to policy with a red down triangle. A green up arrow shows settings that match policy. Policy is stored in an XML file; we can update this to match specific company policy.
Consolidated report across three systems – the system value view shows them next to each other for comparison purposes. PLCM can collect all system values; in this report, we are looking specifically at the security system values.
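The scorecard logic described above, as an added example that is not PowerTech ComplianceMonitor code: a policy kept in an XML file is compared with the security system values collected from several endpoints arranged in groups, and every mismatch becomes an exception. The system value names are real IBM i names; the policy thresholds, endpoint values and group names are constructed for the example.

```python
"""Consolidated system-value scorecard against an XML policy.

Added example, not PowerTech ComplianceMonitor code. System value names are real
IBM i names; policy thresholds, endpoint data and groups are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed policy file. 'op' says how a collected value is compared.
POLICY_XML = """
<policy>
  <sysval name="QSECURITY" op="ge" value="40"/>
  <sysval name="QPWDMINLEN" op="ge" value="8"/>
  <sysval name="QPWDEXPITV" op="le" value="90"/>
  <sysval name="QMAXSIGN" op="le" value="3"/>
  <sysval name="QINACTITV" op="le" value="30"/>
  <sysval name="QAUDCTL" op="contains" value="*AUDLVL"/>
</policy>
"""

# Constructed values as they might be collected from three endpoints.
ENDPOINTS = {
    "PROD1": {"QSECURITY": "40", "QPWDMINLEN": "8", "QPWDEXPITV": "90",
              "QMAXSIGN": "3", "QINACTITV": "30", "QAUDCTL": "*AUDLVL *OBJAUD"},
    "PROD2": {"QSECURITY": "30", "QPWDMINLEN": "6", "QPWDEXPITV": "*NOMAX",
              "QMAXSIGN": "*NOMAX", "QINACTITV": "*NONE", "QAUDCTL": "*NONE"},
    "DEV1":  {"QSECURITY": "40", "QPWDMINLEN": "8", "QPWDEXPITV": "60",
              "QMAXSIGN": "5", "QINACTITV": "30", "QAUDCTL": "*AUDLVL"},
}
# An endpoint may belong to more than one group.
GROUPS = {"Production": ["PROD1", "PROD2"], "All": ["PROD1", "PROD2", "DEV1"]}


def load_policy(xml_text):
    root = ET.fromstring(xml_text)
    return [(e.get("name"), e.get("op"), e.get("value")) for e in root.findall("sysval")]


def compliant(actual, op, expected):
    """True when the collected value satisfies the policy rule."""
    if op == "contains":
        return expected in actual.split()
    # *NOMAX / *NONE style values never satisfy a numeric floor or ceiling:
    # no password expiry and no inactivity timeout are exceptions.
    if not actual.isdigit():
        return False
    a, e = int(actual), int(expected)
    return a >= e if op == "ge" else a <= e


def scorecard(group, endpoints=ENDPOINTS, groups=GROUPS, policy_xml=POLICY_XML):
    """Consolidated view: {sysval: {endpoint: (value, 'up' | 'down')}}."""
    report = {}
    for name, op, expected in load_policy(policy_xml):
        row = {}
        for ep in groups[group]:
            actual = endpoints[ep].get(name, "")
            row[ep] = (actual, "up" if compliant(actual, op, expected) else "down")
        report[name] = row
    return report


def exceptions(group, **kw):
    """Only the red down-triangle entries, as (endpoint, sysval, value)."""
    return sorted((ep, name, val) for name, row in scorecard(group, **kw).items()
                  for ep, (val, mark) in row.items() if mark == "down")


if __name__ == "__main__":
    for ep, name, val in exceptions("All"):
        print(f"{ep:6} {name:11} {val:18} exception")
```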
Effective special authority – it’s not just the authority of the user profile; we also check whether the user has inherited special authorities through membership in a group profile.
> Network Security
Features
> Customizable reporting
  • PowerTech recommended reports
  • GUI to create custom SQL queries (filters)
  • Flexible interface and grid view
> Expert guidance
  • Scorecards rate compliance against security policy
  • Exceptions are highlighted
  • Compliance guide
> Consolidation across multiple systems
  • Drastically cut the number of reports
PowerLock NetworkSecurity Technology
> IBM recognizes the security problems with network access to iSeries assets, and has added and continues to add network access exit points.
> NetworkSecurity implements exit point programs that monitor and control iSeries access through the network interfaces.
> Exit point programs intercept and can record inbound requests.
> Access requests can be controlled by:
  • User Profile, Group Profile, Supplementary Group profile, *PUBLIC
  • Device Name, IP address, PowerLock IP address groups or generic names
  • Server and Function type
    • Remote command, FTP download, FTP upload, etc.
  • Can be configured to emulate an increase or decrease in object authorities
PowerLock NetworkSecurity Technology
What is an exit point anyway?
A point in a process where control can be passed to a User-Supplied program. The User-Supplied program can usually perform processing that overrides or complements the processing done by the main process.
(diagram) Main program (IBM’s FTP Server): Access Request → Call to Exit program → User-Supplied exit program: Analyze request & return data → Continue Processing...
PowerLock NetworkSecurity Technology
> PowerLock NetworkSecurity provides exit point programs that allow iSeries customers to monitor and take control of their network interfaces (FTP, ODBC, Telnet, DDM, Client Access, etc...)
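An added example, not PowerTech's exit programs, of the decision an exit program makes when the server hands it a request, using the control criteria listed above (user, group or supplementary group profile, *PUBLIC, IP address or named IP group, server and function). Every decision is recorded, and a request that matches no rule is rejected. The server names, function names, profiles, IP groups and rules are constructed for the example.

```python
"""Exit-point access decision in the style the NetworkSecurity slides describe.

Added example, not PowerTech code. The server (FTP, remote command, database,
...) calls the exit program with the request details and receives allow or
reject. Server names, function names, profiles, IP groups and the rule set are
constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed named IP address groups.
IP_GROUPS = {"OFFICE_LAN": ["10.1.0.0/16"], "DMZ": ["192.0.2.0/24"]}
# Constructed user directory: profile -> (group profile, supplementary groups).
PROFILES = {"JACKM": ("ACCTG", ["REPORTING"]), "DBADMIN": ("ITOPS", []), "WEBSVC": (None, [])}


@dataclass
class Rule:
    who: str       # user profile, group profile or *PUBLIC
    where: str     # IP group name, a CIDR, or *ALL
    server: str    # e.g. FTP, RMTCMD, DATABASE, or *ALL
    function: str  # e.g. SENDFILE, RECVFILE, or *ALL
    action: str    # ALLOW or REJECT


@dataclass
class Request:
    user: str
    ip: str
    server: str
    function: str


AUDIT_LOG = []   # every decision is recorded, allowed or not


def ip_matches(where, ip):
    if where == "*ALL":
        return True
    nets = IP_GROUPS.get(where, [where])
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)


def who_rank(who, user, profiles=PROFILES):
    """2 = rule names the user, 1 = one of the user's groups, 0 = *PUBLIC, -1 = no match."""
    if who == user:
        return 2
    group, supp = profiles.get(user, (None, []))
    if who == group or who in supp:
        return 1
    return 0 if who == "*PUBLIC" else -1


def exit_program(req, rules, profiles=PROFILES):
    """Most specific matching rule wins; with no matching rule the request is
    rejected, which is the exclude-based model the deck argues for."""
    best, best_rank = None, -1
    for r in rules:
        rank = who_rank(r.who, req.user, profiles)
        if rank < 0 or not ip_matches(r.where, req.ip):
            continue
        if r.server not in ("*ALL", req.server) or r.function not in ("*ALL", req.function):
            continue
        if rank > best_rank:
            best, best_rank = r, rank
    decision = best.action if best else "REJECT"
    AUDIT_LOG.append((req.user, req.ip, req.server, req.function, decision))
    return decision


# Constructed rule set: allow only what the business needs, reject the rest.
RULES = [
    Rule("*PUBLIC", "*ALL", "FTP", "*ALL", "REJECT"),
    Rule("ACCTG", "OFFICE_LAN", "FTP", "SENDFILE", "ALLOW"),   # downloads only, from the LAN
    Rule("DBADMIN", "OFFICE_LAN", "*ALL", "*ALL", "ALLOW"),
    Rule("*PUBLIC", "*ALL", "RMTCMD", "*ALL", "REJECT"),
]

if __name__ == "__main__":
    for req in (Request("JACKM", "10.1.5.7", "FTP", "SENDFILE"),
                Request("JACKM", "10.1.5.7", "FTP", "RECVFILE"),
                Request("DBADMIN", "10.1.9.9", "RMTCMD", "CALL"),
                Request("WEBSVC", "192.0.2.9", "DATABASE", "SQL")):
        print(req.user, req.server, req.function, exit_program(req, RULES))
```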
Network Exit Points
> 4 major categories of network exit points
  • Original PCS Servers (PCSACC)
  • DDM & DRDA Servers (DDMACC)
  • Optimized Client Access Servers (WRKREGINF)
  • TCP/IP Servers (WRKREGINF)
> More than 30 network servers
> More than 250 combinations of servers & functions that regulate network access
Network Servers that can be monitored and controlled
> Original Servers
  • Virtual Print Server
  • Data Queue
  • Shared Folders
  • File Transfer Function
  • Remote SQL
  • Message Function
  • License Management
> DDM (Including DRDA) Server
> Optimized Servers
  • File Server
  • Network Print Server
  • Signon Server
  • Database Server
  • Central Server
  • Data Queue Server
  • Remote Command Server
  • TELNET
  • WSG (V5R1)
> TCP/IP Servers
  • FTP
  • etc...
iSeries Network Access with PowerLock NetworkSecurity (diagram: FTP Server, TELNET Server, Database Server, DDM Server and DRDA Server sitting behind PowerLock)
PowerLock NetworkSecurity is the software that controls and monitors access to the iSeries through the network interfaces.
Reporting current exposures
> To help you get a current view of your network access exposures, NetworkSecurity includes comprehensive reporting capabilities. NetworkSecurity includes several reports that may be run at any time. The Reporting Menu is accessed using option 4 from the NetworkSecurity Main Menu.
> If you want information on all network access attempts, you can run the NetworkSecurity reports for All users at All locations. While this will create a lengthy report, it will provide all the detail you need to determine who is connecting to your system, and what functions are being performed.
> Right after activation there will be few if any entries on the reports. NetworkSecurity activation begins to record access attempts. Some applications like JDE OneWorld and FastFax can generate lots of entries very quickly.
NetworkSecurity: Work with Servers
> Authority Broker
Sarbanes-Oxley Implications
> COBIT DS5.3 – Security of Online Access to Data
“… IT management should implement procedures in line with the security policy that provides access security control based on the individual’s demonstrated need to view, add, change, or delete data.”
Reactive security (diagram: Employees, Customer)
Many companies use reactive security, trying to respond to breaches as they occur. The problem with trying to find all the different ways people can get to your data is that you will never find all the different approaches. Instead, PowerTech takes an exclude-based security approach.
Exclude Based Security (diagram: Employees, Customers)
PowerTech allows you to determine first what type of activity you want to allow. Then you lock everything else out and set up alerts so you know when someone is trying to do something you don’t allow; at that point you can decide whether you want to allow them to do it or not.
Case Study: The Solution
> Remove special authorities from the programmer on the production system
> Implement PowerLock AuthorityBroker
  • Programmer “switches” into powerful profile when needed
  • All actions are audited to a secure journal
  • Management gets alerts (to cellphone!)
  • Management reviews and signs off on regular reports
> Compliance - Auditors are happy!
Customer Requirements
> Log and record activity of powerful users
> Flexible reporting options
  • 3 levels of detail
  • Filter out unnecessary information
  • Print, Database, .csv
> Time specific controls
  • Limit duration of profile switch
  • Specific Day, Date, and Time restrictions
  • Delegate “Firecall” to Helpdesk personnel
Product Demo
> Security Audit
PowerLock SecurityAudit
> Assesses your iSeries and AS/400 systems
  • Complete history
  • Instant view of changes
> Used by internal auditors
  • No Special Authorities (like *ALLOBJ) required for auditors
> 200+ reports available
  • Network transactions
  • Object level assessments
  • User profiles and system values
  • Continuous auditing of events, objects, users and system values
> Comprehensive reporting and analysis
System Requirements
> V5R1 of OS/400 or later
> 100 MB of disk space
> *ALLOBJ special authority for installation
> Users without *ALLOBJ should be added to the SECAUDADM authorization list to allow them to run reports
Value Proposition
> SOX related usage opportunities
  • Security Audit generates reports that can be used to test the effectiveness of AS/400 related logical access IT General Controls.
> Improves efficiency of audits
> Improves quality and consistency of audits
OS/400 Report
SecurityAudit Report
PowerLock SecurityAudit Demonstration
Powerful Users
> Special Authorities = Power!
  • Special authorities trump OS/400 object level authorities.
> A user with …
  • *ALLOBJ can read, change, or delete any object on the system.
  • *SPLCTL can read, change, print, or delete any spool file on the system.
  • *JOBCTL can view, change, or stop any job on the system (includes ENDSBS and PWRDWNSYS).
  • *SAVSYS can read or delete any object on the system.
Powerful Users
User Profiles
> Users with Command Line Access
  • Limit Capability of *NO or *PARTIAL
> Default Passwords
  • Username = Password
> Inactive (Dormant) accounts
  • Any profile that has not been used in the last 90 days
> IBM Profiles
> Group Profiles
  • Password of *NONE – should not be used for sign-on
> Public Authority
  • Public should be set to *EXCLUDE
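The user profile checks above, together with the effective special authority point made earlier (authorities inherited from a group profile), as an added example that is not PowerTech SecurityAudit code. It runs over a constructed list of profile records shaped like the attributes DSPUSRPRF shows; the default-password flag is modelled as a pre-computed field, the way ANZDFTPWD reports it, and 90 days is the slides' dormancy threshold.

```python
"""User-profile checks from the Powerful Users and User Profiles slides.

Added example, not PowerTech SecurityAudit code. Profile records are constructed;
'dftpwd' stands in for an ANZDFTPWD-style default-password finding.
"""
from datetime import date, timedelta

# Constructed profiles. 'groups' holds the group profile and supplemental groups.
PROFILES = [
    {"name": "QSECOFR", "spcaut": {"*ALLOBJ", "*SECADM", "*JOBCTL", "*SAVSYS", "*SPLCTL"},
     "groups": [], "lmtcpb": "*NO", "pwdnone": False, "dftpwd": False,
     "last_signon": date(2006, 3, 1)},
    {"name": "ITOPS", "spcaut": {"*ALLOBJ", "*JOBCTL"}, "groups": [], "lmtcpb": "*NO",
     "pwdnone": True, "dftpwd": False, "last_signon": None},
    {"name": "ACCTG", "spcaut": set(), "groups": [], "lmtcpb": "*YES",
     "pwdnone": False, "dftpwd": False, "last_signon": date(2005, 9, 1)},
    {"name": "JACKM", "spcaut": set(), "groups": ["ACCTG"], "lmtcpb": "*YES",
     "pwdnone": False, "dftpwd": False, "last_signon": date(2006, 3, 2)},
    {"name": "DBADMIN", "spcaut": {"*SAVSYS"}, "groups": ["ITOPS"], "lmtcpb": "*NO",
     "pwdnone": False, "dftpwd": True, "last_signon": date(2005, 10, 15)},
    {"name": "TEMP01", "spcaut": set(), "groups": [], "lmtcpb": "*PARTIAL",
     "pwdnone": False, "dftpwd": True, "last_signon": None},
]
DORMANT_DAYS = 90


def effective_spcaut(profile, index):
    """Own special authorities plus those inherited from every group profile."""
    auths = set(profile["spcaut"])
    for g in profile["groups"]:
        auths |= index[g]["spcaut"]
    return auths


def audit(profiles=PROFILES, today=date(2006, 4, 1)):
    """Findings per check, each a list in profile order."""
    index = {p["name"]: p for p in profiles}
    used_as_group = {g for p in profiles for g in p["groups"]}
    cutoff = today - timedelta(days=DORMANT_DAYS)
    f = {k: [] for k in ("allobj", "command_line", "default_password",
                         "dormant", "group_signon", "ibm_supplied")}
    for p in profiles:
        name = p["name"]
        if "*ALLOBJ" in effective_spcaut(p, index):
            via = "own" if "*ALLOBJ" in p["spcaut"] else "via " + ",".join(
                g for g in p["groups"] if "*ALLOBJ" in index[g]["spcaut"])
            f["allobj"].append((name, via))
        if p["lmtcpb"] in ("*NO", "*PARTIAL"):
            f["command_line"].append(name)
        if p["dftpwd"]:
            f["default_password"].append(name)
        if not p["pwdnone"] and (p["last_signon"] is None or p["last_signon"] < cutoff):
            f["dormant"].append(name)          # never used, or unused for 90+ days
        if name in used_as_group and not p["pwdnone"]:
            f["group_signon"].append(name)     # group profile that can still sign on
        if name.startswith("Q"):
            f["ibm_supplied"].append(name)     # IBM-supplied profiles start with Q
    return f


if __name__ == "__main__":
    for check, hits in audit().items():
        print(f"{check:17} {hits}")
```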
Sample Reports
Special Authorities
User Access – System Users
Public Authority to Data
> To mitigate the risk of unauthorized program changes and database alterations, the public authority for each significant production database and production source code file must be set to *EXCLUDE, with access allowed through appropriate individual settings.
> In addition, any programmer access to production libraries should be restricted.
Adopted Authority
Library Authorities
Security Audit Journal
> Security sensitive operations, e.g. changing system values
> Failed sign-on attempts; unauthorized access to files
> Object move and rename operations
> Restore actions to security sensitive objects
> Single Sign On (SSO)
Agenda
A. The Problems with Passwords
B. What is Single Signon
C. Who Benefits from Single Signon?
D. How does it work?
E. Five Steps to Single Signon.
F. PowerLock EasyPass
The Problems with Passwords
> Passwords have been around since the dawn of computers.
  • And they are starting to show their age
> What are the key features of a Password?
  • A password is a secret associated with a user id.
  • Passwords should work only on the hosting system.
  • For each unique user ID on each system, there is a single, correct, key
The Problems with Passwords
> Each computer system the user logs on to (theoretically) has a different password
  • How many unique passwords do you really have?
> Users must remember their passwords.
  • But we don’t want users to write them down.
  • Users shouldn’t use easy to guess passwords.
> Your users log on to many, many systems
  • Internal systems, home, websites etc.
  • A user could have passwords for a hundred different systems
  • Some external servers are not secure and not to be trusted.
The Problems with Passwords
> Each password on each of your servers represents a potential security exposure.
  • The more passwords you have, the more exposures you have.
> The chief protection for passwords is your end users.
  • Humans are almost always the weakest link in the security chain.
> Reducing the number of passwords a user is responsible for reduces your organization’s security exposure.
  • Users can’t compromise a password they don’t know.
What is Single Signon?
> Single Signon is a technology that requires a user to only authenticate one time per session – regardless of the number of systems connected to.
  • The first server authenticates the user, then vouches for that user’s authenticity to other systems.
  • The user is then able to seamlessly connect to all of the other trusted systems in that domain.
  • A single authentication can be good for a number of hours – a number that you can set.
What is Single Signon?
> Single Signon requires that the user only have one password.
  • This password would be for the first server they connect to each morning.
> With only one password to remember, users require less help desk assistance
  • It’s also easier and faster to reset passwords on a single system.
> Single Signon simplifies disabling a user.
  • Again, there is just one entry to maintain.
What isn’t Single Signon?
> Single Signon isn’t password synchronization
  • It doesn’t require that passwords be shared among multiple systems
  • It does not require a user to log on separately to each server.
  • It doesn’t send passwords around the network in clear text.
> Single Signon is not password replay.
  • It doesn’t capture passwords on an appliance and replay them for each server.
  • It doesn’t store passwords in multiple places
  • It doesn’t send passwords around the network in clear text.
Who benefits from Single Signon?
> Users
  • Have fewer passwords to remember
  • Spend less time authenticating on your network
  • Have far, far, fewer password reset requests
> Help Desk
  • Far, far, fewer password reset requests
> System Administrators
  • More secure systems
  • More secure passwords
  • Fewer invalid signon attempts
> Programmers
  • More robust applications
  • Pull data from several sources, without authentication hassles
> Management
  • More Secure systems
  • Less cost!
How Does it work?
> Single Signon uses industry standard technologies from several leading sources.
  • Kerberos Authentication – developed at M.I.T. in the 1980s and funded by a grant from DEC and IBM
  • Active Directory – Introduced by Microsoft with Windows 2000 for secure network authentication
  • Enterprise Identity Mapping (EIM) – Introduced by IBM in 2001(?) to provide User Identity Mapping across dissimilar servers
> Backed by computer industry powerhouses, Single Signon is the new authentication standard.
  • Kerberos, Active Directory, and EIM combine to make stronger, simpler, and more secure user authentication.
How Do I get started?
> If you use these OS’s, you already have the ingredients to get started:
  • OS/400 V5R2 or higher
  • Windows server 2000 or higher
> Unlike other technologies, Single Signon deployment can be incremental
  • No need to change the whole organization - start with a small group
  • Start with yourself and experience the benefits first hand
> With experienced assistance, you can truly go to “Single Signon in a single day”
  • Some assembly required.
PowerLock EasyPass
> Single Signon implementations are better, faster, and more reliable when you use automated tools.
> PowerLock EasyPass simplifies the steps of setting up, associating, and maintaining user ID’s and User associations.
> User associations can be maintained across multiple systems, and multiple OS’s.
  • OS/400 V5R2 or higher
  • Windows server 2000 or higher
  • Lotus Domino
  • Websphere
  • AIX
  • and more…
Measuring SSO ROI
> Productivity Gain > Cost?
> Cost Components: Management, Implementation, Acquisition
(diagram: Productivity Gain weighed against Cost)
Synchronization SSO Approach
User ID/Password Synchronization
• No end user productivity gains (not really SSO)
• Must deploy and configure synchronization service
• Passwords must still be changed and audited
• Must troubleshoot synchronization issues
• User IDs and Passwords are limited by platform
(diagram: the same UID JACKM / PWD TEXAS replicated to five systems)
Centralization SSO Approach
User ID/Password Centralization
• End user productivity gains
• “Capture & Replay” function must be deployed on all PCs
• “Capture & Replay” must be initially trained
• Passwords must still be changed and audited
• Must troubleshoot centralization issues
(diagram: a Central Repository holding every system’s credentials – jmcafee/LoneStar, JACKM/HOUSTON, JACK/LONGHORN, RJMCAF/ALAMO, rjmcafee/SpaceCenter – and replaying them to each system)
The Password Elimination Approach
Single Sign-On Components
> Kerberos for authentication
  • Uses strongly encrypted tickets and not passwords
  • Implemented on all major platforms
> Enterprise Identity Mapping (EIM) for authorization
  • Maps people to their user identities on various registries
  • Registry might be a platform, application, or middleware
> Applications enabled for Kerberos and EIM
  • IBM has enabled many popular services in V5R2 and i5/OS
  • NetManage has enabled RUMBA 7.4 & OnWeb Web-to-Host 5.2
  • Customers can also enable their applications (Services!)
The Password Elimination Approach
EIM and Kerberos
• End user productivity gains
• Easy to implement – no synchronization
• Easy to manage – no centralization
• Password Elimination!
(diagram: Source → EIM Domain → Targets; jmcafee on KDC → JACKM on iSeries. Source: UID JACKM, PWD HOUSTON. Key Distribution Center (KDC): UID jmcafee, PWD LoneStar. Targets: UID JACK, PWD *NONE; UID RJMCAF, PWD ALAMO; UID rjmcafee, PWD SpaceCenter)
1. Sign-On as jmcafee and get Kerberos TGT
2. KDC sends a Kerberos ST to iSeries
3. i1 authenticates the Kerberos ST
4. EIM → Jack McAfee is authorized on iSeries as JACKM
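The EIM lookup behind step 4 of the flow above, as an added example that is not IBM's EIM API or PowerTech EasyPass: an EIM domain holds identifiers (people) with a source association for the registry the user authenticates to (the Kerberos KDC) and target associations for the profile on each target registry. Once the target system has validated the service ticket it asks EIM which local profile the principal maps to, and every gap fails closed. The users jmcafee, JACKM, JACK, RJMCAF and rjmcafee come from the slide; the realm, registry names, the second person and the password states are constructed.

```python
"""EIM identity mapping behind the Kerberos sign-on flow on the slide.

Added example, not IBM's EIM API or PowerTech EasyPass. The realm, registry
names, the second identifier and the password states are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Identifier:
    name: str
    sources: dict = field(default_factory=dict)   # registry -> user identity
    targets: dict = field(default_factory=dict)   # registry -> user identity


class EimDomain:
    def __init__(self):
        self.identifiers = []

    def add(self, ident):
        self.identifiers.append(ident)

    def lookup(self, source_registry, source_user, target_registry):
        """Target user for a source identity, or None when no association exists."""
        for ident in self.identifiers:
            if ident.sources.get(source_registry) == source_user:
                return ident.targets.get(target_registry)
        return None


KDC = "KDC:EXAMPLE.COM"   # constructed Kerberos realm used as the source registry

# Constructed target registries: profile -> password state ('*NONE' = no password).
TARGET_PROFILES = {
    "ISERIES_I1": {"JACKM": "*NONE", "QSECOFR": "set"},
    "ISERIES_I2": {"JACK": "*NONE"},
    "ISERIES_I3": {"RJMCAF": "ALAMO"},   # still has a password: not yet eliminated
    "AIX_HR": {"rjmcafee": "*NONE"},
}


def build_domain():
    d = EimDomain()
    d.add(Identifier("Jack McAfee", sources={KDC: "jmcafee"},
                     targets={"ISERIES_I1": "JACKM", "ISERIES_I2": "JACK",
                              "ISERIES_I3": "RJMCAF", "AIX_HR": "rjmcafee"}))
    d.add(Identifier("Sam Operator", sources={KDC: "soperator"},
                     targets={"ISERIES_I1": "QSECOFR"}))
    return d


def kerberos_signon(domain, principal, target_registry, ticket_ok=True,
                    profiles=TARGET_PROFILES):
    """Steps 3 and 4 of the slide: the target verifies the service ticket, then
    EIM maps the Kerberos principal to a local profile; every gap fails closed."""
    if not ticket_ok:
        return ("REJECT", "service ticket did not authenticate")
    user = domain.lookup(KDC, principal, target_registry)
    if user is None:
        return ("REJECT", "no EIM target association for " + principal)
    if user not in profiles.get(target_registry, {}):
        return ("REJECT", "mapped profile " + user + " does not exist")
    return ("ALLOW", user)


def passwords_not_eliminated(domain, profiles=TARGET_PROFILES):
    """Target profiles reached through EIM that still carry a password."""
    return sorted((reg, user) for ident in domain.identifiers
                  for reg, user in ident.targets.items()
                  if profiles.get(reg, {}).get(user, "*NONE") != "*NONE")


if __name__ == "__main__":
    dom = build_domain()
    print(kerberos_signon(dom, "jmcafee", "ISERIES_I1"))
    print(passwords_not_eliminated(dom))
```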
Top 10 Password Elimination Benefits
1. No need to install and configure another new IT infrastructure layer;
2. Less IT infrastructure means incremental and faster deployment;
3. Less IT infrastructure means lower cost to deploy and maintain;
4. Existing IT infrastructure is already supported by companies like IBM, Microsoft, Novell, SuSE, Red Hat, and many others;
5. Existing IT infrastructure leverages EIM to document user account ownership, which is a powerful business tool;
6. Existing IT infrastructure leverages a combination of authentication technologies like Kerberos (Windows), Identity Tokens (WebSphere), Pluggable Authentication Modules (UNIX or Linux PAMs), and others, rather than passwords;
7. Password elimination results in fewer help desk password reset calls;
8. Password elimination includes distributed applications, which no longer require hard coded user ids and passwords to be sent across the network;
9. Password elimination results in fewer passwords to audit and change every 30, 60, 90 days per company policy;
10. Fewer passwords to audit helps exceed regulatory requirements (i.e. SOX, HIPAA, GLBA, ISO17799, etc.)
Extending iSeries Security
A Presentation
PowerTech Security Solutions extend iSeries security: Thank You