In this post I interview my colleague Terry Ford, with IBM's Lab Services organization. He is one of the long time subject matter experts around IBM i Security in Lab Services and the brains behind a new offering called Compliance Automation Reporting Tool, single server/LPAR edition!
Q: Hi Terry,
thanks for joining me here – really happy to have the chance to interview you!
With us both being in Lab Services
I know a bit about what you and your team does – specifically focused on IBM i
Can you give us an overview of the kinds of things an IBM i customer
Security Services Delivery Team has a mission to assist customers with securing their IBM i related IT systems. In
the current IT threat landscape, all enterprises – large and small - need to
take steps to protect their vital systems from attacks, insider threats, and
malware as well as the risks emerging from a
changing business environment. We do this primarily through
consulting service engagements but also through tools we have created to do the
heavy lifting required of remedial efforts for securing customer systems.
Q: What would you say are the top 3 things an IBM i customer can do today to help them address security exposures from your experience?
ANS: Lots of ways to
answer that question depending on a customer’s context and where they are in
their security and compliance journey.
One of the top things a client
can do is to assess the posture of their IBM i operating environment against corporate
policies and objectives. That assumes corporate IT
policies and objectives exist – often they do not and without these it is
difficult to determine what is and is not secure. So, if a corporate policy
does not exist, that is job one. If a policy does exist, then job
one is to assess compliance to the policy – preferably by an objective
Next, I would say is to staff for security and compliance. Too often I see the person assigned to “security” only does security-related tasks as a small part of their job responsibilities. A part-time security administrator is not going to be able to stand-off an attack by a nefarious individual who is engaged full-time to do harm.
Lastly, based on the results of the assessment, embark on a
security improvement project to address the issues uncovered by the assessment. As
required, hire consultants who can help you understand the risks, the root
causes, and the mitigation required.
This is not an overnight endeavor
but one that is likely weeks, months or even years.
Q: I think your team may do this a bit more than our Db2 team, but there are times in Lab Services where we’ll be working with a customer to develop a solution for them that makes sense to shore it up a bit for general usage and make it available to other customers. Internally, we call these “assets,” but at the end of the day they are effectively productizing some good work that came out of an engagement.
Can you describe the genesis of the CART (Compliance Automation Reporting Tool) our teams collaborated on?
ANS: About a decade or so ago, our security team was asked to assess one region of one of the largest banking organizations in the world. The presentation of the findings was laid out in such a way that it was easy for the customer to compare and interpret the results and take remedial action. So much so, they funded us to develop an automated solution that could perform the assessment tasks on a global scale and present the information from a central repository. For this client, the gathering and reporting of security information was an effort measured in days, weeks, and months.
At the time, our security team had a lot of experience in security automation but lacked methods for centralization and visualization. With the help of your Db2 team, we determined that a security centric data mart involving collection agents and a central system consolidated database was the appropriate architecture to support enterprise reporting which was done with Db2 Web Query.
Q: That solution is really a good piece of work by our collective teams! And has been quite popular for our customers with many Servers/LPARs. Can you provide some examples of the value customers have been getting from CART Enterprise Edition?
ANS: For the banking customer mentioned before, the gathering of global security was extremely slow. When they were trying to assess their exposure to a particular weakness, they described it as taking months just to assess the corporate risk – that was their benchmark for a solution. Within the first few days of implementing our solution, they tested the benchmark scenario and successfully reported globally within a few hours across hundreds of systems.
So, the single aspect of centralization is a huge time-saver for clients. One observation that astounds me globally is that the simple act of administrative information gathering for many customers is many days to weeks annually – and this is only gathering – no analysis, no filtering, no decision making – just gathering! With CART you have automated gathering AND analysis, with filtering and drill downs.
A quote from this client that I like was: “It has been like
adding a staff member!”
Q: What has surprised you about customers who have implemented CART in terms of feedback, additional requests for enhancements, or other usage?
ANS: The most surprising thing to me is how short-staffed and short-skilled clients are. Many of the enhancement requests have been to address time-constraints related to their day-to-day administration that overlook operational deficiencies or audit requests for information. In fact, at one client their management was adamant that the admin team spend no more than an hour a week reviewing security.
recently you’ve been working very hard to solidify a similar solution for
single server scenarios because so many IBM i clients are smaller
shops with single servers running their production environment – and while they
don’t have the data collection issues larger enterprises have they still
have the same needs to monitor their system for security exposures, report on
it, and hopefully take action
ANS: Right, smaller shops have similar issues to larger shops in terms of securing information assets. They often have fewer people and fewer skills than larger shops and must rely more heavily on tools and other consulting services to address vulnerabilities (assuming they even try) and administrative concerns. For the smaller client, this single server/LPAR version of CART collects all the same components of the enterprise version but provides a more manageable set of reports to look at for insight and to determine a course of action.
Q: How can a customer learn more about the new single server, CART solution and how to acquire it or evaluate it?
ANS: The wiki certainly has more information including a presentation and the user's guide. We've also decided to include a demo version of the single server CART solution in the web query EZ-Install package where you can at least see it in action (but with dummy data). You can also reach out to me directly and we can discuss the solution and a trial version of it at TAFORD@us.ibm.com
Q: I understand IBM Lab Services also has a complimentary quick-security-check offering. What can you tell me about that?
ANS: Sure, glad you brought that up! We recently introduced a freebie offering that clients can download and run to gather information about potential security risks in their system. The solution automatically generates a fairly large report which points out potential high risk exposures and brings it to your attention. It is a limited use tool -if you really needed the on-going monitoring solution we'd point you to CART, But, it can be a quick and no-cost way to just get a look into potential high risk exposure the quick-check finds. You can learn more about that here.
Thanks - I sure appreciate you taking the time out of your busy schedule to spend some time talking about the great work you've done here to bring these solutions to our IBM i Clients!!