Townsend Security Data Privacy Blog
System Logging on the IBM i (AS/400): Log Collection and Compliance


In the first part of our series on system logging on the IBM i (AS/400) we discussed why system logging is so important and where security information lives on the IBM i.  We will now continue my conversation with Patrick Townsend, Founder & CTO, and talk about log collection and meeting compliance regulations with system logging.

So now that you have identified the sources of this important system information, how do we format it for log collection and SIEM Servers?

This is probably the biggest challenge for IBM i users - getting log information from the IBM i into a usable format.  IBM i logs are not recognizable by a typical log collection server or a SIEM console that monitors log data.  With Alliance LogAgent, we have tackled this problem by reading all of these sources of event information and translating from the IBM i format to a standard log format.  IBM does provide a few utilities for printing log information, and I have seen people try to use those to get data into a text-type format, but they are unsuccessful because the printed log information is not in a standard format.  Another reason why this method doesn’t work is that it is typically not in real-time, so you’re not picking up information in a timely fashion - meaning you are missing threats that are happening in your machine.

Formatting data is a major challenge and we decided that the right way to do this was to bite the bullet and read the internal format of the logs, while they are completely unrecognizable to any standard log collection server, and format them to industry standard formats - based on existing RFCs in terms of SYSLOG formats or Common Event Format.  Alliance LogAgent puts them in the right format and transmits them.  The technology in our logging solution is really focused on making all that log information usable, doing it in real-time, and then getting it to where it needs to go – allowing it to be monitored by your SIEM in real time.

System logging is also important for meeting compliance regulations, right?

Absolutely, if you take a look at PCI data security standards from the beginning, section 10 is focused on collecting logs and analyzing them in a timely fashion.  If you drill down into the recommendations for HIPAA/HITECH Act, or if you’re looking at FFIEC in the financial sector, or even privacy notification laws, they are all very consistent about requiring proper monitoring of system logs.  And this is understandable, looking at how threats evolve and what the typical threat looks like.

Sometimes bad software gets installed on a system and sits there for months at a time, undetected because nobody is monitoring the logs. That software can be phoning home through an IP connection and checking in through remote servers.  Your logs should be showing that activity.  That is why you’ll find across the board, in almost every compliance regulation, a need or requirement to collect logs in a central location, on a log collection server, or in a SIEM.  Someone needs to be paying attention to those logs and “someone” could be automated software, including products from SIEM vendors.  It is really important from a compliance point of view that you are collecting logs, doing it in a fast, real-time fashion, and have something monitoring those logs looking for threats.

View our Webcast “Understanding Log Management on the IBM i” for more information on logging and how it can help you meet compliance requirements with real-time security event logging across your Enterprise.


System Logging on the IBM i (AS/400): An Introduction


As a company that works hard to protect your data, we get a lot of questions – from people wanting to know the ins and outs of our products to IT professionals who are new to the world of meeting compliance regulations.  Luckily, our company has several experts to answer these questions.  One topic that we often get questions regarding is system logging on the IBM i (AS/400).  Logging on the IBM i is different than logging on other platforms.  I recently sat down with Patrick Townsend, Founder & CTO, to pick his brain on what system logging is, and why it is so unique on the IBM i.

System logging has become one of the most essential compliance tasks in contemporary corporate IT. Can you give a brief explanation of what logging is and why it is so important?

Sure, all computer systems, including the IBM i (AS/400, iSeries, System i) collect lots of important information about the security state or the operational state of the system as a whole.  We call these System Logs and they often include a great deal of information about what is going on in the system.  In a lot of systems, including the IBM i, these logs are created in real-time.  To give an example, if someone tries to sign into an IBM i and for whatever reason the username or password is invalid, that event is logged in the system log.  This is an important thing to log because if you were to look at this system log in real-time and notice several invalid username and password events, you would say “Hey, our system is being attacked. We need to take action on this now.”  In summary, System Logs are just a central repository on the computer system that say what is going on within the system.  This is why they are so important from a security point of view.

Where does security information live on the IBM i?

Security information lives in a number of places, which is one of the challenges that IBM i administrators have.  On the IBM i, IBM creates a central repository (QAUDJRN in the IBM i world) for a large number of security events including password and other security events. Our Alliance LogAgent customers can decide what kind of events they want to collect.  QAUDJRN is not the only place to look for this security information. There is also a system event log file called QHST that has important log-on and log-off information for users.  The operator’s console (QSYSOPR) collects and tracks important events and messages for security monitoring.  Finally, the IBM i sports a lot of new, web-type services that have their own log collection facilities including WebSphere, Apache, and SSH.  In order to properly look at all of the security events that are happening on an IBM i, you have to look in several places, which can be a challenge.

Listen to our podcast “System Logging on the IBM i” for more information on logging, how it can help you meet compliance requirements, what to look for in a logging solution, and how Townsend Security can help you transmit the logs from your IBM i to any SIEM console.
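The translation Patrick describes in the log collection post (QAUDJRN-style events rendered as RFC 5424 syslog and Common Event Format lines) together with the "several invalid username and password events" pattern from this introduction, as an added Python example that is not Alliance LogAgent or any Townsend Security code. The event field names, the sample events, the host name and the CEF vendor/product strings are constructed assumptions; only the QAUDJRN entry types PW, AF and CP are real.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: QAUDJRN entries already parsed into fields.  The field
# layout is an assumption for this example, not IBM's journal entry format.
# Entry types are real QAUDJRN types: PW = invalid password/sign-on,
# AF = authority failure, CP = user profile changed.
SAMPLE_EVENTS = [
    {"ts": "2012-01-30T08:15:02Z", "type": "PW", "user": "JSMITH", "job": "QPADEV0001", "ip": "10.1.2.3"},
    {"ts": "2012-01-30T08:15:09Z", "type": "PW", "user": "JSMITH", "job": "QPADEV0001", "ip": "10.1.2.3"},
    {"ts": "2012-01-30T08:15:15Z", "type": "PW", "user": "JSMITH", "job": "QPADEV0001", "ip": "10.1.2.3"},
    {"ts": "2012-01-30T08:15:21Z", "type": "PW", "user": "JSMITH", "job": "QPADEV0001", "ip": "10.1.2.3"},
    {"ts": "2012-01-30T08:16:40Z", "type": "AF", "user": "ACCTG1", "job": "QZDASOINIT", "ip": "10.1.5.9"},
    {"ts": "2012-01-30T09:02:11Z", "type": "CP", "user": "QSECOFR", "job": "QPADEV0002", "ip": "10.1.0.2"},
]

# Description and syslog severity (4 = warning, 5 = notice) per entry type.
TYPE_INFO = {
    "PW": ("invalid sign-on attempt", 4),
    "AF": ("authority failure", 4),
    "CP": ("user profile changed", 5),
}

def to_syslog(ev, hostname="IBMI01"):
    """Render one event as an RFC 5424 line:
    <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [STRUCTURED-DATA] MSG
    PRI = facility * 8 + severity; facility 13 is 'log audit'."""
    desc, sev = TYPE_INFO.get(ev["type"], ("unknown audit entry", 6))
    pri = 13 * 8 + sev
    # SD-PARAM values must escape '"', '\\' and ']'; the sample values contain none.
    sd = (f'[qaudjrn type="{ev["type"]}" user="{ev["user"]}" '
          f'job="{ev["job"]}" src="{ev["ip"]}"]')
    return f'<{pri}>1 {ev["ts"]} {hostname} qaudjrn - {ev["type"]} {sd} {desc}'

def cef_escape(value):
    """Escape a CEF extension value: backslash and '=' are the reserved characters there."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=")

def to_cef(ev, hostname="IBMI01"):
    """Render one event as a CEF line:
    CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension
    Vendor/Product strings are placeholders.  CEF severity runs 0-10."""
    desc, sev = TYPE_INFO.get(ev["type"], ("unknown audit entry", 6))
    cef_sev = {4: 6, 5: 3}.get(sev, 1)
    ext = " ".join([
        f"rt={cef_escape(ev['ts'])}", f"dhost={cef_escape(hostname)}",
        f"suser={cef_escape(ev['user'])}", f"src={cef_escape(ev['ip'])}",
        f"cs1Label=job cs1={cef_escape(ev['job'])}",
    ])
    return f"CEF:0|ExampleVendor|IBMiAudit|1.0|{ev['type']}|{desc}|{cef_sev}|{ext}"

def flag_invalid_signons(events, threshold=3, window_seconds=300):
    """Return {user: max count} for users with at least `threshold` PW entries
    inside any `window_seconds` span: the 'several invalid username and
    password events' a SIEM should raise as an alert."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["type"] == "PW":
            by_user[ev["user"]].append(datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(to_syslog(ev))
        print(to_cef(ev))
    print("alert:", flag_invalid_signons(SAMPLE_EVENTS))
```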


Data Privacy Day 2012 - Keeping Your Personal Information Safe


Data Privacy Day (January 28, annually) is an annual international celebration designed to encourage awareness about privacy and education on best privacy practices.  Sponsored by companies such as Intel, eBay, and Google, the day is designed to promote awareness on the many ways personal information is collected, stored, used, and shared, as well as education about privacy practices that will enable individuals to protect their personal information.

As a data privacy company, this day is almost like our birthday – a day for the IT world to focus on our slice of the pie (can we celebrate Data Privacy Day with pie too?).  It also is a time to reflect on some of the data breaches that made news headlines in the previous year – “is my organization making some of the same mistakes?”

In honor of Data Privacy Day, StaySafeOnline.org has published a document titled “Stop. Think. Connect” that gives tips and advice on keeping your personal information safe.  Here is some of their advice:

Protect Your Personal Information

  • Secure your accounts: Ask for protection beyond passwords.  Many account providers now offer additional ways for you verify who you are before you conduct business on that site.
  • Make passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password.

Connect with Care

  • Get savvy about Wi-Fi hotspots: Limit the type of business you conduct and adjust the security settings on your device to limit who can access your machine.
  • Protect your $$: When banking and shopping, check to be sure the site is security enabled.  Look for web addresses with “https://” or “shttp://”, which means the site takes extra measures to help secure your information. “http://” is not secure.

Keep a Clean Machine

  • Keep security software current: Having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats.
  • Automate software updates: Many software programs will automatically connect and update to defend against known risks.  Turn on automatic updates if that’s an available option. 

By following these few tips your personal information/data will be more secure than ever.  We also urge you to think about to whom you give your personal information.  Do you think twice about whether it is being properly protected?

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person.  Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII are, and the first steps your company should take towards establishing a data privacy strategy.


Secure SSH sFTP Transfers with Alliance FTP Manager


During our monthly webinars we receive some great questions that we like to share with our blog readers.  Our most recent webinar titled “Secure Managed File Transfers on the IBM i” discussed meeting compliance regulations, as well as how to automatically transfer files to trading partners using sFTP or SSL FTP.  While on the topic of secure transfers, one attendee asked the following question that Patrick Townsend, Founder & CTO, was able to answer:

A public/private key pair is needed for SSH/sFTP Transfers.  Does the Alliance FTP Manager exchange keys with the destination server?

Yes, SSH, as a technology, implements a number of ways to secure and authenticate connections.  Public/Private Key or PKI implementation is a part of that.  Also, password authentication is an option within the SSH world too.  Looking back over the last few years, public/private key based encryption has predominately been the rule with SSH and sFTP Transfers.

Recently, there has been an interesting migration with a trend of moving to a password-based authentication for sFTP sessions, and I understand why.  Many large institutions have a big task of managing all of their Public/Private key pairs.  If you are transferring just one file outside of the company, like to a bank, then there is not really much of a problem.  But some of our customers use thousands of keys within their IT environment, which becomes very difficult to manage. 

Alliance FTP Manager supports Public/Private key based authentication as well as “password based” authentication. Usually, your trading partner is choosing the authentication for you, but we do support both models.  

There is another aspect to this question and that is the key exchange, which can be a bit of an administrative nightmare.  We have really tried to help our customers by automatically pulling in a remote SSH server’s public key into the proper files on the IBM i.  Additionally, we have developed utilities that make that a matter of selecting an option in a menu.  In some cases you still have to send a public key to your partner, but we have done a lot to help manage the PKI infrastructure exchange that needs to happen.  From an administrative perspective, you don’t want to be emailing keys around all over and we have done a lot to help make secure managed file transfers an easy process.

View our webinar “Secure Managed File Transfers on the IBM i” for more information on automatically transferring files to business partners while meeting compliance regulations.


Managed File Transfer on the IBM i – 4 Core Components


Meeting compliance regulations on your IBM i for securing data in motion doesn’t need to be difficult.  They all have the same overlying theme – encryption.  PCI DSS requires encryption when transferring files over the internet and WiFi networks.  HIPAA/HITECH says that encryption is the only Safe Harbor from a data breach.  While failing to comply with these regulations can financially impact your organization, the good news is that with just a few core encryption components, you can easily satisfy these requirements.

There are a handful of core components to look for when deciding on a managed file transfer solution for your organization.

  • SSL FTP with 128-bit encryption
  • sFTP with 128-bit encryption
  • PGP file encryption with 2048-bit keys
  • Audit trails

Our Alliance FTP Manager not only contains all of these components, but also enables users to automate their managed file transfers.  Alliance FTP Manager provides several automation functions to help you exchange files without human intervention.  Users can automatically transfer files using Secure Shell sFTP or secure SSL FTP to banks, insurance companies, benefits providers, payment networks, and any other internal or external server.  The transfers are encrypted to meet compliance regulations (such as PCI DSS, HIPAA/HITECH, and privacy notification laws).  Additionally, audit trails and system logs provide the permanent history needed for compliance regulations.

Finally, Pretty Good Privacy (PGP) is the de facto standard for file encryption before transmission to a trading partner.  Based on open standards and tested by time, PGP has won the trust of governments and private enterprises to protect their sensitive data.

Are you ready to get started?  Download a 30-day evaluation of Alliance FTP Manager, configure it, and send your first encrypted file transfer in about an hour. Sending and receiving encrypted data just doesn't get any easier.


Dreamforce to You: Protecting Sensitive Information

As the social revolution moves into the business world, protecting your data is more important than ever.  This was a key takeaway for attendees of the recent “Dreamforce to You” event in Seattle, WA, hosted by Salesforce.

Similar to, yet smaller in scale than, the Dreamforce conference held annually in San Francisco, this event brought together sales and marketing professionals who use Salesforce.com (a cloud-based Customer Relationship Manager) to see what is new with the CRM and how it can help you do your job better, as well as to network with peers.  Additionally, Peter Coffee, an IT visionary who acts as the VP and Head of Platform Research at Salesforce.com, delivered an inspirational keynote titled “Toward the Social Enterprise: Trust; Vision; Revolution”.

The focus of both Dreamforce and “Dreamforce to You” is that, by and large, business is embracing the social revolution.  Whether you are Bank of America helping your customers find the nearest ATM or are collaborating with co-workers internally using social tools, businesses are migrating to the social world.  During the keynote, Peter Coffee presented a slide titled “Social is a model, not an app.”  By being social, businesses are able to work more efficiently and reach more customers in ways that were never thought possible.  “Salesforce is not just using social tools but instead is driven and formed by the social network.”

As Peter Coffee continued to discuss cloud computing, the future of IT platforms, and how businesses are “going social”, he conveyed a key concept – companies need to protect their sensitive information.  

We couldn’t agree more.  As a security company, this is something we have been saying since the beginning.  We have offered NIST-certified AES encryption for all the major enterprise platforms for over ten years, been securing managed file transfers with PGP encryption, and recently stepped up our game with a FIPS 140-2 certified encryption key management HSM.  Simply put, we are helping organizations protect their sensitive information and meet compliance regulations with certified encryption solutions.

Occasionally we hear “I don’t need encryption, nothing can get inside my network.”  The truth is, no matter how many of the latest and greatest network security devices you implement, there is still nothing as fail-safe as properly encrypting your data.  As keynote speaker Peter Coffee would say about investing in the wrong technology, “doing it better is still doing the wrong thing.”

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person.  Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII are, and the first steps your company should take towards establishing a data privacy strategy.


What is the difference between AES and PGP Encryption?


I recently had a conversation with one of our customers about the automatic encryption webinar they attended.  The webinar demonstrated how companies can implement AES encryption on their AS/400 without making application changes. This customer currently has our managed file transfer solution, FTP Manager with PGP encryption, and was confused as to why they would need AES encryption if they were using PGP.  I explained that PGP encryption protects data in motion - when it is transferred outside his company.  If he was storing data on his AS/400, he would need AES encryption to protect his data at rest.

AES Encryption
AES encryption is the standard when it comes to encrypting data in a database.  Advanced Encryption Standard (AES) has been adopted as a standard by the US government and many state and local agencies. AES is the recommended encryption method for PCI, HIPAA/HITECH, GLBA and individual state privacy regulations.  AES encryption uses an encryption key to encrypt the data. Typically, this key is stored on the AS/400 and used when the data needs to be decrypted.  To sidetrack here a little, this is not a good idea.  Leaving your encrypted data and keys in the same place is like leaving the key to your house under your door mat.  If you want to learn more about why this is a bad idea, take a look at this blog article on the topic.

PGP Encryption
PGP encryption is the standard when it comes to encrypting files that need to be transferred.  Pretty Good Privacy (PGP) is the standard for encrypted file exchange among the world’s largest financial, medical, industrial, and services companies.  Also know that when encrypting a file with PGP, you may be using AES encryption.

AES encryption and PGP encryption solutions work together to ensure that all your sensitive data is secure.  AES will protect data at rest within your organization and PGP encryption keeps it secure when it is sent outside your company.

I hope this has been helpful in better understanding the differences and similarities of PGP encryption and AES encryption.  If you have any questions you can always email me at kristie.edwards@townsendsecurity.com or learn more about AES and PGP encryption.  Additionally, you can view the webinar "Automatic Encryption on the IBM i" that spurred this conversation.

IBM i Encryption: Buy Solution or Use Built-In Libraries?


I’ve been writing about encryption performance lately because our customers and potential customers have been asking about the impact of encryption on the overall performance of their systems.  It’s good that they are asking these questions, as a poorly performing encryption library can have a severe impact on your application environment. This is especially true on an IBM Enterprise platform like the IBM i (formerly known as AS/400 and iSeries) where customers often run multiple applications.

While it is common in the Microsoft, UNIX, and Linux worlds to segment different applications onto different physical servers, it is common in the IBM i world to run many applications on the same server. You typically find CRM, ERP, web, and many other applications happily co-existing on one IBM i server. But this means that a poorly performing encryption library will have a ripple impact on all of these applications, and not just one.

IBM provides a no-charge, AES software encryption library on the IBM i platform that developers can use to encrypt data. It implements all of the standard AES key sizes (128, 192, and 256) along with a variety of other encryption algorithms, both open and proprietary.  I don’t believe the software library has been independently certified to the NIST standards, but I believe that it properly implements the AES encryption algorithm.

But how does it perform?

We did a simple little comparison test of encrypting 1 million credit card numbers on an entry level IBM i model 515 server with a single processor. We compared the native IBM AES library with our own AES encryption library which is NIST certified and optimized for encryption.  The difference is very large. Our IBM i encryption library clocked in at 116 times faster than the native IBM i library. Note that this is an informal test and not independently verified, but practical experience by our customers is very similar.

What does this mean in terms of application performance when you add encryption to the mix? The math is pretty simple. An encryption task that takes 10 minutes with our library will take several hours with the IBM library. That’s painful. And all of the other applications that share this system will also feel the pain.

The problem is not limited to just an occasional developer at an individual customer site. Some vendors of IBM i software use the IBM encryption libraries, too. So you can be inadvertently using the poorly performing libraries without knowing it.

Often I see IBM i customers trying to fix an encryption performance problem by adding additional processors to their servers. This can be expensive, and usually involves software license upgrade fees. It also may not have the impact that you might think. Due to the way that encryption works, adding a second processor usually will not double your encryption throughput. Another bit of disappointment and extra cost.

It is usually not hard to fix an encryption performance problem if you catch it early. If you’ve taken a modular approach to the implementation, you can usually swap out one module for another without too much difficulty. You just don’t want to be doing that for hundreds of applications.

For more information on AES encryption, download our white paper "AES Encryption and Related Concepts" and learn about how proper encryption and key management work together to secure your data.

Patrick


Giving Back: YWCA’s “The Other Bank”


Recently, Townsend Security hosted a donation drive for the YWCA’s “The Other Bank”.  The Other Bank provides items to low income families in Thurston County, where Townsend Security is headquartered.  They collect a variety of things to help families in need - for example, diapers, toilet paper, dish soap, deodorant, etc.  From The Other Bank’s website:

THE OTHER BANK offers assistance to over 100 families each week, representing 350-450 individuals; one-third of whom are younger than thirteen and half of those are under the age of 5. We also provide supplies to clients who are disabled, elderly, or otherwise housebound, averaging approximately 10-20 individuals monthly with the aid of their caregivers or chore workers. The average income for a family of four who use THE OTHER BANK is $650 a month. Family circumstances vary; there are families who are homeless, receiving unemployment benefits, and others who are working minimum wage jobs. All are struggling to make ends meet and would have to go without the items we distribute if we did not have them available.

At Townsend Security we wanted to give back to our community during this holiday season and when I learned about this organization, I knew that everyone in the office would want to help.  I asked The Other Bank what was most needed and decided that the best way to help was to conduct a hygiene drive.  Our team rose to the occasion and helped to donate nearly $600.00 worth of hygiene products.  This is our first annual donation drive and we are hoping to do more next year.

Without organizations like The Other Bank, there are a lot of people that would go without.  In an earlier blog post this year, I mentioned how great it is to work at a company where the community is so important.  It is great to work at a company that not only says they want to make their community better - they actually do it and encourage all of its employees to do the same.  Working at Townsend Security has inspired me to be a volunteer at the YWCA and I have put in over 20 hours these past few weeks.

How have you paid it forward this year?  Please share your stories to help inspire new ideas.

We invite you to take a look at all of our community sponsorships that we are a part of.  You can also follow us on Facebook, Twitter, and LinkedIn to see what we are up to next.


Data Privacy - We Are All In This Together


I recently attended a webinar for accountants on the importance of IT security.  The webinar discussed findings from the newly released 2012 Global State of Information Security Survey®, a worldwide study conducted by Pricewaterhouse Coopers, CIO Magazine and CSO Magazine.  They used the information from the survey to make two important points:

  1. IT security isn’t just the responsibility of the compliance officer and IT department; everyone in the organization is responsible for keeping corporate assets secure - all of us, even those in accounting, customer service and sales, play an important role in data privacy.
  2. IT security is not just a project with a due date for completion; it is something all of us must remain diligent about.

Some of us have access to sensitive customer information or account numbers, while others may be collecting credit card information to process payments.  Sure, our IT department implements safety policies, installs security software and sets access rules and passwords to give us access to data we need to see.  But do we stop and think about what information is on our laptop before we take our laptops home or what files might be on that USB drive?  We need to think about the information that we email or send outside the company and think twice about the way we send it, especially if we think the information could cause damage if it landed in the wrong hands.

The companies used for the survey all felt they implemented strong controls around access to their data, but nearly all of them had some sort of budget allocated for additional resources because they know they need to do it better.  Interestingly, the confidence level these companies felt about their security strategy had declined over the years due to the increase in use of mobile devices and social media, which have introduced new risks and challenges for companies.  In 2009, 73% of the companies surveyed felt they had a good security strategy in place, however, in 2011 that fell to only 53% feeling confident about what they are doing.

It was very apparent to me after viewing this webinar that the adoption of mobile devices by employees and the acceptance of social media has made IT security everyone’s responsibility.  Key take-aways for me from this webinar – we all need to be thinking about how we keep information that our company entrusts with us secure.  We need to follow company policies and procedures and be diligent. We are all in this together.

For more information on data privacy, we have put together a podcast titled "Data Privacy for the Non-Technical Person."  Let us know what you think.
