Transcript Document

Extending iSeries Security: A Presentation

System i Security Products

Agenda

> Security Issues regarding System i
> Who is PowerTech?
> Customer Requirements
> System i Security Vulnerabilities
> PowerTech Solutions Overview

© 2006 PowerTech Group, Inc. All rights reserved.

www.mik3.gr

The PowerTech Group Definitive iSeries Security

> World-leading company for System i security
> PowerLock AuthorityBroker ships with iSeries OS.
> Acquired leading iSeries SSO technology in 2005
> Winner of prestigious Industry Driver APEX Award from iSeries News in 2004
> Over 1,000 Enterprise and Small Business customers
> More than 3,000 licenses installed
> Advanced Level IBM Partner

Where to Begin

[Diagram labels: Demonstrate Compliance; Real time Monitoring; Audit for Compliance; Access Control; Power Users; Data Access; PW/User Mgmt; Be Compliant; Security; Change Config Mgmt; System Settings; Source Control; Business Continuity; High Avail; Data Recov; Data Privacy; Data Xfer; Data base]

IT Controls Being Raised

> Legislators are doing their best to raise security from a technology issue to a business concern
> Auditors are defining what security is for companies
> Companies are documenting in-scope processes and procedures
> All are looking to CobIT and ISO 17799 for guidance
> Risks inherent in IT Control are being identified and addressed

iSeries Environment

Can users perform functions/activities that are in conflict with their job responsibilities?

Can users modify/corrupt iSeries data?

Can users circumvent controls to initiate/record unauthorized transactions?

Can users engage in fraud and cover their tracks?

iSeries Security Study

> 87% of libraries were accessible by *PUBLIC (any user on the system) – Auditors recommend 0%
> 80% of access points on iSeries were not monitored or controlled, leaving the possibility for un-audited access to critical data – A violation of CoBIT recommended standards and a threat to data integrity.
> 78% of systems had more than 40 user profiles with default passwords (password = user name) – A red flag for auditors and a violation of CoBIT recommended standards.
> 84% of systems had more than 10 users with *ALLOBJ (all powerful users) – A red flag for auditors, and a threat to data integrity and accountability.

Data Access: Public Authority to Libraries

[Pie chart]
*CHANGE: 53%
*USE: 25%
*ALL: 9%
*EXCLUDE: 8%
*AUTL: 5%

Source: iSeries Security Study 2005, The PowerTech Group

iSeries Security Gap

In the old days you could rely on menu security. But once PCs came along and the iSeries was opened up to ODBC, FTP and remote command, the iSeries became vulnerable.

[Diagram labels: Employees (Menu Access Only); Remote Employees; Customers]

Ramifications

> No visibility to network activity
> No control of network activity
> No security monitoring

IBM Recognizes the Problem

> “ODBC introduced a plethora of desktop applications that offer easy access to data on the as/400 via a few mouse clicks.”
> “COMMON BACKDOORS - Several servers offer methods to submit AS/400 commands via the client. Restricting command line usage does not block this.”

From IBM technote: “Security Issues with Client Access ODBC Driver” http://www-1.ibm.com/support/docview.wss?uid=nas1936b3cdad3645bd98625667a00709a29

Customer Data

Can users perform functions/activities that are in conflict with their job responsibilities?

Can users modify/corrupt application data?

Can users circumvent controls to initiate/record unauthorized transactions?

Can users engage in fraud and cover their tracks?

Data Access

Public Authority

Can users perform functions/activities that are in conflict with their job responsibilities? Yes

[Chart: public authority (*AUTL, *EXCLUDE, *USE, *CHANGE, *ALL) for Industry Average, Best Practice, System 1 and System 2; vertical axis 0% to 120%]

Data Access

Special Authorities - *ALLOBJ

Can users modify/corrupt iSeries data? Yes

Can users circumvent controls to initiate/record unauthorized transactions? Yes

[Chart: Special Authorities - *ALLOBJ for Industry Average, Best Practice, System 1 and System 2; vertical axis 0 to 35]

Data Access

Network Access

Can users engage in fraud and cover their tracks? Yes

[Chart: Network Access for Industry Average, Best Practice, System 1 and System 2; vertical axis 0% to 100%]

Product Overview

[Diagram labels: Users (Separation of Duties); NetworkSecurity; Access Control SSO; Compliance Monitor; FlashAudit on iSeries Security Data; Back Up Encryption Auditing; ISS - Robot; Real Time Monitoring]

> Compliance Monitor

PowerLock ComplianceMonitor

Case Study

> Large multinational retail company dealing with SOX compliance issues
> Problem:
  - No staff available to develop new custom reports
  - IT security group is not familiar with iSeries
  - Overwhelmed with burden of tracking more than 10 systems
> Answer: PowerLock ComplianceMonitor
  - IT staff save development time
  - Expert guidance built in to product
  - Consolidated reports

Requirements

> Be compliant with regulations
  - SOX, HIPAA, PCI, Privacy laws
> Demonstrate compliance through regular reporting
  - Automatic scheduling
  - Focus on exceptions to policy
  - Historical comparisons of audit results
  - Process to report on
    - User profile/account data
    - System Values
    - Authority to objects
    - Network access control

Systems arranged in user defined groups to match the business environment

A system (or endpoint as it is called in the product) can belong to more than one group. This allows you to selectively audit and report on sets of systems.

The System Value scorecard highlights exceptions to policy with a red down triangle.

A green up arrow shows settings that match policy. Policy is stored in an XML file. We can update this to match specific company policy.

Consolidated report across three systems – The system value view shows them next to each other for comparison purposes.

PLCM can collect all system values. In this report, we are looking specifically at the security system values.

Effective special authority – it’s not just the authority of the user profile, but we also check to see if the user has inherited special authorities from their membership in a group profile.

> Network Security

Features

> Customizable reporting
  - PowerTech recommended reports
  - GUI to create custom SQL queries (filters)
  - Flexible Interface and grid view
> Expert guidance
  - Scorecards rate compliance against security policy
  - Exceptions are highlighted
  - Compliance guide
> Consolidation across multiple systems
  - Drastically cut the number of reports

PowerLock NetworkSecurity Technology

> IBM recognizes the security problems with network access to iSeries assets, and has added and continues to add network access exit points.
> NetworkSecurity implements exit point programs that monitor and control iSeries access through the network interfaces
> Exit point programs intercept and can record inbound requests.
> Access requests can be controlled by:
  - User Profile, Group Profile, Supplementary Group profile, *PUBLIC
  - Device Name, IP address, PowerLock IP address groups or generic names
  - Server and Function type
    - Remote command, FTP download, FTP upload, etc.
  - Can be configured to emulate an increase or decrease in object authorities

PowerLock NetworkSecurity Technology

What is an exit point anyway?

A point in a process where control can be passed to a user-supplied program. The user-supplied program can usually perform processing that overrides or complements the processing done by the main process.

[Diagram: Main program (IBM’s FTP Server) and user-supplied exit program]

1. Main program: Access Request
2. Main program: Call to Exit program
3. User-supplied exit program: Analyze request & return data
4. Main program: Continue Processing...
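The exit-point flow above, together with the access-request criteria listed on the earlier NetworkSecurity slide, as an added Python model (not PowerTech's code and not an OS/400 API). The rule fields, the lookup order user, then groups, then *PUBLIC, the CIDR form of an address group and the sample profiles are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    who: str       # user profile, group profile, or "*PUBLIC"
    network: str   # address group, written here as a CIDR block (assumption)
    server: str    # e.g. "FTP"
    function: str  # e.g. "UPLOAD", or "*ALL"
    allow: bool


@dataclass(frozen=True)
class Request:
    user: str
    ip: str
    server: str
    function: str


class ExitProgram:
    """User-supplied program: analyzes one request and returns allow/reject."""

    def __init__(self, rules, groups, default_allow=False):
        self.rules, self.groups, self.default_allow = rules, groups, default_allow
        self.log = []  # every request is recorded, allowed or not

    def _matches(self, rule, who, req):
        return (rule.who == who and rule.server == req.server
                and rule.function in (req.function, "*ALL")
                and ipaddress.ip_address(req.ip) in ipaddress.ip_network(rule.network))

    def __call__(self, req):
        # Most specific identity first: the user, then its groups, then *PUBLIC.
        for who in (req.user, *self.groups.get(req.user, ()), "*PUBLIC"):
            for rule in self.rules:
                if self._matches(rule, who, req):
                    self.log.append((req, who, rule.allow))
                    return rule.allow
        # No rule matched: fall back to the default (reject unless configured otherwise).
        self.log.append((req, None, self.default_allow))
        return self.default_allow


def ftp_server(req, exit_program=None):
    """Main program: calls the exit program, if one is registered, then continues."""
    if exit_program is not None and not exit_program(req):
        return "550 request rejected"
    # Object-level authority checks would still apply past this point.
    return f"250 {req.function} ok"


# Constructed sample configuration.
GROUPS = {"PGMR1": ("DEVGRP",)}
RULES = [
    Rule("BATCHFTP", "10.1.2.0/24", "FTP", "DOWNLOAD", True),
    Rule("DEVGRP", "10.1.0.0/16", "FTP", "*ALL", True),
    Rule("*PUBLIC", "0.0.0.0/0", "FTP", "*ALL", False),
]

if __name__ == "__main__":
    guard = ExitProgram(RULES, GROUPS)
    for r in (Request("PGMR1", "10.1.9.9", "FTP", "UPLOAD"),
              Request("BATCHFTP", "10.1.2.7", "FTP", "UPLOAD"),
              Request("PGMR1", "192.168.5.5", "FTP", "UPLOAD")):
        print(r.user, r.ip, r.function, "->", ftp_server(r, guard))
    # With no exit program registered the same requests pass unrecorded.
    print(ftp_server(Request("BATCHFTP", "10.1.2.7", "FTP", "UPLOAD")))
```

With no exit program registered, `ftp_server` neither rejects nor records anything, which is the unmonitored access point the study figures describe.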

PowerLock NetworkSecurity Technology

> PowerLock NetworkSecurity provides exit point programs that allow iSeries customers to monitor and take control of their network interfaces (FTP, ODBC, Telnet, DDM, Client Access, etc.)

Network Exit Points

> 4 major categories of network exit points
  - Original PCS Servers (PCSACC)
  - DDM & DRDA Servers (DDMACC)
  - Optimized Client Access Servers (WRKREGINF)
  - TCP/IP Servers (WRKREGINF)
> More than 30 network servers
> More than 250 combinations of servers & functions that regulate network access

Network Servers that can be monitored and controlled

> Original Servers
  - Virtual Print Server
  - Data Queue
  - Shared Folders
  - File Transfer Function
  - Message Function
  - Remote SQL
  - License Management
> DDM (Including DRDA) Server
> Optimized Servers
  - File Server
  - Database Server
  - Network Print Server
  - Central Server
  - Signon Server
  - Data Queue Server
  - Remote Command Server
> TCP/IP Servers
  - FTP
  - TELNET
  - WSG (V5R1)
  - etc...

iSeries Network Access with PowerLock NetworkSecurity

[Diagram: PowerLock in front of the FTP Server, DDM Server and DRDA Server]

PowerLock NetworkSecurity is the software that controls and monitors access to the iSeries through the network interfaces

Reporting current exposures

> To help you get a current view of your network access exposures, NetworkSecurity includes comprehensive reporting capabilities. NetworkSecurity includes several reports that may be run at any time. The Reporting Menu is accessed using option 4 from the NetworkSecurity Main Menu.

> If you want information on all network access attempts, you can run the NetworkSecurity reports for All users at All locations. While this will create a lengthy report, it will provide all the detail you need to determine who is connecting to your system, and what functions are being performed.

> Right after activation there will be few if any entries on the reports. NetworkSecurity activation begins to record access attempts. Some applications like JDE OneWorld and FastFax can generate lots of entries very quickly.

NetworkSecurity Work with Servers

> Authority Broker

Sarbanes-Oxley Implications

> COBIT DS5.3 – Security of Online Access to Data

“… IT management should implement procedures in line with the security policy that provides access security control based on the individual’s demonstrated need to view, add, change, or delete data.”

Reactive security

[Diagram labels: Employees; Customers]

Many companies use reactive security, trying to respond to breaches as they occur. The problem with trying to find all the different ways people can get to your data is that you will never find all the different approaches. Instead, PowerTech takes an exclude based security approach.

Exclude Based Security

[Diagram labels: Employees; Customers]

PowerTech allows you to determine what type of activity you want to allow first. Then you lock everything else out and set up alerts so you know if someone is trying to do something you don’t allow. You can decide at that point whether you want to allow them to do it or not.

Case Study: The Solution

> Remove special authorities from the programmer on the production system
> Implement PowerLock AuthorityBroker
  - Programmer “switches” into powerful profile when needed
  - All actions are audited to a secure journal
  - Management gets alerts (to cellphone!)
  - Management reviews and signs off on regular reports
> Compliance - Auditors are happy!

Customer Requirements

> Log and record activity of powerful users
> Flexible Reporting options
  - 3 levels of detail
  - Filter out unnecessary information
  - Print, Database, .csv
> Time specific controls
  - Limit duration of profile switch
  - Specific Day, Date, and Time restrictions
  - Delegate “Firecall” to Helpdesk personnel

Product Demo

> Security Audit

PowerLock SecurityAudit

> Assesses your iSeries and AS/400 systems
  - Complete history
  - Instant view of changes
> Used by internal auditors
  - No Special Authorities (like *ALLOBJ) required for auditors
> 200+ reports available
  - Network transactions
  - Object level assessments
  - User profiles and system values
  - Continuous auditing of events, objects, users and system values
> Comprehensive reporting and analysis

System Requirements

> V5R1 of OS/400 or later
> 100 MB of disk space
> *ALLOBJ special authority for installation
> Users without *ALLOBJ should be added to the SECAUDADM authorization list to allow them to run reports

Value Proposition

> SOX related usage opportunities
  - Security Audit generates reports that can be used to test the effectiveness of AS/400 related logical access IT General Controls.
> Improves efficiency of audits
> Improves quality and consistency of audits

OS/400 Report

SecurityAudit Report

PowerLock SecurityAudit Demonstration

Powerful Users

> Special Authorities = Power!
  - Special authorities trump OS/400 object level authorities.
> A user with …
  - *ALLOBJ: CAN READ, CHANGE, OR DELETE ANY OBJECT ON THE SYSTEM.
  - *SPLCTL: CAN READ, CHANGE, PRINT, OR DELETE ANY SPOOL FILE ON THE SYSTEM.
  - *JOBCTL: CAN VIEW, CHANGE, OR STOP ANY JOB ON THE SYSTEM (INCLUDES ENDSBS AND PWRDWNSYS)
  - *SAVSYS: CAN READ OR DELETE ANY OBJECT ON THE SYSTEM.

Powerful Users

User Profiles

> Users with Command Line Access
  - Limit Capability of *NO or *PARTIAL
> Default Passwords
  - Username = Password
> Inactive (Dormant) accounts
  - Any profile that has not been used in the last 90 days
> IBM Profiles
> Group Profiles
  - Password of *NONE – should not be used for sign-on
> Public Authority
  - Public should be set to *EXCLUDE
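An added Python example (not PowerTech's code and not part of the original deck) that applies the user profile checks above and the "effective special authority" idea from the ComplianceMonitor section: a user's special authorities are taken as the union of their own and those of their group profiles. The record fields and sample profiles are constructed for illustration and are not an OS/400 interface.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

POWERFUL = ("*ALLOBJ", "*SPLCTL", "*JOBCTL", "*SAVSYS")  # the four named in the deck


@dataclass(frozen=True)
class Profile:
    name: str
    special: frozenset = frozenset()    # special authorities held directly
    groups: tuple = ()                  # group profile, then supplemental groups
    limit_capabilities: str = "*YES"    # *NO, *PARTIAL or *YES
    default_password: bool = False      # password equals the user name
    password_none: bool = False         # password of *NONE, cannot sign on
    last_used: Optional[date] = None


def effective_special(profiles, name):
    """Map each special authority the user can exercise to the profiles granting it."""
    user = profiles[name]
    sources = {}
    for holder in (user.name, *user.groups):
        for auth in profiles[holder].special:
            sources.setdefault(auth, []).append(holder)
    return sources


def audit(profiles, today, dormant_days=90):
    """Return {profile name: [findings]} for profiles with at least one finding."""
    group_names = {g for p in profiles.values() for g in p.groups}
    findings = {}
    for name, p in profiles.items():
        issues = []
        for auth, holders in sorted(effective_special(profiles, name).items()):
            if auth in POWERFUL:
                origin = "direct" if name in holders else "via " + ",".join(holders)
                issues.append(f"{auth} {origin}")
        if p.limit_capabilities in ("*NO", "*PARTIAL"):
            issues.append("command line access")
        if p.default_password:
            issues.append("default password")
        if name in group_names:
            # A group profile is never signed on to, so it is not checked for dormancy.
            if not p.password_none:
                issues.append("group profile can sign on")
        elif p.last_used is None or today - p.last_used > timedelta(days=dormant_days):
            issues.append("dormant")
        if issues:
            findings[name] = issues
    return findings


# Constructed sample profiles.
TODAY = date(2006, 6, 1)
SAMPLE = {p.name: p for p in [
    Profile("DEVGRP", special=frozenset({"*ALLOBJ", "*JOBCTL"})),
    Profile("PGMR1", groups=("DEVGRP",), limit_capabilities="*NO",
            last_used=date(2006, 5, 30)),
    Profile("CLERK1", last_used=date(2006, 5, 31)),
    Profile("OLDUSER", special=frozenset({"*SPLCTL"}), default_password=True,
            last_used=date(2005, 12, 1)),
]}

if __name__ == "__main__":
    for name, issues in audit(SAMPLE, TODAY).items():
        print(f"{name}: {'; '.join(issues)}")
```

PGMR1 holds no special authority of its own, so a report that looks only at the user profile would miss its *ALLOBJ.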

Sample Reports

Special Authorities

User Access – System Users

Public Authority to Data

> To mitigate the risk of unauthorized program changes and database alterations, the public authority for each significant production database and production source code file must be set to *EXCLUDE with access allowed through appropriate individual settings.
> In addition, any programmer access to production libraries should be restricted.

Adopted Authority

Library Authorities

Security Audit Journal

> Security sensitive operations, e.g. changing system values
> Failed sign-on attempts
> Unauthorized access to files
> Object move and rename operations
> Restore actions to security sensitive objects

> Single Sign On (SSO)

Agenda

A. The Problems with Passwords
B. What is Single Signon?
C. Who Benefits from Single Signon?
D. How does it work?
E. Five Steps to Single Signon
F. PowerLock EasyPass

The Problems with Passwords

> Passwords have been around since the dawn of computers.
  - And they are starting to show their age
> What are the key features of a Password?
  - A password is a secret associated with a user id.
  - Passwords should work only on the hosting system.
  - For each unique user ID on each system, there is a single, correct key

The Problems with Passwords

> Each computer system the user logs on to (theoretically) has a different password
  - How many unique passwords do you really have?
> Users must remember their passwords.
  - But we don’t want users to write them down.
  - Users shouldn’t use easy to guess passwords.
> Your users log on to many, many systems
  - Internal systems, home, websites etc.
  - A user could have passwords for a hundred different systems
  - Some external servers are not secure and not to be trusted.

The Problems with Passwords

> Each password on each of your servers represents a potential security exposure.
  - The more passwords you have, the more exposures you have.
> The chief protection for passwords is your end users.
  - Humans are almost always the weakest link in the security chain.
> Reducing the number of passwords a user is responsible for reduces your organization’s security exposure.
  - Users can’t compromise a password they don’t know.

What is Single Signon?

> Single Signon is a technology that requires a user to only authenticate one time per session – regardless of the number of systems connected to.
  - The first server authenticates the user, then vouches for that user’s authenticity to other systems.
  - The user is then able to seamlessly connect to all of the other trusted systems in that domain.
  - A single authentication can be good for a number of hours – a number that you can set.

What is Single Signon?

> Single Signon requires that the user only have one password.
  - This password would be for the first server they connect to each morning.
> With only one password to remember, users require less help desk assistance
  - It’s also easier and faster to reset passwords on a single system.
> Single Signon simplifies disabling a user.
  - Again, there is just one entry to maintain.

What isn’t Single Signon?

> Single Signon isn’t password synchronization
  - It doesn’t require that passwords be shared among multiple systems
  - It does not require a user to log on separately to each server.
  - It doesn’t send passwords around the network in clear text.
> Single Signon is not password replay.
  - It doesn’t capture passwords on an appliance and replay them for each server.
  - It doesn’t store passwords in multiple places
  - It doesn’t send passwords around the network in clear text.

Who benefits from Single Signon?

> Users
  - Have fewer passwords to remember
  - Spend less time authenticating on your network
  - Have far, far fewer password reset requests
> Help Desk
  - Far, far fewer password reset requests
> System Administrators
  - More secure systems
  - More secure passwords
  - Fewer invalid signon attempts
> Programmers
  - More robust applications
  - Pull data from several sources, without authentication hassles
> Management
  - More secure systems
  - Less cost!

How Does it work?

> Single Signon uses industry standard technologies from several leading sources.
  - Kerberos Authentication – developed at M.I.T. in the 1980’s and funded by a grant from DEC and IBM
  - Active Directory – Introduced by Microsoft with Windows 2000 for secure network authentication
  - Enterprise Identity Mapping (EIM) servers – Introduced by IBM in 2001(?) to provide User Identity Mapping across dissimilar
> Backed by computer industry powerhouses, Single Signon is the new authentication standard.
  - Kerberos, Active Directory, and EIM combine to make stronger, simpler, and more secure user authentication.

How Do I get started?

> If you use these OS’s, you already have the ingredients to get started:
  - OS/400 V5R2 or higher
  - Windows server 2000 or higher
> Unlike other technologies, Single Signon deployment can be incremental
  - No need to change the whole organization - start with a small group
  - Start with yourself and experience the benefits first hand
> With experienced assistance, you can truly go to “Single Signon in a single day”
  - Some assembly required.

PowerLock EasyPass

> Single Signon implementations are better, faster, and more reliable when you use automated tools.
> PowerLock EasyPass simplifies the steps of setting up, associating, and maintaining user ID’s and User associations.
> User associations can be maintained across multiple systems, and multiple OS’s.
  - OS/400 V5R2 or higher
  - Windows server 2000 or higher
  - Lotus Domino
  - Websphere
  - AIX
  - and more…

Measuring SSO ROI

[Chart labels: Productivity Gain; Cost]

> Productivity Gain
> Cost?
> Cost Components: Management, Implementation, Acquisition

Synchronization SSO Approach: User ID/Password Synchronization

• No end user productivity gains (not really SSO)
• Must deploy and configure synchronization service
• Passwords must still be changed and audited
• Must troubleshoot synchronization issues
• User IDs and Passwords are limited by platform

[Diagram: five systems, each with UID: JACKM, PWD: TEXAS]

Centralization SSO Approach: User ID/Password Centralization

• End user productivity gains
• “Capture & Replay” function must be deployed on all PCs
• “Capture & Replay” must be initially trained
• Passwords must still be changed and audited
• Must troubleshoot centralization issues

[Diagram: five systems, each with its own credentials, all of them also held in a Central Repository]

UID: jmcafee    PWD: LoneStar
UID: JACKM      PWD: HOUSTON
UID: JACK       PWD: LONGHORN
UID: RJMCAF     PWD: ALAMO
UID: rjmcafee   PWD: SpaceCenter

The Password Elimination Approach: Single Sign-On Components

> Kerberos for authentication
  - Uses strongly encrypted tickets and not passwords
  - Implemented on all major platforms
> Enterprise Identity Mapping (EIM) for authorization
  - Maps people to their user identities on various registries
  - Registry might be a platform, application, or middleware
> Applications enabled for Kerberos and EIM
  - IBM has enabled many popular services in V5R2 and i5/OS
  - NetManage has enabled RUMBA 7.4 & OnWeb Web-to-Host 5.2
  - Customers can also enable their applications (Services!)

The Password Elimination Approach: EIM and Kerberos

• End user productivity gains
• Easy to implement – no synchronization
• Easy to manage – no centralization

Password Elimination!

[Diagram: EIM Domain with a Source (jmcafee on KDC) and Targets (including JACKM on iSeries). Labels: Key Distribution Center (KDC); UID: jmcafee PWD: LoneStar; UID: JACKM PWD: HOUSTON; UID: JACK PWD: *NONE; UID: RJMCAF PWD: ALAMO; UID: rjmcafee PWD: SpaceCenter]

- Sign-On as jmcafee and get Kerberos TGT
- KDC sends a Kerberos ST to iSeries
- i1 authenticates the Kerberos ST
- EIM: Jack McAfee is authorized on iSeries as JACKM

Top 10 Password Elimination Benefits

1. No need to install and configure another new IT infrastructure layer;
2. Less IT infrastructure means incremental and faster deployment;
3. Less IT infrastructure means lower cost to deploy and maintain;
4. Existing IT infrastructure is already supported by companies like IBM, Microsoft, Novell, SuSE, Red Hat, and many others;
5. Existing IT infrastructure leverages EIM to document user account ownership, which is a powerful business tool;
6. Existing IT infrastructure leverages a combination of authentication technologies like Kerberos (Windows), Identity Tokens (WebSphere), Pluggable Authentication Modules (UNIX or Linux PAMs), and others, rather than passwords;
7. Password elimination results in fewer help desk password reset calls;
8. Password elimination includes distributed applications, which no longer require hard coded user ids and passwords to be sent across the network;
9. Password elimination results in fewer passwords to audit and change every 30, 60, 90 days per company policy;
10. Fewer passwords to audit helps exceed regulatory requirements (i.e. SOX, HIPAA, GLBA, ISO17799, etc.)

Extending iSeries Security: A Presentation

Thank You