Present Blog-IT thought leadership in Canada

Security on IBM i servers: a new approach to managing power users

Written by present | Feb 2, 2016 5:00:00 PM

With companies creating and using increasing volumes of data and with increasingly complex protocols, security and user rights management are at the heart of many decisions. Risk prevention at the server level has become essential, which has led to many industry regulations.

IT security regulations vary from one country, and from one industry, to another. Yet the overarching issue is the same: how do you ensure the integrity of an ever-increasing volume of data and enable companies to conduct their activities while conforming to the requirements of different regulatory organisations?

It is in this context that auditors inform businesses of the potential risks they face and recommend adjustments to avoid problems. Power users on servers, that is to say those with privileges and access rights to critical IT systems, have a key role in ensuring the business runs smoothly. However, this role also carries risks that enterprises are looking to mitigate.   

 

The importance of giving a precise framework to power users

 

1. A hacker is more often internal than external

Hackers captivate the public’s attention and the press in general. But this kind of intrusion, of the Anonymous kind, is very rare in the business world. The real business problem comes from fraud and mistakes made in-house by users who have access rights to sensitive data or functions. Some examples that have made headlines in recent months are Ashley Madison and the Multi-State Lottery Association.

The 2014 PwC study ‘Information Security Breaches Survey’ showed that 58% of large companies have experienced security vulnerabilities caused by their staff. This study also revealed that 31% of the largest security breaches were caused by inadvertent human errors and 20% by intentional misuse of systems.

 

2. Significant consequences for a company

Whether the cause is fraud committed by a power user or, more commonly, human error, the consequences of sabotage, de-synchronisation or a database failure can be catastrophic. Significant financial losses are probable and, more importantly, the image and credibility of the company may suffer from a loss of customer confidence. These issues are driving more and more audit recommendations.

 

A solution: a temporary rights elevation process

 

Identifying and understanding the source of risk is rather simple, but determining and managing a user’s limits without harming productivity can be difficult. Today, this is simplified by the Elevated Authority Management process enabled by an application such as EAM from Cilasoft.

 

Priority 1: Efficiency and effectiveness

First of all, the temporary elevation process makes it possible to establish the essential rights for users on IBM i servers, that is to say the rights and privileges needed to perform the vast majority of tasks, so that their performance is not affected by the new procedure.

 

Priority 2: React quickly

Furthermore, the technology makes it possible to allocate a higher level of privilege on occasion, depending on the situation or problem, and at any time of day. Because the one-time permission process is automated through an emergency protocol, the user can obtain additional temporary rights at any time.

 

Priority 3: Transparency

This versatile protocol hinders neither user productivity nor the trust placed in users’ competencies. In fact, it helps protect users (and data) by limiting the opportunities for mishandling critical data. In addition, the system records a log of all actions taken. This solution allows the entire elevation process to be documented for better transparency of operations.

The report is then forwarded to managers, and most of the time to internal auditors, which facilitates the review of regulations and corporate security processes.

 

 

Choose security

In the past, IT security issues were often neglected by the upper echelons of management. The insistence of audits when it comes to power users is now reversing this trend and bringing about a new equilibrium.

Today, those responsible for security increasingly stand alongside company management. This new reality is reflected in a more collegial decision-making process for risk management. Companies are therefore more likely to put in place user control procedures such as the solution proposed by Cilasoft.

 

 

 

Photo credit: © piyaphat - Fotolia.com