Kisco User Auditing Tool Casts a Wider Net

October 5, 2010 Alex Woodie

“Trust, but verify.” Former president Ronald Regan was referring to the Soviet Union when he made that remark more than 20 years ago. But the idea applies just as well to the sometimes rocky relationship between employers and the people who are paid to run the business. For companies that rely on the IBM i server to manage data, a new DB2/400 auditing tool from Kisco Information Systems can go far trusting employees to do their jobs, while verifying that they aren’t sampling sensitive data on the side.

There is no way around the fact that, to some extent, companies simply have to trust their employees not to steal from them. That doesn’t mean that petty cash gets stored next to the coffee machine, or that every worker gets full access to the company database on their very first day. Leaving things so far out in the open would just be asking for trouble.

But the opposite of full and complete trust doesn’t work, either. It is possible to configure IBM i security in such a way that it’s completely locked down, and workers have practically no access to any sensitive data. Some access controls are obviously necessary, but an excessive amount can make a system too cumbersome to use for the 99 percent of employees who are honest and just want to do their jobs. It usually doesn’t make financial sense to hamstring a business system simply to prevent 1 percent from dipping their hands in the cookie jar.

A good security policy doesn’t necessarily eliminate all potential ways that a company can be victimized. Instead, a good security policy will identify all of the risk factors, at which point it’s up to the owners and managers to decide what to do about it. In some cases, they will decide that no risks can be taken, and the path is buttoned up. In other areas, compromises must be made for the sake of doing business.

This is where trust, but verify comes in. IBM i shops must trust employees with access to some customer records if they’re going to provide good service to those customers. But, there is always the possibility that employees can go rogue, and will use their access to business systems as part of a scheme to defraud organizations.

Rouge employees could be scrolling through customer records in search of old or inactive customer accounts, which they will hijack for their own means. Or maybe they’re looking for customers with heavy sales volume, with the idea that they’ll surreptitiously add a few items to an order. Whatever they’re up to, it’s bad. But a company is not powerless to stop it.

There are a host of good security tools for IBM i that would tell administrators that something’s amiss in these types of situations. One of these is Kisco’s iFileAudit.

Traditionally, iFileAudit has only been able to track certain activities in DB2/400, including additions, deletions, and changes to files, records, and fields. In addition to identifying these changes, the product tells the user about the user profile, the program, the location, or the job involved in the change made to the data, giving auditors a complete picture of activities surrounding IBM i data.

With iFileAudit Release 4, Kisco added the capability to detect reads of files, records, and fields. This is a powerful new feature that will be able to detect that rouge internal user who is browsing through company information without making changes.

Release 4 also brings a series of filters that tells the product which types of file read activities to look for, and which ones to ignore. Most file read activity is harmless, and tracking it all would be pointless and consume hardware resources unnecessarily. Filters can be based on user profile, job name, or type of job (batch or interactive). For performance reasons, only the record ID is captured by iFileAudit when doing read activity tracking, Kisco says.

Another handy new feature is the capability for authorized end users without security officer clearance to access iFileAudit to create and print reports. This eliminates the need to give visiting auditors QSECOFR user profiles to audit systems. Users accessing iFileAudit reports as guests are not allowed to modify the utility in any way.

iFileAudit Release 4 is available now. Pricing starts at $1,295 for a single LPAR, or $2,195 for an unlimited number of LPARs on a single server. For more information, see www.kisco.com.