SkyView Gets Tough on User Profiles

August 24, 2010 Alex Woodie

Hackers get all the glory, but statistics show a company is more likely to suffer a security-related loss at the hands of an employee. To that end, a new release of SkyView Partners‘ security and compliance product should make it easier for System i shops to establish and maintain a good internal security posture when it comes to their users and user profiles. Policy Minder version 1.5, which debuts next month, includes new features aimed at identifying user profiles that are unnecessarily lax.

Surveys repeatedly show that the average System i shop isn’t as serious about security as it should be. The latest survey from PowerTech (which competes with SkyView in the market for security and compliance tools for the IBM i operating system), was telling on a couple of points.

For starters, the survey found the average System i shop has 67 user profiles with *ALLOBJ authority. When one considers that security experts recommend an organization have no more than 10 user profiles with this powerful authority, one realizes the vast potential for abuse, let alone the probability of failing a PCI audit. The widespread use of default passwords in IBM i user profiles is another big problem, the survey shows.

SkyView’s Policy Minder can help in these situations. The software enables IBM i shops to periodically run their own compliance checks to make sure that security settings–like the state of individual and group user profiles–haven’t gotten out of whack since the last check. If a setting is found to be out of compliance, a Policy Minder report will alert an administrator to this problem. The software’s “fix it” function can also be used to automatically bring the setting back to a state that is compliant.

Policy Minder version 1.5, which SkyView announced last week, includes two new features to address the big role that user profiles play in regulatory compliance, and the challenges that IT administrators have in keeping them under control.

The first new user profile-related feature added to Policy Minder is the capability to have system information added to the CSV and outfile versions of the user profile template reports generated by the product. This will ensure that administrators and auditors have all the necessary information to judge compliance with the regulation.

Version 1.5 also gives users more flexibility in defining the user profile component of their compliance templates. SkyView says users now have the capability to define templates based on the nature of the password (such as whether it’s the default password); based on whether the user profile has limited access (as opposed to full *ALLOBJ authority); and based on the status of the user profile, among other choices.

One Policy Minder beta tester found this new feature to be very useful. “I have the new SkyView Policy Minder version 1.5 on our systems and I really like it,” says CDW’s Bill Shalck in a Sky View press release issued yesterday. “I appreciate the GUI interface as well as the ability to select/omit *GROUP and *STATUS on the user profile template.”

Version 1.5 includes two other new features. Users gain the capability to specify the security-relevant attributes of out queues when creating an object template. This release also brings the capability to have reports e-mailed automatically when certain commands are run, such as the Print Policy (PRTPOL) or Print Message Log (PRTMSGLOG commands.

Policy Manager is resonating with IBM i shops that desire to automate their compliance activities, according to John Vanderwall, SkyView chairman and chief operating officer. Vanderwall stressed that, while having a strong IBM i security policy in place is a good idea, it’s even more important to have a defined and repeatable method available to prove that one is complying with one’s own security policy.

“Whatever way you choose to secure your system and thereby establish a security policy, is there a way for you to document that policy, prove compliance with that policy, and demonstrate a procedure for checking adherence to that policy?” Vanderwall writes in an e-mail. “When it comes to compliance, it’s not about how you lock down things, it’s about developing a sound security policy and adhering to that policy.”

Policy Minder version 1.5 is in the final beta stage, and is slated for general availability September 13. Pricing for the software ranges from $3,450 to $10,950. For more information, see www.skyviewpartners.com.