IBM i Solutions

IBM i Access Control Solutions

IBM i access control requires strong password security, careful management of elevated authorities, and comprehensive analysis of all system access attempts to ensure regulatory compliance and protect your data.

Control System and Data Access

IBM i systems contain the data that drives your business, including financial transaction information, medical records, and other personally identifiable information for customers, partners and employees.

Much of this data is subject to regulations such as SOX, PCI DSS, HIPAA, and GDPR. As a result, any data breach can result in regulatory fines, lost revenue, remediation costs, legal fees, lost productivity, brand damage, and more.

To fully secure data and comply with regulations, you need overlapping layers of security that detect and respond to threats and address changing requirements.

In addition to monitoring system events and encrypting data to protect its privacy, you need tools that control access to your IBM i and its data.

Access control solutions allow you to address three critical areas:

  • Who can log on to your IBM i;
  • What they have the authority to do;
  • What commands they can run and what data they can access.

IBM i Access Control

As hacking techniques become more sophisticated, and the costs and consequences of data breaches continue to rise, simple password policies are no longer enough to protect IBM i systems. Multi-factor authentication (MFA) strengthens logon security by requiring users to provide another form of authentication beyond a password. Several compliance regulations require MFA today, and it's likely to become more widespread in the future.

Multi-factor authentication requires users to provide two (or more) forms of evidence to verify their identity. Those authentication factors can be something the user knows (e.g. a password or PIN), something they have (e.g. an authentication token or cell phone), or something they are (e.g. biometric data like a fingerprint or iris scan).

One-time passwords supplied by hardware tokens or software programs are commonly used as an authentication factor. One-time passwords can be delivered by a wide variety of authentication services. Your IBM i MFA solution should integrate with existing solutions that provide tokens for other platforms, such as RSA SecurID or other RADIUS-compatible authenticators like Duo and Microsoft Azure Authenticator. You can also choose an MFA solution that generates tokens on IBM i itself, with no software required on other platforms.

An effective IBM i multi-factor authentication solution should also offer the flexibility to be invoked in multiple ways based on context and user identity. For example, your MFA solution should allow you to configure the situations, users, or groups of users that require MFA. It should also be able to be invoked from the sign-on screen or integrated into other workflows.

Finally, IBM i MFA solutions must log any authentication failures, disable accounts after multiple failed attempts, and optionally alert administrators to potential security issues.

Learn how Assure Multi-Factor Authentication from Precisely can meet your IBM i MFA needs.

When too many user profiles on an IBM i system possess powerful permissions, it leaves the system and its data exposed to breaches and other forms of cybercrime. Regulations like SOX, HIPAA, the Federal and North American Information Practice Act, and GDPR require IT organizations to limit access to powerful privileges and to monitor those who hold them.

On IBM i systems, special authorities define user privileges. They authorize users to create/change/delete user profiles, change system configuration, change/restrict user access, and more. Special authorities like *ALLOBJ and *SECADM are notorious for causing damage because they provide full access to all data on the system.

Compliance auditors recommend giving users only the minimum set of authorities needed to perform their jobs. When special privileges are required, they should only be granted as needed and for a limited amount of time. And, while users are in possession of elevated authority, an audit log of their actions should be maintained.

Manually managing the process of granting authority, and revoking it once the required period has passed, is error-prone. As a result, user profiles are often left unmonitored with a high level of privilege. An effective authority management tool can automatically grant elevated authority when needed, maintain comprehensive logs of the actions taken by privileged users, and revoke authorities at the end of the required period. Integration with help desk solutions enables end-to-end management of authority requests.

By automating the management of elevated authority and producing alerts, reports and an audit trail of activities performed by elevated profiles, you can reduce the risk posed by accounts with excess authority, demonstrate compliance, and successfully implement separation of duties as a security best practice.

Learn more about how Assure Elevated Authority Manager automates the management of user authorities on IBM i systems.

Intruders will look for any means of gaining access to your systems and data, whether through the network, a communications port, open source database protocols, or the command line. Potential points of access only continue to expand, and regulations such as SOX, HIPAA, GDPR, and others require you to take steps to control all forms of access to your data.

Fortunately for IBM i shops, IBM allows user-written programs to be invoked for a variety of operating system operations. The points where programs can be attached are called "exit points," and the programs are called "exit programs." Exit programs provide a powerful means to control access. By attaching them to various OS operations, you can inspect access attempts and allow or deny them based on the user's identity and the context of the request.

For example, an exit program might monitor and log all FTP activity and allow or deny a specific user's ability to transfer files, based on parameters such as profile settings, IP address, object authority, time/date windows, and more.

Read the full case study.

Given the breadth of modern methods for accessing IBM i data, and the level of skill required to create and maintain exit programs, third-party solutions are necessary to secure the entry points into IBM i systems. An effective third-party solution must be continually expanded and enhanced to address new exit points and access methods.

Exit programs can be written with granular, rules-based logic that controls access under specific circumstances, for a nuanced, context-based approach to security.

In addition to controlling access, exit programs must maintain a log of all access attempts, generate reports and issue alerts. This gives security officers full visibility into system access attempts, enforces separation of duties, and provides the compliance information auditors require.
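As an added illustration, not code from this page or from any Precisely product, the following C sketch models the rules-based decision logic of the FTP exit program described in the example above together with the logging requirement just stated. The rule table, profile names, addresses and objects are constructed, and a real exit program would receive the user, client address and object from the exit point's parameter list rather than as plain function arguments.

```c
#include <stdio.h>
#include <string.h>

/* Verdicts returned to the FTP server: deny is the default. */
enum { DENY = 0, ALLOW = 1 };

/* One access rule: which profile may touch which objects, from which
   address range, during which local hours. This rule format is a
   constructed model for illustration, not a real product's format. */
typedef struct {
    const char *user;          /* IBM i user profile name */
    const char *ip_prefix;     /* permitted client address prefix */
    const char *object_prefix; /* permitted LIBRARY/OBJECT prefix */
    int from_hour, to_hour;    /* window [from_hour, to_hour) */
} access_rule;

/* Constructed sample rule table (assumed values, not from the page). */
static const access_rule rules[] = {
    { "BATCHUSR", "10.1.",    "PRODLIB/", 1,  5 },
    { "VENDOR1",  "192.0.2.", "TESTLIB/", 8, 18 },
};

static int starts_with(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Decide whether an FTP transfer request is allowed. A real exit program
   would receive these values from the exit point's parameter list and
   return the verdict through it; here they are plain arguments. */
int check_ftp_request(const char *user, const char *remote_ip,
                      const char *object, int hour) {
    int verdict = DENY;
    size_t i;
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const access_rule *r = &rules[i];
        if (strcmp(user, r->user) == 0 &&
            starts_with(remote_ip, r->ip_prefix) &&
            starts_with(object, r->object_prefix) &&
            hour >= r->from_hour && hour < r->to_hour) {
            verdict = ALLOW;
            break;
        }
    }
    /* Log every attempt, allowed or denied, for reporting and alerting. */
    fprintf(stderr, "FTP %s user=%s ip=%s object=%s hour=%02d\n",
            verdict == ALLOW ? "ALLOW" : "DENY",
            user, remote_ip, object, hour);
    return verdict;
}
```

A request that matches no rule is denied and still logged, which is the behaviour auditors expect from an exit point control: the default is to refuse, and the log records every attempt rather than only the successful ones.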

Learn how Assure System Access Manager provides powerful, comprehensive IBM i exit point security.

Toyota Material Handling Australia

Toyota Material Handling Australia (TMHA) needed to establish an effective system of internal controls to maintain the reliability of its financial reporting, based on the Financial Instruments and Exchange Act (the so-called Japanese Sarbanes-Oxley Act, or J-SOX). After a period of growth, TMHA was required to meet stricter audit and governance requirements.

One of its challenges was periodically granting external vendors access to its Infor M3 application. Using Precisely's Assure Elevated Authority Manager, TMHA grants vendors the level of access they need for a specified period. At the end of that period, access is automatically revoked, although it can easily be extended, modified or granted again if necessary.

Read the full case study.


Stay Secure

The cybersecurity requirements of compliance regulations are largely intended to force businesses to adopt technologies and processes that keep unauthorized users out of systems, while maintaining tight control over what authorized users can do once logged on. Ensuring your IBM i systems are secure and compliant is complex and requires a multi-faceted approach. You must strengthen logon security, manage the privileges users have within the system, and restrict how they can access data, system settings, and command line options.

Implementing IBM i multi-factor authentication, elevated authority management, and system access control goes a long way toward ensuring your organization remains compliant and secure against data breaches and other cybercrime.

It's important to remember that compliance does not equal rock-solid security, because regulations don't always address all the layers of security needed for comprehensive protection. Minimizing the likelihood of a breach requires a thorough understanding of all potential vulnerabilities.

See The Essential Layers of IBM i Security for a roadmap to protecting your IBM i system that walks you through six layers of security best practices and technologies.
