Thursday, August 18, 2016

IBM i, PCI DSS 3.2, and Multi-Factor Authentication

Townsend Security Data Privacy Blog

Posted by Luke Probasco

With the recent update to the Payment Card Industry Data Security Standard (PCI DSS) regarding multi-factor authentication (also known as two-factor authentication or 2FA), IBM i administrators are finding themselves faced with the requirement of deploying an authentication solution within their cardholder data environments (CDE). Prior to version 3.2 of PCI DSS, only remote users were required to use two-factor authentication for access to systems that process, transmit, or store credit card data. With version 3.2, the requirement is extended to include ALL local users performing administrative functions in the CDE.

Wednesday, August 17, 2016

The Unknown IBM i - An Amusing Tale From My Recent Travels.

Many of you may be old enough to remember the Gong Show and the “Unknown Comic” who wore a paper bag over his head. You could not see his face, so you did not know who he really was. That was part of the gag.

I have a similar tale. Too bad the punchline of this real story is so true.

I recently traveled to Salt Lake City to visit four clients. After checking in to my hotel, I drove to a nearby restaurant for dinner.

The restaurant had very friendly service. The waitress, in her mid-twenties, shared with me that she had served overseas in the armed services. Now she was studying for her MBA and someday wanted to start her own healthcare company. I was very excited for her.

Then she asked what I did for work.

“I work with technology. I work with users of a technology you may not have heard of … IBM i.”

Structured Query Language Integrated In OS

“What’s that?” she asked.

I asked, “Are you familiar with SQL?”

“Of course,” she said. “It is Structured Query Language. It’s used for managing a relational database.”

I was impressed with her knowledge. I continued. “As you may know, with most SQLs such as MS SQL or Oracle, the application logic and operating system are separate.”

She acknowledged, “That’s right.” She had a good understanding of SQL and software.

I continued, “Imagine if SQL was integrated in the operating system.”

“Wow,” she said with surprise, “That’s possible?”

Imagine SQL In The Background

“Yes. And, imagine that the server could manage itself so it optimized the SQL database in the background, so you did not have to.”

“Wow. That’s also possible?”

Virus Free And Can’t Be Hacked

“Better still, the way the system is designed, unless you have the proper credential you cannot hack it, and the system is virus free.”

“That’s really impressive,” she said.

“Now, imagine this system is very reliable. It does not ‘lock up’ or suffer ‘the blue screen of death’ like older versions of Windows.”

“I have never heard of anything like that.” She was intrigued.

Salt Lake City Clients With 70-200 Users, Only 1 IT Person Needed

“You told me you also work in a clinic with Windows and you have an IT staff of 5 for 50 users. My Salt Lake City clients have 70 to 200 users on this technology with 1 person managing the server,” I explained.

“That’s unbelievable. I have never heard of such a system. What is it?”

“It’s called IBM i. Also known as AS400 or iSeries.”

Never Heard Of It But Could Really Use It

“Cool. I wonder why I have never heard of it before. We could really use that at my clinic.”

Seems to me IBM i is like the Unknown Comic with the paper bag over his head. It seems that no one other than those who work with IBM i knows what it is.

Unknown Until Known

Then, once they get it, they are amazed.