Thursday, September 14, 2017

Using a Break Glass Strategy to Control IBM i User Authorities



Jeremy Sacher


IBM i Technical Sales Manager at Software Engineering o…  

With the increasing complexity of IT regulations such as SOX or HIPAA, it’s harder than ever for IBM i security managers to keep their business moving while satisfying auditor requirements. To meet the need for separation of duties, IT user profiles have become more restricted. These restrictions often slow down the ability of IT responders to resolve problems in an emergency, since the responder must first request the higher authorities needed to perform the tasks that will solve the problem.
One of the greatest challenges of security management is reducing user authorities while still allowing the user to function properly. This challenge can be met by implementing a break glass strategy, which enables your IT department to solve problems faster while meeting audit requirements and reducing the risk of a security breach.
A break glass strategy refers to having a method to temporarily grant an IBM i IT user the authority they need in an emergency, without the user having to wait for that authority to be reviewed and granted. It eliminates the need for administrators to permanently give user profiles higher authority levels than they really need day to day, a practice which increases a company’s risk of a security breach. Many vendors, such as SEA with its iSecurity Authority on Demand product, offer software with break glass capabilities.
Without a break glass strategy, one of three things usually happens:
  1. Your IT user profiles permanently have authority levels that are higher than what they need on a daily basis; or
  2. IT personnel have to request access to, or know the password for, a shared high-authority user profile such as QSECOFR for emergency response; or
  3. The IT user has to request and wait for their authority to be increased while the emergency is happening.
All three are risky strategies. Having higher authority than really needed is just bad practice and invites disaster. Granting higher authority on an emergency basis means you have to remember to take it away. Sharing a QSECOFR profile amongst the IT team is dangerous and doesn’t provide a real audit trail. You may have a formal process in place to trace who requested the access and compare that to the log files, but that can be a manual, time-consuming procedure.
Break glass solutions simplify the process of granting increased authority as needed and provide a complete audit trail and reports. The security manager provides IT personnel with PIN codes that grant temporary authority to perform specific tasks. This is often achieved through the creation and use of service accounts, to which the PIN codes provide access. Depending on the task being performed, the user can review a list of available accounts and authorities to choose from, and uses the PIN code to unlock and use them. The security manager can be notified that someone is accessing a particular account, and a complete audit trail of the tasks performed is kept.
A good break glass solution allows security managers to control the PIN process, including such basic items as how long access will be granted for, how many times the PIN can be used, and whether each user has a standing PIN or must request one each time. It’s important to be able to implement the PIN process in a way that meets your specific security policies.
Auditors will want to know how many times your break glass strategy was used, by whom and why, because those events are the times in which your business was at the highest risk of having a security breach. Having reports readily available that can detail who requested increased authorities, who approved them, and what tasks were performed will save you a ton of time during your audit. With the reports generated from your break glass software, you won’t have to perform manual searches and compare your records with log files.
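As an added illustration (not code from the original post or from any vendor product), the following Python model of the controls just described: a security manager issues a PIN bound to one user and one service account, with an expiry time and a maximum number of uses; every redemption attempt, granted or refused, is recorded with the stated reason; and a report lists who requested, who approved and what was unlocked. The service account name "SVCSECOFR" and the approver "SECMGR" are constructed placeholders, not real profiles.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Grant:
    """One issued PIN: which user may redeem it, which service account it unlocks, its limits."""
    user: str
    service_account: str   # hypothetical IBM i service profile name, e.g. "SVCSECOFR"
    pin_hash: str          # only a SHA-256 of the PIN is stored, never the PIN itself
    expires_at: datetime
    uses_left: int
    approved_by: str

class BreakGlass:
    def __init__(self) -> None:
        self.grants: dict = {}   # user -> Grant (one active grant per user in this model)
        self.audit: list = []    # chronological audit records (dicts)

    def issue(self, user: str, account: str, approved_by: str,
              ttl_minutes: int, max_uses: int, now: datetime) -> str:
        """Security manager issues a PIN; it is returned once so it can be handed to the user."""
        pin = f"{secrets.randbelow(10**8):08d}"   # 8-digit random PIN
        self.grants[user] = Grant(user, account, hashlib.sha256(pin.encode()).hexdigest(),
                                  now + timedelta(minutes=ttl_minutes), max_uses, approved_by)
        self.audit.append({"at": now, "event": "issue", "user": user, "account": account,
                           "by": approved_by, "detail": f"ttl={ttl_minutes}m uses={max_uses}"})
        return pin

    def redeem(self, user: str, pin: str, reason: str, now: datetime) -> Optional[str]:
        """User presents PIN plus a reason; returns the unlocked account, or None if refused."""
        g = self.grants.get(user)
        ok = (g is not None and g.uses_left > 0 and now < g.expires_at
              and secrets.compare_digest(g.pin_hash, hashlib.sha256(pin.encode()).hexdigest()))
        if ok:
            g.uses_left -= 1            # each use counts down; an exhausted PIN stops working
        self.audit.append({"at": now, "event": "redeem", "user": user,
                           "account": g.service_account if g else "-", "by": user,
                           "detail": f"reason={reason!r} result={'GRANTED' if ok else 'REFUSED'}"})
        return g.service_account if ok else None

    def report(self) -> list:
        """Audit report lines: who requested, who approved, what was unlocked and why."""
        return [f"{r['at']:%Y-%m-%d %H:%M} {r['event']:<6} user={r['user']} "
                f"account={r['account']} by={r['by']} {r['detail']}" for r in self.audit]
```

A real deployment would also revoke the elevated session when the grant expires and notify the security manager on each redemption, both of which this model leaves out.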
A break glass solution saves valuable time and resources in an emergency, enforces segregation of duties, and enables relevant personnel to obtain access to approved authorities as needed. Its real-time audit of access rights protects sensitive corporate assets and significantly reduces the number of profiles with powerful special authorities.

1 comment:

  1. Article is quite good. Pegasi Media is a b2b marketing firm that has worked with many top organizations. Availing its email list is fast, simple, convenient and efficient. Appending services adds the new record as well as fills up the fields that are missing. Pegasi Media Group also performs Data Refinement, Data Building, Data Enhancement, and Data De-Duplication. Database marketing is a form of direct marketing in which the customers are contacted through their email addresses with the help of the database. There is a scope for email marketing to generate personalized communication with the clients in order to promote your sales.
    AS 400 Users