IBM Tivoli Access Manager for Operating Systems: Host-Based Intrusion Prevention for Applications and Platforms
"A lot of companies have gone to a lot of effort to protect themselves from being hacked, but it's a lot harder to stop a rogue employee. We have the technology, but we're not using it." The Washington Post, December 3, 2002. Employees, not hackers, not viruses, present the chief threat to IT security. In the biggest identity theft case yet reported, employees stole 30,000 consumer financial reports over three years. A ring of scam artists, in turn, paid the employees $30 for each stolen report. Ultimately, consumers lost more than $2.7 million. Law enforcement estimates that more than half of all identity thefts occur as a result of employees. In this IBM Redpaper, we discuss IBM Tivoli Access Manager for Operating Systems, a simple-to-use, powerful security system that securely locks down business-critical applications, operating platforms, and files from unauthorized access. This firewall-like capability prevents both insiders and outsiders from the unauthorized access to and use of vital customer, employee, and business partner data. Additionally, Tivoli Access Manager for Operating Systems audits application and platform activity to ensure compliance with corporate policies and government regulation. In an increasingly wired yet insecure world, Tivoli Access Manager for Operating Systems provides the assurance that customers, employees, and partners expect, and the rigorous auditing that the government and senior management require.
ibm.com/redbooks
Overview
Tivoli Access Manager for Operating Systems erects and enforces a seamless security perimeter around UNIX/Linux systems to provide protection for business-critical systems and auditing of all users. These controls even apply to Root super-users, a notoriously difficult-to-secure UNIX/Linux group. Unchecked and unmonitored Root users are often the source of considerable abuse. Tivoli Access Manager for Operating Systems prevents misbehavior by Root users and all other users through the rigorous application of access controls on resources, files, and data. Further, hackers favor Root accounts as targets because Root users typically create backdoor access routes in order to bypass basic protocols. As a result, while the majority of cyber theft results from internal abusers, the application of adequate controls on Root accounts will also prevent a significant amount of external cyber theft. Tivoli Access Manager for Operating Systems ensures 24x7 protection from unauthorized access to business-critical applications by providing bulletproof controls against malicious actions. Most business-critical applications today are hosted on UNIX or, increasingly, Linux and are deployed throughout the enterprise network environments as shown in Figure 1. These applications include ERP, CRM, SCM, Human Resource Management applications, and Middleware platforms such as IBM WebSphere. Most of these applications offer inadequate out-of-the-box security and auditing for today's enterprise.
[Figure 1: Business-critical applications deployed throughout the enterprise network. Elements shown: mission-critical servers (AS/400, UNIX, NT); core network; Web servers, certificate authority, single sign-on, backup/restore, security auditing; Internet access; VPN; merchant server; firewall; PC security; access network; PC anti-virus; mobile employees.]
running of expensive applications on insecure operating systems and ineffective protocols. Tivoli Access Manager for Operating Systems ensures that security policy is easily implementable, robust, and comprehensive. Easy-to-use: Because security policy is crucial to operational effectiveness, there's no forgiving a security policy that is difficult to understand and challenging to enforce. Tivoli Access Manager for Operating Systems simplifies policy through multiple methods. The first is through Web Portal Manager, a GUI-based, web-accessible management tool. Security policy can now be managed in a point-and-click format. Command-line interfaces and script accommodation afford UNIX and Linux experts even greater ease. Simplicity is further ensured through Tivoli Access Manager for Operating Systems' Fast Track Policy Modules. Fast Track Policy Modules are pre-written, best-practice security policies. They provide a method for demanding enterprises to quickly adopt effective security. Security threats multiply daily, and CIOs cannot be expected to wait on slow security policies. While enterprises can use Tivoli Access Manager for Operating Systems' Web Portal Manager to design and set detailed policy if they wish, enterprises accelerate their ROI through the use of Fast Track Policy Modules. Fast Track Policy Modules also come in application-specific versions offering customers out-of-the-box customization. These pre-written, best-practice policies make it easy to tailor security policy for specific missions. These missions may include, for instance, enhancing Web security or defending CRM, ERP, or other applications and databases. Simplicity is crucial for an effective security policy. Through Web Portal Manager, shown in Figure 2, security policies can be managed in a point-and-click fashion.
Powerful: Power is provided through Tivoli Access Manager for Operating Systems' multi-threaded architecture. This enables Tivoli Access Manager for Operating Systems to operate fully 22 times faster than its leading competitor. This performance also means that CIOs no longer have to trade operating efficiency for security. Applications run smoothly even with the rigorous security added by Tivoli Access Manager for Operating Systems. With Tivoli Access Manager for Operating Systems, administrators can set and enforce three types of security policy: password policy, login policy, and resource policy. In the case of password policy, for instance, administrators can require the timely changing of passwords, or passwords of a specified length and alphanumeric mix. In the case of login policy, administrators can determine where users can access systems from or what files they can access remotely. Resource policy enables administrators to restrict access to systems, files, and data on a need-to-know basis. Comprehensive: As a result of its industry-leading power, Tivoli Access Manager for Operating Systems successfully scales throughout the enterprise, enforcing security comprehensively. It enables management to set a single security policy that is implemented and enforced worldwide. Centralization ensures adherence to corporate guidelines and government regulations. With Web Portal Manager, Tivoli Access Manager for Operating Systems policy can be managed from a Web-based tool. The benefit of this approach is that it enables an enterprise's security managers to delegate limited authority for routine or emergency matters to specified, local sub-domain administrators. This scheme offers maximum control while affording flexibility when necessary. In a case of network interruption, control can be delegated to local subdomain administrators without granting local administrators excessive access or access to other subdomains.
[Figure: Tivoli Access Manager for Operating Systems architecture. Access Manager Policy Server: a centralized server containing the policy database and user IDs (LDAP). The Management Server and Policy Server maintain policy; the Security Agent enforces it. Policy Server and Security Agent communicate over an SSL connection. Security Agent: erects the security perimeter, intercepts system calls, makes the access decision, writes the audit record.]
For full security even during network interruptions, the Security Agent replicates the security policy and user identifications locally. In the event that the network connection fails, the Security Agent is fully able to make access decisions without the Policy Server being present.
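To make the agent/server split concrete, here is an added toy model (not Tivoli's code, policy format or system-call hook; the policy rules, user names and paths are constructed). It shows the three agent duties from the figure, default-deny resource policy that gives Root no exemption, and decisions continuing from the local replica when the Policy Server cannot be reached.

```python
"""Toy Security Agent / Policy Server model (constructed; not Tivoli's code, policy format or syscall hook)."""
import fnmatch
import time
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

@dataclass(frozen=True)
class Rule:
    resource: str          # glob over the protected file or resource path
    subject: str           # "user:<name>", "group:<name>" or "any"
    allow: FrozenSet[str]  # permitted operations, e.g. {"read", "write"}

@dataclass
class SecurityAgent:
    """Local policy replica; decides requests and writes one audit record per decision."""
    rules: List[Rule]
    audit: List[Dict] = field(default_factory=list)

    def refresh(self, server_rules: Optional[List[Rule]]) -> bool:
        # None models a failed Policy Server connection: the cached replica stays in force.
        if server_rules is None:
            return False
        self.rules = list(server_rules)
        return True

    def decide(self, user: str, groups: Set[str], resource: str, op: str) -> bool:
        # Default deny. root gets no exemption: like any subject it needs an explicit rule.
        subjects = {f"user:{user}", "any"} | {f"group:{g}" for g in groups}
        permitted = any(r.subject in subjects and op in r.allow
                        and fnmatch.fnmatch(resource, r.resource) for r in self.rules)
        self.audit.append({"ts": time.time(), "user": user, "resource": resource,
                           "op": op, "result": "permit" if permitted else "deny"})
        return permitted

# Constructed sample policy: the CRM database is writable only by group dba,
# /etc/hosts is readable by everyone, every other request is denied.
SAMPLE_POLICY = [
    Rule("/data/crm/*", "group:dba", frozenset({"read", "write"})),
    Rule("/etc/hosts", "any", frozenset({"read"})),
]

def demo() -> List[bool]:
    agent = SecurityAgent(list(SAMPLE_POLICY))
    agent.refresh(None)  # server unreachable; decisions continue from the replica
    return [
        agent.decide("alice", {"dba"}, "/data/crm/customers.db", "write"),   # True
        agent.decide("root", {"wheel"}, "/data/crm/customers.db", "write"),  # False
        agent.decide("root", {"wheel"}, "/etc/hosts", "read"),               # True
        agent.decide("bob", set(), "/etc/shadow", "read"),                   # False
    ]
```

The real product makes this decision inside the intercepted system call; the toy only models the decision and audit step, so `agent.audit` is where a defender would look for the denied Root write.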
able to secure and run on a variety of platforms. Tivoli Access Manager for Operating Systems can secure a wide range of Linux and UNIX operating environments, and constantly expands its coverage. Tivoli Access Manager for Operating Systems supports Linux on iSeries, xSeries, pSeries, and zSeries platforms.
[Figure 4: IBM Tivoli Integrated Identity Management suite. Elements shown: network firewalls, anti-virus, intrusion detection, VPN; Tivoli Risk Manager; Tivoli Identity Manager (user provisioning); Tivoli Access Manager (application protection); IBM Directory Server; IBM Directory Integrator; Tivoli Privacy Manager (privacy assurance); user management; directory management.]
The IBM Tivoli Integrated Identity Management suite (shown in Figure 4) scales to precisely meet customers' needs, whether those needs are narrowly focused or broadly conceived. These solutions work together to provide significant return on investment and exceptional levels of service to internal and external users. Close cooperation with industry partners in developing standards ensures that Tivoli's Integrated Identity Management suite is both widely interoperable and remarkably rigorous.
In a recent case involving a large consumer goods company, a hacker pilfered the confidential financial, Social Security, and employee records of 450 co-workers. The employee bypassed protocols to slip into the company's computer system without authorization. Incidents of insider cyber theft are rising rapidly. With increasing amounts of valuable consumer, employee, and partner data being accumulated, the incentives for insider misbehavior are increasing as well. Organizations face growing risk. Simultaneously, regulators and legislators are targeting enterprises that do not implement effective controls with fines and increased scrutiny. CIOs face unrelenting pressure for improved security, auditability, and accountability. The most economic and effective solution for CIOs is to combine comprehensive intrusion prevention technology (host-based firewall capability, application and platform protection, user tracking and controls) with persistent auditing capability. In a lightweight, powerful way, Tivoli Access Manager for Operating Systems does exactly this. No longer do organizations need to run business-critical applications on mainframes in order to enjoy mainframe-class security. With Tivoli Access Manager for Operating Systems they can enjoy mainframe-class security on distributed systems. And they can enjoy the peace of mind that comes when valuable data is fully secured and all users are held fully accountable.
Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A. The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. 
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrates programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. 
You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.
Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:
IBM, ibm.com, Redbooks (logo), Tivoli, zSeries
The following terms are trademarks of other companies: UNIX is a registered trademark of The Open Group in the United States and other countries. Other company, product, and service names may be trademarks or service marks of others.