5 IBM i Compliance and Security Success Stories

Packaged Food Company

With quality and operational efficiency being the key drivers of its global success, this U.S.-based producer of canned and bottled vegetable products maintains tight control over every link in the farm-to-table chain. Intense involvement with its grower-partners includes strict quality control of everything from seeds to farming practices. Its highly-automated processing and packaging operations are driven by numerous in-house developed systems and methods. It even manages all its primary transportation logistics, both inbound and outbound.

Because of its total dependency on advanced systems for running the business and need to maintain compliance with many regulations across numerous countries, it must maintain the highest levels of system and data security possible. Key applications run on IBM i servers, including its ERP system, BI/Reporting and Analytics, and Agriculture Management applications.

Security and Compliance Core Requirements

• Visibility into IBM i security activities such as authority errors, system value changes, profile add/change/delete activity and more
• Standardized approach to controlling network and command line access to IBM i servers
• Visibility into all access to IBM i systems and data Assure Security Capabilities Implemented
• Assure Monitoring and Reporting
• Assure System Access Manager

Key Results

• Real-time alerts for key IBM i security events such as system value changes, profile add/change/delete activity, authority errors and more
• Centralized control of access to 30+ IBM i Commands and 25+ other access points controlled by exit points
• Real-time email alerts for all rejected FTP or Client Access (ACS) file transfer access
• Restriction of access to a principle of “least privilege” with explicit user permissions now required for any ODBC access
• Visibility into how outside applications and end users are actually interacting with its systems

For more information, read our white paper: Four Powerful Ways to Use Exit Points for Securing IBM i Access

Insurance Company

In order to do business with residents of the State of New York, this large insurance provider, headquartered in the midwestern United States, must comply with the state’s Department of Financial Services Cybersecurity Regulation (23 NYCRR 500). While the company was already fully compliant with the federal FFIEC and Graham-Leach-Bliley Act, 23 NYCRR 500includes significant additional requirements for data privacy protection and IT cybersecurity procedures. One of these specifies that “Multi-Factor Authentication (MFA) shall be utilized for any individual accessing the Covered Entity’s internal networks from an external network.”

While the company had already implemented MFA across most of its multi-platform infrastructure using RSA tokens, it needed a multifactor solution for IBM i that would secure Telnet access to its policy administration system in order to pass its 23 NYCRR 500 audit.

Security and Compliance Core Requirements

• RSA SecureID-certified multi-factor authentication for IBM i
• Compatibility with existing RADIUS server and RSA tokens
• Flexible, role- and context-specific configurability to allow for granular control of multi-factor authentication services and when they will be invoked

Assure Security Capabilities Implemented

• Assure Multi-Factor Authentication

Key Results

• Achieved compliance with 23 NYCRR 500, further strengthening compliance with federal regulations
• Leveraged existing RADIUS server and RSA tokens for Telnetaccessed IBM i applications
• Reduced costs by using Precisely’s built-in authenticator to deliver tokens via email to select users – rather than purchasing additional RSA tokens
• Implemented custom role- and activity-defined MFA configurations for multiple classes of users, ranging from staff and administrators using 5250 system consoles to end-user policy holders
• Invoked MFA based on specific factors, including IP addresses, IBM i special authorities, device types and other contextual factors

Industrial Equipment Manufacturer

This company’s operations and markets expanded to the point where it became classified as a Large/Global Enterprise in nearly all countries. With that designation came the requirement to comply with additional regulations and more stringent cybersecurity requirements for financial and data governance, including increased reporting and more rigorous compliance audits.

One of the many systems subject to increased compliance auditing is its Infor M3 ERP system, which runs on the IBM i platform. As a result of an initial “dry run” audit conducted by a major global accounting firm, the company identified deficiencies related to tracing changes to its financial database and managing vendor access to its M3 system. Because system access for vendors was administered manually, revocation of access was often overlooked, creating a potential security exposure.

Security and Compliance Core Requirements

• Ability to fully and accurately trace all changes to its financial database
• Detailed reporting on monthly changes to the M3 database
• Tighter control over revocation of user authorities for vendors
• High level of automation to eliminate administrative burden for security management

Assure Security Capabilities Implemented

• Assure Monitoring and Reporting
• Assure Elevated Authority Manager

Key Results

• Stringent control of user authorities for all vendors, including automated revocation of authority at a specific date and time
• Enhanced data security and compliance audit readiness through continuous monitoring and reporting of M3 database table changes
• Simplified design and generation of clear, readable compliance and security reports, without losing the granular detail required for effective auditing
• Increased confidence in their ability to audit and control access to its data and systems for the company and its auditors