Carol Woodbury on IBM i 7.2 Security Enhancements
Paul talks with security guru Carol Woodbury about whether or not the i is really such a secure system and whether people are securing it properly. While finding out what Carol thinks are the most overlooked security “breaches” in i applications, Paul also gets her take on the new database security enhancements in IBM i 7.2, row and column access control (RCAC). And Carol fills Paul in on one of her non-i ventures, which is bringing business development to developing countries.
Paul: Hi everybody and welcome to another iTalk With Tuohy. I am delighted to be joined today by royalty because on the other end of the line, I have with me the queen of security on i, Carol Woodbury. Hi, Carol.
Carol: Good morning, Paul.
Paul: Your Majesty. So I think obviously, Carol, we are going to chat about security but this is an enormous topic so I think I am going to talk maybe about a couple of broad things. So firstly, the i has this reputation of being this uber-secure system. So, true or false?
Carol: Ahhhh. It is securable, but in most cases it is not secure, and it certainly does not come secure out of the box. After vendors put their applications on it, the data is usually far from secure.
Paul: Yeah. I see.
Paul: Yeah, because, you have to bear in mind—okay, Carol—you are talking to a developer here, so—
Carol: Oh yeah. One of those.
Paul: Yeah, security is a four-letter word to me, so it is.
Carol: Yes, yes, you are right. And so I understand that. Security especially to developers is as you say a four-letter word. It usually just stands in the way of making progress. Right? Is that not how you—yeah. So, the problem with it today is that there are so many ways to get to the data, right, and there is data that we never thought would ever have been private data or could be used against somebody; those social security numbers and the social insurance numbers you know in Canada and Europe. How many database files do you know that used to use those as keys?
Paul: Oh yeah.
Carol: Right? These have become private and, if stolen, can be used for data loss and data theft. So it has really become an issue that developers have had to kind of rethink how they do things. It is often not easy to get them to bend their minds around it, but unfortunately, given the day and given the times, it is a necessity. So. The other thing is the laws and regulations, things like PCI for the payment card industry. That is a global issue, and I am shocked at the number of IBM i shops, and developers in particular, that somehow think that it does not apply to them. I am really serious. I have sat across from people and it is like, well, we do this on IBM i. It does not mention that in the PCI standards. They don’t mention any operating system in the PCI standards. It is a standard. Right?
Paul: Yeah. I can sympathize on the PCI when it is something we have gone through over the last couple of years with the RPG and DB2 Summit because obviously we take credit card bookings over the ‘net and do i with that.
Paul: So, yeah. Now don’t get me started on PCI because there are some things that they check there that are—but just to come back a sec, Carol, if I can ask you something more about the system itself. I do know that compared to other operating systems, you know, like UNIX, Linux and things like that, there are certain types of virus that I know it is impossible to write for i.
Paul: So, writing something at the microcode level.
Paul: Like at assembler level, unless you are in the labs, you have no way of doing that.
Carol: Absolutely. Absolutely true. Yes.
Paul: Yeah, so that is sort of one point in its favor. There is another thing that they say, you know; IBM came out with a statement, and I have heard a few IBMers saying this, that the system has never been hacked. Now is that a thing of security through obscurity, you know, that most of the hackers don’t know it exists, or is it a thing that it is really a hard system to hack?
Carol: Well, I think it is probably the former, that it is security by obscurity.
Carol: And you cannot say that it has never been hacked because a lot of the time—well, for one thing, of all the very public hacks that have occurred within the last, say, five years, a lot of those shops are IBM i shops, and they never say exactly which databases were breached or where the data was residing.
Carol: A lot of those details never come out. Then you also have to think of the word “hack” and what the actual definition is. So, if you look at it and say that a hack is where somebody gets at data that they were not supposed to get at, I have to believe that happens all the time.
Paul: Oh, yeah. I mean, I mean because surely one of the biggest security risks is internal, not external. It is not somebody like you see in the movies you know sitting on their…
Paul: With their dial-up modem dialing into your system and managing to hack it. It is more than likely one of your employees…
Paul: Who is taking the information.
Carol: Yes, absolutely.
Paul: So, now I do know over the years, Carol, I mean, like IBM have tightened things. I mean I remember the days when the system used to come shipped with profiles enabled with default passwords.
Carol: Absolutely. That does not happen anymore.
Paul: Actually that is the one thing I knew that had gone up on one of the hacker’s bulletin boards.
Paul: About i, you know, was that list of passwords and the lovely thing that said if you managed to sign on with them, the commands you should try is PWRDWNSYS.
Carol: Nice. I love the guidance that they give. Right?
Paul: Maximum trouble in the shortest—
Carol: Yes, so, so.
Paul: Carol, then just for sort of standard shops, what do you see as being sort of the secure—the thing that is lacking in security for most shops, the things most people don’t do?
Carol: Right, so most people don’t lock down their database files, and you know I can fault the IBM i shops. I can fault the vendors on that one for making it difficult to make that happen. You can do it, but it does take some work. So the thing is, most applications have database files that are *PUBLIC *CHANGE. That means that anybody can download that data to an Excel spreadsheet or upload that data. I have seen people—I walked into a—it was a hospital actually, and I was there for another reason, but that morning their HR manager had, I don’t know if the cursor drifted or she was not paying attention or what, but she meant to download a fresh set of data into a spreadsheet and she hit the wrong button and it uploaded it instead.
Paul: Oh, wow.
Carol: Yeah. So you know they were spending hours trying to recover that data after that had happened, so I mean that is the real exposure there.
Paul: Yeah. Well, it is interesting you say this about the database because, of course, this is the big thing now in 7.2, with the announcement they have made of the new database-level security in 7.2. So, what is your take on that? Well actually, maybe, maybe, do you want to explain to people first of all what the change is? And then give us your take on it.
Carol: Sure. Well, I suppose that would be polite, wouldn’t it. Okay, so yes, it is called row and column access control, RCAC. I don’t really like that acronym when you say it out loud, but RCAC for short. So there are two different kinds of functions in RCAC, one at the row level and one at the column level. So if you look at what can be done at the row level, you can put permissions in place that say—well, let us use the old banking application, shall we, Paul? You know you have tellers and you have loan officers, and usually each of them can see different kinds of records. Maybe you have a sales application and the regional salespeople should not see—like, Region 1 should not see Region 2’s data, but it is all mashed up in the same database file. So now you can put permissions at a row level that say, for instance, if you are in Region 1’s group, you can see Region 1’s rows, so very cool there.
Carol: It will allow you to get rid of those logical files and logical views, which I know system administrators will love because those are just a pain in the behind. So, that is great. The other thing is that you can put a mask on a column so think of that social security number. You know, I don’t know about you, Paul, but sometimes when I call in for my cable TV or something, I have to give the last four of my social security number as verification. So you can imagine that you can put a mask on so that maybe your customer service representatives can see that last four but if it is anybody else that gets a row that includes that column, they will not see anything.
Carol: So it is very powerful and if you think about especially things like that masking feature. How many people take their production databases and put it on their test machines, Paul?
Carol: You know, for regular development work or for regular testing, so they can put a mask in place that says when the data for that column is returned, if it is a credit card number, maybe it is all 1’s or it is all 2’s or, you know, it can match the type of the field. You know, you can bring it back as all 1’s or something, not X’s. So it is awesome.
Carol: And it really adds yet another layer on top of what is already there.
Paul: Yeah. I think that—
Carol: So I am excited about it actually.
Paul: Yeah. I mean, I do recognize the need for it. People don’t quite realize it, but the system is opening up more and more. I mean, IBM talk a lot about this as being a change for mobile, and I think it is just more that mobile is the latest point—well, point of attack that we have on the system, with applications coming in or people getting data from the system.
Paul: So I mean I think the days of oh, well if you cannot get to it on a green screen, you cannot get to the data. I think those days are long gone.
Carol: They are long gone. I just hope that people you know start to recognize and realize that. There are way too many people with their heads still in the sand unfortunately.
Paul: So listen, Carol, before we go because we are getting to the end of our time so something totally away from security because I happen to know that there is a little venture that you and your business partner John get involved in every year. So do you want to tell people about that?
Carol: Yes. Oh, yes. It is something I love to talk about, so thank you for asking. My business partner John Vanderwall and another gentleman have a nonprofit where they go to developing nations and give business seminars. Basically, how do you do business, how do you start a business, how do you develop the business, get funding for a business, and then various aspects of running that business. So the last couple of years I have gone to, let me see, Kazakhstan with them. I have gone to Thailand with them, and the last couple of years I have gone to Uganda, so it is such a very cool experience. First of all, you get to understand their culture and how business is run there. Then you can take what we have learned in a practical sense through SkyView Partners and apply it to their business and help them grow their business. So especially in Uganda, John has gone back a number of times, and we have now started to see people come back and give testimonials for how the seminar has helped them develop their business and stay in business, so that is just a very, very cool way to, you know, give back, if you will, and help share what you have learned.
Paul: Yeah, I think it is a great thing, Carol. I mean, for anybody to be able to take something that you do as your day-to-day work and make it something that benefits people.
Paul: It is going to be of enormous benefit, obviously, in developing countries.
Paul: I think it is a great thing, a great thing. Long may you keep doing it.
Carol: Yes, it is cool. Thank you.
Paul: So listen, Carol, many thanks for taking the time to chat with me. I am sure we will be talking again at some stage in the future, near or far. I don’t know when but we will be talking again so thanks a lot, Carol.
Carol: You are welcome.
Paul: So thanks everybody and that is it for iTalk this week. Talk to you all again in a couple of weeks. Bye for now.
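Editor’s note: the row permissions and column masks Carol describes above are SQL objects in Db2 for i 7.2. The script below is an added example, not part of the interview and not code from IBM or SkyView Partners. It builds a small constructed SALES table and applies the two controls she mentions: a row permission that restricts Region 1’s people to Region 1’s rows, and a mask that shows a customer service representative only the last four digits of the social security number while returning all 1’s (a value of the same type and length) to everyone else. The schema SALESLIB, the table and column names, and the group profiles REGION1, REGION2, CSR and SALESADM are assumptions made for the illustration.

```sql
-- Added example (not from the interview). Assumes group profiles REGION1,
-- REGION2, CSR and SALESADM exist on the system; SALESLIB and SALES are
-- constructed here. Creating permissions and masks requires the
-- QIBM_DB_SECADM function usage (Database Security Administrator).

CREATE SCHEMA SALESLIB;

CREATE TABLE SALESLIB.SALES (
  ORDER_ID  INTEGER        NOT NULL PRIMARY KEY,
  REGION    CHAR(8)        NOT NULL,
  CUSTOMER  VARCHAR(40)    NOT NULL,
  SSN       CHAR(9)        NOT NULL,   -- sensitive column to be masked
  AMOUNT    DECIMAL(11, 2) NOT NULL
);

-- Constructed sample rows, one per region.
INSERT INTO SALESLIB.SALES VALUES
  (1, 'REGION1', 'Alice', '123456789', 100.00),
  (2, 'REGION2', 'Bob',   '987654321', 250.00);

-- Row permission: SALESADM members see every row; everyone else sees a row
-- only when its REGION matches a group profile they belong to.
-- QSYS2.VERIFY_GROUP_FOR_USER returns 1 when the user is in the named group.
CREATE PERMISSION SALESLIB.SALES_BY_REGION ON SALESLIB.SALES
  FOR ROWS WHERE
        QSYS2.VERIFY_GROUP_FOR_USER(SESSION_USER, 'SALESADM') = 1
     OR (REGION = 'REGION1'
         AND QSYS2.VERIFY_GROUP_FOR_USER(SESSION_USER, 'REGION1') = 1)
     OR (REGION = 'REGION2'
         AND QSYS2.VERIFY_GROUP_FOR_USER(SESSION_USER, 'REGION2') = 1)
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Column mask: the CASE must return the column's own type (CHAR(9) here).
-- SALESADM sees the real value, CSR sees only the last four digits, and
-- anyone else gets all 1's rather than X's, so the value still looks like
-- a valid SSN to programs that validate the field.
CREATE MASK SALESLIB.SSN_MASK ON SALESLIB.SALES
  FOR COLUMN SSN RETURN
    CASE
      WHEN QSYS2.VERIFY_GROUP_FOR_USER(SESSION_USER, 'SALESADM') = 1
        THEN SSN
      WHEN QSYS2.VERIFY_GROUP_FOR_USER(SESSION_USER, 'CSR') = 1
        THEN 'XXXXX' CONCAT SUBSTR(SSN, 6, 4)
      ELSE '111111111'
    END
  ENABLE;

-- Nothing is enforced until the controls are activated on the table.
ALTER TABLE SALESLIB.SALES ACTIVATE ROW ACCESS CONTROL;
ALTER TABLE SALESLIB.SALES ACTIVATE COLUMN ACCESS CONTROL;

-- Check: run this as a user whose only group is REGION1. Expected result is
-- a single row (ORDER_ID 1) with SSN returned as '111111111'; the same query
-- run by a CSR in REGION1 returns SSN as 'XXXXX6789'.
SELECT ORDER_ID, REGION, CUSTOMER, SSN, AMOUNT
  FROM SALESLIB.SALES;
```

Two caveats a practitioner will want. First, once ROW ACCESS CONTROL is activated, a user who matches no enabled permission simply gets zero rows back rather than an error, so test the permission with a real profile from each group before relying on it, and keep an administrative group such as SALESADM in the permission so nobody is locked out of their own data. Second, RCAC is a layer on top of object authority, not a replacement for it: a file that is still *PUBLIC *CHANGE, as in the hospital example above, remains writable through every interface, so fix the object authority first and use the permission and mask to narrow what the authorized users can see.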