Robin Tatam on IBM i Security
Paul Tuohy interviews Robin Tatum of Help Systems on IBM i Security.
By Paul Tuohy01/01/2019
Paul Tuohy: Hi everybody and welcome to another iTalk with Tuohy. So I'm sitting here in Sweden at the moment, at the Data3 conference, and I'm joined today by one of the―well I think what's considered today one of the security experts that we have, Robin Tatam from HelpSystems. Hello, Robin.
Robin Tatam: Hello. How are you?
Paul: I'm good thank you. How are you? So Robin, I think maybe let's just start if you can give people a―just give us the quick rundown on what you have done in the industry.
Paul: I found this interesting when we were talking about it.
Robin: Yeah, yeah. So I actually got my start as a trainee RPG developer, and did that for about six weeks and then they put me in a project team, so my entire career was based on development to begin with. That was in the U.K. I moved to the U.S. after a couple of years and brought that RPG programming with me, and then ended up doing a lot more with the system side of things as well: so installing disks, doing the OS upgrades, swapping out the chassis. So I've worn a lot of different hats in this industry and I'm talking―dating back now you know almost 30 years. So a lot of different stuff.
Paul: Oh, you're one the newcomers on the platform.
Robin: Yeah, yeah, yeah. I'm the young kid [laughs]. No, I'm not a fresh face.
Paul: So Robin, I mean―so the big thing for the last 15 or so years for you has been security.
Robin: Yup, yup, absolutely.
Paul: So let's talk about security a bit. I mean I've got a―to me there is this interesting thing where, okay, so we have the securest system in existence. Correct?
Robin: Yup. Sure. That's what I'm told.
Paul: Yup and I get the feeling at times that what that kind of means is that most of us don't bother about security, which means we probably have the most unsecure system in existence, some of us, because we think it's all being done for us.
Paul: Is that a fair statement?
Robin: That is actually a startling fair statement just from the standpoint of we have heard, and I've heard it for years in my career, that this system is fully secure. It's very robust. We sell it to management on that fact, you know. It's available. It never goes down. It's secure. We don't get a virus and there's disclaimers that come with those kind of comments, and the biggest one is that the platform is not secure and I know, you know, "gasp," right?
Robin: That's a little controversial. The word I use is securable, and when I paint a picture for people what I do is typically show a padlock that is open and a padlock that is closed. They are both capable of being secure but one takes some effort to get it there and that's us. That's our platform is in that unsecured state.
Paul: Okay. So is it also fair to say then that sort of security has kind of been changing over the years, because you've got to bear in mind like for old guys like me―
Robin: And me.
Paul: Well not you young guys with only the 30 years behind you [laughs]. No, no. It's―but I mean back when everything was good old green screen―
Paul: I mean security was simple, okay.
Robin: It was very simple.
Paul: So what for you is sort of―what is the thing that sort of gets your goat at the moment? What thing that annoys the hell out of you that you see that is or isn't being done security wise?
Robin: Sure. I'd say it is a stretch to say it annoys me. It disappoints and frustrates me―
Robin: Because really what it is for me is exactly what you said. We're still in a mindset that this is AS/400 running on a green screen. And so our approach to security is based on that era, right? And there's a lot of discussion about what is the current name. People still like to call it AS/400 despite you know of course, not―
Robin: The fact that it's not but the reality is a lot of us are still running green screen applications, but we access the data in other ways. And so we have this environment that is defined with menus, command line restrictions and everything like that, but the reality is I can go straight into the database with a SQL statement, right?
Robin: In AS/400 days that wasn't a consideration. It wasn't something we had to worry about. And so those menus worked; they worked very, very well and completely masked us from the complexities of object level security and the system values being right. And so my frustration is that people still take that same approach today, and management is unwilling to look at this as a modern database server and protect it accordingly in the same way they would any other operating system platform.
Paul: Yeah. So yeah, our―to me I always remember that. It was actually when query [Query/400] came out.
Robin: Sure. Yup.
Paul: And that was to me was the―you know, that lid starting to open―
Robin: Yeah because you're giving users―
Paul: Where you're going, "whoa."
Robin: The toolsV
Robin: To self serve accessing data, right?
Paul: Data, yeah.
Robin: Rather than take option three off of menu two to pull up the application that controls who can post checks, who can do ordering inquiries, where now we're just you know: boom, four clicks and it's in the spreadsheet.
Paul: Yeah. So tell me when we were talking earlier, you were mentioning this thing about exit programs.
Paul: I find that interesting so―
Robin: So there's actually a ton of different exit points scattered all throughout the operating system, and all an exit point is a point in the operating system when you can invoke an external program. So it's a way of writing, in essence, user defined functions.
Robin: So there's what I call post process exit programs, which are invoked after the process is complete, like creating a user profile. You can then have the system invoke a program that, I don't know, enrolls the user in the applications, creates a work library, does something―
Robin: But the profile has already been created. There's a whole slew of other exit points that are what I call preprocess, which means the program is called before the IBM i process runs. An example would be there: an FTP connection. So the benefit you get with those is those exit programs can act kind of like a firewall. Robin is trying to download the payroll file. Well before Robin is given that chance, the business logic can say Robin's not in a position that he should ever be touching the payroll file, and even if he has permission in the eyes of the operating system, set a reject flag and the OS is willing to accept that and say "sorry, Robin. You may have permission in my eyes, but the business says you don't, and I'm shutting you down."
Paul: So you would be advocating more like using exit programs where you're more securing the methodologies and how they're being used―
Paul: Like FTP, like―
Robin: Yup, absolutely.
Robin: The non-5250 access.
Paul: The accesses yeah.
Robin: Yup, yeah.
Paul: Cool. Cool.
Robin: You know there's aspects to that as far as command line permissions that are not always honored through some of those interfaces. Object level security is not bypassed by those, so it's important to understand object level security always reigns supreme, but the reality is obviously most people don't do object level security.
Paul: Security. Yeah.
Robin: So that's great, but at some point there's still a need for exit programs, because simply, auditing, right? Most regulations say you cannot have data leaving a system without it leaving an audit trail―
Robin: And with a legitimate transfer like an FTP movement of a file, the operating system has no log, which is an immediate audit violation―
Robin: Right? So we're on this, quote-unquote, highly secure platform, and we are warned about as a community in things like the PCI DSS. It says, you know, these system exist. Unfortunately and embarrassingly, we're one of those systems―
Robin: Unlessyou take the necessary steps to configure it, and then we're bulletproof.
Paul: So basically you're saying we have all these open padlocks.
Robin: Absolutely. We are―we're like―what that bridge in France that has all the padlocks on it except they're all wide open? That is us. That's exactly right.
Paul: Okay so there is one other thing, Robin, and I'm sorry, this may be an unfair question at this point in time to ask you―maybe I should be asking you in another six months or something―but the big push now with open source―
Paul: And especially the introduction of YUM and this way that we have now of getting things like Node and everything onto the system―
Paul: And the way they're opening it up to sort of go "hey you guys, just do open source. You know, put anything you want on the system."
Paul: Is this another―is this another security lid that's being opened of a potential black hole coming in?
Robin: Yeah it's―you know us old guys would call it Pandora's box, right?
Robin: And that's in the essence what we've done when we open the system up to the outside world. We all complain that this thing was proprietary and there was all this valuable intrinsic business data there that we wanted to access and make good business decisions from, but as we open those doors, certainly there has to be some expansion of how we secure it. What we've shown as a statement over the history of the platform is we open the doors, and we still keep thinking it's a green screen box and secure it accordingly―
Robin: So I don't have an issue with conceptually the open source. My concern is and part what we need to be careful of as a community is that we don't just continue to think "green screen" and secure it as such―
Robin: But now we're inviting all these great new technologies into the platform, but not doing it safely and carefully.
Paul: Yeah, so I think really the message in that is, you know, you've got think about what―
Paul: You're doing and of course if you take a moment―I mean if you are doing your object security and that properly―
Paul: If you're securing your directories, etc., etc., etc.
Robin: Yeah, absolutely.
Paul: You know I mean that's―
Robin: Nothing bypasses object level security, and so that's a big part of the message. A lot of people say "well how did IBM leave all these back doors into the system?" They're not back doors. They're alternate interfaces that aren't policed by―
Robin: The limited controls we implemented. So there's nothing wrong with these technologies. They're very valuable―they'recritical, in fact, to the evolution of the system, but we can't just treat it like same old, same old. This is new stuff and we've got to make sure we take our time and secure it properly just like we do with cloud and how we had to get into that and say it doesn't alleviate security as part of the conversation. In fact it intensifies it.
Paul: Yeah. Cool. So I always like to end these things on the old personal note, so I had asked you before, I said when you're not doing all the IT stuff, what do you like to do?
Robin: Yeah, yeah.
Paul: And by the way, I think this is a first.
Paul: I think it's the first that somebody has come and sort of said like this―actually I shouldn't be surprised but anyway, what is it you like to do when you're―?
Robin: So one of the things that―like you―I do extensively is travel. So there's a lot of heads down of, you know―I'm doing technical conferences and things like that. So I find that one way to escape all that is to take photographs. So one of my hobbies and one of the pleasures I get from being able to travel the world is that I get to see some really cool places. So I've learned over the years to document that, perhaps in a little more expressive way than the average photographer would or the person just taking a picture out the window.
Robin: So I've got a lot of prints. I've actually won some awards for my photography back home.
Paul: Oh, cool.
Robin: So yeah. It's certainly a passion of mine, for sure.
Paul: So is it mainly landscape and that then you do then like buildings and―
Robin: It is mainly landscape. I for whatever reason seem to have a better eye [for] that than people that shift, pull weird faces, and I don't realize until later that picture doesn't look like I want it to look. But buildings don't move on me [laughs], so I can compose that picture and take as long as I need to. And again, it's a great way for me to reflect on the memories of my travels and the people and places that I've been around as part of it.
Paul: There's the thing I love when we were talking earlier about this and it was the answer you gave me when I was asking you about what was not―does that mean you're always bringing your camera with you everywhere you go.
Robin: Yup. Yup.
Paul: And I just love―so do you always bring your camera with you everywhere you go, Robin?
Robin: I would rarely bring my camera. I still use―well they're digital. They were advanced digitals but they're big heavy SLR cameras, so they're not the easiest things to transport. And so I actually made a trip out to Pittsburgh many years ago. I was just there for a very brief business meeting and was leaving the next morning. And rather than sit and do the usual routine of working in the hotel, I decided to do a Google image search on Pittsburgh and was stunned at how beautiful that city is at night. I actually found a great location where you're looking down on the city, which is very unique. You are normally looking up at those buildings and was kicking myself that all I had was some archaic flip phone or something that I could at least―
Robin: Just say okay, I got a picture. I know where I've got to come back to. I swore after that day I would never go anywhere without at least one of my cameras by my side. Now I've broken that rule since then because that was back when photographing things with a phone was like taking a postage stamp picture, where now we have the luxury of―quite honestly the phones are at a point where for many people they replace the camera.
Paul: Camera. Yeah.
Robin: So I don't―I don't have that bulk carried with me typically unless I know I'm going somewhere that warrants it. I was just out in Death Valley and Zion National Park, two cameras by my side―
Robin: Because that's what I want. But even coming over to Europe, I didn't bring my cameras with me.
Paul: Yeah, cool. Excellent. Well Robin, I look forward to the next time we meet.
Paul: Thank you for taking the time to talk to me.
Robin: Yeah, you're very welcome.
Robin: Thanks for having me in.
Paul: Okay everybody. That's it for this iTalk. Tune in again in a couple of weeks for the next one. Bye for now.
Paul Tuohy has specialized in application development and training on IBM midrange systems for more than 20 years.