In my opinion, exit point products, while providing a very large amount of
value add, are NOT a replacement for an exclusionary access control model.

An exclusionary model defaults PUBLIC authority to *EXCLUDE -- i.e. access
is excluded to PUBLIC by default unless and until explicitly configured
otherwise. PUBLIC authority of *USE or greater is still appropriate for
some data in this model, but it is not assumed to be the desired access.

An open access control model assumes everyone should be allowed *READ or
higher access to everything unless explicitly configured otherwise.
Because of the heritage of i5OS many, if not most, customers have an open
access control model.

iSeries systems run in an entirely different environment today than when
the System/38 and the follow-on AS400 systems were introduced.  Many
customers that started out with the System/38 successfully achieved their
security requirements using an open access control model.  Many did not
change their access control policies while they were running entirely
different workloads, on systems that had changed significantly, and were
being used in network environments entirely different than the one in which
the original access control model was put in place.

An overview of the rationale behind my opinion is:
   iSeries is a multi-user, multi-application system.  It is too difficult
   to assume that exit points protect your data when there are numerous
   interfaces both network and green-screen that are typically used by the
   same people to access your system.  For example, does an ODBC exit point
   protect you from someone using green screen commmands to display the
   contents of a database?  If you use the exit point to prevent ODBC
   access, but the data is PUBLIC *CHANGE, and a user gets to a command
   line (either on the green screen or through a client/server application
   that doesn't prevent it), does the exit point protect the data? In my
   opinion, No.  The exit point program really protects the usage of the
   interface. It doesn't protect the data because the data doesn't have to
   be accessed through a particular interface.
   In today's networked environment, there are too many "standardized"
   interfaces designed on and for other systems that assume data accessed
   through those interfaces is protected by the native access control
   mechanism.  It is further assumed that access control has been
   configured for the data by the administrator.  Changing the behavior of
   these standard interfaces will often cause the implementation to no
   longer be standard.
   There is no guarrantee that new interfaces will have associated exit
   points.
   Exit point vendors (with valid reasons) tend to be at least one release
   behind the most recent OS release.  If a new OS release does contain a
   new interface with an associated exit point, it is likely that none of
   the vendors will have a program for that exit point for a relatively
   long time.

My assertion that exit point solutions are not sufficient to achieve the
highest levels of security, is no way a statement related to the value they
can provide.

For those of you with an open access control model -- only data that has
been explicitly denied access to is protected -- exit point solutions can
buy you heck of a lot more security than you have today.  While you're
putting an exclusionary model in place, the exit point solutions allow you
to gain a higher level of protection than you have if you do nothing at all
while planning and implementing an exclusionary model.

Exit point solutions have value beyond this also as they provide ways of
limiting access to specific interfaces based on criteria not considered by
the OS (time of day, for just one example).  These functions can be
invaluable to many organizations and add to their level security beyond
that provided by an exclusionary access control model. Exit point solutions
could also be helpful in making it easier and cheaper to move to an
exclusionary access control model.  Most already have "learning modes"
which tell you which users use which interfaces.   I would love to see an
exit point vendor use these learning modes to provide solutions that use
this type of information to help automate parts of the process of moving to
an exclusionary model.

Is changing to an exclusionary access control model from an open access
model complicated? Absolutely.  Does using an exit point product in the
absence of an exclusionary model provide value? Absolutely,  Will an exit
point solution without an exclusionary access control model be able to
provide the same level of security to an organization as an exclusionary
model plus the exit point solution?  In my opinion. the answer is no.

> Charles,
>
> Rather than risk hosing something else on your box by trying to create a
> "replacement *PUBLIC profile" or even just trying to hit every object on
> your box, it seems to me it would be a lot easier to use an exit program
for
> the ODBC/JDBC remote transactions.
>
> There are several exit program security products out there, but only one
> that I know of can afford 'pinpoint' accuracy with regard to controlling
> access via the exit point without having to modify any existing OS/400
> object authorities or user profile groupings.


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.