Apex Reports for Defense in Depth and Compliance
Author(s): Dr. Glen E. Newton, Posted on March 18th, 2015
ClearPath OS 2200 Release 16.0 includes Apex 2.0, the second release of the administration tool introduced in Release 15. Apex is a Web application for managing the OS 2200 operating system.
In this blog, I’ll focus on one aspect of Apex – the reports it provides for defense in depth and compliance.
First let’s look at those terms.
Defense in depth means that the strategies and mechanisms the data center uses to protect its assets go beyond secure configurations, firewalls, and other first-line defenses. They also include procedures and tools to verify that the outer defenses have not been breached, and to detect the signs of a compromise or an attempted compromise when something has gone wrong.
Compliance includes following rules established by corporate security policies, governmental regulations, and industry standards.
Defense in Depth
A good defense in depth strategy includes monitoring for failed logon attempts, which could indicate an attempted attack. Without Apex, your process for monitoring could be similar to the following excerpt from an operations manual:
- Execute the following LA (TeamQuest Log Analyzer) script:
PRINT REPORT=DUMP ENTRY=(810) FORMAT=(TEXT)
- Scan the generated output for lines beginning with: Type/Code/Caller: 33/xx where xx is anything but 00.
With Apex, your process is much simpler: run the Login Failures report, specifying the time and date span of interest. Apex delivers to your Web browser a report with a concise summary and details that you can sort by user-id, date/time, error type, or IP address.
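The manual procedure above amounts to a filter over the LA output: keep the type 33 (logon) records whose code is not 00, then tally them by user-id and address. The following script, an added example and not part of Apex or of the original post, does that scan over a few constructed lines. Only the "Type/Code/Caller: 33/xx" prefix comes from the operations-manual excerpt; the user= and ip= fields after it are an assumed layout for the example, not the real OS 2200 log format.

```python
import re
from collections import Counter

# Constructed sample of LA (TeamQuest Log Analyzer) DUMP output for system log
# entry 810. Only the "Type/Code/Caller: 33/xx" prefix comes from the post;
# the "user=" and "ip=" fields that follow are an assumed layout for this
# example, not the real OS 2200 log format.
SAMPLE_LA_OUTPUT = """\
Type/Code/Caller: 33/00 user=OPS1 ip=10.1.2.3
Type/Code/Caller: 33/01 user=OPS1 ip=10.1.2.3
Type/Code/Caller: 33/01 user=OPS1 ip=10.1.2.3
Type/Code/Caller: 33/01 user=OPS1 ip=10.1.2.3
Type/Code/Caller: 33/02 user=ADMIN ip=192.0.2.44
Type/Code/Caller: 33/00 user=ADMIN ip=192.0.2.44
Type/Code/Caller: 41/00 user=BATCH1 ip=10.1.9.9
Type/Code/Caller: 33/01 user=GUEST ip=192.0.2.44
Type/Code/Caller: 33/01 user=GUEST ip=192.0.2.44
"""

# A logon record is type 33; code 00 is a successful logon, anything else a failure.
LOGON_LINE = re.compile(r"^Type/Code/Caller:\s*33/(?P<code>\S+)\s*(?P<rest>.*)$")
FIELD = re.compile(r"(\w+)=(\S+)")


def parse_logon_failures(text):
    """Return one dict per type-33 record whose code is anything but 00."""
    failures = []
    for line in text.splitlines():
        m = LOGON_LINE.match(line)
        if not m or m.group("code") == "00":
            continue  # not a logon record, or a successful logon
        rec = {"code": m.group("code")}
        rec.update(FIELD.findall(m.group("rest")))
        failures.append(rec)
    return failures


def summarize_failures(failures, threshold=3):
    """Count failures by user-id, IP address and error code, and flag any
    user-id or address with at least `threshold` failures for follow-up."""
    by_user = Counter(f.get("user", "?") for f in failures)
    by_ip = Counter(f.get("ip", "?") for f in failures)
    by_code = Counter(f["code"] for f in failures)
    return {
        "total": len(failures),
        "by_user": dict(by_user),
        "by_ip": dict(by_ip),
        "by_code": dict(by_code),
        "flagged_users": sorted(u for u, n in by_user.items() if n >= threshold),
        "flagged_ips": sorted(ip for ip, n in by_ip.items() if n >= threshold),
    }


if __name__ == "__main__":
    report = summarize_failures(parse_logon_failures(SAMPLE_LA_OUTPUT))
    print(f"{report['total']} logon failures")
    for user in report["flagged_users"]:
        print(f"  user {user}: {report['by_user'][user]} failures")
    for ip in report["flagged_ips"]:
        print(f"  address {ip}: {report['by_ip'][ip]} failures")
```

Tallying by address as well as by user-id matters: in the sample, 192.0.2.44 reaches the threshold only when its failures against two different user-ids are added together, which a per-user view alone would miss.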
Another part of your defense in depth strategy involves making sure that any changes in user security attributes are authorized. Apex includes a Modified Users report that shows the administrator which users have been modified, what the changes were, and who made the modifications. It even includes a before-and-after comparison of the changed attributes. Of course the report can’t tell you if the changes were authorized or not, but it provides essential data you can compare with change requests and other artifacts.
Do you have a security policy that sets a password change interval, such as a 60-day interval adopted to satisfy the HIPAA Security Rule's requirement for procedures to create, change, and safeguard passwords, or the following requirement from the Payment Card Industry Data Security Standard (PCI DSS)?
- “Change user passwords/passphrases at least every 90 days.” ~ PCI DSS 3.0, section 8.2.4
Without Apex, your process for verifying compliance with this policy could involve a tedious, error-prone search through a full user-id report:
- Produce a full SIMAN or Security-Admin user-id report and scan it, looking for all “last change dates” more than 90 days ago.
With Apex, verifying compliance is as simple as examining the results of the Passwords report. This report goes beyond simply looking for users with expired passwords; it gives the administrator four views of users and their passwords:
- Users whose passwords have expired
- Users whose passwords are due to expire within the specified number of days
- Users whose password expiration thresholds do not conform to the system defaults
- Users who have never changed their passwords
Perhaps you need to comply with this similar requirement:
- “Remove/disable inactive user accounts at least every 90 days.” ~ PCI DSS 3.0, section 8.1.4
Without Apex, your process for verifying compliance with this policy could require you to look through a long report, scanning for the “days of inactivity” lines of the report and matching them with the corresponding user-ids.
With Apex, you run the Dormant Users report, which searches the security database for you, looking for user-ids that haven’t been used in the amount of time you specify. For more about this report, see the Verifying Security Policy Compliance post.
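Both checks described above, the four views of the Passwords report and the Dormant Users search, reduce to date arithmetic over the user security records. The script below is an added example, not Apex or Unisys code, that computes all five results from a constructed set of records as of the post date. The record field names and the system default expiration threshold of 90 days are assumptions made for the example; a real site takes both from its own security database and configuration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed system default for the password-expiration threshold, in days.
# A real site takes this from its OS 2200 security configuration; 90 is used
# here because it is the interval the PCI DSS requirement quoted above names.
SYSTEM_DEFAULT_EXPIRATION_DAYS = 90


@dataclass
class UserRecord:
    """Minimal user security record, constructed for this example.
    The field names are assumptions, not SIMAN or Security-Admin fields."""
    userid: str
    last_password_change: Optional[date]  # None: password never changed
    expiration_days: int                  # this user's expiration threshold
    last_logon: Optional[date]            # None: user-id never used
    disabled: bool = False


def _in_scope(user, include_disabled):
    # Disabled users are usually uninteresting noise; leave them out by default.
    return include_disabled or not user.disabled


def password_views(users, today, expiring_within_days=14, include_disabled=False):
    """The four views of the Passwords report, computed from user records."""
    views = {"expired": [], "expiring": [], "nondefault_threshold": [], "never_changed": []}
    for u in users:
        if not _in_scope(u, include_disabled):
            continue
        if u.expiration_days != SYSTEM_DEFAULT_EXPIRATION_DAYS:
            views["nondefault_threshold"].append(u.userid)
        if u.last_password_change is None:
            views["never_changed"].append(u.userid)
            continue  # no change date, so there is no age to compare
        expires_on = u.last_password_change + timedelta(days=u.expiration_days)
        if expires_on <= today:
            views["expired"].append(u.userid)
        elif expires_on <= today + timedelta(days=expiring_within_days):
            views["expiring"].append(u.userid)
    return views


def dormant_users(users, today, inactive_days=90, include_disabled=False):
    """User-ids not used within `inactive_days`; never-used ids count as dormant."""
    dormant = []
    for u in users:
        if not _in_scope(u, include_disabled):
            continue
        if u.last_logon is None or (today - u.last_logon).days > inactive_days:
            dormant.append(u.userid)
    return dormant


# Constructed sample records, evaluated as of the post date.
TODAY = date(2015, 3, 18)
USERS = [
    UserRecord("OPS1",   date(2015, 1, 1),   90,  date(2015, 3, 18)),  # expires 2015-04-01
    UserRecord("ADMIN",  date(2014, 11, 15), 90,  date(2015, 3, 17)),  # expired 2015-02-13
    UserRecord("BATCH1", date(2015, 3, 1),   365, date(2014, 11, 1)),  # non-default, 137 days idle
    UserRecord("GUEST",  None,               90,  None),               # never changed, never used
    UserRecord("OLDUSR", date(2014, 6, 1),   90,  date(2014, 6, 2), disabled=True),
]

if __name__ == "__main__":
    for view, ids in password_views(USERS, TODAY).items():
        print(f"{view}: {ids}")
    print("dormant:", dormant_users(USERS, TODAY))
```

Two edge cases are worth noting. A user who has never changed their password has no change date, so no age can be computed; the example reports such users in their own view rather than silently treating them as expired or as compliant. Likewise a user-id that has never logged on has no inactivity count, and the example treats it as dormant, since an account that was created but never used is exactly what the PCI DSS requirement is meant to catch.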
Apex reports based on system log data and user security records help you find events of special security significance, supporting a “defense in depth” strategy and facilitating compliance with policies, regulations, and standards. All Apex reports share design features that minimize the learning curve and boost productivity:
- You can sort the results by clicking column headings.
- Where appropriate, action buttons let you take immediate action, such as disabling or re-enabling a user, right from the report.
- For log-based reports that include a time span, Apex keeps track of the ending time, so you can continue a search from where you left off.
- Reports display automatically in the browser, rather than having to be explicitly requested from the host.
- For long-running reports, Apex presents intermediate status.
- To help you focus your attention, Apex lets you exclude uninteresting data (e.g., disabled users) or specify what to include in the search (e.g., with a list or a regular expression).
- Reports can be printed or exported in CSV format for viewing in spreadsheet software.
- When a report includes a lot of output, Apex separates it into pages and provides controls that make it easy to navigate back and forth.
The reports highlighted above and several others were included in Apex 1.0. In Apex 2.0, which is part of ClearPath OS 2200 Release 16, more reports have been added and the older reports have been enhanced. Give them a try and see how they can help you streamline your security defense and compliance activities.