Home > AS/400 Tips > iSeries security tips > Keeping consultants honest

	iSeries 400 Tips:	EMAIL THIS

	TIPS & NEWSLETTERS TOPICS

	ISERIES SECURITY TIPS Keeping consultants honest Rich Loeber 03.06.2006 Rating: -3.38- (out of 5) Digg This!     StumbleUpon     Del.icio.us    [TABLE]I am always surprised by the number of programming shops that, in addition to their own resources, use external consultants for programming and systems tasks. The reasons are varied, but consultants present some serious security exposures. In this article, we'll discuss those security issues, and I'll make a few suggestions of things you should consider. [TABLE]			[IMAGE]

First, you should have non-disclosure agreements in place with every consultant that you work with. That agreement must be signed before the consultant starts any work for you. While this is just a piece of paper and won't secure y

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT iSeries security tips Checking in on your IBM i authorization lists PCI data security standards and the System i Securing the integrated file system on IBM System i Contextual security on IBM i: Limit user profile access Time for a security checkup for your i Security monitoring on IBM i: Watching your super users Tracking System i program object changes Recovering your AS/400 security configuration System values on i: Setting them up and locking i down A guide to System i security, Part 3: Digging in to the System i security environment iSeries system and application security Checking in on your IBM i authorization lists Strategies for securing IBM i production files Changing password security levels and upgrading operating systems on the IBM i Determine the value of parameter UPPWEI in the DSPUSRPRF field Define journal code value "K" Modify content within a journal receiver file Change password parameters on the AS/400 without deactivating user's passwords Prevent insiders with *READ or *USE access from circumventing object authority on IBM i Prevent insiders from obtaining user ids and passwords on the IBM i Change the IBM i system to allow only certain types of SSL protocol versions

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary midrange  (Search400.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

our system for you, it will give you recourse down the road if security issues come up.

Second, you should also come to an agreement with the consultant, in writing, defining who owns the code that is developed while the consultant is working for you. That agreement can get confusing, and you should take some time to negotiate with the consultant. What you are trying to avoid is having the consultant develop new programs and features that they can then turn around and sell to their other clients while you have paid for the development expense. Complications can arise with code that the consultant brings in with him and installs on your system. That code clearly belongs to the consultant and it is being used for your benefit. Provision in the agreement must be made for give and take in this area. If the consultant develops some code that they then wish to use elsewhere, you should be able to work out some remuneration for your company for making the code available to the consultant.

While there are many special requirements for consultants, perhaps the most important one is remote access to your system. In the old days when consultants "dialed in" to connect to your system from a terminal emulator, security was tight. But, with today's networked world, that situation is quite different. Consultants these days connect to your system via the Internet and that brings new concerns. First, your system must be sitting behind a firewall. Then, the easiest solution, which works for a lot of installations, is to implement a Virtual Private Network (VPN). That will allow a secure connection into your house network. Once that connection is made, the consultant can connect to your iSeries to get their work done. I have such arrangements with a number of customers where I do consulting. With some, we use MS VPN while others have implemented Citrix. I'm sure there are other arrangements, as well. Take the time to investigate the best solution for you. Granting direct Internet access to your system is generally not a good idea -- unless you have strict controls implemented at the server exit point level and even then I have my reservations.

This article raises only a few issues involved. If you have more ideas in this area, let me know so I can share them in a future tip. If you have specific questions about this topic, e-mail me at rich@kisco.com. All e-mail messages will be answered.

---------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

Rate this Tip To rate tips, you must be a member of Search400.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.