Would it surprise you to know there’s an MQ V8 System Administration certification? Normally I run down and take the test as soon as it’s available but this one has been out since January 14th and somehow I missed the announcement. So yesterday I stopped by at my local Pearson Vue affiliate and sat for Test C2180-410: IBM MQ V8.0, System Administration to earn my certification. Did I pass? You betcha! Was it what I was expecting? Sort of.
Everyone knows that data breaches are expensive. Security vendors never tire of telling us exactly how expensive breaches are, on a per-incident or per-record basis. In the case of a large retail brand, a breach can make a significant dent but it usually isn’t fatal. In fact, for one large conglomerate in particular, recent events suggest that even a series of high-profile breaches won’t cripple a company. It might be tempting to assume this experience applies across the board. It might be tempting to assume that your business would fare as well. Don’t make that assumption.
Update: IBM has reconsidered and has announced that dmpmqcfg will be fixed as a defect! Subscribe if you would like a notification when the fix is announced. But please do read the post, especially if you are using amqoamd for anything.
Most of the time when someone says “security” they are actually thinking of intrusion prevention – the parts that keep unauthorized people out of the system. But security is so much more than that. We need to know if our security fails. That part is intrusion detection. After an incident we want to be able to determine how it happened and what to fix so it doesn’t happen again. The logging and accountability functions are what support that forensic analysis. Of course we also need to recover from an incident. That’s the business continuity aspect. All of these fall under the broad security umbrella and any security assessment that I perform includes aspects of all of these.
But there is an implicit assumption that the tools to perform these functions are available. In particular, the ability to back up a configuration for later recovery is something so fundamental that many people consider it part of the baseline functionality of any Enterprise-class product. But what if it’s not? Or worse, what if you think it is but the provided tools do not actually do what you are expecting? Would you know?
If your shop is concerned about the security of the WebSphere MQ network, then chances are you consciously and deliberately configure your queue managers to prevent administration by adjacent queue managers in the network. If you do not routinely do this, then by default compromise of any one queue manager on the network compromises the entire network. Such a compromise would include any FTE, Broker, Advanced Message Security or other components or applications that can be administered by sending messages to their command queues.
The only problem is, IBM does not currently provide a tool in the product that backs these security settings up accurately. There are two tools documented in the WebSphere MQ Infocenter and a Technote which are described as providing configuration backup functionality. Assuming you want that backup to be complete, both are broken. IBM has officially responded in both cases that they are working as designed.
Please join AJ Aronoff and me for a Prolifics webinar: IIB: Security Defenses that Withstand the Test of Time
For the last 7 years my security focus has mainly been intrusion prevention. That’s all the controls you use to keep unauthorized people out of the messaging network. I’m happy to report that things have improved on that front. IBM has greatly improved the software and customers are enabling the security controls in record numbers. (Not that the secured systems are yet in the majority, but it’s MUCH better than before.)
Unfortunately, intrusion prevention is only one part of the story. A comprehensive security design also includes intrusion detection, forensic capability and incident recovery. One reason that these are needed is that the state of the art is a moving target. Attack technology always gets better, defensive technology moves to keep up or stay ahead. Over time the configuration you implement today gets weaker as the state of the art continues to advance.
This webinar will focus less on the specific controls and more on how to maintain security effectiveness over time. We will be addressing IBM Information Broker (the software formerly known as WebSphere Message Broker) but since it is built on top of WebSphere MQ the content will also be useful for WMQ admins who do not have IIB. I hope to “see” you there!
Much thanks to my friends at Prolifics for sponsoring the webinar.
What not to crowdsource: Specialty training
Crowdsourcing: Collaboration based on the idea that given a sufficiently large pool of talent, it is possible to create a specific deliverable of high quality and in a timely fashion, using donated excess capacity of the crowd.
Some things just don’t crowdsource easily.
At its core, crowdsourcing is a slight twist on that old saw about “You can have it fast, cheap or right. Pick any two and let me know.” The twist is that “cheap” has been stipulated as a given and replaced with “crowdsourced.”
You can have it crowdsourced.
You can have it fast.
You can have it right.
Pick any two and get back to me.
But crowdsourcing works great, right? There’s Wikipedia, Linux, FreeDB and many other examples one can point to of high quality products built by crowds. But what I’d invite you to do is to consider the one thing where crowdsourcing tends to fall down.
Got WMQ security work? I’m happy to report I’ll soon be available for consulting engagements! After a couple of years in WebSphere MQ Product Management, and 6 before that in IBM Software Services, I’ve given notice to IBM and will be available for engagements as of May 13th.
My IMPACT sessions are in process of being reassigned so I’ve adjusted the schedule on the previous blog post. I left “Meet The Experts” on the schedule, I’ll just be in the audience this time around. I’ll also be there for the book signing and there are 100 copies printed (including the updated typos) so come by the table Tuesday at Noon. I believe that Neil Casey will also be in attendance and at the book signing.
The new business is IoPT Consulting. If you’ve heard of Internet of Things, the name of the business refers to Internet of People & Things. My biggest gripe with the first wave of IoT devices is that they neglected to consider the people who would use them. The cool factor of a light switch, door lock, web cam or other device controlled from your phone wears off pretty quick when you have to have 50 apps to control 50 categories of device and they don’t talk to one another. Of course IoT has no appeal at all when your Internet connection goes dark and the house blue-screens. I’d like to build an Internet of Things that values the people who own those things and, by the way, WebSphere messaging and MQTT are one of the best ways to do that.
I’ll be available as of May 13 as an independent or, for customers with preferred vendor rosters, through one of several established firms. I can provide short- or long-term engagements for architecture design, performance tuning, outage resolution, migration, staff augmentation, and of course security. Lots of security. Call me for details at 704-443-TROB or see me at IMPACT.
Travel has been working out well lately. I’ve just sort of been making my own events. Case in point, I wanted to attend the PDCNYC meeting so I put the word out I’d be available in NYC and immediately got several requests. And that was just working with a few of the IBM account folks. I didn’t exactly broadcast my availability.
Well, now I am.
IBM will send me pretty much anywhere in North America so long as I can meet with two or more customers (but not at the same time). If I line up 4 or more customers I can visit other continents. So if you want to meet in person to talk security…or clustering, architecture, high availability, migration, AMS, FTE, MQTT, identity, privacy, Internet of Things, whatever, let me know. Maybe I can find a few others in your area and we can work something out.
Upcoming trips include:
- Monday evening, April 8: PDCNYC
- April 9 – 10: Customer visits, Jersey City/NYC area.
- April 28 – May 3: IMPACT, Las Vegas (Book signing, Tuesday at Noon.)
- May 6 – 9: Internet Identity Workshop #16, Mountain View, CA.