Over the years I have often been asked for security templates and other canned assets to help make MQ security planning, implementation, and operation easier. These often become the source material for conference presentations, articles and videos. Some of these assets focus directly on configuration. The benefit of these is to take a lot of the heavy lifting off the hands of the MQ administrator. That leaves the administrator free to focus on the more business-specific task of designing the appropriate security architecture. The question then is whether we can take some of the heavy lifting from that task as well. I don’t believe that is easy to do safely, but the good news is that we can at least take much of the randomness out.
One of the best best tools I have ever created for helping design the MQ security architecture isn’t a script, or a set of procedures, or anything prescriptive. It is simply a long list of open-ended questions to consider in the design.
For example, when someone says “MQ Security” what comes to mind? Very likely it is certificates, setmqaut commands, exits, CHLAUTH rules and so on. These are all examples of intrusion prevention controls, which is just one category under the larger “security” umbrella. If someone managed to get past the defenses, how would you know? This is called intrusion detection. When (not if) there is a breach, you will hopefully also considered forensic analysis and recovery.
It’s a big topic.
It needs a a big list of questions.
So by all means, automate everything possible (or call me to do that for you!) with regard to implementing and operating your security architecture. That leaves you free to focus on the more critical task of designing the best security architecture for your specific requirements. If you want a template to help with that, I may have just the thing!
You can download my IBM MQ Security Requirements Questionnaire directly, but as with all my other documents, it’s permanent home is on the Links page. Please let me know if you use the document and send me any comments good or bad so I can improve the document over time.