Today's entry comes from Colleen McCretton,
Architect for IBM Maximo Asset Management Security
As more companies move their Maximo implementations outside the firewall, security becomes a higher concern. The fundamental concept in Maximo security is ‘nothing is not everything’: a user who has been granted nothing can do nothing, and users can only do what they have been explicitly authorized to do (deny by default). Even with this underlying architecture, there are vulnerabilities worth considering. On a daily basis we get inquiries from customers who are undergoing some kind of audit for security best practices.
Here are some common security concerns and what you can do about them:
- Security Standards - Many clients ask about compliance with security standards such as PCI, FIPS, Sarbanes-Oxley, ISO and others. Maximo can be configured to comply with most of them, but because the requirements of different standards can conflict with each other, the out-of-the-box configuration is deliberately flexible rather than compliant with any one standard. Most standards share common requirements such as limited authorizations, auditing, encryption, and password and user ID rules that vary slightly from standard to standard; each of these has to be configured for the standard you are being audited against.
- Cross Site Scripting - This is when attacker-supplied script is injected into a page (for example through a web form field) and then executed in other users’ browsers. A filter can be enabled in Maximo’s web.xml to block such input (see this link). It can impact performance, so it is not enabled by default in most release versions.
- SQL Injection - This is when users manipulate data entry fields to get the application to execute SQL that they wrote. Maximo builds its SQL with prepared statements and bind variables, so for almost every attribute the user’s input is treated as data rather than as SQL and this is not an issue. There are a few exceptions, so the property mxe.db.sqlinjection can be enabled to further limit what can be executed. In addition, grant the ‘SEARCHWHERE’ sigoption in an application only to users who have a business need for it: this option allows users to send a WHERE clause through Maximo that is not filtered by the system, so it should be treated as a privileged grant.
- Security Certification - Releases of Maximo are scanned with IBM Rational AppScan to search for common security vulnerabilities. The scan results in recommended configurations on the application server. These include:
- Deploying in an SSL environment – this encrypts traffic between the browser and the application server, including the session cookie, but can also impact performance, so it needs evaluation at each client site.
- Deploying with LDAP authentication – here the application server, rather than Maximo’s native login, authenticates users and manages the session, so session identifiers are handled by its security layer. Note that session identifiers are only protected in transit when the SSL deployment above is also in place.
- Setting strong password requirements – passwords should be at least 6 characters long, contain at least one number or special character, expire at least every 90 days and not be the same as the login ID. Treat these as minimums; many audits, and current password guidance, call for longer passwords.
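To make the SQL Injection point above concrete, here is an added example (not Maximo code, and not the logic behind mxe.db.sqlinjection) using Python and an in-memory SQLite table. It contrasts a WHERE clause built by string concatenation with one that uses a bind variable, and then shows a conservative denylist check of the kind you might apply to a free-form ‘SEARCHWHERE’-style fragment. The table, rows and the `FORBIDDEN` pattern are constructed for the example; the point of the last function is that such a filter blocks stacked statements, comments and UNION/DML, but cannot stop a user from widening the WHERE clause itself, which is why the sigoption is worth restricting.

```python
import re
import sqlite3

# Constructed sample data standing in for an asset table (assumption: this is
# not Maximo's schema, just enough rows to show the behaviour).
SAMPLE_ASSETS = [
    ("11430", "Pump 1", "BEDFORD"),
    ("11450", "Conveyor", "BEDFORD"),
    ("2001", "Boiler", "NASHUA"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE asset (assetnum TEXT, description TEXT, siteid TEXT)")
    conn.executemany("INSERT INTO asset VALUES (?, ?, ?)", SAMPLE_ASSETS)
    return conn


def search_vulnerable(conn, siteid):
    """Vulnerable: the user's value is spliced into the SQL text, so a quote
    in the input changes the structure of the statement."""
    sql = "SELECT assetnum FROM asset WHERE siteid = '" + siteid + "'"
    return [row[0] for row in conn.execute(sql)]


def search_prepared(conn, siteid):
    """Hardened: the value is bound as a parameter, so the driver always
    treats it as data, never as SQL."""
    sql = "SELECT assetnum FROM asset WHERE siteid = ?"
    return [row[0] for row in conn.execute(sql, (siteid,))]


# Hypothetical denylist for a user-supplied WHERE fragment: statement
# separators, comment markers and keywords that would turn a filter into a
# different statement. This is an illustration, not Maximo's actual check.
FORBIDDEN = re.compile(
    r"(;|--|/\*|\*/|\b(union|insert|update|delete|drop|alter|exec|execute|grant)\b)",
    re.IGNORECASE,
)


def validate_where_fragment(fragment):
    """Return True when the fragment contains nothing from FORBIDDEN."""
    return FORBIDDEN.search(fragment) is None


def search_where(conn, fragment):
    """Run a user-supplied WHERE fragment after the denylist check. Note that a
    fragment such as "siteid = 'X' OR 1=1" passes the check and still returns
    every row: the filter limits damage, it does not remove the need to
    restrict who may send raw WHERE clauses."""
    if not validate_where_fragment(fragment):
        raise ValueError("rejected WHERE fragment: " + fragment)
    return [row[0] for row in conn.execute("SELECT assetnum FROM asset WHERE " + fragment)]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("concatenated:", search_vulnerable(db, payload))   # every row
    print("prepared:    ", search_prepared(db, payload))     # no rows
    print("fragment ok: ", validate_where_fragment("siteid = 'BEDFORD'"))
    print("fragment bad:", validate_where_fragment("1=1; DROP TABLE asset"))
    print("widened:     ", search_where(db, "siteid = 'X' OR 1=1"))
```

The `search_prepared` result for the injection payload is empty because the database looked for a site literally named `' OR '1'='1`; the concatenated version returned all three rows because the same text became part of the statement.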
Let me know what other Maximo Security topics you would like me to address in future blogs by commenting on this blog.