What's covered
- Learn from our 30+ years of IBM-i security experience
- Find out our top 8 tips to think about for your IBM-i security
Read Article
Having worked with IBM i customers for over 30 years, we have seen several trends that has impacted the security of the IBM i environment:
- Increasing use of network based services to access data on the IBM i system from inside the corporate network
- Increased connection of the IBM i based applications to the outside world
- Dramatic increases in cyber-crime, and the negative publicity and impact on corporate brand value, that these exploits can have
- Increased focus on, and enforcement of, regulatory compliance, whether SOX/CSOX, PCI or a variety of other standards
- IBM i (or AS400 or iSeries if you prefer) has long been viewed as a highly stable and secure platform and as such, the security priorities (and budgets) of organizations have tended to be focused in other areas such Windows server/client platforms and external network access (firewalls). Compounding this, is a general lack of experience in the auditor community of the unique attributes of the IBM i environment, to the point where many audits only contain a cursory review of this platform, and usually from the 1,000 foot level.
Given the fact that the IBM i typically houses critical corporate applications and data, this general lack of attention paid by many organizations to IBM i security is a critical exposure for the hundreds (or thousands) of Canadian organizations that rely on this platform and its applications for their existence. Hence, here are some key tips that every IBM i customer organization should consider.
- Log and monitor audit journal activity: The IBM i operating system provides audit journals that allow the logging of key system activity. Unfortunately, not all organizations have these audit journals enabled, and if they do, many do not monitor or report/alert on suspicious activity taking place. The sheer size and cryptic nature of these journals can make getting useful security information from this a challenge. Use 3rd party tools to provide this extra usability. Also, consider sending key IBM i log data to your corporate SIEM solution (if you have one), for a more complete view of organizational security related events.
- Implement exit programs to audit network-based activity: In the last 10-15 years, the use of TCP/IP based services (such as ODBC and FTP) to access data housed in the IBM i has grown exponentially. Traditional access to the AS400 has been through direct attached terminals and managed through menu access controls. OS400 (now called the IBM i operating system) provides exit points to allow this “external” access but does not adequately audit access through these services. 3rd party exit point solutions are a requirement to collect the necessary level of information to satisfy most auditor requirements.
- Clean up inactive user profiles: Inactive user profiles are defined as profiles that have not been used in the last 30 to 60 days. A surprising number of IBM i shops have a large number of inactive profiles and these can pose a significant security exposure. Regular cleaning of inactive profiles should be a priority and there are tools available to help with the ease the administrative effort of this task and even provide some automated assistance.
- Don’t confuse compliance with security: Your auditor might have told you that you have met compliance with your internal policies or regulatory policies, but this does not mean you are secure. Security is an ongoing process and mindset that does not end with a positive result on an audit. Understand where your key assets are, what poses the greatest business exposure to your organization, and be proactive in addressing these risks on an ongoing basis.
- Audit power user profiles: Every organization has trusted power user profiles that have higher levels of access and control over your critical systems. However, it is exactly these user profiles that pose the greatest risk should they be compromised. Minimize the number of user profiles with these high authorization levels, and make sure you are auditing all activity on these profiles. These are the profiles that hackers love to get their hands on. Also, consider using elevated authority techniques to temporarily extend user profile authority for specific tasks, fully audited, rather than assigning excessive authority on a permanent basis.
- Implement and enforce strong password policies: Ensure that your password policies include frequent expiration of passwords, and the use of a reasonably strong password structure. Ensure you check for the use of default passwords because the IBM i operating system and many applications ship with standard defaults. Hackers love default passwords, so make sure you change them. Consider implementing Multi-Factor Authentication as an additional layer of security for specific users or tasks that might be especially sensitive.
- Use a layered approach to IBM i security: Security of any kind, is all about layering. If one layer gets compromised, the next layer should stop (or at least slow down) the attacker. Make it difficult for the hacker – they love “easy targets”. A single security approach is not enough, even within the IBM i platform. You wouldn’t secure your corporate network with just a firewall, would you? Your IBM i should at least have strongly implemented object security, auditing of all activity, and even look at encryption for your highly sensitive data. Look at integrated solutions as a way of easing the administrative burden of managing all of these layers.
- Automate security and compliance checking where possible: If security becomes onerous and difficult to manage, for most organizations, things begin to fall between the cracks, or get pushed off to be done “when you have time”. Automate your security practices where possible, or use tools to help ease the administrative burden. Run automated compliance checks for key security policies on a regular basis to ensure that you are still OK. Or if you are not, so you can correct the situation in a timely fashion. Again, 3rd party solutions are available to help you with this automation.
(Bonus Tip) – Secure your IFS to minimize risk from malware and Ransomware attacks: The IBM i can be compromised through malicious activity targeting the IFS. Do not provide excessive authority to the IFS, especially at the root level, as key IBM i libraries reside in the IFS root. Also, consider an anti-virus solution for the IFS so it cannot house malware that might infect your other systems.
Brian Olson
Director of IBM Power Server – AI and Security Solutions, Able One