The IBM i server's reputation for security is well-deserved, but it's not foolproof. Complacency and short-handed IT staffs contribute to the problem.
In a world where perfection is seldom—if ever—found, it's amazing how some users of IBM i servers manage to persuade themselves that their systems are "perfectly" protected from security threats. As news stories of Home Depots and Targets and other big-time vendors' data-security castles being breached become increasingly routine, in the IBM i world denial is still a thriving cottage industry: "No one would bother to try to breach our company's security; we're too small and our i is too secure."
A survey of four prominent security software vendors in the IBM i market space shows that security threats abound. And while the cynics among us might rationalize that security software vendors have something to gain from alarming everyone about security problems, it's professionals like them who have to be called in when corporate data protection suddenly goes south.
The Biggest Security Headaches
The three most common security threats to IBM i servers are apathy, denial, and lack of time, according to Carol J. Woodbury, president and co-founder of SkyView Partners. "[This is] based on the false belief that IBM i is secure by default, or by the idea that a breach just can't/won't happen to them. For the organizations that want to do something about security, their biggest issue is time. Their staffs have been cut in recent years, and they simply don't have time or expertise to address their security concerns."
"Unencrypted sensitive data indicating a lack of defense-in-depth is the largest threat," maintains Patrick Townsend, CEO of Townsend Security. "The second is the absence of two-factor authentication as a defense against user/password hijacking. And the third would be an absence of active monitoring of the IBM i security journal combined with monitoring of all other non-IBM i servers, switches, firewalls, and PCs."
Ty Karny, vice-president of sales and marketing at Enforcive, cites "unsecured network access points such as FTP, ODBC, remote commands," as well as a "high proportion of user profiles that have excessive authority on the system," and "undefined or limited auditing definitions on the system [that] compromise the ability of an organization to detect intruders and to conduct forensic analysis of a penetration that has occurred" as the highest security concerns.
Phil Johnson, product director at HelpSystems (Safestone products), points to network access activity, over-privileged users, and general lack of knowledge about IBM i security as the three biggest problems. "Gone are the days when we can solely rely on menu security and command-line access to control and protect access to application data using 5250 sessions," he laments. "Users are more sophisticated, and the devices they use come with an array of tools that allow external access into our application databases, which circumvents 'legacy' menu and object-security settings."
Johnson goes on to note about over-privileged users that "we tend to find that there are a lot of users on the system that have been allocated excessive special authorities. Some system administrators need these to perform their job functions. However, there are many other types of users who have also been allocated excessive special authorities [who] don't need them 24/7."
Security Officers? Not for Everyone
The IBM i provides a security officer role via the QSECOFR privileged user profile. While this can be useful, sometimes it simply adds to security problems. "Many companies take a copy, or copies, of QSECOFR and allow some of their users to sign on with these alternative security officer profiles," Johnson points out. "Some companies control the use of these while others don't. It's sometimes impossible to trace back activity to a specific person if multiple users are signed on to the alternative security officer profiles at the same time. You must also remember that, by default, the activity of such users is not recorded."
When asked what a threshold should be for an enterprise to have a designated security officer, the four vendors differ in their opinions.
"I believe that any IBM shop with more than 100 users should have a dedicated IBM i security professional," declares Townsend. "However, this number can be smaller if there is critical sensitive data stored in the IBM i database."
"We suggest that organizations with three or more production partitions, or 750 or more active user profiles, have a dedicated security officer," notes Enforcive's Karny.
"That's really one of those 'it depends' questions," opines SkyView's Woodbury. "More or less dedicated time is needed to address security concerns based on not just the number of servers but what data is on those servers. The more personally identifiable information (e.g., bank account and credit-card numbers, healthcare information) there is, the more attention organizations should pay to their systems. Also, the definition of 'personally identifiable information' is growing to include more information. Another factor is the laws and regulations with which the organizations must comply. That will vary by type of data retained as well as the country in which the organization is located."
"There appear to be no hard and fast rules for the requirement of a dedicated security officer. It's more a case of the inherent business risk associated with the systems and applications running on those systems, together with the importance of the business data," HelpSystems' Johnson offers. "Most customers that we come across don't have a dedicated security officer as such. They may have a high-level expert who is responsible for security administration as well as other functions. In the larger companies, we tend to find that the job of security officer may be split between several different people, one responsible for profile management, another for application management, and another for auditing and compliance. You may also find that these people…have responsibilities for these functions in environments other than the IBM i as well."
Facing Up to Security Audits
Of course, some of these problems are supposed to be handled—or at least exposed—by annual security audits. The trouble is, too many organizations make a priority of security only at audit time. The four vendors were asked what they consider the biggest problems enterprises face during a security audit.
"The most common problems enterprises face when preparing for a security audit are limited auditing configurations on the system, limited time resources to prepare for the audit, lack of information regarding the scope and detail of the audit that will be conducted, limited access to long-term audit information (which may be stored on tapes), lack of clarity about what sensitive information is stored and where it resides, and weak definition of roles and the types of authority and access rights for each role," lists Karny.
"An enterprise customer needs to have a good baseline of their current security posture in order to take advantage of a good security audit," notes Townsend. "Knowing where you have weaknesses going into an audit prepares you to set expectations for the auditor. And enterprise customers should always get a prioritized list of security tasks as one outcome of an audit."
"Not having enough time [is the first issue]," points out Woodbury. "The second issue is not having put any automated processes in place to address the issues of past audits (that is, to keep their systems from going out of compliance) and having to scramble to get everything back in line. I call this 'the audit fire drill.'"
"Most of the problems that enterprises face are because they are very reactive to issues and events, as opposed to being proactive," observes Johnson. "They can be more proactive by understanding what the auditors are looking for. Common problem areas are auditing not being switched on or the scope of auditing not being extensive enough, there isn't any monitoring of exit-point activity, there's no control over allocation of special authorities to users, privileged user activity isn't monitored, general system settings are weak and not reviewed on a regular basis, some user settings can't be justified to auditors, and unless reporting tools are in place, it's difficult to provide the right kind of information from all the data being collected in the various activity logs."
Security Help for Smaller Enterprises
How can smaller organizations cope with security problems if they can't afford to have a dedicated security officer?
"Bottom line, they need to seriously consider getting outside help rather than ignoring the issue and hoping it will go away," suggests Woodbury. "As we've seen by the number of breaches in the U.S. in recent months, the problem is only getting bigger."
"I believe that the small IBM i customer can and should look to external expertise to secure their systems," agrees Townsend. "There are good third-party service organizations and independent security professionals who can help the smaller IBM i customer, and the IBM Systems and Technology Group (STG) can provide services in this area."
"Purchase a third-party [software] solution and configure it to automatically keep systems secure," Karny recommends. "Conduct quarterly security audits and use consultants to mitigate any audit findings. Provide additional training to system operators and administrators through onsite training events, vendor training events, and technical training conferences."
"Any enterprise, whether they require a dedicated security officer or not, needs to establish baseline security standards," Johnson suggests. "If [the enterprise] has little knowledge of IBM i security, [it] should have an assessment of the security status of their system and use that to build a security policy. Going forward, they'll need to identify how the IBM i will be configured, maintained, and reviewed on a regular basis. This may mean making the decision to use third-party solutions and services if they don't have the necessary resources available in-house."
Security Solutions for IBM i
What follows are security software and services for the IBM i that can help enterprises face their security challenges. Each product or service includes a link to a vendor page for more information as well as a brief description. The descriptions cover only a few high points of each offering. Be sure to consult the vendor web pages for more complete descriptions of these offerings and their uses.
System Security Software Products for IBM System i
Applied Logic Corporation
Pro/Encrypt
Pro/Encrypt provides software-only encoding of System i data for secure backup and storage, file transfer, or physical transport. The function can run interactively or in batch, can use up to 256-bit encryption, can encrypt single files or whole libraries, and uses a symmetric key or pass phrase for decryption.
AS/SURE Software
iSecure
iSecure is a utility that provides end users with self-service user-profile and password-reset services, letting them bypass the help desk for these common requests. Users can review password change rules and set up challenge questions to establish their identities. The product lets QSECOFR determine what functions users may access, logs all actions for later review, tracks which users have established password challenge questions, and provides an administrator-only menu.
Bug Busters Software Engineering, Inc.
A la Carte Menu and Security System (ALC)
ALC lets administrators control access to applications and objects via a menu system based on i5/OS user and group profiles, *PUBLIC authorities, and authorization lists. Users can activate menu options or system commands at the command line, and each menu can offer up to 999 options. Menus and menu options are system objects protected by system authority settings.
Busch & Partner
PCSACC/400
PCSACC/400 is a database access-control application that limits the potential damage PC users can do to System i data via menu-based application controls and third-party utilities, such as file transfer. It provides a range of object-level security protections, monitors SQL query use, and provides user interfaces in either English or German. The company currently offers a three-month free testing period for the product.
Bytware, Inc.
StandGuard Anti-Virus
StandGuard Anti-Virus uses a McAfee engine to find and remove computer viruses that may have taken up residence on a System i, including servers running AIX, Linux, and Domino. The product offers automatic updates of virus definitions and both green-screen and GUI interfaces. It also lets users manage multiple machines from a single console and provides native email screening.
StandGuard Network Security
StandGuard Network Security provides network access control for System i environments. It protects all exit points, secures more than 120 server functions, and supports both public and private authorities. It also activates and deactivates all exit points without restarts, tracks and prints auditing reports on database changes, and monitors audit journals and command and program activities.
Centerfield Technology, Inc.
insure/SECURITY
Insure/SECURITY helps security officers protect application data from unauthorized access and changes, particularly via remote access, without requiring modification of enterprise applications. Officers can apply rules at the *PUBLIC or group level, set different rules for different times of the day, and restrict or lock down access methods such as FTP. The product operates independently and requires no changes to existing software applications.
Cilasoft
Cilasoft Suite
The Cilasoft Suite consists of four products. QJRN/400 enhances i5/OS journaling functions to track system events and database changes. CONTROLER offers modules that control use of system commands and access to system resources. DVM audits read access to sensitive data stored on IBM i servers. EAM helps administrators manage authorities.
CXL, Ltd.
AZScan
AZScan is a PC-based program that can analyze midrange system security, including System i machines running i5/OS, AIX, and Linux. The product copies server files to a PC for analysis. For i5/OS, it performs 53 tests, supports 15 OS releases, and doesn't require users to load any software on the System i.
Enforcive
Enterprise Security for IBM i
Enforcive/Enterprise Security for IBM i is a security and compliance solution for IBM i (iSeries) that includes more than 20 integrated, GUI-controlled security, auditing, and compliance modules. This software suite enables system administrators, security officers, and auditors to manage security and compliance tasks efficiently and effectively.
Cross-Platform Audit
Enforcive/Cross-Platform Audit is an enterprise-wide compliance event monitor built on the principles of database activity monitoring and log management, but it focuses on providing practical and relevant information about an organization's critical systems.
Cross-Platform Compliance
Enforcive/Cross-Platform Compliance (CPC) lets users create, document, and maintain a clear security policy for multiple systems of diverse platforms. CPC allows organizations to quickly check whether their security and system settings are in line with their IT policies or regulatory requirements.
Field Encryption Protection
Enforcive/Field Encryption Protection is a comprehensive platform for file and field-level encryption, as well as for masking and scrambling.
System Reporting
Enforcive/System Reporting provides a complete solution for defining, optimizing, distributing, and archiving reports within your IBM i environment.
Exit Point Security
Enforcive/Exit Point Security offers peace of mind regarding all external access to IBM i. Security officers can easily collect, monitor, and analyze exit point activity.
Password Self-Service
Enforcive/Password Self-Service (PSS) streamlines password management into an autonomous process that enables end-users of IBM i and Windows Active Directory to securely manage their passwords independently. End users who don't remember their password for a particular system or want to synchronize a new password across all or select systems can now be given the ability to do so instantly on their own without the need to be escalated to the helpdesk.
Halcyon Software
Audit Journal Manager
Audit Journal Manager tracks all activity in the QAUDJRN system-audit journal, sends alerts and takes other predefined actions when preset events occur, and lets system managers run customized reports based either on specific criteria or on one of 34 pre-supplied report criteria types.
Authority Swapper
Authority Swapper lets users track and record situations in which a lower-authority user temporarily accesses a user profile with higher privileges for a specific purpose. The product's GUI allows non-technical users to operate it, an "audit replay" feature lets system managers review the actions taken by the user with temporarily enhanced authority, and managers can restrict profile-swapping activities to specified days and times.
Exit Point Manager
Exit Point Manager logs actions at 21 exit points so users can demonstrate compliance with auditing requirements and security standards. The product runs in the background to provide real-time monitoring of exit points, sends alerts in the event of problems, provides templates with predefined rules, and blocks unauthorized access to servers and their data.
Password Reset Manager
Password Reset Manager lets users change their passwords and re-enable their user profile without help from the Help Desk. The product also tracks and reports on password changes and failures and lets end users customize the personal questions they are asked to self-authenticate their accounts.
HiT Software, Inc., a BackOffice Associates, LLC Company
SafeConduct
SafeConduct runs on any server using Windows or Java Runtime Environment 1.4 or later. It uses SSL/TLS with 256-bit encryption to protect sensitive data in transit. It provides node-to-node authentication to ensure the recipient is valid, requires no changes to application code, and provides a Windows-based audit log.
IBM Corporation
IBM Security Host Protection
IBM Security Host Protection guards servers running AIX with an integrated firewall and intrusion protection, enforcement tools for corporate security policies, and auditing compliance aids.
IBM Security Server Protection
IBM Internet Security Systems' server protection is a service for servers running AIX, Linux, Solaris, or Windows. It uses two products, IBM Proventia Server Intrusion Prevention System and IBM RealSecure Server Sensor, to protect any Power Systems server against denial of service, remote exploit, SQL injection, cross-site scripting, and other security attacks. The products provide a firewall, prevent intrusions, guard against buffer overflow attacks, and inspect secure Web transactions.
Editor's Note
This is a huge topic, so we're stopping here for now. We'll finish up the vendor and product list next month!
MC Press Online