26
Thu, Dec
0 New Articles

Technology Focus: The IBM i Isn't Immune to Security Problems!

IBM i (OS/400, i5/OS)
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

The IBM i server's reputation for security is well-deserved, but it's not foolproof. Complacency and short-handed IT staffs contribute to the problem.

 

In a world where perfection is seldomif everfound, it's amazing how some users of IBM i servers manage to persuade themselves that their systems are "perfectly" protected from security threats. As news stories of Home Depots and Targets and other big-time vendors' data-security castles being breached become increasingly routine, in the IBM i world denial is still a thriving cottage industry: "No one would bother to try to breach our company's security; we're too small and our i is too secure."

 

A survey of four prominent security software vendors in the IBM i market space shows that security threats abound. And while the cynics among us might rationalize that security software vendors have something to gain from alarming everyone about security problems, it's professionals like them who have to be called in when corporate data protection suddenly goes south.

The Biggest Security Headaches

The three most common security threats to IBM i servers are apathy, denial, and lack of time, according to Carol J. Woodbury, president and co-founder of SkyView Partners. "[This is] based on the false belief that IBM i is secure by default, or by the idea that a breach just can't/won't happen to them. For the organizations that want to do something about security, their biggest issue is time. Their staffs have been cut in recent years, and they simply don't have time or expertise to address their security concerns."

"Unencrypted sensitive data indicating a lack of defense-in-depth is the largest threat," maintains Patrick Townsend, CEO of Townsend Security. "The second is the absence of two-factor authentication as a defense against user/password hijacking. And the third would be an absence of active monitoring of the IBM i security journal combined with monitoring of all other non-IBM i servers, switches, firewalls, and PCs."

Ty Karny, vice-president of sales and marketing at Enforcive, cites "unsecured network access points such as FTP, ODBC, remote commands," as well as a "high proportion of user profiles that have excessive authority on the system," and "undefined or limited auditing definitions on the system [that] compromise the ability of an organization to detect intruders and to conduct forensic analysis of a penetration that has occurred" as the highest security concerns.

Phil Johnson, product director at HelpSystems (Safestone products) points to network access activity, over-privileged users, and general lack of knowledge about IBM i security as the three biggest problems. "Gone are the days when we can solely rely on menu security and command-line access to control and protect access to application data using 5250 sessions," he laments. "Users are more sophisticated, and the devices they use come with an array of tools that allow external access into our application databases, which circumvents 'legacy' menu and object-security settings."

Johnson goes on to note about over-privileged users that "we tend to find that there are a lot of users on the system that have been allocated excessive special authorities. Some system administrators need these to perform their job functions. However, there are many other types of users who have also been allocated excessive special authorities [who] don't need them 24/7."

Security Officers? Not for Everyone

The IBM i provides a security officer role via the QSECOFR privileged user profile. While this can be useful, sometimes it simply adds to security problems. "Many companies take a copy, or copies, of QSECOFR and allow some of their users to sign on with these alternative security officer profiles," Johnson points out. "Some companies control the use of these while others don't. It's sometimes impossible to trace back activity to s specific person if multiple users are signed on to the alternative security officer profiles at the same time. You must also remember that, by default, the activity of such users is not recorded."

When asked what a threshold should be for an enterprise to have a designated security officer, the four vendors differ in their opinions.

"I believe that any IBM shop with more than 100 users should have a dedicated IBM i security professional," declares Townsend. "However, this number can be smaller if there is critical sensitive data stored in the IBM i database."

"We suggest that organizations with three or more production partitions, or 750 or more active user profiles, have a dedicated security officer," notes Enforcive's Karny.

"That's really one of those 'it depends' questions," opines SkyView's Woodbury. "More or less dedicated time is needed to address security concerns based on not just the number of servers but what data is on those servers. The more personally identifiable information (e.g., bank account and credit-card numbers, healthcare information) there is, the more attention organizations should pay to their systems. Also, the definition of 'personally identifiable information' is growing to include more information. Another factor is the laws and regulations with which the organizations must comply. That will vary by type of data retained as well as the country in which the organization is located."

"There appear to be no hard and fast rules for the requirement of a dedicated security officer. It's more a case of the inherent business risk associated with the systems and applications running on those systems, together with the importance of the business data," HelpSystems' Johnson offers. "Most customers that we come across don't have a dedicated security officer as such. They may have a high-level expert who is responsible for security administration as well as other functions. In the larger companies, we tend to find that the job of security officer may be split between several different people, one responsible for profile management, another for application management, and another for auditing and compliance. You may also find that these people…have responsibilities for these functions in environments other than the IBM i as well."

Facing Up to Security Audits

Of course, some of these problems are supposed to be handledor at least exposedby annual security audits. The trouble is, too many organizations make a priority of security only at audit time. The four vendors were asked what they consider the biggest problems enterprises face during a security audit.

"The most common problems enterprises face when preparing for a security audit are limited auditing configurations on the system, limited time resources to prepare for the audit, lack of information regarding the scope and detail of the audit that will be conducted, limited access to long-term audit information (which may be stored on tapes), lack of clarity about what sensitive information is stored and where it resides, and weak definition of roles and the types of authority and access rights for each role," lists Karny.

"An enterprise customer needs to have a good baseline of their current security posture in order to take advantage of a good security audit," notes Townsend. "Knowing where you have weaknesses going into an audit prepares you to set expectations for the auditor. And enterprise customers should always get a prioritized list of security tasks as one outcome of an audit."

"Not having enough time [is the first issue]," points out Woodbury. "The second issue is not having to put any automated processes in place to address the issues of past audits (that is, to keep their systems from going out of compliance) and having to scramble to get everything back in line. I call this 'the audit fire drill.' "

"Most of the problems that enterprises face are because they are very reactive to issues and events, as opposed to being proactive," observes Johnson. "They can be more proactive by understanding what the auditors are looking for. Common problem areas are auditing not being switched on or the scope of auditing not being extensive enough, there isn't any monitoring of exit-point activity, there's no control over allocation of special authorities to users, privileged user activity isn't monitored, general system settings are weak and not reviewed on a regular basis, some user settings can't be justified to auditors, and unless reporting tools are in place, it's difficult to provide the right kind of information from all the data being collected in the various activity logs."

Security Help for Smaller Enterprises

How can smaller organizations cope with security problems if they can't afford to have a dedicated security officer?

"Bottom line, they need to seriously consider getting outside help rather than ignoring the issue and hoping it will go away," suggests Woodbury. "As we've seen by the number of breaches in the U.S. in recent months, the problem is only getting bigger."

"I believe that the small IBM i customer can and should look to external expertise to secure their systems," agrees Townsend. "There are good third-party service organizations and independent security professionals who can help the smaller IBM i customer, and the IBM Systems and Technology Group (STG) can provide services in this area."

"Purchase a third-party [software] solution and configure it to automatically keep systems secure," Karny recommends. "Conduct quarterly security audits and use consultants to mitigate any audit findings. Provide additional training to system operators and administrators through onsite training events, vendor training events, and technical training conferences."

"Any enterprise, whether they require a dedicated security officer or not, needs to establish baseline security standards," Johnson suggests. "If [the enterprise] has little knowledge of IBM i security, [it] should have an assessment of the security status of their system and use that to build a security policy. Going forward, they'll need to identify how the IBM i will be configured, maintained, and reviewed on a regular basis. This may mean making the decision to use third-party solutions and services if they don't have the necessary resources available in-house."

Security Solutions for IBM i

What follows are security software and services for the IBM i that can help enterprises face their security challenges. Each product or service includes a link to a vendor page for more information as well as a brief description. The descriptions cover only a few high points of each offering. Be sure to consult the vendor web pages for more complete descriptions of these offerings and their uses.

System Security Software Products for IBM System i

Applied Logic Corporation

Pro/Encrypt

Pro/Encrypt provides software-only encoding of System i data for secure backup and storage, file transfer, or physical transport. The function can run interactively or in batch, can use up to 256-bit encryption, can encrypt single files or whole libraries, and uses a symmetric key or pass phrase for decryption.

AS/SURE Software

iSecure

iSecure is a utility that provides end users with self-service user-profile and password-reset services, letting them bypass help desks with these common requests. Users can review password change rules and establish challenge questions to establish their identities. The product lets QSECOFR determine what functions users may access, logs all actions for later review, tracks which users have established password challenge questions, and provides an administrator-only menu.

Bug Busters Software Engineering, Inc.

A la Carte Menu and Security System (ALC)

ALC lets administrators control access to applications and objects via a menu system based on i5/OS user and group profiles, *PUBLIC authorities, and authorization lists. Users can activate menu options or system commands at the command line, and each menu can offer up to 999 options. Menus and menu options are system objects protected by system authority settings.

Busch & Partner

PCSACC/400

PCSACC400 is a database access-control application that limits potential damage PC users can do to System i data via menu-based application controls and third-party utilities, such as file transfer. It provides a range of object-level security protections, monitors SQL query use, and provides user interfaces in either English or German. The company currently offers a three-month free testing period for the product.

Bytware, Inc.

StandGuard Anti-Virus

StandGuard Anti-Virus uses a McAfee engine to find and destroy computer viruses that may have taken up residence on a System i, including servers running AIX, Linux, and Domino. The product offers automatic updates of virus examples and both green-screen and GUI interfaces. It also lets users manage multiple machines from a single console and provides native email screening.

          

StandGuard Network Security

StandGuard Network Security provides network access control for System i environments. It protects all exit points, secures more than 120 server functions, and supports both public and private authorities. It also activates and deactivates all exit points without restarts, tracks and prints auditing reports on database changes, and monitors audit journals and command and program activities.

Centerfield Technology, Inc.

insure/SECURITY

Insure/SECURITY helps security officers protect application data from unauthorized access and changes, particularly via remote access, without requiring modification of enterprise applications. Officers can apply rules at the *PUBLIC or group level, set different rules for different times of the day, and restrict or lock down access methods such as FTP. The product operates independently and requires no changes to existing software applications.

  

Cilasoft

Cilasoft Suite

The Cilasoft Suite consists of four products. QJRN/400 enhances i5/OS journaling functions to track system events and database changes. CONTROLER offers modules that control use of system commands and access to system resources. DVM audits read access to sensitive data stored on IBM i servers. EAM helps administrators manage authorities.

CXL, Ltd.

AZScan

AZScan is a PC-based program that can analyze midrange system security, including System i machines running i5/OS, AIX, and Linux. The product copies server files to a PC for analysis. For i5/OS, it performs 53 tests, supports 15 OS releases, and doesn't require users to load any software on the System i.

Enforcive

Enterprise Security for IBM i

Enforcive/Enterprise Security for IBM i is a security and compliance solution for IBM i (iSeries) that includes more than 20 integrated, GUI-controlled security, auditing, and compliance modules. This software suite enables system administrators, security offers, and auditors to easily manage security and compliance tasks efficiently and effectively.

Cross-Platform Audit

Enforcive/Cross-Platform Audit is an enterprise-wide compliance event monitor built on the principles of database activity monitoring and log management, but it focuses on providing practical and relevant information about an organization's critical systems.

Cross-Platform Compli­ance

Enforcive/Cross-Platform Compliance (CPC) lets users create, document, and maintain a clear security policy for multiple systems of diverse platforms. CPC allows organizations to quickly check whether their security and system settings are in line with their IT policies or regulatory requirements.

Field Encryption Protection

Enforcive/Field Encryption Protection is a comprehensive platform for file and field-level encryption, as well as for masking and scrambling.

System Reporting

Enforcive/System Reporting provides a complete solution for defining, optimizing, distributing, and archiving reports within your IBM i environment.

Exit Point Security

Enforcive/Exit Point Security offers peace of mind regarding all external access to IBM i. Security officers can easily collect, monitor, and analyze exit point activity.

Password Self-Service

Enforcive/Password Self-Service (PSS) streamlines password management into an autonomous process that enables end-users of IBM i and Windows Active Directory to securely manage their passwords independently. End users who don't remember their password for a particular system or want to synchronize a new password across all or select systems can now be given the ability to do so instantly on their own without the need to be escalated to the helpdesk.

 

Halcyon Software

Audit Journal Manager

Audit Journal Manager tracks all activity in the QAUDJRN system-audit journal, sends alerts and takes other predefined actions if preset actions occur, and lets system managers run customized reports based either on specific criteria or one of 34 pre-supplied report criteria types.

Authority Swapper

Authority Swapper lets users track and records situations in which a lower-authority user temporarily accesses a user profile with higher privileges for a specific purpose. The product's GUI allows non-technical users to operate it, an "audit replay" feature lets system managers review the actions taken by the user with a temporarily enhanced authority, and managers can restrict profile-swapping activities to specified days and times.

Exit Point Manager

Exit Point Manager logs 21 exit-point actions and logs them so users can show compliance with auditing requirement and security standards. The product runs in the background to provide real-time monitoring of exit points, sends alerts in the event of problems, provides templates with predefined rules, and blocks unauthorized access to servers and their data.

Password Reset Manager

Password Reset Manager lets users change their passwords and re-enable their user profile without help from the Help Desk. The product also tracks and reports on password changes and failures and lets end users customize the personal questions they are asked to self-authenticate their accounts.

HiT Software, Inc., a BackOffice Associates, LLC Company

SafeConduct

SafeConduct runs on any server using Windows, or Java Run-time Environment 1.4 or later. It uses SSL and 256-bit data encryption to protect access to sensitive data being transmitted via SSL/TLS. It provides node-to-node authentication to ensure the recipient is valid, requires no changes to application code, and provides a Windows-based audit log.

IBM Corporation

IBM Security Host Protection

IBM Security Host Protection guards servers running AIX with an integrated firewall and intrusion protection, enforcement tools for corporate security policies, and auditing compliance aids.

IBM Security Server Protection

IBM Internet Security Systems' server protection is a service for servers running AIX, Linux, Solaris, or Windows. It uses two products, IBM Proventia Server Intrusion Prevention System and IBM RealSecure Server Sensor, to protect any Power Systems server against denial of service, remote exploit, SQL injection, cross-site scripting, and other security attacks. The products provide a firewall, prevent intrusions, guard against buffer overflow attacks, and inspect secure Web transactions.

Editor's Note

This is a huge topic, so we're stopping here for now. We'll finish up the vendor and product list next month!

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: