  • PowerTech: IBM i Security Still Needs Work

    April 19, 2011 Alex Woodie

    The results from PowerTech’s latest State of IBM i Security report are in, and they are mixed. While the software company’s survey shows signs of improvement in some areas, such as the average number of users with unfettered system access, there are still areas of grave concern to security professionals, who have almost come to expect a lackadaisical approach to security from IBM i customers.

    Each year, PowerTech publishes a State of IBM i Security report that summarizes the results of hundreds of system audits the company performs on the IBM i servers of customers and prospects. For the State of IBM i Security 2011 report, PowerTech did things a little differently; it included security audit data from an independent source. Of the 243 IBM i security audits that make up the database for the report, PowerTech performed 182 of them.

    The 2011 report tracks very well with the 2010 report, and allows for a year-to-year comparison of the most important components of security for the IBM i server. There was some good news in the area of powerful user profiles, which is always a big concern to security professionals.

    According to PowerTech’s report, the average IBM i shop had 52 user profiles with complete access to everything on the system, which is designated as ALLOBJ authority. That was down from 67 user profiles with ALLOBJ authority in PowerTech’s 2010 report, and a sign that maybe, perhaps, IBM i professionals are starting to take security seriously.

    Then again, 52 user profiles are still way too many. “Why would you want 52 security officers on your system?” PowerTech support manager Jill Martin said in a recent webinar on the 2011 report findings. “You could set everything up exactly the way you would want it, and there would be 51 other people who could reverse that decision. It’s really important to limit that number.”

    There was good news on the network access front. In the 2011 report, PowerTech finds that 54 percent of IBM i shops audited have exit programs in place to protect against unwanted access via FTP, ODBC, and other network access points that IBMers didn’t envision when building the S/3X menu-based security system, which the IBM i platform has inherited. That number is up from 43 percent a year ago.

    Similarly, 87 percent of IBM i shops have the system auditing journal turned on today, compared to 82 percent in PowerTech’s 2010 report. Auditing gives IBM i shops the capability to review what happened on the system, such as a large number of invalid sign-on attempts. This is an absolutely critical capability when trying to figure out, for example, how a hacker got onto the system. “If you’re not auditing, crazy things can happen,” Martin said.

    There was also some good news on the password front. The 2011 report found that the vast majority of shops are now using a minimum password length of six digits and that 30 percent are using passwords with seven or more digits, compared to about 20 percent a year ago. However, this isn’t quite up to snuff with the PCI data security standard, which requires passwords be at least seven digits. Most IBM i shops would fail that portion of the audit.

    Another important element tracked by PowerTech year to year is the security level system settings. IBM recommends that IBM i shops run at level 40 or higher, as there are some well-known vulnerabilities in level 30, such as the capability to run a job as another user.

    Out of 182 systems audited for security level in the 2011 report, 121 IBM i shops, or 66 percent, were running at level 40. That was up slightly from the 2010 report, when about 61 percent of shops were at level 40.

    However, there was a big drop-off in the number of shops at level 50, the highest security level. More than 15 percent of shops in the 2010 report were running at level 50, whereas just 1 percent of shops were at level 50 in the 2011 report.

    While PowerTech’s report shows some improvement in certain areas of security, there is still a long way to go before IBM i shops demonstrate the same level of concern about security as their Windows, Linux, and network brethren do.

    “Unfortunately, security awareness amongst IBM i professionals is generally pretty low,” PowerTech’s director of security technologies Robin Tatam said during the recent webinar. “I think this is partly because a lot of us heard from IBM over the years that the i platform is incredibly secure, and just assumed that IBM had done all the work for us. All we have to do is show up and use the applications. Unfortunately, this is far from the reality. While the server is extremely securable, it does take work to make it that way.”

    To download a copy of the State of IBM i Security 2011 or to view the recent webinar on the study’s findings, see the company’s website at www.powertech.com.

    RELATED STORIES

    i/OS Security Warnings: Like Talking to a Brick Wall

    PowerTech Says AS/400 Shops Still Flying in Security Danger Zone

    System i Security: Lots of Room for Improvement

    Security Still an Issue in 2007 for System i5 Shops

    PowerTech Issues Third Annual State of i5/OS Security Report




Volume 11, Number 14 -- April 19, 2011