IBM i Security Assessment: How About Now?

June 17, 2014 Alex Woodie

Ignorance is no longer an excuse. In this day and age, after so many mega-breaches like Target’s and so many warnings, you can no longer honestly claim that you didn’t know your IBM i server was so vulnerable–especially with the availability of free security assessment tools, like the one that PowerTech recently updated.

PowerTech has probably done more than any other IBM i vendor to pop the bubble that so many organizations live in when it comes to security on the platform. Its annual State of IBM i Security reports regularly showcase the amazing lack of awareness that most professionals have regarding the inherent vulnerabilities that exist in IBM i servers that have not been properly configured. You can read about the rather depressing results of its latest study here.

And those, of course, are the key words. The IBM i server is eminently, inherently, inexorably securable. It just doesn’t come that way from the factory. Some in the community argue that the IBM i server is the most secure business server in the world. That may or may not be true. But what’s certain is that it takes a bit of work and patience and attention to detail to ensure that the switches and settings are correctly stationed to ensure maximum protection from the various cybercriminals, viruses, script kiddies, terrorists, and rouge nations that are poking at our cyber doors, day and night.

Security is not a black and white provision; there are many layers of gray. Flip a switch in one place, and it has an effect on other settings. This complex matrix of a security shield is not a one-size-fits-all affair, but something that has to be tailored to specific sites. The grayness of uncertainty extends to other areas, too. Ask a PCI auditor what she thinks about IBM i security, which settings she looks at, and how they affect overall security, and chances are good you’ll get something of a blank look. IBM i is a different beast from your typical Windows and Linux machine, and it’s generally not well understood by auditors, which can benefit you or bite you in the buttocks. It takes a bit of study to understand how all the pieces fit together, and that’s just the way it goes.

One of the advantages of using a third-party tool to analyze your IBM i security settings is that it cuts through some of the complexity and delivers a more polished report on the state of the box. Jericho Simmons, an IT worker at Capella Healthcare, who pointed PowerTech’s Compliance Assessment product at the company’s IBM i server and was rewarded with easy-to-read results. “This assessment gave me key security components to focus on without having to go through hundreds of reports and spend time filtering through them,” Simmons says.

Last month PowerTech released Compliance Assessment version 3.0. The big new feature in this release is the addition of a routine to check whether a machine is equipped with antivirus software. Protection from viruses is one of the areas that PCI is focusing on more heavily than in the past, PowerTech says.

Antivirus protection also happens to be an area where PowerTech has an advantage over other providers of third-party security software on IBM i, since Bytware is one of its sister companies. About 10 years ago, Bytware developed the first antivirus software for OS/400 at the behest of IBM and in conjunction with McAfee. Bytware and PowerTech have since been bought by the company that owns HelpSystems. Other vendors, for instance Raz-Lee Security, have incorporated open source AV tools into their IBM i security offerings. But for enterprises that eschew open source software, Bytware remains the only game in town when it comes to antivirus software that runs natively on the machine.

Compliance Assessment takes about 10 minutes to provide a snapshot of current system security, the company says. It runs directly from a network-attached PC and doesn’t modify any settings. It focuses on the most important aspects of IBM i security, including user access, public authority, user security, system security, system auditing, and administrative rights.

The software, which is free, is also the vehicle through which PowerTech collects the security-setting data that it uses in its annual State of IBM i Security report. The data is used completely anonymously; PowerTech will not disclose to anybody how horrible specific customers’ IBM i security configurations are.