  • Do ‘Non-Standard’ OSes Like IBM i Pose Security Risks?

    November 17, 2014 Alex Woodie

    As an IBM i professional, you’re familiar with the platform and comfortable working around it. But you’re also aware that the IBM i is different from other systems, and that it makes some people uncomfortable. According to a new report from the SANS Institute, the mere existence of “non-standard” operating systems such as IBM i has the potential to introduce a security risk in the data center.

    In its October paper Data Center Server Security Survey 2014, the SANS Institute attempted to learn how organizations are implementing security in the data center, to define some best practices, and to see what changes need to be made to meet compliance obligations and generally lower risk. The survey of 254 data center professionals looked at many aspects of technology, such as the rise of virtualization, the lack of dedicated security staff, and the lack of automation in the areas of monitoring and compliance.

    Not surprisingly, SANS ran into a healthy mix of applications and server types in the data centers, about 75 percent of which were located on the grounds of private enterprises. DNS and Web servers topped the list, while email, database, and line of business servers were also in abundance.

    As expected, most of the servers ran Windows and Linux operating systems, with Microsoft Windows Server 2008 R2 and Windows Server 2012 R2 running in 80 percent and 60 percent of the data centers, respectively. Red Hat Enterprise Linux was the third most popular OS, running in 55 percent.

    But the long tail of other OSes in use seemed to surprise SANS.

    “Perhaps somewhat surprising is the number of non-Windows/Linux OSes in use in respondent data centers,” the report says. “AIX was the most common non-standard OS (18 percent), followed by Solaris on X86 (16 percent), Solaris on Sparc (14 percent), HP-UX (14 percent) and AS/400 (13 percent). Employing security and compliance tools that work on a majority (if not all) of these non-standard OS versions is critical to achieving success in data center operations. However, this is not so easy.”

    The prevalence of operating systems in SANS’ data center security report.

    SANS analyst Jake Williams, who authored the survey results paper, elaborated on those findings. “The survey highlights the large number of data center operations still relying on legacy technologies, including mainframe computers, AS/400, SCO, and Windows 2000,” he says in a press release. “Organizations still using these technologies should recognize that, although they are not alone, they must take steps to manage their current needs and plan for changes in their systems.”

    While SANS stopped short of saying these “non-standard” OSes posed security threats in and of themselves, the institute clearly is saying that it can be a challenge to obtain and maintain a suitable security posture when these platforms are present.

    In particular, SANS says getting the needed tools to adequately secure the non-standard platforms will be difficult. “Many new vendors and services providers in the data center automation market have focused on current-generation OS offerings,” the company writes. “With so many respondents using OS versions that are (or soon will be) at the end of their lives and not receiving security patches, securing legacy environments is obviously another challenge.”

    While it’s true that X86 Windows and Linux platforms have grown to dominate the server business, we’re a long way from a final solution that will totally cleanse the world of “non-standard” platforms like z/OS, HP-UX, AIX, Solaris, SCO, Windows 2000, and IBM i. (Note to SANS: IBM’s proprietary midrange platform hasn’t been named AS/400 since 2000.)

    In the meantime, data center staff are probably best off embracing diversity as they seek to harmonize all aspects of IT management–security and otherwise–in this big heterogeneous world.

    “Having disparate technologies in play might make things a little more complex for administrators but I don’t predict that we will ever see a single standard in any data center,” says PowerTech director of security technologies Robin Tatam. “This means we will probably also never have a single security mechanism that can work as well as the best of breed solutions for they cannot consider the nuances of each server’s hardware and OS.”

    It’s true that many IBM i shops are not sufficiently securing their environments. But that’s a result of user error and users’ inability or unwillingness to use the security controls that are available. It’s most definitely not the result of an inferior operating system.

    “I’m not a subscriber to the belief that unifying with a single, more popular server platform will improve security, unless it is a more secure platform like IBM i,” Tatam says jokingly, “as it allows hackers to focus on discovering the weaknesses of that platform. I also don’t believe that a single security solution can fit perfectly to all of the different servers that are used. I do, however, believe that more success will be had if the enterprise subscribes to a more unified model of best-of-breed controls. That means utilizing firewalls, SIEM monitoring, and oversight of the use of privileged accounts.”

    IBM i may be a weird beast to those who are unfamiliar with it. But those who take the time to learn and understand its unique architecture and capabilities will soon come to realize that security is actually one of the platform’s biggest advantages, not a disadvantage.

Volume 24, Number 39 -- November 17, 2014
Copyright © 2025 IT Jungle