Thoroughly Modern: IBM i Security Is No Longer Set It And Forget It
March 14, 2022 Amal Macdonald
For most IBM i shops, who are busy creating and maintaining the applications that run the business and who are not just chronically understaffed but structurally understaffed, the smartest thing they can do when it comes to security is give up.
You heard that right. They need to put their arms in the air and surrender, absolutely and completely.
No, we don’t mean they need to open all of the ports on their server, turn off the firewall, and let the ransomware and malware in and let the hackers and phishers do whatever they will. What we do mean by surrender, however, is that most IBM i shops have to stop thinking that they have the tools, much less the expertise to use them properly, to secure their machines in this increasingly hostile IT world. They need to admit that they need to get help and they need to have security as a regular part of their IT budget.
With the average ransomware breach costing $4.6 million, and the downtime associated with recovering from such breaches being anywhere from days to weeks to never coming back – yes, we know of companies who have been literally knocked out of business by security breaches – security of the IBM i platform, and indeed any critical systems that interact with it, has to be a top priority. Arguably, the top priority, and starting now.
How Did We Get Here?
For many reasons, people are overwhelmed about security. They have certain things set up and they are working, so they are afraid to touch anything because they do not have the expertise to know the effect of any changes they might make to settings in the security within the IBM i operating system, in the Db2 for i database, or in the security perimeter – firewalls, intrusion detection systems, and so forth. Security may be the top concern, but in terms of its priority on the action list, it drops way down because people don’t know where to start in this new, more insecure computing, network, and Internet environment. People tend to do what they can do, and put off what they can’t do and hope for the best.
This is obviously not a healthy strategy, particularly when it comes to security. And we all know it.
But neither is trying to foment an environment of fear, which is what we are definitely not trying to do right here in this column. The truth is, vendors in the security space have been trying to scare customers for years, and it has not really worked as a means of getting them to act. We have had exit point security for the OS/400 and IBM i platform for over two decades now, and less than 10 percent of the base has employed this technology. This strategy doesn’t work.
So what can be done? We come back to the premise at the top of this column. Admit that you are over your head, and ask for help. There are experts who know exactly what to do in your particular situation, who can help you to secure your systems and – here is the important part – to work with you to keep them this way. And you need to just give up and let the experts handle it. You need to convince your company owner or president or board of directors that in the current environment, anyone can have a Target Moment, and given the exponential rise in hacker threats, the damages could be like those the retailer had after it had a data breach in late 2013, when 41 million credit card accounts and 110 million personal information accounts were stolen. Not only was this embarrassing to Target’s IT department and to its reputation as a Fortune 500 business, the company also had to pay an $18.5 million class action lawsuit and gave out a year’s worth of monitoring software. The total cost of the data breach up through the end of 2016 was $292 million, and chief executive officer Gregg Steinhafel had to step down. Some of those costs were covered by a cybersecurity insurance policy – and if you don’t have one of those, you should get one immediately – but some of them were not.
This is not fear mongering, just data. And if you don’t have security on your application exit points and if you don’t have security on the Integrated File System and if you don’t have cybersecurity insurance, then you know you need to get this done pronto. We know that IBM i shops are not afraid to spend a premium on a premium system, and they have to start thinking that they also need premium security – quite possibly as a service – as part of that system. You can be stingy on a lot of things – and IBM i customers are legendary for being frugal, believe us, we know – but security can no longer be one of them. Like other business critical software and services – high availability clustering is the obvious example – there are new security licensing models that are bringing the cost of security software down significantly. Fresche, which just acquired Trinity Guard and the TGSuite of security and compliance software, just announced a subscription model.
So where do you start? There are free and minimal investment assessments that highlight areas of your system that could be at risk. Security isn’t something you do once. After an assessment, you will remediate and put safeguards in place. Even the largest, most sophisticated and secure IBM i shops in the world monitor and apply least-privilege access management – adjusting authority settings when they need to. That includes IBM i shops that have the tools from various vendors that can make this easier. But you can’t just use the tool once and set it and forget it. You have to be vigilant and constantly monitor and manage security.
And here is a very important point that needs to be stressed. Just because you are compliant with various security regulations – GDPR, SOX, JSOX, PCI-DSS, HIPAA, the alphabet soup bowl just keeps getting bigger and bigger – does not mean that your system and its applications and data are secure. Just because your auditors say that your systems are compliant with regulations does not mean your systems are secure.
I recommend that companies start with an assessment to figure out where they are at, identify potential threats and build a plan to deal with them that starts with the areas that you can remediate right away. A breach or a hack is extremely unsettling and there are so many steps that need to happen to give your situation the best possible outcome. This is where an expert like Fresche can make the difference.
Getting help from the experts lets you focus on the business, gives you peace of mind knowing that your business critical systems and data are in good hands, and lets you sleep at night so you can get up and do it again tomorrow.
Amal Macdonald is a senior account manager at Fresche Solutions.
This content is sponsored by Fresche Solutions.