    Thoroughly Modern: Still Making These Six IBM i Security Faux Pas? STOP!

    June 10, 2024 Alan Hamm

    As the backbone of many enterprise IT environments, IBM i platforms are known for their robustness, reliability, and security. However, even the most resilient systems are not immune to vulnerabilities if not properly managed.

    Despite their powerful capabilities, IBM i environments often suffer from outdated security practices that can expose your organization to significant risks. This article highlights the most common IBM i security faux pas and provides actionable mitigation strategies.

    The Most Common IBM i Security Challenges

    1. Outdated Operating System

    One of the simplest yet most overlooked steps to secure an IBM i environment is to keep the operating system up to date. Outdated systems are a haven for vulnerabilities that have been patched in later releases. When these updates are ignored, you expose your organization to known exploits and reduce the efficacy of your entire security framework. It is critical to regularly update your IBM i operating system to the latest version.

    Solution: Establish a robust update policy that includes:

    • Scheduled Maintenance Windows: Plan regular maintenance windows to apply updates. Be careful not to disrupt operations.
    • Automated Patch Management: Use tools that automate the identification and application of PTFs.
    • Testing Procedures: Before you deploy updates, test them in a staging environment to ensure compatibility and stability.

    2. User Profile Management

    Administrators often accept default settings when creating user profiles, leading to weak passwords and excessive privileges. Default passwords that mirror user profile names are particularly dangerous, offering an easy entry point for unauthorized users. Additionally, the practice of copying user profiles can inadvertently grant administrative access to users who do not require it.

    Solution: Implement strict user profile policies:

    • Strong Password Policies: Enforce complex password requirements and regular password changes.
    • Least Privilege Principle: Assign the minimum necessary permissions for users to perform their roles.
    • Regular Audits: Conduct periodic reviews of user profiles and their permissions to ensure compliance with security policies.
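
    One way to run the profile audit described above with the SQL services shipped in IBM i (an added example, not part of the original article). It assumes a release on which QSYS2.USER_INFO provides the USER_DEFAULT_PASSWORD column; the 90-day inactivity window and the 'Q%' filter for IBM-supplied profiles are assumptions to adjust.

```sql
-- Added example: enabled user profiles that need review.
-- Flags default passwords (password equals the profile name), directly
-- assigned powerful special authorities, and profiles with no recent sign-on.
-- Note: authorities inherited through a group profile are not listed in
-- SPECIAL_AUTHORITIES, so review the group profiles returned here as well.
SELECT AUTHORIZATION_NAME,
       USER_CLASS_NAME,
       GROUP_PROFILE_NAME,
       SPECIAL_AUTHORITIES,
       PREVIOUS_SIGNON,
       CASE
         WHEN USER_DEFAULT_PASSWORD = 'YES'
           THEN 'DEFAULT PASSWORD'
         WHEN SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
           OR SPECIAL_AUTHORITIES LIKE '%*SECADM%'
           THEN 'POWERFUL PROFILE'
         ELSE 'INACTIVE'
       END AS FINDING
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
   AND AUTHORIZATION_NAME NOT LIKE 'Q%'   -- assumption: skips IBM-supplied profiles
   AND (   USER_DEFAULT_PASSWORD = 'YES'
        OR SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
        OR SPECIAL_AUTHORITIES LIKE '%*SECADM%'
        OR PREVIOUS_SIGNON IS NULL
        OR PREVIOUS_SIGNON < CURRENT TIMESTAMP - 90 DAYS )  -- assumption: 90-day window
 ORDER BY FINDING, AUTHORIZATION_NAME;
```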

    3. Overly Permissive File Server/Share Settings

    Overly permissive file server and share settings can expose your IBM i environment to ransomware and malware attacks. Unless reined in, these permissions often grant unrestricted access, allowing malicious software to steal or encrypt your data.

    Solution: Conduct regular audits of file server and share permissions:

    • Access Control: Utilize authorization lists to specify who can access or modify files.
    • Principle of Least Privilege: Limit access to sensitive data strictly to those who need it.
    • Regular Permission Reviews: Schedule periodic reviews to ensure permissions remain appropriate.

    4. Unrestricted Object/Data Access

    Developers often create objects or tables with default or overly permissive settings, granting excessive access rights to public users. This unrestricted access can lead to unauthorized data manipulation or theft.

    Solution: Review and tighten permissions on all objects and data tables:

    • Role-Based Access Controls (RBAC): Implement RBAC through group profiles to ensure only authorized personnel can access sensitive information.
    • Regular Audits: Conduct frequent audits to identify and rectify overly permissive access settings.
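
    A sketch of the object permission audit described above, using the QSYS2.OBJECT_PRIVILEGES and QSYS2.SYSTEM_VALUE_INFO services (an added example, not part of the original article). The library name APPLIB is a hypothetical placeholder for one of your application libraries.

```sql
-- Added example: objects in one library that *PUBLIC can change or fully control.
-- APPLIB is a placeholder library name (assumption).
SELECT SYSTEM_OBJECT_NAME,
       OBJECT_TYPE,
       OWNER,
       OBJECT_AUTHORITY,
       AUTHORIZATION_LIST
  FROM QSYS2.OBJECT_PRIVILEGES
 WHERE SYSTEM_OBJECT_SCHEMA = 'APPLIB'
   AND AUTHORIZATION_NAME   = '*PUBLIC'
   AND OBJECT_AUTHORITY IN ('*ALL', '*CHANGE')
 ORDER BY OBJECT_TYPE, SYSTEM_OBJECT_NAME;

-- The system-wide default public authority given to newly created objects.
-- A permissive QCRTAUT value is one reason new objects end up open to *PUBLIC.
SELECT SYSTEM_VALUE_NAME,
       CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME = 'QCRTAUT';
```

    Objects secured by an authorization list report that list in AUTHORIZATION_LIST, so the same result set shows which objects are not yet covered by one.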

    5. No Monitoring of Common and Non-Common Services

    IBM i environments often lack monitoring for common services like ODBC and Telnet. By default, IBM does not provide exit points for monitoring these services, leaving a significant security gap. Additionally, these environments often run open-source solutions using various technologies that are not monitored by default. This lack of oversight can also lead to undetected vulnerabilities.

    Solution: Extend your monitoring efforts:

    • Comprehensive Monitoring Tools: Utilize IBM’s socket exit points and third-party monitoring solutions like the Fresche IBM i Security Suite to monitor and control access.
    • Regular Log Reviews: Implement procedures to regularly review logs for suspicious activities.
    • Alerting Systems: Set up alerts for unusual access patterns or potential breaches.

    6. Minimal Logging and Auditing

    Insufficient logging and auditing make it difficult to trace security incidents and comply with regulatory requirements. Without adequate logs, the ability to identify the root cause of a breach becomes nearly impossible.

    Solution: Enable extensive logging and auditing across your IBM i environment:

    • Detailed Log Settings: Configure your system to log detailed information about access and changes.
    • Secure Storage: Ensure logs are stored securely and cannot be tampered with.
    • Regular Reviews: Regularly review logs to detect and respond to anomalies promptly.
    • Automated Tools: Utilize automated tools to help parse and analyze log data efficiently.
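
    The logging checks above can be started from SQL (an added example, not part of the original article). It assumes the security audit journal QSYS/QAUDJRN exists and that QAUDLVL includes *AUTFAIL so failed sign-on (PW) entries are recorded; the 24-hour window and the threshold of 5 are assumptions.

```sql
-- Added example, step 1: is auditing switched on, and which event classes
-- are being recorded?
SELECT SYSTEM_VALUE_NAME,
       CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QAUDCTL', 'QAUDLVL', 'QAUDLVL2');

-- Added example, step 2: failed password / user ID attempts (audit entry
-- type PW) over the last 24 hours, grouped by the address they came from.
SELECT REMOTE_ADDRESS,
       COUNT(*)             AS FAILED_ATTEMPTS,
       MIN(ENTRY_TIMESTAMP) AS FIRST_SEEN,
       MAX(ENTRY_TIMESTAMP) AS LAST_SEEN
  FROM TABLE(QSYS2.DISPLAY_JOURNAL(
         'QSYS', 'QAUDJRN',
         STARTING_RECEIVER_NAME => '*CURAVLCHN',
         JOURNAL_ENTRY_TYPES    => 'PW',
         STARTING_TIMESTAMP     => CURRENT TIMESTAMP - 24 HOURS)) AS J
 GROUP BY REMOTE_ADDRESS
HAVING COUNT(*) >= 5          -- assumption: alert threshold
 ORDER BY FAILED_ATTEMPTS DESC;
```

    Scheduling the second query and sending its rows to an alerting channel covers both the regular review and the alerting recommendations in sections 5 and 6.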

    Advanced Strategies to Address These Faux Pas

    Zero Trust Architecture

    Zero trust is a security model that requires strict verification for every user and device attempting to access resources, regardless of their location. The approach ensures that no internal or external user is inherently trusted.

    Best Practices:

    • Identity Verification: Enforce stringent identity verification processes for all users and devices. This includes multi-factor authentication (MFA) and continuous identity assessments.
    • Micro-Segmentation: Divide your network into smaller segments to limit lateral movement of threats. By isolating different parts of your network, you can contain breaches and protect critical resources.

    Policy and Templates

    Standardize your security configurations with policies and templates to ensure consistent security settings across your IBM i environment. This reduces the risk of configuration drift and enforces uniform security standards.

    Best Practices:

    • Policy Frameworks: Develop and enforce comprehensive security policies that align with industry best practices and regulatory requirements. These policies should cover all aspects of your IBM i environment.
    • Configuration Templates: Use templates to apply consistent security configurations across all systems. This simplifies management and ensures that all systems adhere to the same security standards.
    • Regular Reviews: Periodically review and update policies and templates to keep pace with evolving security threats and business needs.

    Exit Point Solutions

    Exit point solutions monitor and control access to critical services within your IBM i environment. These solutions act as a firewall, blocking unauthorized access and providing detailed logs for auditing purposes.

    Best Practices:

    • Custom Exit Programs: Develop custom exit programs tailored to your specific security needs. These programs can intercept and control access requests, ensuring that only authorized users can perform certain actions.
    • Third-Party Solutions: Consider third-party exit point solutions that offer enhanced features and support. These solutions can provide comprehensive monitoring and control capabilities, helping you secure critical services more effectively.
    • Detailed Logging: Ensure that all access attempts and activities are logged in detail. This provides a valuable audit trail that can be used for compliance and forensic investigations.

    IBM i Navigator & SQL

    IBM i Navigator is a powerful web-based interface for managing and monitoring your IBM i systems. It simplifies administrative tasks and enhances the visibility of system performance and security settings.

    Best Practices:

    • Centralized Management: Use IBM i Navigator to manage user profiles, monitor system activities, and configure security settings from a centralized location.
    • Custom Queries: Develop custom SQL queries to extract specific security-related information, such as user access logs, permission settings, and configuration changes.
    • Automated Reports: Schedule automated SQL reports to regularly review critical security metrics and ensure policy compliance.

    Challenges in Integrating Modern Security Measures with IBM i

    Implementing modern security measures on IBM i systems presents a variety of challenges. An understanding of these challenges is crucial for developing effective strategies to secure your environment.

    Uniqueness of IBM i

    The unique architecture of IBM i poses a challenge for the implementation of modern security protocols. Integration on IBM i differs significantly from other platforms, making it difficult to adapt traditional security measures and integrate advanced security tools. Compatibility issues often require customized scripts and configurations, demanding a deep understanding of IBM i architecture.

    Skill Set Shortage

    The scarcity of professionals experienced with IBM i systems is one of the biggest challenges with the integration of modern security measures. Younger IT professionals often lack exposure to IBM i, necessitating extensive training and development. This not only consumes time and resources but also makes it difficult to retain experienced IBM i professionals, who are in high demand and require continuous education and professional development.

    Compliance and Regulatory Challenges

    Compliance with industry standards and regulatory requirements is a continuous challenge due to the evolving nature of regulations. Staying current with these changes requires dedicated resources to regularly review and update security policies and practices. Detailed compliance reports can be particularly burdensome, and often necessitate automation, which itself can be complex and resource intensive.

    Secure Your IBM i Environment

    Unsecured systems are vulnerable to ransomware, unauthorized access, and data breaches, which disrupt operations and incur legal and financial repercussions. To fortify your IBM i environment, it is crucial to address common security pitfalls and leverage advanced strategies, third-party software like the Fresche IBM i Security Suite, and tools like IBM i Navigator and SQL.

    Proactive measures protect against potential threats and ensure compliance with regulatory requirements to maintain the integrity and reliability of your IT infrastructure. Just as employees undergo security training for compliance, IBM i enterprise servers should meet similar standards.

    Fresche Solutions has assisted numerous clients who have faced security breaches, providing expert guidance and solutions to strengthen defenses and mitigate risks. An improperly configured system is unacceptable; even small steps toward improvement are crucial. If uncertain, seek guidance from peers or security professionals. Remember, all businesses are only as strong as their weakest link. Emphasize proactive over reactive measures to strengthen your security effectively.

    Alan Hamm is a senior security services engineer at Fresche Solutions with over 20 years of industry experience. He helps organizations strengthen their security, uncover vulnerabilities, and implement automated solutions for rapid threat detection and response.

    This content is sponsored by Fresche Solutions.

TFH Volume: 34 Issue: 29
