Laurie Leblanc

Four Reasons to Implement MFA For Your IBM i

As I like to say, “IBM i runs the world.” The major industries such as Financials, Manufacturing, Distribution, Trucking, Healthcare, and Insurance all run their core business functions on IBM i. They do this because it is the most reliable, available, and secure platform. If all the IBM i data disappeared, I’m not sure what would happen. I know it wouldn’t be good.

#1 Data Protection

Data is your company’s most critical asset, and protecting your data should be at the top of your list. Ransomware attacks continue to rise worldwide, making data protection the most crucial area companies should focus on today. Companies spend lots of money to ensure their IBM i systems are reliable and available, but sometimes they neglect security because they believe the system is secure out of the box. A false sense of security has been the cause of successful ransomware attacks on IBM i.

Compromised credentials continue to be a leading cause of data breaches, followed by misconfigured software settings and third-party software vulnerabilities. When Steve Pitcher does a penetration test, he looks for users with default passwords. That is often the foot in the door he needs to be able to exploit the vulnerability of a system. If compromised credentials are part of the problem, then this is where we need a solution.

What is Multi-Factor Authentication (MFA)?

Multi-Factor Authentication (MFA) can help prevent bad actors from accessing your sensitive data even if they can compromise the credentials of one of your IBM i users. MFA isn’t a new concept. We’ve all logged into an application and have had to enter a code we receive in our email or cell phones. In some cases, you may even have a physical token you need to use to access data. While we see companies have adopted MFA for some of their environments, many have not implemented it on IBM i.

The basic premise of MFA is that you sign on with something you know, have, or are. Your password and user ID are typically the thing you know. It’s also the easiest thing for someone else to know. Something you have is typically your email or your phone. The assumption is that someone else doesn’t have access to your password, email, or phone. Something you are refers to biometrics, such as your fingerprint or facial recognition. This added layer of protection is meant to stop someone …

How Do We Fix The Great IBM i Resource Shortage?

I’ve had the chance to get out and meet with people from the IBM i community lately at COMMON and the NHMUG meeting. After two long years of isolation, it was great to be out again and talk with people. Everyone was excited to get together, but there was another topic on everyone’s mind: how do we fix the great IBM i resource shortage and find more people to support IBM i?

It’s an interesting problem when you think about it. IBM i is the backbone of many industries, from financials and trucking to manufacturing and everything in between. IBM i runs the world, literally. Yet, for a platform so critical to industry and its success, there is very little education available for students to learn about this platform. There are a few opportunities for students to learn about IBM i, such as Gateway Technical College (They do a great job, and their students are successful in landing jobs in the IBM i world.), but they are few and far between.

Why is it that every student knows how to use a PC, but when they go to college, they don’t learn about IBM i as an option? When I was attending classes, I could take AS/400 courses. Half of the class were adult learners who worked with the platform and wanted to learn more about it. I needed college credits at the time, and I had been an AS/400 administrator at my previous job and was working at a software company for AS/400 change management, so it seemed like a good idea.

I was a System Administrator for an AS/400 shop running JDE when I was twenty. I was tossed into the role when I was laid off from the same company as a Sales Administrator the week before. Two people in the IT department gave their notice on the same day. I received a call from my friend who was promoted to IT Manager, and she asked if I wanted to learn about the system.

That was it. I had an aptitude for computers my whole life. It started in the fifth grade when our Principal decided we all needed to learn about computers. He taught small groups of students at a time about the computer and how we could write Basic programs to make it do things. Before we could even touch the computer, he made us memorize …

Protecting your IFS with Anti-virus and Anti-ransomware Solutions

We’ve said it before, and we will continue to say it: your IBM i may not be secure. There are a lot of misconceptions about the IBM i and whether your system can become infected with a virus or ransomware attack. Let me be clear, your IBM i can get infected, and your data can be encrypted. We’ve seen it happen. We’ve done it to prove a point, and we’ve helped customers recover. It’s highly securable; however, you need to do the work to ensure adequate controls and solutions to help protect your data.

Protecting your IBM i requires a layered approach where you implement system controls, user controls, and object controls and put solutions in place to help identify potential risks and even take action to resolve them. There isn’t a one-size-fits-all solution, and there isn’t a magic bullet for getting it done. It requires some analysis and planning to ensure that the users can do what they need to, but with the least authority.

Protecting your IFS from ransomware attacks and viruses was something we thought we didn’t need to worry about with the IBM i. We thought the IBM i database was protected. It was at one time, but now the IFS creates a new vulnerability, one that people didn’t even realize existed: root shares. With a root share, someone can access the entire IBM i. That’s right, they can get to your IBM file systems. From there, they can destroy your data.

The good news is that you can implement solutions to help protect your data from those who wish to harm your business. Raz-Lee provides both Anti-Virus and Anti-ransomware solutions for IBM i. iTech has been selling this solution to our customers to help them implement another layer of protection around their data.

Anti-virus and Anti-ransomware solve separate issues.

Viruses are malicious code that attaches itself to a file. Viruses can be automatically executed through websites or files and even spread across networks. You should never click on a link in an email from an unknown source, and even then, you need to verify it’s a credible link.

Ransomware attacks encrypt your files, and the contents of mapped drives and cloud storage, preventing you from being able to access your data. The purpose of the attack is to get you to pay for the key to unencrypt your data. One customer reported …

What is Zero Trust?

Security is top of mind for CIOs, CISOs, and even CEOs today. Ransomware attacks are happening to companies every day. Even those who think they are prepared are surprised when hackers find a gap somewhere in their security strategy. Despite implementing all kinds of monitoring and anti-virus protection at the network layer, the hackers can still wreak havoc. So, what’s the solution?

We need to turn our security methodology on its head. The current approach to secure the network is to implement VPNs and anti-virus. The thought is if we keep the hackers out of the network, then our data is safe. The problem is that the hackers can find a way through the perimeter, or worse, they are already inside the network. If you assume that your data is safe once somebody is inside the perimeter, you are at risk. This isn’t the best way to protect your data from getting into the wrong hands.

Zero Trust

Zero Trust is a methodology based on the premise that all access is a potential threat. All users are verified and authenticated before gaining access to the network, an application, data, or any workload. All user access is segmented, and if you need elevated authority to do a task, that authority should only be granted when you need it and only after you are verified and authenticated as authorized. All data is encrypted from end to end. Monitoring the network and access to sensitive data is critical to mitigating risk and stopping the hackers before they access your data or worse.

There isn’t a step-by-step manual that you can follow to implement Zero Trust. It’s a framework. Your environment and business are unique, and your security is no different. No provider alone can help you achieve Zero Trust. It will take a team approach to get your environment genuinely secure.

Zero Trust focuses on seven key pillars. These pillars offer a comprehensive approach to layered security, which will ultimately provide you with the lowest risk. By reviewing each of these areas and implementing a strategy to ensure a good solution is in place, you can better protect your data. Let’s take a closer look at each one of them.

1. User access

It’s critical to ensure that the users accessing your data are who they say they are. It’s also essential that they have the least amount of authority …

Three Steps to Protect Your IFS

We will never stop saying it: the IBM i is the most securable platform, but it doesn’t come that way. It’s up to you to ensure that you properly secure access to your system, grant users the appropriate authority to objects, and put tools in place to prevent problems from happening. This includes the IFS.

The IFS is the integrated file system designed to support streaming input and output and manage the storage of those objects. The IFS has a tree structure, similar to a Windows PC, where you can store files and objects. With a common interface, users can access their locally stored files and other objects on the IBM i. Access to these other objects is why you need to secure your IFS properly. You don’t want the wrong person getting to your data.

There are three things we recommend you do to protect your IFS from unwanted access or, worse, having your data corrupted or held ransom.

#1 – Eliminate unnecessary IFS file shares

If you have root shares happening on your IFS, eliminating them should be your top priority. Sharing the root is like granting someone access to your C:/ drive. We’ve found that most people don’t realize that everything below the root becomes accessible when you do this. That’s right: when you share the root, you expose your system.

We recommend you change the root to *Read/Execute to best protect your IFS data. If you are on IBM i 7.4, you can take advantage of authority collection and run it over file shares.  This will allow you to identify what is in use and make the change in a controlled way. However, this needs to be done carefully, as changing authorities can break applications, depending on how they are coded.

Once you have properly secured the root, you should look at the other folders below the root to ensure that they have the proper level of security too. It’s essential to start at the root first and work your way down the tree to ensure that you protect all of your sensitive files.

#2 – Tighten object-level security

Once you restrict access to your IFS file shares, you can start to put additional user and object-level security controls in place.  The idea is you want to structure access to your IFS the same way you approach DB2 access, by providing users …

Why External Storage Makes Dollars and Sense for IBM i

IBM i can make use of internal disk in your Power system or external disk through a SAN.  For years, IBM i shops have relied on internal storage because of the simplicity and the cost savings.  As time marches on, we have to reconsider our approach to things and see if what once was a good fit makes sense now.

External storage offers a ton of value.

With features like FlashCopy, hardware replication, and Easy Tier, you can implement a solution that reduces your downtime and improves the efficiency of your data processing—resulting in actual savings for your business.

Converged Storage

With an internal disk on IBM i, you can’t share the disk amongst other platforms. With an IBM FlashSystem, you have the opportunity to have a single platform for all your storage needs.  The single user interface simplifies management.  Easy Tier automatically manages your data efficiently, moving hot data to faster storage and storing long-term data on a slower, less expensive disk.

IBM FlashSystems use software-defined storage with Spectrum Virtualize. With a single interface, you can manage and maintain all of your storage.  You can even manage disparate storage on another provider’s SAN, such as HP or Dell. Bringing all your storage under one solution saves your administrators time.

According to a recent Forrester report, “The Total Economic Impact of IBM Spectrum Virtualize,” implementing software-defined storage saves your business money. Customers who implemented Spectrum Virtualize to consolidate their storage achieved a 60% reduction in administration efforts. That’s a lot of time that can be put to use in ways that benefit your business and help it grow.

Data Reduction

Data is king, but having too much data can be expensive. Depending on your environment, adding disk can be a relatively easy task, adding a drive, for example. Or it can be more complicated and costly when you need to add expansion units before you can add drives. Better utilization of disk space means you spend less. According to the Forrester Report on Spectrum Virtualize, companies achieved a 33% improvement in utilization by reducing their data by an average of 3:1.

Not only does the solution improve your current disk utilization, it also provides you with the ability to save money in the future. With the average amount of storage growth at 15% per year, companies that implement Spectrum Virtualize are …

Evaluating the State of Your IBM i Security

We are all aware of the Colonial Pipeline and JBS ransomware attacks recently reported in the news.  Ransomware is a significant threat to businesses around the world. The problem isn’t that people don’t consider the risks. It’s that they don’t know for sure if they are protected.  They put controls in place but don’t take steps to ensure that those controls are adequate, leaving them with a false sense of security.

Some companies are a bigger target than others, but there is no denying that the threat is real and that any company can be affected. According to Check Point Research, ransomware attacks are up 300% in the past nine months. We have had to recover as many companies’ IBM i environments in 2021 due to ransomware attacks as we did in all of 2020. Luckily, these companies had a good backup and only lost a small amount of data. Now they are serious about investing in security remediation, but the damage is done.…

Getting to Know COBIT and IBM i System Administration

If you don’t have to comply with any regulations or meet auditors’ demands today, you probably will eventually. Compliance is challenging to achieve. Part of the reason is that the regulations are vague and open to interpretation. To help companies implement controls to mitigate risk and meet auditors’ demands, the Information Systems Audit and Control Association developed the COBIT (Control Objectives for Information and related Technology) Framework.


4 Disaster Recovery Services That Can Improve your IBM i Recoverability

Being prepared is the first step in any Disaster Recovery (DR) plan. That means you need to make a plan and test it. Only then are you truly prepared for a disaster. You need to practice your DR plan if you want to ensure that it is successful when you really need it.

When I was a kid, my uncle came over and made sure that we knew what to do if there was a fire in our house. He taught us to touch the doorknobs to see if they were warm and had us practice climbing out the window and going to the designated meeting place. We practiced our fire drill to be sure we were prepared.…

Getting your IBM i Backups Offsite: What Are Your Options?

It’s not often that we hear the stories of a data center being destroyed, but it happens. If your backups remain onsite, or even worse — they stay in the tape library for a week before you remove them, then you are at risk if a disaster strikes. We actually had a customer who had a fire in their building. The tape was still in the tape drive. Pete’s advice was to cut the cable and grab the tape drive and run. This is not a good disaster recovery plan.

Security, recoverability, ease of restoring

When I was a System Administrator in the early 1990s, my colleague and I took our backup tapes home to keep them offsite. I didn’t have a fireproof safe, I just had a box with tapes that I kept safe. On Friday night, the backup would run sometime after the JDE nightly process would finish and the tape would stay in the tape drive until Monday morning at 6 AM when one of us arrived.  That tape stayed in the building all day until after work when it would leave with whoever had the early shift that week. We had a backup, we even took it offsite, but was it really the best solution? No. It was what we knew at the time.

 …

Should I upgrade to IBM i 7.3 or IBM i 7.4?

One of the most frequently asked questions we receive regarding the IBM i OS is, should I upgrade to 7.3 or 7.4? The answer is: it depends.  When it comes to deciding whether you should go to 7.3 or 7.4 you have to take dependencies, features and life expectancy into consideration.

Identify which versions of IBM i your hardware can support

Before you decide, you need to verify which IBM i versions your hardware can support. There are dependencies between the hardware you are running and what OS level it can support. If you are limited by your hardware, then you don’t have much choice in the matter. We suggest you upgrade to the highest OS level that is compatible with your Power System.

POWER7 and POWER7+ servers support IBM i 6.1, 7.1, 7.2 and 7.3; there are a few caveats on some models, so be sure to check your specific model. POWER8 can support 7.1, 7.2, 7.3 and 7.4, which means you have more choices with this hardware. POWER9 can support 7.2, 7.3, 7.4, and will support iNext.

You also should consider that IBM supports upgrades that skip one release, for example, upgrading from 6.1 to 7.2 or from 7.1 to 7.3. If you have to skip more than one release and you do not perform multiple upgrades, you could find yourself in hot water. There are ways to upgrade multiple releases without encountering issues, but this is not the IBM-supported method.

Investigate compatibility between business applications and IBM i

Beyond hardware dependencies, there are software dependencies to take into consideration.  It’s critical to verify which IBM i versions your critical business applications can support. By now, any vendor applications should be ready to support 7.4.  You may need to upgrade to a new version of your applications, so be sure to check this too.

You also have to look at the software dependencies of your applications with ancillary solutions like Java and WebSphere. Both of these applications need to be at the right version to support 7.3 and 7.4. Pete wrote several articles on upgrading to 7.3 and 7.4 which detail more about compatibility with Java and WebSphere.

iTech President Pete Massiello wrote a series of articles on upgrading to 7.3 and 7.4, which go into more detail about the things you need to plan for when upgrading.  You can access that article below, as well as an

Can your backup survive a hurricane?

No matter the time of the year, there’s always a chance of the unplanned happening. This means you’re at risk, especially if you haven’t done a recovery test of your backups recently.  What are you waiting for, a natural disaster?

Store Backups offsite

While it may be common sense that you need to keep a copy of your backups offsite for recoverability, we encounter many companies who are not religious about removing tapes from the drive. It’s imperative that you store your backups offsite in case of a disaster.  It doesn’t matter if you use physical tapes or virtual tapes, you need to make sure there is a copy in a second location.…

How to tell if your Disaster Recovery System is a Boat Anchor

Now that I have your attention, I want to discuss a serious topic: disaster recovery. In the event of an actual disaster, you want to be able to recover as quickly as possible to reduce the number of transactions that you lose, and the business you will lose as a result.

The real question is: Have you ever tested your disaster recovery process?

If the answer is, “no” or “not in a few years”, then your DR system might be nothing more than a boat anchor.

How to Evaluate Your Managed Service’s Needs

Managed Services can be tailored to fit the needs of your business, which means you need to evaluate where a third party provider can provide you with the most benefits. Identifying where you have vulnerabilities or gaps with your system administration is the easiest place to start.

When building your case for managed services, we recommend you focus on three key areas:

  1. Your resources
  2. Their available time
  3. Skills gaps

Existing System Administrator Resources

Do you have only one IBM i System Administrator?  Is this person a dedicated System Administrator?

Replacing an IBM i system administrator can be a challenge. If your current administrator is near retirement, now is a good time to consider managed services.  You should compare the cost of a full-time employee versus the cost of outsourcing tasks to a third party.…

6 Steps to Execute an IBM i Security Project

Many companies want to improve the state of their IBM i security, but they often don’t know where to start. They also might not understand the long-term impact of recommended changes. Having a partner who can help you navigate through your security project can be the difference between success and failure. 

Let’s take a closer look at six steps to properly execute a security improvement project.

Step #1 – First seek to understand

One of the habits highly successful people practice is to first seek to understand, then seek to be understood; this applies to IT projects too. In order to successfully improve your security, you need to first understand what the state of your current security is. Many companies offer free assessments, which will evaluate your system values and compare them to industry standards for compliance.…