No. Your IBM i Isn’t Secure
I had an interesting but not surprising conversation with a customer last week to talk about IBM i security. They said:
“IBM i is just bulletproof. We don’t have to worry about security. That’s the value of IBM i.”
It’s something heard all too often. And that’s my cue to tell someone just how ugly their baby is. I’m not going to sugar coat it because the stakes are far too high.
Once again, IBM i is highly securable.
Perhaps more than any other operating system ever created. It is not secure out of the box. In fact, it’s actually shipped wide open. The system value QCRTAUT has a good hand in making it that way. If QCRTAUT is the default value of *CHANGE (and it usually always is), then any object created on the system has *PUBLIC *CHANGE authority. In layman’s terms, it means that all objects are wide open to any authenticated user. This is the shipped value. And it’s only one of many things you need to keep under control.
With that being said, when we do security assessments the results are usually a shock to customers. To be honest it’s usually pretty quiet on the other end of the phone. The only time it’s not quiet is when people expect some bad news. They know their particular environment needs help so they want to have a remediation discussion, rather than an exposure and risk explanation.
So what do we find? Most libraries are not secured. Special authorities are widespread. IFS shares are out of control. Guest NetServer accounts. Default passwords. Password level 0 and subsequently way too short passwords. There’s next to no encryption set up on disk, network or backup media. Security auditing is either off or, if it’s on, it’s not being reviewed.
You always have to worry about security.
You have to be. Because somewhere out there someone’s trying to thwart yours.
In the last four months, we’ve been called in to repair malware damage on more systems than I’d like to count. In those situations, it’s been a recovery effort first then a security review second. What’s the old saying about quitting smoking? It’s really easy to do after a cancer diagnosis. The irony with that is that the damage has already been done. In retrospect, every single one of those breaches could’ve been outright prevented or significantly reduced with very simple yet proactive security work. How much unscheduled downtime could’ve been prevented? What about lost confidence in the IT teams in keeping their companies’ data protected?
In order to promote security literacy in our customer base, we put together a very simple solution called VERIFi Security Advisor.
It’s a semi-monthly report that offers a proactive single pane of glass review of your IBM i security. As well, we include an annual security advisory session where we explain the problem areas and help direct where you need to prioritize your remediation efforts.
From an auditing and compliance perspective, customers will be able to provide their financial auditors a documented and non-biased, independent 3rd party review of IBM i security attributes. Given that most financial auditing firms are not familiar with the IBM i operating system, their ability to understand let alone make recommendations are highly suspect. Our ability to provide a proactive analysis ensures auditors are aware that security is a priority in their organizations.
While satisfying auditor requirements is one thing, acknowledging and repairing high-risk areas are far more important. We want to ensure customers are reducing their risks of exposure by showing them exactly what’s vulnerable so they can take steps to mitigate it. If customers don’t have the wherewithal or resources to do that then we’re more than happy to assist.
What I like about the VERIFi Security Advisor offering is that it’s not a “one and done” engagement. Let’s say you download a different tool to review your security. You get some baseline results and you’re never prompted to do anything ever again, until you run the tool again sometime down the road. VERIFi Security Advisor sends you an update every two weeks so that you can track your progress. It’s prompts a tension for change; something no other tool effectively does.
So let’s be proactive as a community. I ask you to join us to make your IBM i security as bulletproof as it can be. I’d so much rather do that then help you recover your system from tape.
Believe me, you will too.