Three Steps to Protect Your IFS

We will never stop saying it, the IBM i is the most securable platform, but it doesn’t come that way. It’s up to you to ensure that you properly secure access to your system, grant users the appropriate authority to objects, and put tools in place to prevent problems from happening.  This includes the IFS.

The IFS is the integrated file system designed to support streaming input and output and manage the storage of those objects. The IFS has a tree structure, similar to a Windows PC where you can store files and objects.  With a common interface, users can access their locally stored files and other objects on the IBM i. It’s the access to these other objects that is why you need to secure your IFS properly. You don’t want the wrong person getting to your data.

There are three things we recommend you do to protect your IFS from unwanted access or, worse, having your data corrupted or held ransom.

#1 – Eliminate unnecessary IFS File share

If you have root shares happening on your IFS, eliminating them should be your top priority.  Sharing the root is like granting someone access to your C:/ drive. We’ve found that most people don’t realize that everything below the root becomes accessible when you do this. That’s right when you share the root; you expose your system.

We recommend you change the root to *Read/Execute to best protect your IFS data. If you are on IBM i 7.4, you can take advantage of authority collection and run it over file shares.  This will allow you to identify what is in use and make the change in a controlled way. However, this needs to be done carefully, as changing authorities can break applications, depending on how they are coded.

Once you have properly secured the root, you should look at the other folders below the root to ensure that they have the proper level of security too. It’s essential to start at the root first and work your way down the tree to ensure that you protect all of your sensitive files.

#2 – Tighten object-level security

Once you restrict access to your IFS file shares, you can start to put additional user and object-level security controls in place.  The idea is you want to structure access to your IFS the same way you approach DB2 access, by providing users with the least authority necessary to do their job.  If a user is only going to ever retrieve data from a file, why give them *write authority.  Give them *read only.

The data management interface supports the use of APIs to restrict access to objects.  Adopted authorities do not work on file systems, which means the API will use the user’s authority.  This makes it even more critical to provide users with the least authority necessary.  Excessive object authority puts your system at risk, whether those are native DB2 objects or IFS objects.  Properly securing your IBM i is critical to protecting your data.

#3 – Implement anti-virus and anti-ransomware software

The first two steps are about getting good controls in place to protect access to your objects through the IFS.  This final step involves implementing a solution to ensure that the bad guys don’t infect your system with a virus or ransomware.  What Benjamin Franklin said in the 1700s still applies today, “An ounce of prevention is worth a pound of cure.”

Ransomware attacks are on the rise, and we’ve already had to help two dozen customers recover following an attack this year.  That may not seem like a lot but, until the past three years, there was zero.  The number of companies impacted will continue to rise at an alarming rate as the attacks get more sophisticated.

Companies have been using virus protection for decades on their Windows servers. Yet, they have largely ignored their IBM i due to a false sense of security. Unlike the native DB2 database, which cannot execute a virus, IFS can carry a virus and infect the IFS files.  Those files can then spread the virus when someone uses a mapped drive on their PC. All of a sudden, a virus is spreading through your Windows network.  For this reason, it’s important to protect your IBM i from viruses and ransomware too.

Not only is it important, but compliance also requires anti-virus protection.  Exactly like PC virus protection, IBM i virus protection works the same way.  The system is scanned in real-time, and any suspicious files are quarantined. Preventing viruses from getting to the files on your IFS is the best way to protect your data.  You can try to do this manually, but real-time scanning will net you better results and reduce your risk.

It’s time for everyone to take the threat seriously and put the controls and tools in place to help protect your business.  Not only will you better protect your IFS, but you will also protect your whole network from a potential virus or ransomware attack.

More from this month:

Leave a Comment

Your email address will not be published. Required fields are marked *