System i security: How much is enough?

In the good old days, enough security meant that you had a lock on the computer room door and you actually used it. Keeping people out of the computer room was all that was necessary. Then came cathode ray tubes (CRTs) and cabling that reached outside computer room environs, making security more of an issue. Someone devised the idea of requiring a CRT user to log in to the system with a user identifier and password. With this little invention, things got back under control. But before long PCs arrived, followed closely by client/server applications and then the Internet. Now what do we do?

For many shops, a strict reliance on the user profile and password is still the watchword of the day. But given today's technology, is that enough? I think not. The problem with today's networked environment is that you can never be absolutely certain w...

RELATED CONTENT iSeries security tips IBM i security tightening: Preventing data theft Security considerations for IBM i backups Developing a security incident response system for System i Tracking remote access users on System i Setting up security for programmers on IBM i Controlling remote access on your IBM i Checking in on your IBM i authorization lists PCI data security standards and the System i Securing the integrated file system on IBM System i Contextual security on IBM i: Limit user profile access iSeries system and application security IBM i security tightening: Preventing data theft Developing a security incident response system for System i Setting up security for programmers on IBM i Blocking AS/400 DB2 users Trouble accessing IFS path from Win2k3 server Checking in on your IBM i authorization lists Strategies for securing IBM i production files Changing password security levels and upgrading operating systems on the IBM i Determine the value of parameter UPPWEI in the DSPUSRPRF field Define journal code value "K" System i security administration Tracking System i program object changes Recovering your AS/400 security configuration System i security report roundup Six common System i security lapses Too much System i security? System i security: Watch for hackers using FTP

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary midrange  (Search400.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

ho is at the other end of the line.

Security policy backs firewalls, passwords
So what is enough? Over the past few years, the concept of the firewall has captured the hearts of many security officers. In fact, for many companies, the firewall is the be-all and end-all of their security plans. "We've got a firewall in place!" they say; case closed. But is a firewall, along with a user profile/password implementation, enough? Again, I think not. Multiple studies of computer break-ins and data compromises reveal that half of all such incidents are inside jobs committed within the boundaries of a firewall's "protection."

What you really need is a multifaceted approach to security. You need passwords, a firewall and more. In the old days, if the bad guy could get into the computer room, he could do some damage. But if you had multiple doors with multiple locks, it would take him longer to break in and you would have a much better chance of catching him in the process. Today's environment needs to be viewed the same way. Relying on a single security defense is just not enough. You have to deploy multiple defense strategies to be successful.

Your System i installation should include all the security tools at your disposal. It means implementing object security based on a coherent company-wide policy. It means strictly limiting those profiles that have all-object authority. It means implementing exit-point security with object-level controls as well. It means controlling which IP addresses you are going to trust and allow access into your system. It means creating a good user-profile and password-maintenance plan with regular password rotation. It means quickly rescinding access rights for employees who leave or change job assignments. The list goes on and on.

Of course, no computer system is 100% secure. But if you build enough fences that an intruder must climb and add enough doors that must be unlocked, the result will be as secure a system as possible. What you don't want is to make it easy to get into the system, which, unfortunately, is an all-too-common reality for many of today's IT shops.

If you have any questions about this topic, you can reach me at rich@kisco.com. All email messages will be answered as quickly as possible.

About the author: Rich Loeber is the president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company provides various security products to the iSeries market.