Six common System i security lapses

"IBM has done a good job, over the years, of selling the public on the idea that the System i is 'the most secure processor available today,'" Loeber said. "However, they have not done nearly as good a job in explaining how to make the system secure."

The survey determined that there are six areas of lax security that warrant immediate inspection: user profiles, user and password management, data access, network access control and auditing, system auditing, and system security values.

"I'm not seeing the prominence of ALLOBJ as I once did," Woodbury said. In addition to unacceptably powerful profiles, the study found that inactive profiles -- easy targets for hijackers -- are not maintained and that many users don't change their default passwords, leaving accounts vulnerable.

Too much information available
System i libraries are also a primary security concern. According to PowerTech, "virtually every system user will have access to data far beyond their demonstrated need." The average system user can access and change data in a System i library, and companies have not implemented exit-point programs to monitor and restrict network access, the study found. But when it comes to unrestricted System i library access, Woodbury noted that while the system's library may be open, the data itself could be secure.

"It's like the house analogy," she explains. "You may leave your house open, but your safe is locked. You can make that same analogy that the library -- where data is contained -- may be open, but your data files may be secured properly." So while the study may have found the libraries to be open, it's not 100% accurate to assume that the data is also open. Woodbury believes that it's necessary to scrutinize the individual files in the library and not just the library as a whole.

Finally, the overall system security levels of more than one-third of companies in the study were set below the recommended minimum security level 40.

System i may be known as an exceptionally secure platform, but unless proper settings are applied, its security capability is meaningless. "The system is only as secure as the implementation of the security features," said Loeber. "I5/OS may be the most secure OS around, but if it is not used correctly, you might as well have any OS in place."

While the PowerTech study reports some pretty grim numbers, Woodbury sees a gradual improvement in security implementation on System i. "There's still significant work to be done across the System i community when it comes to security, but I see it trending the right direction," she said. "SOX started it, I think the PCI requirements are requiring people to take a much closer look, and … other laws and regulations, like the states' breach and notification laws, are causing people to take a much harder look at how their data is secured because they're having to consider what would happen if it was lost or stolen."

The full PowerTech 2008 State of IBM System i report can be found here. To learn more about System i security, check out expert responses from Carol Woodbury, Search400.com's System i security expert for information on Removing *ALLOBJ access and raising system security levels, security auditing, audit journal monitoring and more.

Jeannette Beltran is an assistant editor for TechTarget's Data Center Media Group. Write to her at jbeltran@techtarget.com.

Rate this Tip To rate tips, you must be a member of Search400.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT iSeries system and application security Is your AS/400 secure?: How a hacker could get valuable information from your system System i security report round-up A guide to System i security, part 2: Landing and establishing access Creating a System i database security policy: Implementation Creating a System i database security policy: First steps Overriding the timeout interval on specific terminals Deleting iSeries audit logs Moving to security level 40 Enhancements in the intrusion detection system for i5/OS V6R1 Working with exit programs in i5/OS V6 iSeries security tips Is your AS/400 secure?: How a hacker could get valuable information from your system System i security report round-up A guide to System i security, part 2: Landing and establishing access Creating a System i database security policy: Implementation A guide to System i security: Descending into the heart of darkness of IT security Creating a System i database security policy: First steps Enhancements in the intrusion detection system for i5/OS V6R1 Working with exit programs in i5/OS V6 New password-control security features for i5/OS V6R1 Fill in your System i security knowledge gaps RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary midrange  (Search400.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.