Six common System i security lapses

[IMAGE]

A recent PowerTech Group study of System i servers concludes that almost half of 200 responding companies surveyed don't follow security best practices. System i security expert Rich Loeber finds the study's results in line with his own experience.

"IBM has done a good job, over the years, of selling the public on the idea that the System i is 'the most secure processor available today,'" Loeber said. "However, they have not done nearly as good a job in explaining how to make the system secure."

The survey determined that there are six areas of lax security that warrant immediate inspection: user profiles, user and password management, data access, network access control and auditing, system auditing, and system security values.

"I'm not seeing the prominence of ALLOBJ as I once did," Woodbury said. In addition to unacceptably powerful profiles, the study found that inactive profiles -- easy targets for hijackers -- are not maintained and that many users don't change their default passwords, leaving accounts vulnerable.

Too much

To read more you must become a member of Search400.com

As an existing member of the TechTarget network please provide your password to activate your account (Forgot your password?):

Password:

By joining Search400.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT iSeries system and application security Checking in on your IBM i authorization lists Strategies for securing IBM i production files Changing password security levels and upgrading operating systems on the IBM i Determine the value of parameter UPPWEI in the DSPUSRPRF field Define journal code value "K" Modify content within a journal receiver file Change password parameters on the AS/400 without deactivating user's passwords Prevent insiders with *READ or *USE access from circumventing object authority on IBM i Prevent insiders from obtaining user ids and passwords on the IBM i Change the IBM i system to allow only certain types of SSL protocol versions iSeries security tips Checking in on your IBM i authorization lists PCI data security standards and the System i Securing the integrated file system on IBM System i Contextual security on IBM i: Limit user profile access Time for a security checkup for your i Security monitoring on IBM i: Watching your super users Tracking System i program object changes Recovering your AS/400 security configuration System values on i: Setting them up and locking i down A guide to System i security, Part 3: Digging in to the System i security environment System i security administration Tracking System i program object changes Recovering your AS/400 security configuration System i security report roundup Too much System i security? System i security: How much is enough? System i security: Watch for hackers using FTP

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary midrange  (Search400.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

information available
System i libraries are also a primary security concern. According to PowerTech, "virtually every system user will have access to data far beyond their demonstrated need." The average system user can access and change data in a System i library, and companies have not implemented exit-point programs to monitor and restrict network access, the study found. But when it comes to unrestricted System i library access, Woodbury noted that while the system's library may be open, the data itself could be secure.

"It's like the house analogy," she explains. "You may leave your house open, but your safe is locked. You can make that same analogy that the library -- where data is contained -- may be open, but your data files may be secured properly." So while the study may have found the libraries to be open, it's not 100% accurate to assume that the data is also open. Woodbury believes that it's necessary to scrutinize the individual files in the library and not just the library as a whole.

Finally, the overall system security levels of more than one-third of companies in the study were set below the recommended minimum security level 40.

System i may be known as an exceptionally secure platform, but unless proper settings are applied, its security capability is meaningless. "The system is only as secure as the implementation of the security features," said Loeber. "I5/OS may be the most secure OS around, but if it is not used correctly, you might as well have any OS in place."

While the PowerTech study reports some pretty grim numbers, Woodbury sees a gradual improvement in security implementation on System i. "There's still significant work to be done across the System i community when it comes to security, but I see it trending the right direction," she said. "SOX started it, I think the PCI requirements are requiring people to take a much closer look, and … other laws and regulations, like the states' breach and notification laws, are causing people to take a much harder look at how their data is secured because they're having to consider what would happen if it was lost or stolen."

The full PowerTech 2008 State of IBM System i report can be found here. To learn more about System i security, check out expert responses from Carol Woodbury, Search400.com's System i security expert for information on Removing *ALLOBJ access and raising system security levels, security auditing, audit journal monitoring and more.

Jeannette Beltran is an assistant editor for TechTarget's Data Center Media Group. Write to her at jbeltran@techtarget.com.

Rate this Tip To rate tips, you must be a member of Search400.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.