Manage Learn to apply best practices and optimize your operations.

IBM i security tightening: Preventing data theft

A firewall should be the first line of defense to protect your IBM i system, but not the only security measure you take. Rich Loeber counsels you to not ignore the enemy within. Build strong object level controls and restrict *ALLJOB access.

In many System i shops, we have been forced to find new ways to save on expense while still providing the same level of support as in the past. This is not always easy, and I have seen evidence that some shops are sacrificing security to conserve on their budgets.

One significant area where I've seen this is data asset protection. More than one shop that I've been in touch with have decided to put their complete trust for data asset protection into their firewall at the expense of other means of protecting their data.

With your system attached to a network, and with the network connected to the Internet, trusting your data protection to a single piece of technology is just a bad idea. Imagine yourself living in a neighborhood with a high crime rate. Would you have a single lock on your door? Like most people in this situation, wouldn't you use two or three (or even more) methods to keep your doors and windows locked?

When your system is connected to the Internet you are in a high crime neighborhood, and you need to use the same approach to protecting your data. When someone breaches your single point of protection it could leave your entire system open to malicious abuse.

Trusting your data protection to just a firewall completely ignores the issues of intrusion from sources within the firewalled network. In a small shop, where you can see who is in and who is doing what, maybe this is not much of a concern, but in today's large shops with widespread deployment of networks, you cannot keep an eye on what everyone is doing. Anyone who is within the "secure" network can find access to your system using a variety of tools available to today's savvy computer users.

If you have deployed your firewall as your primary defense against intrusion, you are completely ignoring the enemy from within your organization. Most security experts will tell you that at least half of all intrusions come from within your organization. With the ease of downloading data and storing it in a convenient portable form, anyone in your organization could easily take home critical data assets on a laptop or USB stick.

What you need to ask yourself is, "Am I saving money or am I thinking in the short term just to look good?" In today's environment, you cannot put all your eggs in one basket. To adequately protect your system, you need to present multiple hurdles for your enemies to overcome. If they get past one, there is a good chance that the next one they encounter will defeat them.

The good news is that your System i comes with a lot of tools available to build these additional lockouts. To protect yourself from the enemy within, you will need to build strong object level access controls. You will need to rigorously enforce a policy of no user profiles with *ALLOBJ authority. You will need to also enforce a policy of password rotation on a frequent basis with password controls that prevent the reuse of passwords and the use of passwords that are easy to guess. Lastly, the strong lock of exit point controls will also help keep your data safe.

All of these options are open to you. Some may cost you some money, but the alternative of seeing your organization on the front page of the paper for data theft would be much more expensive in the long run.

If you have any questions about this topic, you can reach me at, I'll give it my best shot. All email messages will be answered.

About the author
Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

Dig Deeper on iSeries system and application security