A recent PowerTech Group study of System i servers concludes that almost half of 200 responding companies surveyed don't follow security best practices. System i security expert Rich Loeber finds the study's results in line with his own experience.
"IBM has done a good job, over the years, of selling the public on the idea that the System i is 'the most secure processor available today,'" Loeber said. "However, they have not done nearly as good a job in explaining how to make the system secure."
The survey determined that there are six areas of lax security that warrant immediate inspection: user profiles, user and password management, data access, network access control and auditing, system auditing, and system security values.Too many high-level users
According to the study, companies grant ALLOBJ authority, which enables users to view, change and delete any file on the system in extremely high numbers. It's recommended that 10 or few users have this authority, but PowerTech found that only seven of more than 200 systems surveyed followed this guideline. Still, companies have had to reduce the number of *ALLOBJ profiles in their systems because of Sarbanes-Oxley (SOX) requirements according to Search400.com resident security expert Carol Woodbury.
"I'm not seeing the prominence of ALLOBJ as I once did," Woodbury said. In addition to unacceptably powerful profiles, the study found that inactive profiles -- easy targets for hijackers -- are not maintained and that many users don't change their default passwords, leaving accounts vulnerable.
Too much information available
System i libraries are also a primary security concern. According to PowerTech, "virtually every system user will have access to data far beyond their demonstrated need." The average system user can access and change data in a System i library, and companies have not implemented exit-point programs to monitor and restrict network access, the study found. But when it comes to unrestricted System i library access, Woodbury noted that while the system's library may be open, the data itself could be secure.
"It's like the house analogy," she explains. "You may leave your house open, but your safe is locked. You can make that same analogy that the library -- where data is contained -- may be open, but your data files may be secured properly." So while the study may have found the libraries to be open, it's not 100% accurate to assume that the data is also open. Woodbury believes that it's necessary to scrutinize the individual files in the library and not just the library as a whole.Using audit journal tool for security
The lack of audit journaling has created a lapse in System i security as well. Of the companies surveyed, 30% don't use the journal at all. Of those that do, only 14% have tools to effectively manage the information they gather.
Finally, the overall system security levels of more than one-third of companies in the study were set below the recommended minimum security level 40.
System i may be known as an exceptionally secure platform, but unless proper settings are applied, its security capability is meaningless. "The system is only as secure as the implementation of the security features," said Loeber. "I5/OS may be the most secure OS around, but if it is not used correctly, you might as well have any OS in place."
While the PowerTech study reports some pretty grim numbers, Woodbury sees a gradual improvement in security implementation on System i. "There's still significant work to be done across the System i community when it comes to security, but I see it trending the right direction," she said. "SOX started it, I think the PCI requirements are requiring people to take a much closer look, and … other laws and regulations, like the states' breach and notification laws, are causing people to take a much harder look at how their data is secured because they're having to consider what would happen if it was lost or stolen."
The full PowerTech 2008 State of IBM System i report can be found here. To learn more about System i security, check out expert responses from Carol Woodbury, Search400.com's System i security expert for information on Removing *ALLOBJ access and raising system security levels, security auditing, audit journal monitoring and more.
Jeannette Beltran is an assistant editor for TechTarget's Data Center Media Group. Write to her at email@example.com.