Manage Learn to apply best practices and optimize your operations.

Six common System i security lapses

Using the most secure processor available doesn't ensure a secure system. A recent survey identified six common System i security lapses, including a failure to change default passwords and a lack of audit journaling.

This is the third chapter of the Ensuring security on i runbook. The aim of this is to provide AS/400 users advice from security experts for the i on how you can advocate for security in your organization effectively, and what to watch out for, and how to review your System i security situation to ensure it's working as well as it needs to be.

A recent PowerTech Group study of System i servers concludes that almost half of 200 responding companies surveyed don't follow security best practices. System i security expert Rich Loeber finds the study's results in line with his own experience.

"IBM has done a good job, over the years, of selling the public on the idea that the System i is 'the most secure processor available today,'" Loeber said. "However, they have not done nearly as good a job in explaining how to make the system secure."

Ensuring security on i runbook
Spreading the System i security message
Becoming a System i security officer
Is your AS/400 secure?: How a hacker could get valuable information from your system
System i security policy: Time for a check up
System i security report round-up

The survey determined that there are six areas of lax security that warrant immediate inspection: user profiles, user and password management, data access, network access control and auditing, system auditing, and system security values.

Too many high-level users
According to the study, companies grant ALLOBJ authority, which enables users to view, change and delete any file on the system in extremely high numbers. It's recommended that 10 or few users have this authority, but PowerTech found that only seven of more than 200 systems surveyed followed this guideline. Still, companies have had to reduce the number of *ALLOBJ profiles in their systems because of Sarbanes-Oxley (SOX) requirements according to resident security expert Carol Woodbury.

"I'm not seeing the prominence of ALLOBJ as I once did," Woodbury said. In addition to unacceptably powerful profiles, the study found that inactive profiles -- easy targets for hijackers -- are not maintained and that many users don't change their default passwords, leaving accounts vulnerable.

Too much information available
System i libraries are also a primary security concern. According to PowerTech, "virtually every system user will have access to data far beyond their demonstrated need." The average system user can access and change data in a System i library, and companies have not implemented exit-point programs to monitor and restrict network access, the study found. But when it comes to unrestricted System i library access, Woodbury noted that while the system's library may be open, the data itself could be secure.

"It's like the house analogy," she explains. "You may leave your house open, but your safe is locked. You can make that same analogy that the library -- where data is contained -- may be open, but your data files may be secured properly." So while the study may have found the libraries to be open, it's not 100% accurate to assume that the data is also open. Woodbury believes that it's necessary to scrutinize the individual files in the library and not just the library as a whole.

Using audit journal tool for security
The lack of audit journaling has created a lapse in System i security as well. Of the companies surveyed, 30% don't use the journal at all. Of those that do, only 14% have tools to effectively manage the information they gather.

Finally, the overall system security levels of more than one-third of companies in the study were set below the recommended minimum security level 40.

System i may be known as an exceptionally secure platform, but unless proper settings are applied, its security capability is meaningless. "The system is only as secure as the implementation of the security features," said Loeber. "I5/OS may be the most secure OS around, but if it is not used correctly, you might as well have any OS in place."

While the PowerTech study reports some pretty grim numbers, Woodbury sees a gradual improvement in security implementation on System i. "There's still significant work to be done across the System i community when it comes to security, but I see it trending the right direction," she said. "SOX started it, I think the PCI requirements are requiring people to take a much closer look, and … other laws and regulations, like the states' breach and notification laws, are causing people to take a much harder look at how their data is secured because they're having to consider what would happen if it was lost or stolen."

The full PowerTech 2008 State of IBM System i report can be found here. To learn more about System i security, check out expert responses from Carol Woodbury,'s System i security expert for information on Removing *ALLOBJ access and raising system security levels, security auditing, audit journal monitoring and more.

Jeannette Beltran is an assistant editor for TechTarget's Data Center Media Group. Write to her at

Dig Deeper on iSeries system and application security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.