How much System i security is enough? This tip explores this question and, hopefully, will get you thinking about your own environment.
In the good old days, enough security meant that you had a lock on the computer room door and you actually used it. Keeping people out of the computer room was all that was necessary. Then came cathode ray tubes (CRTs) and cabling that reached outside computer room environs, making security more of an issue. Someone devised the idea of requiring a CRT user to log in to the system with a user identifier and password. With this little invention, things got back under control. But before long PCs arrived, followed closely by client/server applications and then the Internet. Now what do we do?
For many shops, a strict reliance on the user profile and password is still the watchword of the day. But given today's technology, is that enough? I think not. The problem with today's networked environment is that you can never be absolutely certain who is at the other end of the line.
Security policy backs firewalls, passwords
So what is enough? Over the past few years, the concept of the firewall has captured the hearts of many security officers. In fact, for many companies, the firewall is the be-all and end-all of their security plans. "We've got a firewall in place!" they say; case closed. But is a firewall, along with a user profile/password implementation, enough? Again, I think not. Multiple studies of computer break-ins and data compromises reveal that half of all such incidents are inside jobs committed within the boundaries of a firewall's "protection."
What you really need is a multifaceted approach to security. You need passwords, a firewall and more. In the old days, if the bad guy could get into the computer room, he could do some damage. But if you had multiple doors with multiple locks, it would take him longer to break in and you would have a much better chance of catching him in the process. Today's environment needs to be viewed the same way. Relying on a single security defense is just not enough. You have to deploy multiple defense strategies to be successful.
Your System i installation should include all the security tools at your disposal. It means implementing object security based on a coherent company-wide policy. It means strictly limiting those profiles that have all-object authority. It means implementing exit-point security with object-level controls as well. It means controlling which IP addresses you are going to trust and allow access into your system. It means creating a good user-profile and password-maintenance plan with regular password rotation. It means quickly rescinding access rights for employees who leave or change job assignments. The list goes on and on.
Of course, no computer system is 100% secure. But if you build enough fences that an intruder must climb and add enough doors that must be unlocked, the result will be as secure a system as possible. What you don't want is to make it easy to get into the system, which, unfortunately, is an all-too-common reality for many of today's IT shops.
If you have any questions about this topic, you can reach me at firstname.lastname@example.org. All email messages will be answered as quickly as possible.
About the author: Rich Loeber is the president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company provides various security products to the iSeries market.