Manage Learn to apply best practices and optimize your operations.

Too much System i security?

System i security is always a compromise between operating efficiency and data integrity. This tip discusses how to find that balance.

Rich Loeber
In my last tip, I asked just how much security is enough for your System i. This tip will explore the contrary question. In other words, how much security is too much? Is there a point where there is just too much security for your installation?

First, we need to admit that all security involves overhead expense. If you are running security software features in the operating system, they take some computing resources to perform access validation routines. When you run additional security validation, such as exit point processing, it adds more processing overhead. For example, requiring users to regularly change their passwords translates to time spent changing their logins to different values. When someone has a security-related problem during the business day, this is additional overhead, not only on the part of the end user, but also by your support staff. No matter how you look at it, good security costs money.

But is there a point where you have too much security and the benefits are outweighed by the security protection deployed? I think the answer is a clear yes in certain circumstances.

Overly-complicated technology inflates security costs
Last year, I did a consulting gig for a large company in North America. This company had a very aggressive security implementation for outside vendors, and they apparently used a lot of outside vendors who need access to their network.

More on System i security decisions:
Preventing adopted special privileges on i5/OS

What's new with System i password controls

Spreading the System i security message
This company had a complicated VPN installed that required a remote token generator, which was shipped to me. When the token arrived, it included indecipherable instructions on how to gain access, which ultimately did not work. It took me three days and countless hours of trial and error with various members of their support desk team to get access to their system just to start a project that was behind schedule at the outset. Once I got into their System i processor, I found that my profile had not been properly set up and there was a further delay in getting started.

In this case, the costs associated with the security implementation became excessive. I was on the clock for this entire experience and the customer paid dearly for this wasted time. In this case, I'd conclude that either there too much security or the security deployed was insufficiently funded. The whole point was to provide a secure sign on to their System i from a remote location, but there were too many layers to go through.

Security considerations checklist
If normal business transactions are regularly stopped due to security checking, you might consider whether or not you've reached the point of diminishing returns. If people in your organization can't get their day-to-day work done due to security hurdles, there may be too much security and a review of your setup is in order.

Are your support costs on budget or running way over? If you're spending significantly more money on support that can be traced to security issues, that's another red flag that something is wrong in your security environment.

Some security officers out there are going to cringe at this, but security is always a compromise between operating efficiency and data integrity. You need to have a good balance tempered by an honest assessment of what you're protecting.

If you have any questions about this topic, email me at, All email messages will be answered as quickly as possible.

ABOUT THE AUTHOR: Rich Loeber is the president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company provides various security products to the iSeries market.

Dig Deeper on iSeries system and application security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.