Top 5 Secrets to Protecting Your Data with IBM i

Publication date
ibm i security

IBM i serves as the IT foundation of many retailers, large banks, stores, hotels, and more. Businesses choose it for its robust security. But just because you use IBM i on your servers, doesn’t mean that your business’s IT systems are secure.

In fact, many businesses built on IBM i have high levels of security risk. That’s not because of an error with IBM i. It’s because many businesses don’t use it properly.
Imagine IBM i as a heavy door with dozens of locks screwed on it.

If you want to protect your data, you can’t simply install the door. You have to close the door, and then lock every lock. Many companies believe they are protecting their data simply by choosing IBM i, but they need to follow best practices and implement the right features to truly secure their IT system.

In some ways, how to use IBM i securely is a well-kept secret. In this article, we share those secrets and show you how best to use IBM i to protect your data.

Isn’t IBM i automatically secure?

IBM i is a fully-integrated operating system that runs on a IBM power system server. It’s an older technology, but one that remains popular for its robust security. Security is IBM i’s main feature.

Because IBM i is so robust and integrated, it takes very few staff to manage it. In many companies, the person in charge of the IBM i system isn’t even an IT specialist: they may be an accounting clerk or in a similar position. There are even stories of companies leaving their IBM i server completely unattended: one company lost track of their server and eventually realized a wall had been built over it.

An IBM i server is so robust, it can fix itself and keep running with little to no support from IT technicians. That’s a feature, but it also creates risks. With few people, and possibly no IT experts, watching over the server, the system can become outdated. Security exposures and risks can increase without the company realizing it. That’s especially true if a company assumes that their IBM i server is secure by nature, and doesn’t take steps to keep up with the latest security features and updates to protect their data.

Attacks on IBM i servers are infrequent, but if an IBM i server does go down, the consequences are disastrous. Many companies have their entire business on their IBM i server. If they lose it, they lose everything.

With so much at stake, it’s essential to make sure your IBM i server is protecting your data to the best of its ability. There are many new and old features of IBM i that companies don’t realize they can use to protect their systems. Here are the top five IBM i features that we recommend you start using today.


Top 5 secrets companies don’t know about IBM i

     1. You can add Multi-factor Authentication (MFA).

More and more companies are seeking insurance for cyber attacks as ransomware attacks become increasingly common and increasingly expensive. The consequences of a successful ransomware attack can be deadly for a business, so obtaining insurance makes sense.

Insurers, however, now usually require multi-factor authentication (MFA) as a prerequisite to obtain insurance for cyber attacks.

Most people are familiar with multi-factor authentication (MFA) from logging into their bank’s online portal or a similarly secure site. When you enter your password online, you also receive a text with a passcode to confirm your identity.

What many companies don’t realize is that IBM i allows you to implement MFA directly through the operating system.

If you are seeking cyber insurance and need MFA, it is straightforward to begin using it. And if you are not seeking insurance for cyber attacks, we at R2i still highly recommend implementing MFA as a best practice for any company’s cybersecurity.

     2. Immutable backups are supported.

There are three traditional pillars in cybersecurity: high availability, disaster recovery, and backups. But recently, a fourth focus has emerged: cyber resiliency.

While disaster recovery is focused on protecting your data from natural disasters or other catastrophic events, cyber resiliency describes your company’s ability to prepare for and recover from cyber attacks from bad actors.

A key part of cyber resilience is immutable backups. These are backups that can’t be changed by any user. This is essential, because ransomware attackers know to target backups. In most ransomware attacks, the attackers first destroy the metadata and indices related to your backups. That makes your backups unusable. Then when the ransomware attackers take down your system, you have no choice but to pay the ransom, since your backups are not accessible.

Immutable backups address this issue. Ransomware attackers aren’t able to modify or destroy them, so when you suffer an attack, you can still restore your data from those backups.

The good news? IBM i allows you to make immutable backups of your servers.


     3. The Integrated File System (IFS) exposes you to risk.

In recent years, IBM has opened up the IBM i platform to receive Windows-like files through an Integrated File System (IFS).

IFS offers a lot of functionality, but it also opens up your company to risk. IMB  i files are well-secured because their extensions can’t change. In a system like Windows, for example, a file can look like a text document, then change to an executable and attack your system. With traditional IBM i files, that’s not possible. But with the new IFS, IBM i is now vulnerable to more attacks of that nature.

There’s one main issue with IBM i’s IFS that many companies aren’t aware of. By default, the general public is able to read, write, and change IFS files. That means if any regular user gains access to your IFS, they can do whatever they want.

To protect your data, the solution is simple. Change the permissions of your IFS so that only the appropriate users can modify your files.

IFS opens a window into your IBM i system. A window can give you advantages – just make sure that you lock it.


     4. Passwords can have rules.

IBM i allows companies to set rules for their users about password complexity. This has been possible with IBM i for several years, but many companies are still unaware of it.

For example, IBM i lets you make users use mixed characters by requiring that every password have any three of lower case letters, upper case letters, numbers, or special symbols. This makes passwords much more secure.

IBM i also lets you require users to change passwords every 30 or 60 days, another best practice for password security. Our experts at R2i highly recommend that you use both these features to make your passwords more robust.


     5. Start Authority Collection can minimize authority levels.

One key principle of cybersecurity is to give each user the minimum amount of authority they need to do their job.

This can be difficult in practice, however. When a user needs to do something and encounters a security roadblock, it may be difficult to determine exactly which additional privileges they need. IT admins may save time by giving that user broad permissions so they can complete the task.

Over time, this leads to many users having much more authority than they truly need to do their jobs. But if the company tries to fix this data protection issue by reducing authority levels, they may end up breaking something in the system. Tasks can’t get done, and operations may be impacted. The company will usually stop trying to tighten their security in order to avoid those breakdowns.

IBM i’s new Start Authority Collection tool solves this problem. It creates a trace that tracks users as they do their jobs, so you can see exactly which permissions each user needs. Then you can reduce each user’s authority level with confidence, knowing that you’re giving them access to exactly the data they need.


Protect your data with security checks

Implementing the IBM i features above is highly recommended to protect your data. But there’s one more essential part of data protection that the R2i team recommends: security checks.

Since IBM i runs so well, too many companies take it for granted that it’s secure. But it is essential to review your IBM i server’s security.

There are three pillars to IBM i, and a security review should consider all three.


  1. System Values – System values set the rules for the entire system. For example, you can set a rule that everyone has to change their password every 60 days. This pillar sets a default level of security for the whole system.
  2. Users – People who can access your system are grouped into different types of users. General users have limited access. But superusers or administrators have high authority, and can override system-level rules.
  3. Objects – Objects are the data, programs, and source code that you’re protecting. Objects are protected by the system-wide rules, but you can also protect them individually.


If you imagine your IBM i server as a house, the system values are front door locks. The user rules determine who has keys to which locks. And the objects are specific rooms, which you can also lock down on their own for additional protection.

When doing a quick security review, companies sometimes only review the system values. But it’s important to consider all three levels. Here’s why. Take the example of requiring users to change passwords. Your IBM i may have a system-level rule that users must change their password every 60 days. This is a great way to protect your data. However, an individual admin may give themselves an override so they don’t have to change their passwords. This can be tempting for an admin to do, because changing their many passwords takes a lot of time. But if their password gets stolen, and you don’t have MFA, then your system is vulnerable to an attack.

This is why it’s essential to not only check your system-level rules, but also to check individual users and objects to make sure there are no loopholes. It’s also important to ensure that you have very few people with high-privileged accounts, and that none of them have left the company or dodged a rule.

A security check also gives you an opportunity to ensure that you’re following all security best practices. Since IBM i goes down so rarely, it’s easy to let security go slack. At R2i, we once encountered a company that hadn’t done a backup of their IBM i server in a year. IBM i is robust, but if that company had lost their server, they would have lost their entire business. Don’t take chances. Make sure to review your systems and follow best practices.

At R2i, we recommend reviewing your IBM i security twice a year. Your internal IT team can do the checkup, but it’s also valuable to have an external team like R2i review your system regularly. Outside experts have a new perspective and additional knowledge that help ensure your security review is as complete and valuable as possible.

Keep up with patches

During your twice yearly security checkup, we recommend that you take the opportunity to patch your system. Patches keep your security and software up-to-date.

Sometimes, companies fall behind on patching their IBM i systems. In that case, it can be intimidating to do the patches, because catching up will require making many changes at once and may affect or even break some of your applications.

However, falling behind on patches leaves your company vulnerable to security risks. We recommend patching about twice a year. That way, you never have to make big changes that can cause problems.

Protect your data and IBM i systems with the help of experts

If you would like advice on how to implement the security features we describe here, or if you want to set up an external security review of your IBM i system, the R2i team can help.

Our IT experts have in-depth knowledge of IBM i security, and can help you choose how best to protect your data. We can work with your current system or guide you on your digital transformation.

Since R2i has a large team with diverse IT specializations, we can also do a complete security review that considers your entire IT system above and beyond your IBM i.

If you would like to have an R2i expert review your IBM i security, or if you have any questions about IBM i and protecting your data, simply contact us.

What is protection data?

Protection data, also known as data protection, refers to the practices and measures implemented to safeguard sensitive and valuable information from unauthorized access, loss, corruption, or theft. In the digital age, where data plays a crucial role in business operations and personal interactions, data protection has become a critical concern.

Effective data protection involves a combination of technical, organizational, and legal measures. These measures aim to ensure the confidentiality, integrity, and availability of data throughout its lifecycle. Data protection includes activities such as encryption, access controls, regular backups, secure storage, and disaster recovery planning.

Organizations must comply with relevant data protection regulations and standards to avoid legal and financial consequences. The General Data Protection Regulation (GDPR) in Europe and the Health Insurance Portability and Accountability Act (HIPAA) in the United States are examples of such regulations that outline requirements for data protection and privacy.

By implementing robust data protection practices, businesses and individuals can mitigate risks and maintain trust by safeguarding sensitive information from potential breaches or unauthorized use. As technology continues to evolve, staying vigilant and proactive in data protection is essential to maintaining a secure digital environment.

How can data be protected?

Data protection is crucial for safeguarding sensitive information from unauthorized access, loss, or corruption. Implementing effective data protection measures involves a combination of technical, organizational, and procedural strategies. Here are some key ways to protect data:

  1. Encryption: Utilize encryption techniques to convert data into a coded format that can only be deciphered with the appropriate encryption key. This ensures that even if unauthorized individuals gain access to the data, they cannot read or use it without the decryption key.
  2. Access Controls: Implement strict access controls to limit who can access specific data. Use strong authentication methods, such as multi-factor authentication (MFA), and assign access rights based on roles and responsibilities.
  3. Regular Backups: Regularly back up your data to secure locations, both on-site and off-site. This ensures that in case of data loss or corruption, you can restore the information from a recent backup.
  4. Secure Storage: Store data on secure and reliable storage systems. This may involve using encrypted storage solutions, firewalls, and intrusion detection systems to prevent unauthorized access.
  5. Patch Management: Keep software and systems up to date with the latest security patches. Regularly update operating systems, applications, and firmware to address vulnerabilities that could be exploited by attackers.
  6. Employee Training: Provide comprehensive training to employees on data protection best practices. Educate them about phishing threats, social engineering, and the importance of maintaining strong passwords.
  7. Data Classification: Classify data based on its sensitivity and value. Apply appropriate security measures to different data categories to ensure that sensitive information receives the highest level of protection.
  8. Endpoint Security: Implement security measures on devices that access the data, including antivirus software, firewall protection, and mobile device management solutions.
  9. Incident Response Plan: Develop a detailed incident response plan to address data breaches or security incidents promptly. This plan should outline the steps to take, roles and responsibilities, and communication strategies.
  10. Data Privacy Regulations: Stay informed about relevant data privacy regulations and compliance requirements that apply to your industry and region. Ensure that your data protection practices align with these regulations.
  11. Physical Security: Implement physical security measures to protect data centers and server rooms from unauthorized access. Use access controls, surveillance systems, and secure entry points.
  12. Vendor Management: If you work with third-party vendors or service providers, ensure they have robust data protection measures in place. Perform due diligence before sharing sensitive data with external parties.
  13. Regular Audits and Assessments: Conduct regular security audits and assessments to identify vulnerabilities and weaknesses in your data protection practices. This proactive approach helps you address issues before they are exploited.

By implementing a comprehensive data protection strategy that encompasses these measures, you can significantly reduce the risk of data breaches and unauthorized access, ensuring the confidentiality and integrity of your valuable information.

Why is Protecting Your Data Important? Secure Your Information for Peace of Mind

In today’s digital age, the significance of safeguarding your data cannot be overstated. As we become increasingly reliant on technology for various aspects of our personal and professional lives, the need to protect sensitive information has become paramount. Data breaches and cyberattacks have become prevalent, leaving individuals and businesses vulnerable to identity theft, financial loss, and reputational damage.

By prioritizing data protection, you ensure the confidentiality, integrity, and availability of your valuable information. Here are key reasons why data protection should be a top concern:

  1. Prevent Unauthorized Access: Unauthorized access to your data can lead to severe consequences. Implementing robust security measures, such as encryption and strong authentication, ensures that only authorized individuals can access your data.
  2. Safeguard Personal Privacy: Your personal information, including financial details and contact information, must be kept secure to prevent identity theft and intrusive privacy breaches. Protecting your data safeguards your personal and financial well-being.
  3. Maintain Business Continuity: For businesses, data loss or breaches can disrupt operations, leading to financial losses and eroding customer trust. A well-protected data infrastructure ensures seamless business continuity, even in the face of unexpected challenges.
  4. Compliance with Regulations: Many industries are subject to strict data protection regulations, such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA). Failing to comply with these regulations can result in legal penalties and damage to your reputation.
  5. Preserve Reputational Integrity: A data breach can tarnish your reputation, causing customers and clients to lose trust in your ability to protect their information. Protecting your data demonstrates your commitment to maintaining the highest ethical and professional standards.
  6. Mitigate Financial Loss: The fallout from a data breach can lead to significant financial repercussions. The costs associated with remediation, legal fees, and potential fines can be astronomical. Investing in data protection measures is a proactive approach to avoiding such financial strain.
  7. Foster Customer Trust: Customers are more likely to engage with businesses that prioritize their data security. Building a reputation for data protection fosters trust and strengthens your relationship with your audience.
  8. Prevent Intellectual Property Theft: For businesses, protecting sensitive data extends to safeguarding intellectual property, trade secrets, and proprietary information. A breach in this realm can lead to lost competitive advantage and market share.

In conclusion, the digital landscape is rife with threats, making data protection an essential aspect of modern life. By taking proactive steps to secure your data, you empower yourself or your business to thrive in a digital world while minimizing risks and maximizing peace of mind. Prioritize data protection today for a secure and promising future.

Share on your social media