Isn’t IBM i automatically secure?
IBM i is a fully integrated operating system that runs on an IBM Power Systems server. It’s an older technology, but one that remains popular for its robust security. Security is IBM i’s main feature.
Because IBM i is so robust and integrated, it takes very few staff to manage it. In many companies, the person in charge of the IBM i system isn’t even an IT specialist: they may be an accounting clerk or in a similar position. There are even stories of companies leaving their IBM i server completely unattended: one company lost track of their server and eventually realized a wall had been built over it.
An IBM i server is so robust, it can fix itself and keep running with little to no support from IT technicians. That’s a feature, but it also creates risks. With few people, and possibly no IT experts, watching over the server, the system can become outdated. Security exposures and risks can increase without the company realizing it. That’s especially true if a company assumes that their IBM i server is secure by nature, and doesn’t take steps to keep up with the latest security features and updates to protect their data.
Attacks on IBM i servers are infrequent, but if an IBM i server does go down, the consequences are disastrous. Many companies have their entire business on their IBM i server. If they lose it, they lose everything.
With so much at stake, it’s essential to make sure your IBM i server is protecting your data to the best of its ability. There are many new and old features of IBM i that companies don’t realize they can use to protect their systems. Here are the top five IBM i features that we recommend you start using today.
Top 5 secrets companies don’t know about IBM i
1. You can add Multi-factor Authentication (MFA).
More and more companies are seeking insurance for cyber attacks as ransomware attacks become increasingly common and increasingly expensive. The consequences of a successful ransomware attack can be deadly for a business, so obtaining insurance makes sense.
Insurers, however, now usually require multi-factor authentication (MFA) as a prerequisite to obtain insurance for cyber attacks.
Most people are familiar with multi-factor authentication (MFA) from logging into their bank’s online portal or a similarly secure site. When you enter your password online, you also receive a text with a passcode to confirm your identity.
What many companies don’t realize is that IBM i allows you to implement MFA directly through the operating system.
If you are seeking cyber insurance and need MFA, it is straightforward to begin using it. And if you are not seeking insurance for cyber attacks, we at R2i still highly recommend implementing MFA as a best practice for any company’s cybersecurity.
2. Immutable backups are supported.
There are three traditional pillars in cybersecurity: high availability, disaster recovery, and backups. But recently, a fourth focus has emerged: cyber resiliency.
While disaster recovery is focused on protecting your data from natural disasters or other catastrophic events, cyber resiliency describes your company’s ability to prepare for and recover from cyber attacks from bad actors.
A key part of cyber resilience is immutable backups. These are backups that can’t be changed by any user. This is essential, because ransomware attackers know to target backups. In most ransomware attacks, the attackers first destroy the metadata and indices related to your backups. That makes your backups unusable. Then when the ransomware attackers take down your system, you have no choice but to pay the ransom, since your backups are not accessible.
Immutable backups address this issue. Ransomware attackers aren’t able to modify or destroy them, so when you suffer an attack, you can still restore your data from those backups.
The good news? IBM i allows you to make immutable backups of your servers.
3. The Integrated File System (IFS) exposes you to risk.
In recent years, IBM has opened up the IBM i platform to receive Windows-like files through an Integrated File System (IFS).
IFS offers a lot of functionality, but it also opens up your company to risk. IBM i files are well-secured because their extensions can’t change. In a system like Windows, for example, a file can look like a text document, then change to an executable and attack your system. With traditional IBM i files, that’s not possible. But with the new IFS, IBM i is now vulnerable to more attacks of that nature.
There’s one main issue with IBM i’s IFS that many companies aren’t aware of. By default, the general public is able to read, write, and change IFS files. That means if any regular user gains access to your IFS, they can do whatever they want.
To protect your data, the solution is simple. Change the permissions of your IFS so that only the appropriate users can modify your files.
IFS opens a window into your IBM i system. A window can give you advantages – just make sure that you lock it.
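The permission change described above, sketched as CL commands. This is an added example, not R2i's own procedure; the directory `/appdata` and the group profile `APPGRP` are hypothetical names standing in for your own.

```cl
/* Added example. '/appdata' and APPGRP are hypothetical names.        */

/* 1. Review who is currently authorized, including *PUBLIC.           */
DSPAUT OBJ('/')
DSPAUT OBJ('/appdata')

/* 2. Let *PUBLIC list and traverse the root directory, but not        */
/*    create, rename or remove entries in it.                          */
CHGAUT OBJ('/') USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*NONE)

/* 3. Remove public access from the application directory and          */
/*    everything below it.                                             */
CHGAUT OBJ('/appdata') USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE) +
       SUBTREE(*ALL)

/* 4. Grant read/write data access only to the group that needs it.    */
CHGAUT OBJ('/appdata') USER(APPGRP) DTAAUT(*RWX) OBJAUT(*NONE) +
       SUBTREE(*ALL)

/* 5. Confirm the result.                                              */
DSPAUT OBJ('/appdata')
```

Run the review step first and test the changes on a non-production partition: applications that write directly into a directory you tighten will start failing with authority errors until their profile or group is granted access.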
4. Passwords can have rules.
IBM i allows companies to set rules for their users about password complexity. This has been possible with IBM i for several years, but many companies are still unaware of it.
For example, IBM i lets you enforce mixed characters by requiring every password to contain any three of the following: lower case letters, upper case letters, numbers, or special symbols. This makes passwords much more secure.
IBM i also lets you require users to change passwords every 30 or 60 days, another best practice for password security. Our experts at R2i highly recommend that you use both these features to make your passwords more robust.
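The two password settings above map to the QPWDRULES and QPWDEXPITV system values. The following CL is an added example, not R2i's own configuration; the minimum length of 10 is a sample value chosen for illustration, and 60 days is one of the two intervals the text mentions.

```cl
/* Added example. *MINLEN10 is a sample value, not from the article.   */

/* 1. Record the current policy before changing anything.              */
/*    Mixed-case passwords need password level (QPWDLVL) 2 or higher.  */
DSPSYSVAL SYSVAL(QPWDLVL)
DSPSYSVAL SYSVAL(QPWDRULES)
DSPSYSVAL SYSVAL(QPWDEXPITV)

/* 2. Require any three of: upper case, lower case, digits, special    */
/*    characters. Once QPWDRULES holds anything other than             */
/*    *PWDSYSVAL, the older composition values such as QPWDMINLEN      */
/*    are ignored, so the minimum length is restated here.             */
CHGSYSVAL SYSVAL(QPWDRULES) VALUE('*REQANY3 *MINLEN10')

/* 3. Force a password change every 60 days.                           */
CHGSYSVAL SYSVAL(QPWDEXPITV) VALUE('60')

/* 4. Confirm the new values.                                          */
DSPSYSVAL SYSVAL(QPWDRULES)
DSPSYSVAL SYSVAL(QPWDEXPITV)
```

The composition rules are checked when a password is next changed, so existing passwords stay as they are until they expire or are reset.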
5. Start Authority Collection can minimize authority levels.
One key principle of cybersecurity is to give each user the minimum amount of authority they need to do their job.
This can be difficult in practice, however. When a user needs to do something and encounters a security roadblock, it may be difficult to determine exactly which additional privileges they need. IT admins may save time by giving that user broad permissions so they can complete the task.
Over time, this leads to many users having much more authority than they truly need to do their jobs. But if the company tries to fix this data protection issue by reducing authority levels, they may end up breaking something in the system. Tasks can’t get done, and operations may be impacted. The company will usually stop trying to tighten their security in order to avoid those breakdowns.
IBM i’s new Start Authority Collection tool solves this problem. It creates a trace that tracks users as they do their jobs, so you can see exactly which permissions each user needs. Then you can reduce each user’s authority level with confidence, knowing that you’re giving them access to exactly the data they need.
Protect your data with security checks
Implementing the IBM i features above is highly recommended to protect your data. But there’s one more essential part of data protection that the R2i team recommends: security checks.
Since IBM i runs so well, too many companies take it for granted that it’s secure. But it is essential to review your IBM i server’s security.
There are three pillars to IBM i, and a security review should consider all three.
- System Values – System values set the rules for the entire system. For example, you can set a rule that everyone has to change their password every 60 days. This pillar sets a default level of security for the whole system.
- Users – People who can access your system are grouped into different types of users. General users have limited access. But superusers or administrators have high authority, and can override system-level rules.
- Objects – Objects are the data, programs, and source code that you’re protecting. Objects are protected by the system-wide rules, but you can also protect them individually.
If you imagine your IBM i server as a house, the system values are front door locks. The user rules determine who has keys to which locks. And the objects are specific rooms, which you can also lock down on their own for additional protection.
When doing a quick security review, companies sometimes only review the system values. But it’s important to consider all three levels. Here’s why. Take the example of requiring users to change passwords. Your IBM i may have a system-level rule that users must change their password every 60 days. This is a great way to protect your data. However, an individual admin may give themselves an override so they don’t have to change their passwords. This can be tempting for an admin to do, because changing their many passwords takes a lot of time. But if their password gets stolen, and you don’t have MFA, then your system is vulnerable to an attack.
This is why it’s essential to not only check your system-level rules, but also to check individual users and objects to make sure there are no loopholes. It’s also important to ensure that you have very few people with high-privileged accounts, and that none of them have left the company or dodged a rule.
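A review pass over all three levels, including the password-expiration override described above, could look like the following CL. This is an added example, not R2i's review procedure; the profiles `ADMIN1` and `FORMEREMP` and the library `APPLIB` are hypothetical names.

```cl
/* Added example. ADMIN1, FORMEREMP and APPLIB are hypothetical.       */

/* System values: confirm the system-wide expiration interval.         */
DSPSYSVAL SYSVAL(QPWDEXPITV)

/* Users: print password details for every profile holding *ALLOBJ     */
/* or *SECADM. In the report, an expiration interval of *NOMAX on      */
/* one of these profiles is the override the text warns about.         */
PRTUSRPRF TYPE(*PWDINFO) SELECT(*SPCAUT) SPCAUT(*ALLOBJ *SECADM)

/* Put an overriding profile back under the system-wide rule.          */
CHGUSRPRF USRPRF(ADMIN1) PWDEXPITV(*SYSVAL)

/* Disable a high-privileged profile whose owner has left.             */
CHGUSRPRF USRPRF(FORMEREMP) STATUS(*DISABLED)

/* Objects: list files in an application library that *PUBLIC can      */
/* access, then inspect any that should be restricted.                 */
PRTPUBAUT OBJTYPE(*FILE) LIB(APPLIB)
```

The two print commands write spooled reports; keep them from each review so the next one can be compared against it.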
A security check also gives you an opportunity to ensure that you’re following all security best practices. Since IBM i goes down so rarely, it’s easy to let security go slack. At R2i, we once encountered a company that hadn’t done a backup of their IBM i server in a year. IBM i is robust, but if that company had lost their server, they would have lost their entire business. Don’t take chances. Make sure to review your systems and follow best practices.
At R2i, we recommend reviewing your IBM i security twice a year. Your internal IT team can do the checkup, but it’s also valuable to have an external team like R2i review your system regularly. Outside experts have a new perspective and additional knowledge that help ensure your security review is as complete and valuable as possible.
Keep up with patches
During your twice-yearly security checkup, we recommend that you take the opportunity to patch your system. Patches keep your security and software up-to-date.
Sometimes, companies fall behind on patching their IBM i systems. In that case, it can be intimidating to do the patches, because catching up will require making many changes at once and may affect or even break some of your applications.
However, falling behind on patches leaves your company vulnerable to security risks. We recommend patching about twice a year. That way, you never have to make big changes that can cause problems.
Protect your data and IBM i systems with the help of experts
If you would like advice on how to implement the security features we describe here, or if you want to set up an external security review of your IBM i system, the R2i team can help.
Our IT experts have in-depth knowledge of IBM i security, and can help you choose how best to protect your data. We can work with your current system or guide you on your digital transformation.
Since R2i has a large team with diverse IT specializations, we can also do a complete security review that considers your entire IT system above and beyond your IBM i.
If you would like to have an R2i expert review your IBM i security, or if you have any questions about IBM i and protecting your data, simply contact us.