It’s Time For Security Administrator Roles At IBM i Shops, Skyview Says
September 16, 2013 Alex Woodie
It’s time for system administrators to give up security-related tasks and hand them over to dedicated security administrators in IBM i shops, says Skyview Partners. While the jack-of-all-trades approach has succeeded in keeping costs down, the risks of losing data are becoming too great to rely on the skills of a generalist, says the company, which just published a new guide describing the role of an IBM i security administrator.
“Security administration can no longer be lost in the list of things that a system administrator is supposed to do on a regular basis,” says Skyview president Carol Woodbury, a renowned IT security expert and former security architect at IBM for the AS/400 (now IBM i) server.
“IBM i administrators do a bit of this and a bit of that,” she continues. “Unfortunately, for whatever reason, security administration is one of those tasks that quite often falls off the list. The effect is that the risk to the system and data is increasing because security administration–from our experience–is not being performed.”
Woodbury’s colleague, Skyview CEO John Vanderwall, agrees. “While systems administration is a well-founded discipline and it’s easy to define what a systems administrator is supposed to do, that is not the case for a ‘security administrator,’” he says. “Oftentimes security administration is just another task on the ‘to do’ list of the systems administrator. What we’ve discovered is that security administration is pretty far down on the list, mostly because system admins aren’t quite sure of what they should be paying attention to. Sure they know some basics, but in reality it’s the details that count. The old adage that the ‘devil is in the details’ seems to apply here.”
Woodbury’s and Vanderwall’s observations are backed up by years of security studies performed by PowerTech, where Woodbury also used to work. Year after year, PowerTech publishes annual State of Security reports that demonstrate the dismal state of security on the IBM i platform. In most cases, the problems come down to using incorrect configurations. In many cases, IBM i shops never change the default settings, opening up rather large gaps in security on production systems.
SkyView hopes to address that problem with its new e-book, called the IBM i Security Administrators Guide. “Some people administering the system have been trained to run the system but not attend to security,” Woodbury continues. “So we’re trying to raise the awareness that security administration needs to occur. In light of the fact that not everyone is trained, or it’s not something they do every day… we’ve provided this e-book to explain what should be accomplished by the person whose job it is to perform security administration.”
Skyview took it upon itself to describe the security administrator’s role and the specific tasks that need to be performed on the IBM i server. “This book is a quick read intended to get to the heart of the matter, giving very specific guidance and help to companies so that security is properly addressed on the platform,” Woodbury says.
Introducing the security administrator role to an organization doesn’t necessarily mean it needs to hire a new employee to take that role. It can be performed by an existing member of the IT staff, or even by an outside consultant. (SkyView provides such services, by the way.) The important thing is that more emphasis needs to be placed on the job of the security administrator. That means more time is allotted to it and (yes) more money is spent ensuring that the job is getting done.
It will be a tough sell. IBM i organizations are notoriously tight with the purse strings, and the Great Recession has only solidified their approach to getting much more out of their IT staffs than shops running Windows and Unix servers do. However, the writing is on the wall. Just as it’s becoming clear that IBM i shops may be best served by hiring dedicated database administrators (DBAs) to oversee the handling of data, it’s also become clear that security isn’t something to mess around with.
SkyView has seen its share of security horrors at its customer shops, which it will never discuss publicly (despite the best efforts of nosey reporters). However, the company will share general observations about what it’s seen through its Security Check-up security assessment services.
“In some cases, we have discussed vulnerabilities that we discovered and then the next year, we discuss the same vulnerabilities,” Woodbury says. “Things like profiles with never-changing passwords, inactive profiles that remain available for use, IFS directories that need to be secured, etc. They know they need to address the issues–they have intentions to do it each year–but it never gets done.”
It’s time to get them done.
To download the IBM i Security Administrators Guide, go to Skyview’s website at www.skyviewpartners.com.