Meet IBM’s New Security Architect for IBM i
June 17, 2019 Alex Woodie
Security isn’t just a feature of the IBM i operating system. It’s a fundamental concept that all IBM engineers share as they go about their business building and maintaining the system that’s used by over 120,000 organizations around the world. But when it comes to bringing it all together, there’s one person in charge of ensuring the operating system is as protected as it can be: the security architect.
The security architect job has been held by several folks in the IBM Rochester lab over the years, including Patrick Botz, Carol Woodbury, and Jeff Uehling. Botz and Woodbury now work at HelpSystems, of course, and in late 2018, following Uehling’s departure to Syncsort, IBM promoted software engineer Timothy Mullenbach to the position.
Mullenbach has worked with the IBM i platform and its predecessors for decades. In fact, he worked with OS/400 while still enrolled at Minnesota State University – Mankato in the early 1990s, according to his LinkedIn profile. He joined IBM in 1999, and has worked on networking and security aspects of the IBM i platform in the Rochester lab ever since.
At the recent POWERUp meeting at Disneyland, IT Jungle got a chance to sit down and talk with Mullenbach about the security architect position, his views on IBM i security, and what we’ll see from IBM security-wise coming up next.
When IBM i 7.4 ships this Friday, the IBM i community will be able to see the results of Mullenbach’s work. There are two big security features in the new release: the new object-level view of authority levels in the Authority Collection, and support for TLS 1.3.
As somebody who wears two hats at IBM – security and networking – over-the-wire cryptography is absolutely core to Mullenbach’s interest. “I’ve been working on that TLS and SSL for 22 years, since we first had it on the platform,” Mullenbach said. “That’s my deep focus.”
Getting TLS 1.3, which was only ratified by the Internet Engineering Task Force in late 2018, into IBM i 7.4 is something that Mullenbach is rightly proud of. “There was not a lot of time here on the release cycle but it was good to get it into 7.4,” he said.
Don’t be surprised to see the IBM i community move quickly to adopt TLS 1.3, which is the latest and most secure form of over-the-wire encryption available, Mullenbach said.
“I think you’re going to see the pickup in the market a lot faster than we had with TLS 1.2,” he said. “There’s just so much more focus from the security standards board that they’re going to drive TLS 1.3 into those requirements sooner than ever before.”
Similarly, the early responses to the new object view of the Authority Collection have also been positive. “I’ve heard this week, one of the business partners said it was one of the greatest security things we’ve added in a long time from their perspective,” Mullenbach said.
Could there be another view added to the Authority Collection? “I’d say we’ll see what kind of requirements or feedback we get in the market here, when people get a chance to use it in 7.4, to see if we provided what they need or is there something more in that space,” he responded.
“We haven’t even GA’d 7.4,” added Alison Butterill, the IBM i offering manager, who was also in the meeting. “Security is one of those things that Tim and his team are very modest about. But Tim’s team does an excellent job of constantly viewing what is required. So I would expect there will be some additional things that come out, but we just don’t know what those are until people play with this and see what else is required.”
Mullenbach’s technical expertise is cryptography, but as the security architect for IBM i, he spends his time looking at all aspects of security on the box and managing a team of engineers to ensure that a high degree of security is maintained.
That means he spends time daily looking at the requests for new security features that come in through the various mechanisms (the LUG, CAAC, and RFEs), assessing those requests, determining which ones are worthwhile to pursue, and then allocating resources from his team to actually develop them. His day-to-day may also involve reviewing security bulletins (if not writing them).
The Internet is full of hackers, identity thieves, and enough malware to sink a ship. IBM i customers may be segregated from the worst of what the Internet can offer. What worries Mullenbach the most security-wise is when IBM i customers don’t apply security PTFs.
“We have issues where customers don’t load the PTFs and the fixes as soon as we put them out, and that, I’d say, is their biggest risk,” he said. “We’ve published a security bulletin and their maintenance schedule has them six months out before they’ll put it on. We get it to them as quick as we possibly can.”
Short maintenance windows are nothing new, but the problem has gotten worse in recent years, according to Dave Nelson, a director at IBM Rochester (who was also in the meeting at Disneyland).
“We hear from larger customers who have hundreds and hundreds of production LPARs,” Nelson said. “That’s something that’s changed from 30 years ago. We did have partitioning but we didn’t have hundreds and hundreds of LPARs around the world and then trying to find a maintenance window to apply critical updates.”
Mullenbach sees a potential solution to this dilemma in Db2 Mirror, another major new feature in IBM i 7.4, and one which was spearheaded by another relatively young IBM Rochester engineer named Kris Whitney.
“When you are active-active, you can bring one down and apply the PTFs and bring it back up,” Mullenbach said. “I see that as another way for our customer to put security PTFs on faster so that they don’t have to wait so long.”
Security is always a big deal to security professionals. That’s the nature of the job. But security hasn’t always been something that keeps regular IBM i customers up at night. Many customers are aware that IBM i is one of the most secure platforms on the planet. That could be why so many customers have done so little to secure their applications and data once they take the server out of the box.
But that mentality is slowly changing, according to Mullenbach.
“I would say in my 20-plus years of paying attention, that you’re having a lot more people actually paying attention and caring about security,” he said. “If you go back 15 or 20 years, they didn’t care what TLS protocol version they were running. They probably weren’t even running encryption. They were running unsecure Telnet, or things like that. Some of those named vulnerabilities in the last five-plus years have a lot of different people paying attention that weren’t paying attention before.”
Editor’s note: This article has been corrected. Carol Woodbury is employed by HelpSystems, not Syncsort, as the article originally stated. IT Jungle regrets the error.