Feeling Insecure About The Weak Security At Most IBM i Shops
February 8, 2021 Timothy Prickett Morgan
It is always a wonder to us that, in this day and age, every IBM i shop, which is by definition running mission critical workloads, is not using high availability clustering of systems in their datacenter, disaster recovery and failover of some type or another to a remote site, and supplemental security to lock down those parts of the system that are not, by default within the IBM i platform, locked down.
It’s a bit of a mystery. Of the 120,000 to 150,000 unique customers running IBM i platforms in the world, maybe 20,000 have some sort of HA/DR and maybe 10,000 have supplemental security. We want to understand why, after decades of exit point security as well as security add-ons to cover the Integrated File System, a variant of the OS/2 High Performance File System that IBM brought onto the platform to make it speak ASCII and SMB way back in 1995. We wanted to get a better understanding of the security situation, with somewhere between 6.7 percent and 8.3 percent of the installed base having security add-ons for exit points and IFS, so we had a chat with Tony Perera, co-founder and president of Trinity Guard, who has a long and complex history in the IT sector and who can give us some insight.
Perera, who is from Sri Lanka, started his career at IBM developing the Employee Trust Fund System for that country, which is akin to the applications that run the Social Security Administration here in the United States. He then went on to be a programmer analyst at United Overseas Bank and at application developer FISERV, including porting a Unix-based banking system to OS/400. In July 1999, Perera joined PentaSafe and was one of the key developers of the set of security products the company had, which were acquired by NetIQ, which was acquired by Attachmate, which was acquired by Novell, which was finally spun out into Micro Focus. Back in the day PentaSafe had three employees and was doing security products for OS/400, but today, Trinity Guard is a 15-person company, with a dozen of them – including Perera – working in programming, QA, product management, and such and only three of them working on sales. Perera has seen security from the side of the customer and from the side of the vendor, and offers some good perspective on why security add-ons are not ubiquitous in the IBM i realm, but why they should be.
Timothy Prickett Morgan: What’s different about security today compared to 20 years ago or even 10 years ago? What do people worry about more? Is it getting any easier, or is it just getting worse and you guys can’t keep up with providing enough tools and customers can’t keep up with the threats?
Tony Perera: Even 20 years ago, IBM had the features in OS/400 that let us create the security tools. Our biggest seller is our network security module, which is our exit point solution, which was in some form two decades ago – and people were slow to get on board on that.
And 10 years ago, IBM converged down to one Power Systems hardware platform, which was going to host multiple operating system platforms. A neglect I saw at that point is where you can host all these operating systems – AIX, Linux, and IBM i – and you also have the Hardware Management Console, which is actually running Red Hat Enterprise Linux, and here companies are just focusing on IBM i and not all of the other components which are actually not IBM i hosted. So you need to be aware of all of this and you need to be monitoring all of that.
I’m on the ISV council and there has been a gradual change by IBM to totally focus on the Power Systems, and IBM is a part of Power Systems. This is the messaging.
TPM: That’s exactly right. I don’t think IBM i is treated badly. It’s just not treated differently from AIX or Linux.
Tony Perera: It has been treated pretty well so far. But it’s just another OS that runs on the Power Systems is what it’s coming to. By the way, I love the IBM i platform and I hope I die coding on IBM i.
TPM: Well, I hope not any time soon! [Laughter]
Tony Perera: No, no, no, no, no. [Laughter]
But seriously, in the past 10 years, IBM i was isolated, everybody thought it is a closed system, you don’t have to worry about outside threats. Not any more. I have dealt with companies who got their ransomware bill. Hackers don’t care when they come into the network and you have the IFS directory, which looks like a Unix directory to all hackers. They will penetrate and attack. So I see again and again that people neglect the IFS. I meet a lot of customers who have done nothing. They don’t even know their security settings on the IFS, which is kind of scary. And that is the most risky area currently, in my opinion.
TPM: So how are people actually managing security on this platform? The threats seem to be worse than ever. And let’s be honest here, how many customers buy supplemental security software?
Tony Perera: We have about 1,000 customers and let’s say 10,000 worldwide have some kind of security solution from us, HelpSystems, whoever. That’s it. And if you don’t have an exit point monitor, you don’t even know you have been hacked because the IBM i does not have the capability of showing you people connecting remotely. So that is one big threat. And again, data might be stolen and you don’t even know.
People could have secured this ten or fifteen years ago because exit point solutions existed. And I think a lot of customers are not even aware that they have even been breached because they do not have a mechanism to capture that breach.
The other big issue here is open source. I mean, I love what IBM has done with open source, and I think that is helping to keep the IBM i platform alive for many, many more years. But with that open source software, a new risk has come, because what the traditional exit point solutions don’t cover is the socket layer. IBM has recently introduced a socket layer exit point, and again, we now cover that. This is important because a lot of open source software runs in the PASE AIX runtime environment and if you are not actively monitoring connections and blocking the ports, you have the same exit port issue.
TPM: Who are the customers who tend to shell out the extra cash for security tools like those from Trinity Guard? I mean, there’s a lot of sensitive information on IBM i platforms and a lot of transactions run through them. A lot of big customers are in the financial services sector and healthcare sector, around the world, and they have very sensitive information that hackers might try to get. What about Trinity Guard customers in manufacturing, distribution and retail?
Tony Perera: As you might expect, we are mainly in the banking and financial sector so far. We have some healthcare and manufacturing customers, but our penetration in insurance is low. We have a lot of local government customers, too.
TPM: Here is the key question I want to understand. Why aren’t many, many more companies buying your software or that from your competitors? Why is this not on 85 percent of primary IBM i systems? What is the barrier to adoption? Is it money? Is it that companies think that they are secure? Do they think a firewall is enough? I have had a firewall and intrusion detection on my PC for decades, so why not on much more important critical systems like those running on IBM i shops?
Tony Perera: So, again, this is my opinion.
TPM: That’s the one that matters, Tony. [Laughter].
Tony Perera: Believe it or not, there are a lot of people who are not aware of the risk, even now. After all of these years. That’s the first thing.
Also, implementing an exit point solution is not always easy at first. You have to create the proper rules, and sometimes customers don’t want to go through the trouble of doing that. We have some customers who have our exit point tool, and they are just monitoring the data and they’re not creating rules to block people from coming because it can become a nightmare trying to manage all the rules of who can access from outside and all that. So, initially you need a person who is going to do that.
Money comes next as a barrier, but in the long run, I think money should be a no brainer. The return on investment should be far greater than having a security breach.
When we started rewriting the stuff from PentaSafe to Trinity Guard, our goal was to try to make it more user friendly, to make it more manageable. So managing firewall rules is akin to what you’re doing when you are managing an exit point solution.
TPM: And going to the cloud can’t fix this particular type of security issue because you have to understand who the users are and what applications they need to set up these rules, which would have to be the same if you are on-premises or in the cloud.
Tony Perera: Going to the cloud increases the chances of getting hacked. You have to be more cautious. Right. And I think some of the cloud providers tell customers they have a firewall, which is great but it is not enough. Again, this is the education part of our job at Trinity Guard. Anybody can have an extensive and expensive firewall, but if you are not protecting the data once it’s on the IBM i, that’s a huge problem. If you don’t know what’s happening, you don’t know what’s happening. It’s that simple. And that scary.