‘Alarming’ Security Gaps Exposed in IBM i Marketplace Report
February 10, 2021 Alex Woodie
If you’ve ever met Ian Jarman, you’d know that the IBM Power Systems business unit executive for IBM Lab Services is not a man who gets easily excited. So when the longtime IBM Rochester executive said he was “alarmed” by the decided lack of basic security precautions in IBM i shops during the recent webinar to discuss the HelpSystems IBM i Marketplace Report, you might get the sense that something is quite wrong.
Once again, security was at the top of the list of top concerns of IBM i shops in HelpSystems’ annual survey and report, which is now in its seventh year. Seventy-five percent of the nearly 500 folks who participated in this year’s survey and report listed security as a top concern. That was down 2 percent from 2020, but it was up from 2019 (69%) and 2018 (72%).
“We’ve seen that security has been top of the list I think all the time that we’ve done this survey,” Jarman said during the webinar. “So there’s a very high interest in this. But the real challenge is actually implementing some of these security techniques.”
What caught Jarman’s steely eye were the percentages of IBM i professionals who have implemented, or are planning to implement, specific security protections in their IBM i environment.
“I was frankly quite alarmed at the fact that so few people have exit point security in place or privileged user management,” Jarman continued.
HelpSystems said 38 percent of survey respondents have exit point security in place (up 4 percent from last year) while 14 percent more say they’re planning to implement it (up 1 percent from last year). That leaves 48 percent of IBM i shops who apparently have no plans to implement exit point software.
Exit point software, available from HelpSystems and other IBM i security software providers, can monitor (and enforce, if desired) network traffic that comes into the system through exit points that IBM inserted into the operating system to enable Internet connectivity through protocols like FTP, HTTP, Telnet, ODBC, and JDBC. Exit points are a widely known vulnerability on the box because the traffic bypasses the menu-based security system that IBM relied upon to protect system integrity back when all applications were green screen. In the Internet world, menu-based security is an anachronism.
The situation is somewhat better on the privileged user management front, as the HelpSystems report found that 54 percent have implemented it (up from 49 percent last year), and another 14 percent say they’re planning to implement it (down from 16 percent last year).
But overall, the percentages of shops that have implemented various security capabilities — including antivirus software, SIEM or SYSLOG collection and monitoring, compliance and audit reporting, database encryption, multi-factor authentication, and secure managed file transfer — range from around 30 percent to 60 percent, meaning in any given category of security, a large chunk of the IBM i marketplace lacks core capabilities.
HelpSystems, through its PowerTech subsidiary, has been documenting the lack of security capabilities in the IBM i installed base for nearly two decades. This is not a new problem. But the lack of novelty doesn’t mean the situation has been resolved or has gotten any better. Sometimes it takes being jolted back to reality to realize how bad the existing situation has gotten, and to take the impetus and make the commitment to improve.
Jarman’s comments should be that wake-up call, the reminder that IBM i shops should take security more seriously before it’s too late.
“I think collectively, as a community, we need to focus more not just on the security capabilities that we have, but convincing executives in our companies that security is a challenge that we need to address together,” he said during the webinar. “I’m not surprised at these numbers because they’re not that different to last year. But I am concerned. I think many of the security experts — from your team from HelpSystems and Lab Services on the call today — are not surprised. But they’re also concerned that people are not addressing even some of the simple things that we have there.”
Tom Huntington, the executive vice president of technical services at HelpSystems and the host of the IBM i Marketplace webinar, acknowledged that the security situation must change.
“I think it’s the need to realize that IBM i can be vulnerable to attacks into your organization and that you need to have the proper things in place” to stop those attacks, Huntington said. “We just haven’t seen enough investment in this. And it’s a carryover, I think, from the fact that IBM i has just kind of always been known as that secure system to most people.”
Some of the bad habits need to change, including thinking about IBM i as a “secure platform.” In fact, it’s a “secure-able” platform. It’s a key difference, because it means that there is some work required on the part of the user to properly configure the server and eliminate well-known vulnerabilities, like the aforementioned exit point situation, not to mention default user passwords and lax governance of super-user user profiles.
“There’s a lot of things like All Object authority,” Huntington said, “that kind of thing where people just give ALLOBJ to everybody, so every user on the box has ALLOBJ security. That’s not security. You need to go through and look at those things and clean it up.”
Business leaders must be made aware of the lack of good security configurations in IBM i servers, especially in light of the increased security threat due to the COVID-19 pandemic and the work-from-home mandate, Jarman said. Internet access patterns on the IBM i server have changed dramatically, especially with users remotely accessing the server through VPNs. VPN access was by far the number one technology IBM i users used to adapt to the work-from-home mandate, with 59 percent of survey-takers reporting using VPNs, according to the HelpSystems report.
“It’s quite concerning that management underestimates security risk,” Jarman said. “There’s a group of people who underestimate this risk. This is why, I think, collectively, we need to put more focus on this because there are some skills challenges in this area. Although there are great tools from HelpSystems and others, and there are great skills in HelpSystems and Lab Services. But it’s really making sure that there’s a commitment to addressing even some of the basic areas of security.”
The security threat is real. Huntington recounted an experience where one of HelpSystems’ customers found IP addresses from China trying to access the IBM i server. They weren’t expecting to see the foreign IP addresses, but there they were, showing up in the exit point monitoring software.
“Thankfully they were using Unix-based user accounts against an IBM i database, so they weren’t working very well,” Huntington said. “But things like that happen.”