A Conversation With Carol Woodbury on IBM i Security
February 15, 2021 Dawn Winston
(Sponsored Content) Carol Woodbury has been a one of the most active and respected voices on IBM i security for decades. She is also an award-winning and internationally recognized speaker and writer on IBM i security. She has authored several books addressing IBM i security and is the only author with commercially available books dedicated to the topic.
Currently, Carol Woodbury is the president, chief technology officer and co-founder of DXR Security. Precisely’s product marketing director, Dawn Winston, had a virtual Q&A session where she had a chance to discuss Woodbury’s insights on the current state of IBM i security.
Dawn Winston: You and your long-time colleague, John Vanderwall, started a new company last year – DXR Security. Tell us a bit about what your goals were when starting this new venture.
Carol Woodbury: When John and I thought about going into business again, we wanted to make it practical for the IBM i community. In the past, we had been providing a lot of information to clients with a formal risk assessment. Unfortunately, we often saw no progress when repeating that assessments, a year later. I honestly think we overwhelmed people and they didn’t know where to start. So, we decided to take a different approach.
Rather than overwhelm customers with a multi-page report of every vulnerability, we’ve decided to focus on a few of the top vulnerabilities and provide very detailed instructions for addressing just one of those vulnerabilities. Our hope is that this format will be more ‘consumable’ and our clients will be more successful in addressing security on their IBM i partitions. Our tag line is “Security – one step at a time” and I think that explains our approach well.
Dawn Winston: We hear from customers all the time that they feel good about their IBM i security because the IBM i is a secure system. Do you find that companies underestimate the risks on their IBM i platform?
Carol Woodbury: Unfortunately, yes. I fought with IBM Marketing even before leaving IBM to stop saying IBM i (iSeries at the time) was secure. To be sure it’s secure-able but it’s not secure by default.
Dawn Winston: You are speaking with IBM i customers all the time. Once you get past the idea that IBM i is secure by default, what is the most frequent vulnerability you see customers leaving open on IBM i?
Carol Woodbury: Most organizations don’t secure their data. They think that since they don’t store credit cards or have other private information on their IBM i that they don’t need to bother. What people fail to consider is the vast amount of data stored on IBM i and what that data means to their organization – business decisions are being made based on that information and the business is assuming it will be accurate and available. Assembly lines and retailers run the business based on this data, etc.
It’s amazing all the business processes that run on IBM i – literally around the world – and I find it amazing that people fail to consider the business impact if that data isn’t accurate or available. I think many people just think something bad can’t happen to them and haven’t considered the business impact – that is, the cost of cleaning up after accidental errors.
Dawn Winston: What do you mean by “accidental errors”?
Carol Woodbury: I’ve pretty much stopped talking to people about attacks by hackers because many administrators dismiss it as “that can’t happen to us.” But when I start to talk about unintended data updates or deletions that happen because people have too much authority, well. . . everyone can relate to that.
Dawn Winston: Give us some examples, if you would.
Carol Woodbury: Sure. I’ve seen a production file updated when a developer intended to run an SQL against a test file. In that case, the application had to be stopped, the production file restored from backup and then brought up-to-date by hand. And until the application was up and running again, the people that would normally have been using the application were sitting with nothing to do. The developer didn’t mean to update the wrong file – obviously – but because he had more authority to production objects than he should have, it happened. A good security scheme would have prevented that situation and the business wouldn’t have suffered the outage.
Then there was the client that had a firewall change that opened their entire organization to the Internet. We were called to help them determine if their system had been breached. Clearly the person that made the change didn’t mean to expose the organization, but they did. That made the organization evaluating whether they had the technology in place that would help detect and prevent attacks should mistakes like this happen again.
Dawn Winston: We hear a lot about government regulations and compliance requirements across the world. It seems like there are new regulations or new modifications coming out all the time. Do you see the government regulations driving companies to make security purchases?
Carol Woodbury: If someone is actively striving to become compliant with a new or updated law or regulation, then yes. Otherwise, if they’re already compliant, they tend to move on to other projects.
Dawn Winston: So, if regulations are not the primary driver, what are the sorts of risks and vulnerabilities that drive customers to look for security solutions?
Carol Woodbury: IBM i shops will focus on security when they or one of their friends in the industry have been affected – by malware, for example. Or if they are written up by an auditor for not following a best practice or failing to review settings such as group profile membership. They will also be interested when the rest of their organization is implementing a technology such as MFA and need to implement it on IBM i.
Dawn Winston: Is there a particular security vulnerability that you find customers are most surprised about?
Carol Woodbury: To be sure, ransomware and other malware is the biggest risk today. Malware can and does affect IBM i through a mapped drive to a file share. The workstation is initially infected and then the malware marches through any drives the workstation has mapped – including an IBM i. Worse, it used to be that if you didn’t have any read/write shares you really didn’t have to worry about it. But today’s thieves are often exfiltrating (downloading) data prior to encrypting it. So now you have to worry about all file shares along with who’s authorized to the shared object, making sure you’ve secured the shares to reduce the risk of information being downloaded and posted on the Internet.
Regardless of whether their IBM i was infected, the cleanup after a malware attack is costly and exhausting. Even if the IBM i wasn’t infected, investigations often occur to ensure that was actually the case. Best to reduce the risk of having the system infected prior to any infection.
Dawn Winston: While no one has a crystal ball, what do you think is security trend that you see impacting IBM i customers in the next five years?
Carol Woodbury: I think the majority of installations are going to be in a cloud-hosted environment and technologies such as MFA and encryption are going to be vital in protecting access to the system and to the data itself.
Dawn Winston: You have been working with customers for years and have “seen it all” when it comes to IBM i security. If I asked you to recommend your most important security best practice for IBM i, what would you say?
Carol Woodbury: Secure your critical data! I’m a big fan of “multiple layers of defense” or you may hear it called “defense in depth.” IBM i has technology that you can use to implement many layers to protect your critical database files. Object level security is first and foremost. It’s my favorite simply because it applies to the object regardless of how the object is accessed. But beyond object level security there’s Row and Column Access Control (RCAC) that adds even more granularity as to who can see data as well as provides masking capabilities, FIELDPROC which allows you to much more easily implement field encryption as well as exit points as the outermost layer of protection.
Dawn Winston is product marketing director at Precisely.