• The Four Hundred
  • Subscribe
  • Media Kit
  • Contributors
  • About Us
  • Contact
Menu
  • The Four Hundred
  • Subscribe
  • Media Kit
  • Contributors
  • About Us
  • Contact
  • 3 Takeaways from the 2021 PowerTech Security Report

    April 14, 2021 Alex Woodie

    PowerTech tomorrow will officially release its report on the state of IBM i security, which will be the 18th straight year it has published aggregated data collected from security scans of actual IBM i machines. We caught up with the report’s author, HelpSystems Director of Security Technologies Robin Tatam, for a quick preview.

    Tatam and Sandi Moore, HelpSystems principal security consultant, will share the full results of the PowerTech security study in two webinars tomorrow, including one at 8 a.m. CT and another at noon CT. You can find more information about these free events and register to attend at this link.

    In the meantime, Tatam teased us with three findings from the report. Two of the findings are cause for alarm, while one of them gives us a glimmer of hope.

    1. ALLOBJ Authority Widens

    In years past, the number of user profiles with all object (ALLOBJ) authority was in the middle of the pack in relation to the seven other special authorities on the IBM i system. This year, for whatever reason, ALLOBJ surged ahead and was the second most popular special authority, behind Job Control.

    The average IBM i shop had more than 300 user profiles with ALLOBJ, which Tatam said was “kind of mind blowing, considering what a privileged account authority that is.”

    “Out of the eight special authorities, that is by far the most critical one,” Tatam added. “It’s one people seem to have some level of concept of, ironically. At least they know it’s a bad thing, when a user has it and doesn’t need it. So for there to be over 300 on each box is an interesting twist over prior years.”

    In PowerTech’s 2020 State of Security report, the average number of users with ALLOBJ authority was 159. The figure has nearly doubled in the past year, and Tatam is stumped as to the sudden increase.

    “I don’t really have a hypothesis on why,” he said. “There tends to be a disregard in the IBM i community based on, hey the system is secure, hey the system is inside firewall — all the traditional things we have espoused during the conversations and documentation that we put forth.”

    1. Exit Points Failures

    The study found that 30 percent of the IBM i systems scanned were using at least one exit point program. However, 70 percent of them were not using any programs to monitor what was going on with the 27 exit points on the system, which provide external access to IBM i data via FTP, Telnet, ODBC, etc.

    Having one exit program is nice. It shows some level of investment and concern. But the story gets a little more distressing when PowerTech looked at the percentage of IBM i systems that cover all of the “standard exit points,” which is basically everything but the socket exit point that IBM introduced a few years ago. When an IBM i shop has all of the standard exit points covered, that usually means they are using a network security product, such as the one from PowerTech, Tatam said.

    “When we say that every standard exit point has to be covered, we have a 13 percent success rate,” he said. “When we up the ante and say someone invested money in this, we go from 30 percent success rate to 13 percent.”

    In other words, 87 percent of IBM i systems scanned for the 2021 security study are basically wide open. That is a distressing statistic, to say the least.

    “Exit programs are doors that are attacked the most frequently,” Tatam said. “And as we can see, they are the doors that are least protected.”

    Level 40 Victory

    However, it was not all doom and gloom for the PowerTech report (it was mostly doom and gloom, but not all). The study found the “vast majority” of IBM i systems were using Level 40 security. That was a “positive,” Tatam said.

    Running an IBM i server at Level 40 is good because it influences what the default security settings are, Tatam said.

    “So if you create a new user account at level 20 or level 40, it will either be given ALLOBJ or not by default,” he said. “It also influences the integrity of the operating environment. At level 40, there are a whole bunch of things that come into play under the covers.”

    For example, you can’t run a job with somebody else’s permissions at security level 40, but you can do that at security level 30. The operating system will log it as a violation, and then allow it to happen anyway, Tatam said.

    However, running at security level 40 or higher isn’t a panacea.

    “I can have a level 40 or 50 machine that looks great on paper but is running effectively like a level 20 machine,” Tatam said. “If I give all my users ALLOBJ [on a level 50 machine], I’m effectively running a level 20 machine. A lot of people don’t see the nuances of how the synergy between these different attributes adds up to the overall security stance.”

    Head Vs. Wall

    As previously stated, this is the 18th straight year that PowerTech (now HelpSystems) has put this study together. We have covered all of those reports here at IT Jungle. There is rarely any good news that comes out of the security report.

    Like Bill Murray’s character Phil Connors in the 1993 classic “Groundhog Day,” PowerTech and HelpSystems security experts seem to be stuck in a rut, saying the same things, year after year after year.

    So rather than continue to beat his head against the wall on the security question, Tatam is taking a new approach this year.

    “This is the 18th study that has been done with arguably very similar issues across the board. And so I have to figure out a way to get that message to resonate more to the point where people do something about it,” he said.

    “What I’d like to do is help people transition from what we’re telling as a story into a state that is more manageable,” Tatam continued. “We’re over 30 years into the IBM i DNA at this point. We’re not going to fix this overnight. But what can be worked on? What can be mitigated What are the easy low-hanging fruit items, things like default passwords?”

    When an IBM i professional realizes the extent of security misconfigurations in their systems, it can be overwhelming. Tatam wants to help that professional get past the state of frozen fear and moving in a positive direction. The way he intends to do that is by starting small by suggesting a few action items, and going from there.

    “The intent with the report that the customer walks away with is theoretically not to be too overwhelming,” he adds. “Just give them an at a glance view of these are areas that might be eligible for improvement and kind of ease them into it.”

    Hopefully it works. Because after nearly two decades, these IBM i systems are still wide open.

    RELATED STORIES

    Security Gaining Attention On IBM i, But More Progress Needed

    IBM i Data Vulnerable, Security Report Says

    State Of IBM i Security: Seven Areas That Demand Attention

    State of IBM i Security? Still Horrible, After All These Years

    State Of IBM i Security? Dismal As Usual, PowerTech Says

    State Of IBM i Security Remains Poor, PowerTech Says

    Share this:

    • Reddit
    • Facebook
    • LinkedIn
    • Twitter
    • Email

    Tags: Tags: HelpSystems, IBM i, PowerTech

    Sponsored by
    ARCAD Software

    Embrace VS Code for IBM i Development

    The IBM i development landscape is evolving with modern tools that enhance efficiency and collaboration. Ready to make the move to VS Code for IBM i?

    Join us for this webinar where we’ll showcase how VS Code can serve as a powerful editor for native IBM i code and explore the essential extensions that make it possible.

    In this session, you’ll discover:

    • How ARCAD’s integration with VS Code provides deep metadata insights, allowing developers to assess the impact of their changes upfront.
    • The role of Git in enabling seamless collaboration between developers using tools like SEU, RDi, and VS Code.
    • Powerful extensions for code quality, security, impact analysis, smart build, and automated RPG conversion to Free Form.
    • How non-IBM i developers can now contribute to IBM i projects without prior knowledge of its specifics, while ensuring full control over their changes.

    The future of IBM i development is here. Let ARCAD be your guide!

    Watch Now

    Share this:

    • Reddit
    • Facebook
    • LinkedIn
    • Twitter
    • Email

    Four Hundred Monitor, April 14 IBM Unveils New and Improved IBM i Services

    Leave a Reply Cancel reply

TFH Volume: 31 Issue: 29

This Issue Sponsored By

  • Maxava
  • Fresche Solutions
  • ARCAD Software
  • UCG Technologies – Vault400
  • RPG & DB2 Summit

Table of Contents

  • Query Supervisor Gives Database Engineers New Power
  • IBM Unveils New and Improved IBM i Services
  • 3 Takeaways from the 2021 PowerTech Security Report
  • Four Hundred Monitor, April 14
  • IBM i PTF Guide, Volume 23, Number 15

Content archive

  • The Four Hundred
  • Four Hundred Stuff
  • Four Hundred Guru

Recent Posts

  • Liam Allan Shares What’s Coming Next With Code For IBM i
  • From Stable To Scalable: Visual LANSA 16 Powers IBM i Growth – Launching July 8
  • VS Code Will Be The Heart Of The Modern IBM i Platform
  • The AS/400: A 37-Year-Old Dog That Loves To Learn New Tricks
  • IBM i PTF Guide, Volume 27, Number 25
  • Meet The Next Gen Of IBMers Helping To Build IBM i
  • Looks Like IBM Is Building A Linux-Like PASE For IBM i After All
  • Will Independent IBM i Clouds Survive PowerVS?
  • Now, IBM Is Jacking Up Hardware Maintenance Prices
  • IBM i PTF Guide, Volume 27, Number 24

Subscribe

To get news from IT Jungle sent to your inbox every week, subscribe to our newsletter.

Pages

  • About Us
  • Contact
  • Contributors
  • Four Hundred Monitor
  • IBM i PTF Guide
  • Media Kit
  • Subscribe

Search

Copyright © 2025 IT Jungle