The Three Challenges To Securing Your IBM i Platform
July 28, 2021 Timothy Prickett Morgan
Whenever you have to tackle a complex problem, it is best to break it down and then figure out a way to take on the most important and impactful issues first. And when it comes to securing the IBM i platform, nobody knows better than Carol Woodbury, president and chief technology officer at DXR Security, about how to take this “securable” system and lock it down.
Woodbury spent 16 years at IBM from 1984 through 2000, rising to become security team leader for the AS/400 platform and eventually becoming chief engineering manager for security for the platform. After leaving Big Blue, Woodbury was president and co-founder of SkyView Partners, which created security administration and compliance software for the IBM i, AIX, and Linux platforms as well as offering managed services for security. SkyView was sold to HelpSystems in the summer of 2015, and Woodbury stayed at the company until last year, when she and her long-time business partner, John Vanderwall, had the urge to create a different kind of security company and founded DXR Security together. (We did an interview recently with Vanderwall, which you can see here, about some of the common perceptions and misperceptions of IBM i security and how companies can – and should – take a more inclusive, comprehensive, and integrated approach to securing their various platforms.)
At the end of June, Woodbury hosted a webcast in conjunction with Precisely, which you can view in its entirety here, that took a slightly different angle in discussing the priorities that companies should have when securing the IBM i platform in particular. The approach she discussed is known as “defense in depth,” and it means implementing multiple IBM i technologies and techniques to detect or prevent accidental errors, malware, and malicious attacks from compromising your IBM i systems and possibly releasing sensitive information into the world.
As an example of what not to do, Woodbury talked about how the Colonial Pipeline was hacked and subjected to ransomware, which in turn messed up the gasoline supply on the East Coast of the United States for more than a week. And this is a perfect example of why multiple layers of defense – not just a plain vanilla user name and password – are necessary to ensure only the right people or applications get access to data on your IBM i platform.
“If you look at the anatomy of how the Colonial Pipeline attack occurred,” explains Woodbury, “its initial access into the network at Colonial was via a VPN connection that did not use multifactor authentication and it was using a user ID that was not in use – it was an old user ID – but it had not been deprovisioned, and they think, although they can’t prove it, it was using a password that had been stolen and posted on the dark web.”
And in this case, the layers that might have prevented the attack are:
- Educate users, and make sure they don’t use the same passwords everywhere.
- Manage the passwords on the system, meaning enforce policies that make passwords change regularly – even for service accounts.
- Manage profiles, and delete or at least disable inactive profiles.
- Require multifactor authentication.
Any one of these techniques would have prevented the initial access, and having several layers increases the odds that if something goes wrong somewhere, another layer will block access.
Protecting the data itself is also important. Once someone gets in, there are ways to make sure that they can’t mess with data. On the IBM i platform, Woodbury recommends:
- Implementing object level security on critical data.
- Reducing the number of users with *ALLOBJ special authority.
- Using row and column access control (RCAC) to implement additional privileges for the Db2 for i database management system.
- Encrypting critical data.
- Using exit point software to log access to applications and data or further restrict access to applications and data.
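As an added illustration (not from the webcast or from DXR Security), two of the layers listed above, disabling inactive profiles and reducing the number of users with *ALLOBJ, can be audited from SQL on the system itself using the QSYS2.USER_INFO view in IBM i Services. The 90-day inactivity cut-off is an assumption to be replaced with your own policy, and the second query only follows the primary group profile, not supplemental groups.

```sql
-- Added example: audit queries against the QSYS2.USER_INFO catalog view.
-- Run under a profile with enough authority to see every user profile.

-- 1. Profiles that are still enabled, can sign on with a password, and have
--    not been used in the last 90 days (assumed threshold) or have never been
--    used. These are candidates for disabling or deletion.
SELECT authorization_name,
       status,
       previous_signon,
       last_used_timestamp,
       password_change_date
  FROM qsys2.user_info
 WHERE status = '*ENABLED'
   AND no_password_indicator = 'NO'
   AND (COALESCE(last_used_timestamp, previous_signon) IS NULL
        OR COALESCE(last_used_timestamp, previous_signon)
             < CURRENT TIMESTAMP - 90 DAYS)
 ORDER BY COALESCE(last_used_timestamp, previous_signon);

-- 2. Profiles that hold *ALLOBJ, either directly or through their primary
--    group profile. Each row is a user to review against the goal of keeping
--    this list as short as possible.
SELECT u.authorization_name,
       u.status,
       u.user_class_name,
       CASE
         WHEN u.special_authorities LIKE '%*ALLOBJ%' THEN 'DIRECT'
         ELSE 'VIA GROUP ' CONCAT g.authorization_name
       END AS allobj_source
  FROM qsys2.user_info u
  LEFT JOIN qsys2.user_info g
    ON g.authorization_name = u.group_profile_name
 WHERE u.special_authorities LIKE '%*ALLOBJ%'
    OR g.special_authorities LIKE '%*ALLOBJ%'
 ORDER BY u.authorization_name;
```

Service accounts that never sign on interactively will surface in the first query when they are genuinely unused, which is the case the deprovisioning layer is meant to catch.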
How many layers of defense are enough? Well, you have to ask yourself this question: What is the cost to your company if your data is corrupted, unavailable, or stolen?
To find out more about how you can implement a rock-solid IBM i security plan, you are going to have to tune into the webcast, which you can do at this link. Woodbury says a lot more than this outline suggests, and you can learn something and start tackling your security issues so your platform is ready for the Wild West of the 21st Century Internet.
This content was sponsored by Precisely.