With IBM i Security, You Don’t Know What You Don’t Know
March 23, 2022 Ron Venzin
It is not enough to be worried late into the night about the security of your mission critical systems. The IT managers who are in control of the infrastructure at IBM i shops, who also have a lot of Windows Server infrastructure and a smattering of Linux and AIX systems, too, need to actually do something about security. And they have to do something more than just rely on the legendary security of the IBM i platform.
Security software for the IBM i platform has been around since the early days of the commercial Internet, and while a handful of vendors have grown to be reasonably large, well under 10 percent of the installed base has any kind of security on their IBM i systems that goes beyond the security baked into the platform by Big Blue. The reasons are twofold, we think, and we are going to do something about it so you can do something about it.
First, securing any kind of complex system is a nightmare. As the IBM i platform has gotten more complex, particularly with the addition of the Integrated File System two decades ago and with the addition of open source software a decade ago, that job has only gotten more difficult.
Most of the customers we do business with or interact with through our engagements simply do not have people with the skills to take on security. They just don’t. Tapping someone to be chief information security officer is a step in the right direction, but often the CISO comes from a non-technical section of the company and they are in way over their heads because they simply do not know what they do not know. It doesn’t matter if someone has a college degree in a technical field, or even a computer science degree, when you appoint them to the CISO position.
That technical background and bent of mind will help, to be sure. But someone who is an expert in compilers or application architecture or even systems management is not, by default, going to be an expert in system and application security. This background may increase your odds for success in securing your systems over the long run, to be sure, but remember this: Back in the old days, when data processing was new and there was not yet this field called information technology, companies put the head of accounting in charge of mainframes and minicomputers because they were automating the back office accounting functions first. A good accountant did not make a good programmer or systems architect, and that is why the industry created specialists – and university degrees expressing a base level of expertise – in information technology.
Lack of expertise is precisely how companies are being hacked from the outside, or attacked by ransomware, or worse still having data breaches or compromises by disgruntled employees inside the corporate firewall. Yes, the inside job absolutely happens, and if you don’t think it can happen to you, you are wrong. Hopefully fate won’t prove it to you, but playing the odds is not the same thing as beating them. Maybe you have beaten the odds so far, and good for you. But it is not smart to play the odds too long.
Appointing a CISO can make you feel more secure, and lots of companies are doing it. But the infrastructure in the datacenter is so broad, and so heterogeneous, that many CISOs do not – or cannot, given their backgrounds – understand the intricacies of the IBM i platform, its applications, and the supporting infrastructure of X86 servers and their software stacks, switches, routers, and firewalls (not to mention cloud variants of all this infrastructure) that make up a modern IBM i shop. And even if they do have expertise in a certain area – they know the IBM i platform well, for instance – they do not have the breadth or depth of knowledge that is necessary to secure the entirety of their hardware and software infrastructure.
So the first problem the IBM i base has when it comes to security is a lack of broad and deep knowledge of how to secure the entire stack.
The second problem is they have not realized that they need to spend money on security, and that it has to be a regular and proportionately significant part of the overall IT budget. You can tell how much someone takes something seriously by their behavior here. Use dental floss daily and you don’t have to get root canal down the road.
The good news is that the IT industry is re-evolving into a rental model after a few decades of ownership, and IT shops are coming to learn that renting hardware, software, and expertise – that latter bit is the important part – is a better and more economically efficient way of getting access to IT functions. We see managed services on the rise with core IBM i compute and storage capacity being available on the clouds, and security is the next place where managed services is going. Spreading the cost of security out over years on a monthly basis makes it easier to sell to upper management, and so does shifting it from the capital budget to operating expenses. But more importantly, sharing the deep expertise that managed service providers like Focal Point can bring to bear in managing and securing infrastructure – whether it is your infrastructure in your datacenter or our infrastructure in our datacenter doesn’t matter to us. We can do whatever you want, including your infrastructure in our datacenter or our infrastructure in your datacenter.
The fact is, there are very few IBM i customers who are doing security right. When companies get into trouble and they contact us, it usually gets scary because when they stumble across a security hole, it is usually a very big hole and they have gotten themselves into big trouble. And it is not because people are reckless, it is just that they have added a lot of software to their systems over the years and they have no experience in securing it. They didn’t know what they didn’t know.
Our philosophy is that every single company running the IBM i platform needs to have security, and for the vast majority of them, this will mean having a managed security service by an expert team put together by a company like Focal Point. We know what you do not know, and we are putting together a portfolio of security services, using well-established tools in the IBM i space, to remotely manage the security of the applications and data that are vital to your company.
We make this really easy, and affordable. And we can do it now.
Ron Venzin is chief executive officer at Focal Point Solutions Group.
This content was sponsored by Focal Point.