Glimpsing Hope in the IBM i Security Situation
April 6, 2022 Alex Woodie
These are dark days in the security business, thanks to the boom in ransomware, the looming threat of cyberwar with Russia, and the poor security of IBM i servers. But just as it’s darkest before the dawn, there could be some preliminary indications that the IBM i community is finally starting to wake up when it comes to securing their most important applications, systems, and data.
It’s hard to be optimistic in the face of repeated failures. When it comes to IBM i security, those failures have been well-documented in annual State of Security reports for nearly two decades by the folks at PowerTech, which is owned by HelpSystems.
For example, with last year’s report, which you can read about here, there was a sudden, large, and inexplicable increase in the prevalence of user profiles with ALLOBJ security among the IBM i systems that HelpSystems surveyed as part of its report.
ALLOBJ, of course, is the special authority that essentially grants users full access to the entire server, the equivalent of root access in industry standard servers. Robin Tatam, HelpSystems director of security technologies, said the sudden increase in ALLOBJ usage was “kind of mind blowing.”
There was a similar situation with exit points in 2021. While only 30 percent of the IBM i systems it surveyed were using exit points, according to the report, 70 percent of the systems using exit points had nothing in place to monitor them. This essentially gave cybercriminals and internal hackers the ability to come and go into the system via Telnet, FTP, ODBC, and other network protocols that IBM enables and protects via exit points.
There’s really no way to sugarcoat how bad the security situation historically has been on IBM i. Year after year, HelpSystems publishes the State of Security report, which showcases the particular security failures of this particular system. Next week, we’ll get a glimpse of the HelpSystems’ 2022 State of Security report.
If there’s one caveat to the poor state of IBM i security, it is the fact that the data in the HelpSystems State of Security reports reflect the hundreds of organizations that are concerned enough about their poor security that they permitted the vendor to assess their security configurations. That may point to the average IBM i shop in the real world having better security than the folks who volunteer their systems to HelpSystems. (Then again, it could just as easily be the opposite.)
One cannot fix something that one is not aware is broken in the first place. Raising the awareness factor is the basic first step that many in the IBM i security business are concentrating on today. So if being aware of bad security is the first step in eventually taking steps to fix it, then the data from another of HelpSystems reports — the IBM i Marketplace Study — shows that maybe, possibly, (hopefully) we’re starting to get on the right track.
Security was the number one concern of IBM i shops for the fifth straight year according to the 2022 IBM i Marketplace Study, which HelpSystems released in earlier this year. Specifically, cybersecurity and ransomware (which HelpSystems paired together for the first time) beat out other concerns, such as high availability/disaster recovery, modernizing applications, IBM i skills, and IT and business automation.
“IBM i is to me the most securable system on the planet,” Tom Huntington, the vice president of technical services for HelpSystems, said during the online presentation of the Marketplace Study “It’s just that, as administrators or developers, we maybe made some mistakes along the way when we configured our application or our objects on the system and what kind of security have.”
The report showed that about 20 percent of the IBM i shops that participated in the HelpSystems survey are looking to implement antivirus and ransomware protection sometime soon. “These are real threats to the platform unfortunately,” Huntington said. “Even IBM i is not totally immune to that.”
The ransomware epidemic has also spurred an increase in interest and adoption of multifactor authentication (MFA), which is being sought by 21 percent of survey participants, according to the Marketplace study. MFA provides stronger protections against unauthorized access to sensitive data and applications, and is being required in some cases by the providers of cybersecurity insurance, Huntington said.
The survey found 17 percent of participants were looking to adopt exit point security monitoring and management, the survey found. The same percentage is looking to adopt compliance and audit reporting solutions to help with new data regulations. Sixteen percent are looking at implementation database encryption for data at rest, and another 16 percent are looking at privileged user management, which can help alleviate all those user profiles with ALLOBJ authority.
The sorry state of IBM i security cannot go on forever. The data suggests that IBM i professionals are aware of the poor state of security on their boxes, and the C-suite is now paying attention to security thanks to the ransomware epidemic. And recent acquisitions of IBM i security vendors — such as Fresche’s purchase of Trinity Guard — give further evidence that investments are being made in solutions that can automate remediation of security problems.
With awareness building and better tools too, the table is set for the IBM i community to make some improvements on the security front. Will the general population show up for dinner?
You can sign up to attend a webinar on HelpSystems 2022 State of Security Report, which is taking place Tuesday, April 12, at 9 a.m. ET, at this link.