Security Checklist for IBM i Systems

For the past three years, Precisely has annually surveyed IT professionals who are responsible for IBM i systems at their companies. When respondents were asked to indicate their organization’s top five IT priorities for the coming year, IBM i system security came up as the most-selected priority for the second year in a row.

Respondents also expressed a drop in confidence that their IBM i security programs could prevent a breach. While IBM i systems have historically been regarded as highly secure, more and more companies are realizing that without proactive security management, any system is at risk. In other words, IBM i systems are securable, but not necessarily secure by default.

For most respondents to the Precisely survey, the key challenges cited were regulatory compliance, securing data integrated with other platforms, and maintaining security expertise and training throughout an organization.

Top IBM i security challenges

Data privacy and security have appeared frequently in the headlines of the past decade or more. No one wants to be at the helm when a high-profile breach occurs at their company. The considerable legal and reputational consequences are obvious.

The regulatory environment is getting even more challenging, though. Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have imposed stringent new requirements, with potentially severe penalties for noncompliance. Add that to existing SOX regulations, HIPAA, and a host of other regulations, and it adds up to significant challenges, many of which directly impact integration scenarios, record retention, and data sovereignty.

At the same time, the need for secure, robust data integration has increased and will continue to grow. In Precisely’s survey, the adoption of cloud services was ranked high among the security challenges faced by this year’s respondents, followed by the need to secure data from new sources.

Here are some key steps to ensuring sound security practices for your IBM i system.

1. Begin with best practices for IBM i systems

Of the executives that responded to this year’s survey, 42% said that their company has experienced at least one breach throughout its history. Thirty-one percent of breaches were attributed to internal staff members or contractors. Best practices for IBM i systems can help an organization to harden itself against most common attacks, including those that come from the inside.

Some of the most important practices include:

• Encrypting all communications with TLS 1.2 or higher.
• Limiting special authorities (particularly “All Objects” authority, but all special authorities should be assigned only when needed).
• Avoiding sharing Root, or if absolutely necessary, making it read-only and creating it as a hidden share by appending “$” to the share name.
• Applying object-level security rather than relying on menu-based restrictions.
• Running QSECURITY at level 40 or higher.
• Ensuring that new user profiles are created from scratch (or from a template) rather than copying an existing user profile.
• Eliminating the use of default passwords throughout the system. Testing for the use of default passwords is often a hacker’s first line of attack.
• Requiring that all user passwords (including Admins) be changed on a regular basis.
• Ensuring that audit controls are turned on (QAUDCTL), and that audit logs are retained so that vulnerabilities can be investigated thoroughly.
• Ensuring that the Guest Profile is not assigned to the NetServer by setting “Guest user ID” to a blank value in NetServer properties settings.
• Setting “Limited Capabilities” (LMTCPB) to “YES” for most users. If this value is set to “NO” (as it is by default in “Create User Profile” (CRTUSRPRF), it allows users to execute commands via a command-line.

2. Data security begins with data governance

Data governance encompasses all aspects of effective data management throughout an enterprise, including security. When we say that data security begins with data governance, we mean that security simply cannot be viewed in isolation. Data security, availability, consistency, and integrity are closely interrelated, particularly when in the area of integration between IBM i systems and external data sources.

The importance of securing data shared with external sources was a top concern in this year’s Precisely IBM i Security Insights survey. According to respondents, 20% of breaches resulted in the theft of unencrypted data. Systems, processes, and policies must be in place to quickly detect a security event. In addition, systems must be capable of supporting regular, in-depth security audits, and organizations must conduct such audits on a regular basis.

A comprehensive approach to data governance implies that organizations must see themselves as stewards of corporate data, not simply as gatekeepers whose job is to keep hackers at bay. That means having a robust data quality program in place alongside enterprise-grade integration tools designed with a security-first perspective.

3. Foster a culture that understands and values security

The root cause of most security breaches, ultimately, is apathy. Weak policies for lax enforcement dramatically increase the risk of a successful attack. The most important security policies can be implemented at little or no cost. The key lies in creating and nurturing a security-conscious organizational culture.

When data governance policies – including security policies – are taken seriously throughout the organization, it will inevitably result in improved insights, better regulatory compliance, and more robust defenses against malicious attacks.

To this end, organizations should:

• Educate their workforce about phishing, social engineering, and similar tactics commonly used to gather information and/or install malware.
• Regularly communicate with employees to reinforce the importance of security fundamentals.
• Insist that vendors comply with internal security policies, and that vendor software is designed and configured in conformance to IBM i security best practices.

IBM i systems have an outstanding reputation for security, but organizations must keep in mind that security requires an intentional and proactive approach. By following these guidelines, companies running IBM i can dramatically lower their chances of experiencing an adverse security event.

To learn more about how to achieve data security with your IBM i system, download Precisely’s report entitled  IBM i Security Insights for 2020.