Secure IBM i With Vigilance and Culture Change
Trevor Perry describes holistic IBM i security measures.
Security, security, security. A topic for the ages—and crucial for the 21st century. It’s a topic that should be the highest priority for every IT organization.
For every application development or modernization project, security should always be considered first. Every customer who has attempted to apply security post-project understands the high cost and complexity that comes with retrofitting.
Approaches to Application Security
From an application perspective, multiple approaches to security are available. First, there’s a top-down approach, where every user accesses applications through some authentication process, often a portal. Inside that portal environment, once the user has supplied credentials and been authenticated, they have access to the tasks and applications that are necessary for their job role or profile. For example, an accounting supervisor will have access to a broader range of applications than a consumer who can only access their personal information and history.
For any access to applications, simple security protocols such as password rules are needed. A certain amount of research is required before selecting protective tools that must be installed for security purposes. Compatibility with all end-user devices, ease of implementation and ease of use all need to be considered.
Next, there’s the layer of application functions being accessed. Often, these functions are written with the assumption that they’re called only by authorized callers. However, an elegant security implementation using cross-cutting functionality will check independently to ensure the access is authorized.
Sometimes a front-door process is used to check credentials between the consumption of a service and the delivery of that service. This is obviously important if the consumer is unknown or from sources outside the control of the application. That authentication could contain some form of artifact—potentially a token that’s carried with the request.
A well-designed security implementation makes no assumptions about the origin of a request, ensuring every transaction is consumed with the appropriate credentials. Many IBM i applications assume security by obscurity and don’t include security checks within the application itself.
Data is the lowest layer. While IBM i supports authority based on user profile to libraries and objects, modern applications may not use IBM i user profiles for every authenticated user. A combined security effort through other architectural layers and through effective database security is needed.
When users authenticate with IBM i user profiles, multiple security tools are available, such as Row and Column Access Control (RCAC), along with the ability to obfuscate data values for different levels of authority. This means more setup and management work than traditional IBM i shops are used to, but attention is required.
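As an added illustration of RCAC and value masking (not code from the article), the Db2 for i SQL below restricts rows and obfuscates a column according to the caller's user profile. The library PAYLIB, the table, its columns and the group profile HRGRP are constructed names used only for this example.

```sql
-- Constructed sample table; PAYLIB, EMPLOYEE and HRGRP are assumed names.
-- Creating permissions and masks requires the QIBM_DB_SECADM function usage.
CREATE TABLE PAYLIB.EMPLOYEE (
    EMP_ID    INTEGER       NOT NULL PRIMARY KEY,
    EMP_USER  VARCHAR(10)   NOT NULL,   -- IBM i user profile of the employee
    DEPT      CHAR(3)       NOT NULL,
    SALARY    DECIMAL(9, 2) NOT NULL,
    TAX_ID    CHAR(11)      NOT NULL    -- stored as 'nnn-nn-nnnn'
);

-- Row permission: members of HRGRP see every row,
-- any other profile sees only the row that belongs to it.
CREATE PERMISSION PAYLIB.EMPLOYEE_ROWS ON PAYLIB.EMPLOYEE
    FOR ROWS WHERE
        VERIFY_GROUP_FOR_USER(SESSION_USER, 'HRGRP') = 1
        OR EMP_USER = SESSION_USER
    ENFORCED FOR ALL ACCESS
    ENABLE;

-- Column mask: HRGRP sees the full value, everyone else the last four digits.
CREATE MASK PAYLIB.EMPLOYEE_TAX_ID_MASK ON PAYLIB.EMPLOYEE
    FOR COLUMN TAX_ID RETURN
        CASE
            WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'HRGRP') = 1
                THEN TAX_ID
            ELSE 'XXX-XX-' CONCAT SUBSTR(TAX_ID, 8, 4)
        END
    ENABLE;

-- Column mask: salary is returned as 0 outside HRGRP.
CREATE MASK PAYLIB.EMPLOYEE_SALARY_MASK ON PAYLIB.EMPLOYEE
    FOR COLUMN SALARY RETURN
        CASE
            WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'HRGRP') = 1
                THEN SALARY
            ELSE 0
        END
    ENABLE;

-- Nothing is enforced until access control is activated on the table.
ALTER TABLE PAYLIB.EMPLOYEE ACTIVATE ROW ACCESS CONTROL;
ALTER TABLE PAYLIB.EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;
```

These rules key on SESSION_USER, so an application that connects under one shared profile for all end users is evaluated as that single profile, and the distinction between users has to be enforced in the other layers described above.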
Infrastructure, Social and Beyond
Outside of applications, infrastructure security in many companies is often missing or incomplete. External access to internal servers can be managed using exit points. Firewalls and VPNs are traditional infrastructure tools, but as attacks grow more sophisticated, defense mechanisms must be enhanced, evolved and maintained.
Physical security is another topic to consider. ID badges and door keycard access are standard security procedures. Even security and background checks on employees are part of a security methodology. The most difficult aspect for traditional IBM i companies is culture change. When staff have been employed for decades and everyone is regarded as family, a false sense exists that no one would do anything to breach security. Even a friendly thing such as holding open a secure door for a co-worker can be a security threat.
This leads to a discussion of social hacks. Simple actions such as a fake IT person calling and asking for a password to solve a problem can potentially expose your applications and data to theft. Email and website phishing need to be addressed—a process that often requires education and cultural shift.
Balancing Security and Usability
In a world replete with access to the internet and applications from mobile devices, appropriate defenses are needed against leaving company data and access on a device that may easily be lost or stolen. However security is applied, a balance needs to be struck between the usability of a device and its security features.
Ultimately, security is a deep and wide topic that requires appropriate attention to detail and an elegant architecture. It bears repeating that addressing security at the start of application development and modernization is key to effectiveness and helps avoid more complex and costly implementation.
Ongoing attention to, and maintenance of, security processes and protocols will also require research of what’s happening in the IT ecosystem. New hacks, new attacks, new defenses and new applications must be reviewed regularly. Security isn’t something to implement and forget.
In summary, two tasks must become part of your IT world: vigilance and cultural change. It’s a new world of IT, one that evolves constantly, and security will ensure your business survives for the longer term.