Tackle Enterprise Security With IBM i 7.4
A security assessment is the first step to securing your IBM i.
By Neil Tardy, 11/01/2019
Terry Ford has a succinct way of describing the challenges that IBM i administrators face when it comes to adopting and maintaining security standards in their IT environments.
“Hackers, they work 24-7 to take you out. You work maybe eight hours a day,” he says. “So who’s going to win that battle, and how soon?”
Of course, it’s an advantage to have IBM Power Systems* hardware and IBM i, which offer industry-leading securability features. More on that in a bit. But those who work with the OS are still subject to the same corporate realities facing the IT world at large: Staffs and budgets are shrinking, while in many established shops, those who architected the computing environment are long retired, leaving enterprises with decades-old core applications that they’re hesitant to touch.
“A lot of our clients don’t have the skills anymore. The people who implemented their systems, set them up, they’ve been gone for years—they’re out sipping tea on the beach somewhere,” says Ford, a senior managing consultant with IBM Systems Lab Services. “So a lot of clients won’t make any changes because they’re afraid they’ll break something while trying to fix something.”
To help get clients moving forward, Lab Services has developed a suite of service offerings called PowerSC* Tools for IBM i. The tools are designed primarily to simplify the process of managing enterprise security and compliance while improving detection and reporting of security exposures.
Putting Time on Your Side
Ford is keenly aware of the role that time plays in an administrator’s life. And it’s not just that hackers work around the clock; it’s that, for many, if not most admins, there simply aren’t enough hours in the workday to proactively address system security.
“Companies are stretched so thin. Everybody’s wearing five or six different hats,” he says. “Businesses aren’t investing properly in what’s essentially their crown jewels. Without the data that they process, they wouldn’t be able to compete globally. They would be in the stone age.”
With this in mind, PowerSC Tools aren’t just a package of security tools; they provide a security blanket for busy admins. For instance, the compliance tool includes a utility that automates the reporting process. Enterprises don’t always have processes in place to gather information across computing environments that, for large shops, may span dozens of LPARs, as Ford explains.
“Several times a year, management or governance will come in and say, ‘I need this information.’ It may be an hour here or an hour there for some, but for others, it may end up being 20-30 hours just to gather information about X, Y, Z, and they have to do that several times a year,” he says. “That could be more than 100 hours a year spent on nothing more than acquiring data and putting it into a table or spreadsheet. That’s 100 hours that could have been spent doing security.”
Over the past few years, Ford developed a utility for Lab Services that allows this information to be accessed and compiled in minutes rather than hours.
“That’s my tact,” he adds. “I want to give them back some of that time, and hopefully they’ll spend it on security.”
Ford believes many clients fail to administer systems and applications with consistent rigor. Corporate security policies may be lacking; or they may exist but aren’t being followed. Of course, to truly transform an environment’s security takes executive buy-in. But before making a case for additional budget and/or staffing, you have to know what you’re dealing with. You have to start somewhere. That starting point is an independent security assessment.
Several IBM i vendors perform assessments, as does IBM Systems Lab Services. Clients that have recently purchased systems can apply IBM vouchers to receive an assessment.
According to Ford, a quality assessment will produce a thorough analysis of a computing environment as opposed to simply presenting data on a few selected partitions.
“Some of our larger clients have 50, 100, even hundreds of LPARs. You can’t do proper analysis on data in that much volume,” he says. “We’ve constructed our assessments in such a way that you can see side by side how every system looks. Most clients don’t have that type of visibility to their system data. Once they see it, at that point, the differences make themselves apparent.”
Upgrade Your Security
A final piece of advice: If you haven’t already, upgrade to the latest version of the OS. IBM i 7.4, announced in April, includes an array of security-related enhancements. The set of rules for SST user passwords has been expanded, certificate management using DCM APIs has been automated and authority collection now allows for information to be compiled for specific objects.
“From a networking standpoint, the auditing mechanism provides the capability to identify and remove weak ciphers from the system. And the updated Authority Collection tool could be a major win when it comes to application security if the time is spent analyzing its output,” says Ford. “With what I’ve seen with 7.4, it gives clients more tools to protect the fortress.”
A Quick Word About Passwords
You may have noticed that passwords have become considerably more complicated in recent years. Even if you’re signing up for something as noncritical as an online fantasy football league, you can be expected to create and retain a password of letters, numbers, and multiple cases and characters.
So, at the corporate level, passwords have really gotten long and strong, right? And surely in IBM i environments, where security is always a foremost consideration, everyone is doing their best to make this virtual front door as unbreakable as it can be, yes?
Terry Ford wishes this were so, but as a senior managing consultant and security focal point for IBM Lab Services, he finds ample evidence to the contrary.
“I still see financial institutions and other entities where their passwords are only six to eight characters, or they don’t prevent the use of a default password,” he says. “For several years now, the OS has had settings to prevent users and administrators from setting passwords such as ‘abc123,’ and yet I recently had a client that had more than 100 accounts with settings like that, or just the first name of the user.”
One good thing about this situation is that these openings can be used to get the attention of IBM i clients. As part of its independent security assessments, Lab Services conducts a “dictionary attack.” To accomplish this, Lab Services assembles lists of the most commonly used passwords (this information is freely available online). For each word in the dictionaries, a hash is created in the same way that IBM i creates user passwords. Using a system API, this derived password hash is then compared against the password hash of the user being checked. When the hashes match, the passwords can be identified. Both upper case and mixed case passwords are checked, which doubles the amount of processing that occurs.
“I’m pretty confident that we’re the only ones doing this kind of analysis in our assessments,” says Ford, “but when we do a dictionary attack, it’s not ‘oh cool, look what we can do.’ It’s to open their eyes, because people don’t believe the system can be penetrated.”
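The hash-comparison check the assessment runs, as an added Python example that is not part of the article or of Lab Services’ tooling: the IBM i hash algorithm and the system API it uses are not described here, so SHA-256 stands in for the hash, and the word list and account profiles are constructed.

```python
import hashlib

# Assumption: SHA-256 stands in for the IBM i password hash, which the article
# does not describe; only the compare-the-hashes logic matters here.
def hash_password(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed stand-in for the freely available common-password lists.
COMMON_PASSWORDS = ["abc123", "password", "qwerty", "letmein", "welcome1"]

def case_variants(word: str) -> list[str]:
    """Check each word as written (mixed case) and in upper case, as the
    assessment does; this is the doubling of work the article mentions."""
    upper = word.upper()
    return [word] if upper == word else [word, upper]

def audit_accounts(accounts, dictionary=COMMON_PASSWORDS) -> dict[str, str]:
    """Return {user: matched_password} for every account whose stored hash
    equals the hash of a dictionary word or of an account-derived default
    (user ID, first name). Dictionary hashes are computed once, not per user."""
    dictionary_hashes = {hash_password(c): c
                         for w in dictionary for c in case_variants(w)}
    findings = {}
    for acct in accounts:
        # Per-account defaults are few, so hash them on the fly.
        per_account = {hash_password(c): c
                       for w in (acct["user"], acct["first_name"])
                       for c in case_variants(w)}
        match = dictionary_hashes.get(acct["hash"]) or per_account.get(acct["hash"])
        if match is not None:
            findings[acct["user"]] = match
    return findings

# Constructed sample profiles: two weak (dictionary word, first name), one strong.
SAMPLE_ACCOUNTS = [
    {"user": "JSMITH", "first_name": "John", "hash": hash_password("ABC123")},
    {"user": "AJONES", "first_name": "Alice", "hash": hash_password("Alice")},
    {"user": "BKHAN", "first_name": "Bilal", "hash": hash_password("Tr0ub4dor&3!x")},
]

if __name__ == "__main__":
    for user, pw in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: stored hash matches weak password {pw!r}")
```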
Neil Tardy is a contributing writer to IBM Systems Magazine.