A recent PowerTech Group study of System i shops concludes that many companies are lagging behind when it comes to implementing proper security measures on their systems. Rich Loeber, president of iSeries security product provider Kisco Information Systems Inc., shares his thoughts on the study.
Over the years, IBM has done a good job of selling the public on the idea that the System i is “the most secure processor available today.” However, the company has not done nearly as good of a job explaining how to make the system secure. Doing that takes work, some of which is not necessarily intuitive. Someone needs to be put in charge of the security setup of the system and design an approach to security for the installation. Often, security takes a back seat to other more pressing needs for the company … until a disaster happens.
Another observation I have is that security efforts are very much focused on the network and keeping outsiders out of the system. But studies clearly reveal that nearly as many security breakdowns happen from inside sources as from outside hackers. Too often it is the insider with too much access to the system who compromises sensitive information. With the advent of convenient storage media, some that you can pass off as a fob on a key chain, the inside threat cannot be ignored.
The system is only as secure as the implementation of the security features. I5/OS may be the most secure operating system around, but if it is not used correctly, you might as well have any OS in place. I have customers who’ve purchased our network security product, SafeNet/400 and have had it in place for years without activating it to control access. They’re just logging activity, when the software has the ability to control activity and prevent unauthorized access attempts. When I hear of one of these accounts, I try to chide them into taking the software up to the next level of protection, but I’ve had little success with these attempts.
One of these days, there is going to be a TJ Maxx or Hannaford security breakdown that’s tracked to System i, and all those who’ve been touting the box’s strong security are going to be back-pedaling like mad.
I don’t really know what to do about this except to sing this song over and over again. I write a monthly column on System i security for Search400.com and I regularly raise these basic issues with my readers. I think that may be my small contribution — educating System i users on what they have and how to use it.