Book Review: IBM i Security: Administration and Compliance
Security - IBM i (OS/400, i5/OS)
Written by Robin Tatam
Friday, 09 November 2012 00:00

If you have any interest in IBM i security, whether as an administrator, a programmer, or an auditor, then this book is the perfect resource.


In this era of legislative and regulatory mandates, computer security has quickly become one of the most popular—and critical—initiatives for organizations of every size and in every business sector. Even those that are not forced to comply with an official directive should consider enhancing their security to ensure protection of their business data assets.


The IBM i operating system contains integrated security functions. These functions work in conjunction with the Power hardware to provide world-class integrity features and object-level controls. Unfortunately, these functions often remain at their IBM-shipped default values, which—contrary to popular belief—means that users have access to system operations and permission to read, change, and update application data.


I work in the IBM i security industry. I'm a security subject-matter expert for COMMON, and I conduct IBM i security assessments. I'm also responsible for publishing my employer's annual "State of IBM i Security" study. These activities provide me with insight into the security challenges of organizations operating on IBM Power Systems servers running IBM i.


In my opinion, one of the biggest inhibitors to the widespread deployment of these controls is that there's an assumption that the operating system is naturally secure and that nothing remains to be configured. While IBM i might be one of the most securable server operating systems, it certainly doesn't come configured that way. In addition, there's a marked lack of knowledge of this topic in both the technical and audit community.

System values need to be reviewed and established. Audit controls need to be understood and configured. Unfortunately, overly powerful users often undermine whatever controls have been implemented; their authorities should be brought into line using Role-Based Access Control (RBAC). Without a good foundation of knowledge, different controls can conflict with one another and undermine the benefit that should be gained from their deployment.


As the AS/400 Chief Security Architect for more than 10 years, Carol Woodbury packs more security expertise in her petite stature than most people twice her size! IBM i Security: Administration and Compliance is the fourth book that Carol has authored on the subject, and I own all of them. For me, the most standout feature of all four editions has been the clarity with which the subject matter is explained. Unlike most documentation, this book is actually readable, and I recommend it to any client who is looking for educational material.


The book is divided into 20 chapters that span 350 pages. Written content includes discussion of critical technical topics, as well as planning and deployment techniques. Comprehensive—but easily understood—explanations are given for object-level controls, the Integrated File System, auditing, system values, and user profiles. There's even a chapter on the creation of an incident response plan—a task that's often overlooked until it's too late. I continue to use this book as a reference source, and I love how I still discover tidbits of information.


It's my professional opinion that this book is the work of a consummate expert in this field. If you have any interest in IBM i security, whether as an administrator, a programmer, or an auditor, then this book is the perfect resource.



Robin Tatam
About the Author:

Robin Tatam is the global director of security technologies for HelpSystems and is an ISACA-Certified Audit Manager and PCI Professional. Mr. Tatam is an award-winning speaker on security topics and the author of HelpSystems’ annual “State of IBM i Security” study.


HelpSystems is a leading provider of security products and services for IBM i, AIX, Linux, and Windows. Service offerings include vulnerability assessments, penetration testing, remediation work, and managed security contracts. Software solutions are available to address requirements for intrusion detection and prevention, database encryption, anti-virus, compliance reporting, and policy management.
