MC Press Online

Thursday, Feb 23rd

Last updateWed, 22 Feb 2017 3pm

You are here: Home ARTICLES Security IBM i (OS/400, i5/OS)

Security / IBM i (OS/400, i5/OS)

Insiders Are a Threat to IBM i? No Way! Yes Way!

Carol Woodbury

Carol discusses how the current thoughts on insider threats needs to be redefined and how insider threats can leave IBM i vulnerable.

Written by Carol Woodbury

I read an interesting article that discussed a study done by the Ponemon Institute on the “Cost of Insider Threats.” It piqued my interest because most of the people I talk to in the IBM I world don’t believe there’s any threat by people from inside their organization. The two reasons I hear most are “I trust our employees” and “Our employees would have no clue how to get access to the system through something like ODBC. They can barely sign on to their green-screen menu.” I decided to read the actual study to determine if there was applicability to the IBM i world.

The Study defined three types of insider threats:

Read more ...

Carol’s IBM i Security Wish List

Carol describes 10 things that she wishes were different when it comes to IBM i security.

carol woodburyWritten by Carol Woodbury

It’s the time of year when all children are making their Christmas wish list, hoping Santa will deliver on Christmas morning. While I’m a few years beyond believing in Santa Claus (!), I’ve created my list, just in case.


Wish #1: V7R3

I wish all IBM i customers would upgrade to V7R3. The Authority Collection feature added in V7R3 alone justifies the upgrade. This feature helps administrators to stop over-authorizing and enables them to remove *ALLOBJ from profiles that don’t really need it. If you are considering upgrading to V7R2, skip that thought and move right to V7R3!

Read more ...

IBM i Security Without Breaking the Bank

Stop neglecting IBM i security. Consider a risk assessment and two control layers to enjoy substantially less risk of data loss—without sending your organization into the red.

robin tatamWritten by Robin Tatam

The time is now!

While some companies take a proactive stance on becoming more secure, many more act as a result of regulation. Governments and industry bodies have enacted numerous enforceable mandates, typically as a result of a scandal or high-profile breach. The growing list of these mandates includes PCI-DSS for credit card data, MAS-TRM for financial organizations in Singapore, BASEL for the banking industry, SOX for publicly traded companies, and HIPAA for those in the U.S. healthcare industry. Operators in the European Union face a dramatic increase in fines that may be levied for data breaches since the General Data Protection Regulation (GDPR) was adopted in April 2016. This replacement for the previous “directive” will become law in May 2018, and the financial impact on companies within this territory could be quite dramatic.

Read more ...

The Lesser of Two Evils: Choosing the Better IBM i Security Configuration

Carol describes scenarios where the configuration options aren’t optimal, but a choice must be made.

carol woodburyWritten by Carol Woodbury

By the time you read this, the election in the United States will be over. Many in the States view this election as having to choose between the lesser of two evils. While I’m not going to discuss the way I voted, I thought I might discuss some similar situations—where I’ve been presented with two IBM i configurations to choose from, and neither is optimal.

Read more ...

Tightening IBM i Security with Little Fear of Breakage

Carol describes five IBM i security settings that eliminate exposures and can be changed with very little risk of breaking anything.

Written by Carol Woodbury

I know that many of you feel handcuffed. You want to make changes to improve your IBM i security posture, but your organization is so risk averse that it’s almost impossible to make changes that have the possibility of breaking a production process. While I can’t guarantee that these changes will not cause an issue, it’s unlikely that they will.

Read more ...

Popular Security Terms and How They Relate to IBM i

Carol describes terminology prevalent in the security world, explains what it means, and identifies how it applies to IBM i.

carol woodburyWritten by Carol Woodbury

I subscribe to several security-related newsletters. I was reading an article the other day, and it used the phrase “good security hygiene.” I thought I knew what that meant but did a bit of research to make sure. That experience made me think that it might be helpful to explain some security terminology and describe how it relates to IBM i. Let me start with the phrase that inspired this article.

Read more ...

5 Practical Ways to Use the Audit Journal to Solve your Administration Woes

The IBM i Audit Journal contains a wealth of information yet remains a mystery to those who can use it most. Carol describes practical ways that security and system administrators can use this information to help them in their daily jobs.

carol woodburyWritten by Carol Woodbury

The past few weeks, I’ve found myself helping our clients solve their issues by looking for specific entries in the audit journal. Most administrators think that the IBM i audit journal is only good for compliance reporting or just used during a forensic investigation. Nothing can be further from the truth. So I thought I’d share a few examples of how you can use the audit journal to solve daily problems. Or to help you debug problems or investigate administration-related issues.

Read more ...

Security Considerations for IBM i CL Commands

Carol answers the questions you’ve been asking about securing IBM i commands.

carol woodburyWritten by Carol Woodbury

Every once in a while, I get asked a question that spurs on an idea for an article. That’s what happened this week when I was asked whether one had to secure proxy commands. That made me realize that I hadn’t written about the security considerations one needs to make regarding Command Language (CL) commands, so I decided to make that the focus of this month’s column.

Read more ...