The current breach epidemic could impact IBM i, but it doesn't have to.
Unless you're filing your taxes with an address listed as "under a rock," you're probably painfully aware of a few high-profile data breaches that have occurred in recent years. While Target, Home Depot, and Anthem might not openly share whether any of their compromised systems included IBM Power Servers, we all need to learn numerous lessons, regardless of the technology platform our critical data resides upon.
First, we must never assume that a breach won't happen to us. Perhaps we don't have the corporate revenue or the cybersecurity budget of a massive organization like Sony, but we would be totally remiss if we operate under the false assumption that we could never fall victim. Recent breach events have taught experts that criminals are becoming even more creative and resourceful. We know there are many variations of a data breach and likely many more that haven't been discovered yet. State-sponsored attacks, organized crime, and wayward employees who abuse their employers' trust have all resulted in critical data and servers being accessed in ways that caused embarrassment and significant financial losses.
Incorrect Assumptions Put Data at Risk
With its 27-year tenure as the chosen platform for Fortune 1000 companies around the world, the Power Systems server with its proprietary IBM i operating system continues to enjoy a reputation as one of the most secure operating systems available today. In my professional opinion, a belief prevails that the security controls are automatically configured and maintained. This dangerous misconception is where IBM i security implementations begin to derail.
Your Security Project: Step One
In my dual role as an IBM i security specialist and as an ISACA-certified audit manager (CISM), I propose that the first phase of a security project should be to gain executive sponsorship. This initial task sometimes proves surprisingly difficult in the IBM i world because of the aforementioned reputation. A severe lack of security skills in IBM i staff and a lack of IBM i knowledge in audit and security experts do not improve the situation, but acquiring sponsorship is possible.
I recommend my clients start by engaging our experts for a no-charge risk analysis. Each year, the HelpSystems PowerTech division performs several hundred assessments using a custom software probe that interrogates the configuration of six critical areas of the machine. The use of this software is overseen by an IBM i security engineer who will help interpret the findings via an online meeting. Once the analysis is completed, it will be easier to establish what resources are required and how they should be allocated.
Even IBM i Has a Weakness
Misconfiguration—or simply leaving the security controls in their default "allow-all" state—is the Achilles heel of the IBM i platform. The annual "State of IBM i Security Study" published by PowerTech includes reports on risk metrics extracted from more than 2,000 servers. Many of these risks can be mitigated with a stricter mindset about how easy it is to compromise more servers. Not facing an enterprise server to the outside world does not eliminate risk but instead shifts it toward insider activities. Whether nefarious activities originate inside or outside the network, a data breach is no less costly and impactful.
Risks and vulnerabilities evolve over time, but regulatory compliance is here to stay! The scope of industry and government mandates may ebb and flow after a particular form of breach increases pressure to protect information. That oversight will then become a permanent part of the compliance landscape. As long as there's a way for someone to benefit from accessing information without permission, there will always be a need for oversight. Unfortunately, many organizations under-invest in security until they're required to do so or until they're breached, because we tend not to learn from the painful lessons of others.
Leverage the Tools Available
Companies like PowerTech will continue to evangelize the necessity of action by offering free webinars, seminars, and our sponsorship of user groups around the world. Our hope is to spread the word that, while IBM i is an amazing operating system, it requires a major configuration overhaul before there can be any expectation of server and data security.
There's no better time to take that first step or to validate the work that's already been done by leveraging the same no-cost risk analysis process that has benefitted thousands of organizations worldwide. Visit the PowerTech website to sign up for an assessment of your own.
MC Press Online