2015 State of IBM i Security Study

IBM i (OS/400, i5/OS)
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Given the mission-critical data stored on these systems, maintaining a secure configuration should be a top priority.


Editor's note: This article introduces the white paper 2015 State of IBM i Security, which is free to download from the MC White Paper Center.


Another day, another data breach in the news. You tune it out—unless the details are as juicy as the Sony hack. Your corporate data and applications are safe on an IBM i server that your go-to IT guy set up years ago. No worries here!


But then your new system admin notices some strange activity on the network and realizes your system was breached ten months ago. That server you thought was so well-protected? Turns out, there were some security gaps that had never been addressed. With the legal fees and all the bad press, it might take just as long for the company to recover from the data theft.


For every Sony, Target, or Anthem, dozens of other organizations have had data stolen or corrupted by hackers—or even their own users. Cyberthreats become more sophisticated every year, raising the importance of proper security controls.


The 2015 State of IBM i Security Study proves that many IBM i shops are relying on system settings that leave data vulnerable.


Simple passwords, lax system auditing, and overly privileged users leave your server vulnerable to internal and external threats. While some businesses have the resources to survive a cyberattack, many others do not.


The annual State of IBM i Security Study strives to help executives, IT managers, system administrators, and auditors understand the full extent of IBM i security exposures and how to correct them effectively and economically.


Why This Study Is Important

PowerTech has followed the evolution of the AS/400 to iSeries, System i, and finally Power Systems running IBM i. For 12 years, the State of IBM i Security Study has provided invaluable security insight from more than 2,000 servers worldwide.


The results from the 2015 study, and the universal nature of IBM i vulnerabilities, lead us to conclude that if you have IBM i systems in your data center, your organization might suffer from similar internal control deficiencies.


What This Study Means for You

Your IBM i server likely runs your mission-critical business applications—and has been for years. By now, the staff that set up server security is probably long gone.


To complicate things, the integrated nature of many IBM i security controls has caused confusion over who is responsible for the configuration—IBM, the customer, or the application provider. As such, many systems operate with default settings due to lack of ownership.


You know an IBM i audit is long overdue, but you're too busy grappling with:

• Knowledge gaps

• Overextended staff

• Lean IT budgets


Because Windows and UNIX platforms tend to require more resources to secure them, it's much easier to let IBM i security projects take a back seat.


Consequently, the administration of IBM i security controls has lapsed and guards are down even as threats to your system grow.


Here's the good news: the weaknesses identified through our assessments and documented in this study are caused by poor or missing configurations that can—and should—be corrected.


This study shows you the most common and dangerous IBM i security exposures; outlines best practices for improvement; and explains how these relate to compliance legislation, industry regulations, and IT guidelines and standards.


The Power Systems Landscape

IBM introduced the AS/400 in 1988 as its computing system for small- and medium-sized companies. Today, the Power Systems product line ranges from small servers with a single processor to the high-end mainframe-class POWER8 Model 880, which can have up to 128 processor cores.


The IBM i community is a large and loyal one, with IBM estimating 120,000 customers around the world. The PowerTech data was collected from a cross-section of systems of varying sizes, the most common being MMB, which comprised 14 percent of the reviewed servers.


Companies in retail, financial, manufacturing, and distribution industries typically purchased their Power Systems server as part of an integrated business system. Today, approximately 16,000 banks run their core banking and financial applications on an IBM i server.


Many organizations use applications that store credit card data on the system. Some of the well-known software vendors that provide applications are:


• Oracle (JD Edwards EnterpriseOne and World)

• FISERV (Premier and Signature)                                


• Medhost                                                                    

• Siemens Medseries4

• Agilysys Resort Management                                    

• Island Pacific Retail

• Jack Henry (SiverLake, 20/20)                                   

• Infor (LX (BPCS), XA (MAPICS),

• Manhattan Associates                                    

• Infinium, System21 Lawson, Movex (M3))


Given the mission-critical data stored on these systems, maintaining a secure configuration should be a top priority.



Find out more by downloading the free white paper 2015 State of IBM i Security from the MC White Paper Center.