ID-INFO blog

Security on IBM i: 10 major risks and how to avoid them

Security threats are on the increase. Cyber attacks, viruses and identity theft are becoming more and more common, not to mention the fact that certain vulnerabilities can also lead to data loss without any malicious intent on the part of the user.

The IBM i, although particularly secure compared to other platforms, is not 100% risk-free, as Bob Losey tells us.

With kind permission of Bob Losey. Sept. 2022.

As you know, security on IBM i has nothing to do with security on Windows, UNIX or Linux. The aim of this post is to briefly highlight 10 major IBM i security risks and explain what you can do about them.

1. Too many IBM i Operator/Admin users

Almost all IBM i systems have too many users with far more authorizations than they need. In fact, many organizations grant access to all database files and objects on the IBM i OS to a colossal number of user profiles. In concrete terms, there’s nothing to prevent employees from accessing and sharing unauthorized data, or even deleting the entire operating system.

Solution: Make the effort to evaluate user profiles and activities on a regular basis. Standardize profiles with role-based authorizations, keep track of who has access, and keep an eye on employees who gain access in surprising ways.

2. Allow default IBM i passwords

Users often keep passwords that correspond to their usernames… BIG MISTAKE. As you probably know, hackers always try login credentials whose username and password match or are easy to guess.

This allows hackers to check whether they can access the system (and they often succeed). Your entire IBM i system could then be exploited, or all important and confidential data erased.

Solution: Changing passwords when users join the company and during training is a must to solve this problem. Continuous compliance monitoring also makes it possible to produce reports showing how many users have default passwords, and to check that password settings are appropriate.

3. Ignore compliance rules

Some organizations fail to properly implement the security measures they need to meet their obligations, because they don’t master the necessary tools or controls.

Postponing the task means risking sanctions, or hoping that the auditors won’t detect any problems. Especially since it’s quite possible that an auditor won’t realize that the IBM i is not protected against viruses, because he or she doesn’t understand how the platform works. And it offers administrators a loophole, at least from a legal point of view.

Solution: It’s essential to be fully aware of the specific requirements your organization needs to meet. From there, you can use appropriate software or other procedures to assure auditors that you are doing everything possible to fully comply with these guidelines and safeguard your data.

4. Using an unsupported version of IBM i

As with any operating system, not using the latest version can cause problems, especially if you’re using a version that is no longer supported by the vendor.

Using an obsolete version of IBM i means (often) not having the latest updates for your security tools, and therefore being vulnerable. What’s more, if your version is too old, you may not be able to get support from IBM.

Solution: The only wise option is to stay up-to-date and upgrade.

5. Rely on menu security

Green screen menu security offers each user specific options according to their profile. The assumption is that nothing else needs to be controlled in the system, as these are the only places a user can access.

Except that experienced users can easily access areas beyond the menu options. These entry points allow a user to bypass the menu options that are initially displayed.

Solution: It is essential not to rely on the security policies of the menus that users can access via the system. Similarly, you need to pay attention to the other PC interfaces used, and set up object-level authority.

6. Rely on a single security layer

Assuming that a PC firewall or antivirus protection offers sufficient security against an attack is misguided. A multi-tiered solution is required, including endpoint management, antivirus protection, firewalls and rigorous user profiles.

Solution: Evaluate your security position from several angles, as malicious users or actors will use any means to impersonate authorized users to gain access to the system.

7. Do not use multi-factor authentication (MFA) with privileged accounts

The use of multiple levels of authentication to ensure that you identify the people accessing the IBM i system is becoming increasingly widespread. This is particularly important when working with users with administrative access.

Solution: Some directives, such as PCI DSS, require multi-factor authentication for any IBM i system administrator entering the cardholder data environment. This additional layer of security, combined with other access control measures, can significantly minimize the damage that can be caused by divulged credentials.

8. Enable end-users to have command-line permissions

Organizations frequently use menus to limit users’ ability to use a command line. However, even the most inexperienced user can cause errors that give them access to the command line. From there, they could execute more than 2,000 commands in the IBM i operating system, some of which could have disastrous effects: deleting data, disabling subsystems, even exposing data!

Solution: You need to control the environment in which any IBM i operator can execute commands, such as green screen or FTP. You also need to keep track of what permissions users have, as mentioned in the previous threats.
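
The profile review recommended under risks 1, 2 and 8 can be run as a single query against the QSYS2.USER_INFO service of Db2 for i. This is an added example, not part of the original article; skipping profiles whose names start with Q and treating *ALLOBJ and *SECADM as the "powerful" authorities are assumptions to adapt to your site.

```sql
-- Added example: one report covering risks 1, 2 and 8.
-- Run it under a profile with *ALLOBJ and *SECADM special authority;
-- without them USER_DEFAULT_PASSWORD is returned as NULL and the
-- default-password check silently reports nothing.
WITH profiles AS (
  SELECT authorization_name,
         status,
         special_authorities,
         limit_capabilities,
         previous_signon,
         -- Risk 2: password is the same as the profile name
         CASE WHEN user_default_password = 'YES'
              THEN 1 ELSE 0 END AS default_pwd,
         -- Risk 1: authority over every object or over all profiles
         CASE WHEN special_authorities LIKE '%*ALLOBJ%'
                OR special_authorities LIKE '%*SECADM%'
              THEN 1 ELSE 0 END AS powerful,
         -- Risk 8: anything other than *YES leaves a usable command line
         CASE WHEN limit_capabilities <> '*YES'
              THEN 1 ELSE 0 END AS cmd_line
    FROM qsys2.user_info
   -- Assumption: IBM-supplied profiles start with Q and are reviewed separately
   WHERE authorization_name NOT LIKE 'Q%'
)
SELECT authorization_name AS user_profile,
       status,
       previous_signon,
       special_authorities,
       limit_capabilities,
       default_pwd,
       powerful,
       cmd_line,
       default_pwd + powerful + cmd_line AS findings
  FROM profiles
 WHERE default_pwd + powerful + cmd_line > 0
 -- Enabled profiles with a default password and high authority come first
 ORDER BY default_pwd DESC, powerful DESC, status DESC, authorization_name;
```

A profile that shows both default_pwd = 1 and powerful = 1 is the combination to fix first; disabled profiles still appear so that they can be cleaned up or deleted.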

9. Operation below security level 40, or even 30

IBM strongly recommends that you set the security level of your operating system to at least 40. Some users, however, reset the configuration during updates to integrate obsolete programs, with the intention of restoring the security level later. Except they never go back to it.

This is a major vulnerability, as a user could possibly execute a task under another profile, without authorization.

Solution: It’s essential to reach security level 40, even if it’s not a quick procedure on IBM i. You therefore need to plan the update and carry out the necessary tests to ensure that no related processes are disrupted.

10. Not having a cyber-attack response plan

A cyber-attack response plan is not the same as a disaster recovery plan, as each cyber-attack may require a very different response. You’ll need to determine where the security threat comes from, how to prevent access, and the best strategy for repairing damage or assessing data loss.

Dealing with a virus has nothing to do with a malicious attack that attempts to steal data from your system: in the first case, the server may be irreparably damaged, in the second, it’s the data that leaks out.

Solution: Make sure you have two separate countermeasures in place to deal with these scenarios, as well as the necessary solutions and communications.

When it comes to IBM i security, there are many options. Unfortunately, many of the security solutions on offer to help you protect your system against data breaches are not specific to IBM i. What’s more, solution providers often lack the IBM i administrative expertise to provide effective security against data breaches.


