
Authentication, authorization, and accounting (AAA) is a common IT security framework for managing, securing, and monitoring access to digital resources (Figure 1). It is widely used to control resource access, enforce security policies, and audit system usage.
Figure 1: The IT Authentication, Authorization, and Accounting framework
Today’s blog explores the fundamentals of the AAA framework and its application to IBM i systems for enhanced cybersecurity protection.
Identity and Access Management (IAM) & the AAA Framework
The AAA framework is integral to Identity and Access Management (IAM). IAM policies and technologies ensure appropriate user access while preventing unauthorized access. IAM manages digital identities and their resource access permissions. IAM settings configure authentication, authorization, and accounting within the AAA framework.
System values, native commands, and Navigator for IBM i manage IAM settings for IBM i servers. Vendor software, like the iSecurity suite available from SEA, provides additional cybersecurity and auditing capabilities. Shown in Table 1, key IBM i IAM functions include:
Table 1: Key IBM i Identity and Access Management (IAM) Functions
With IAM configured, the IBM i AAA framework strengthens cybersecurity through:
- Authentication: Verifying user or device identities for resource access.
- Authorization: Defining permitted resource access and actions for users or devices.
- Accounting: Monitoring and auditing access to IBM i objects.
Here’s how each AAA framework component can be enabled on an IBM i server.
Authentication: Verifying User and Device Identities
Authentication ensures that only verified users and devices gain access to IBM i resources. Organizations can leverage IBM’s robust user profile and password management capabilities to eliminate vulnerabilities associated with password theft and unauthorized logins by:
- Reviewing, updating, and implementing password security policies, requirements, and controls. A comprehensive IBM i password security policy aligns with internal and external stakeholder requirements. Ensure compliance with relevant regulations. Defining and enforcing a password security policy enhances authentication security.
- Eliminating default IBM i user passwords. Default passwords pose a security risk, as they are easily exploited by malicious actors for unauthorized system access.
- Disabling and removing obsolete user profiles. Ghost profiles from users who have left the organization should be removed per your user termination policies.
- Implementing multi-factor authentication (MFA) for IBM i logins. Utilizing an IBM i-specific MFA solution, like iSecurity Multi-Factor Authentication, authenticates and validates user identities beyond using a single password, providing enhanced security against stolen user IDs, phishing scams, and cyberattacks.
- Using single sign-on (SSO) techniques for IBM i authentication. SSO allows users to access multiple IBM i servers and applications with a single login, reducing password management and the risk of unauthorized access. Incorporating MFA with SSO further strengthens security.
- For device access, implementing device certificates or other authentication mechanisms to ensure only authorized devices can connect to IBM i systems.
Authorization: Controlling Access
Authorization dictates the actions authenticated users and devices can perform on IBM i servers. This is achieved through:
- Limiting and controlling IBM i users with special authorities. Reduce the number of users with elevated privileges, especially *SECOFR and *ALLOBJ, on production systems to minimize security risks like malware, ransomware, data breaches, data modification or deletion, and compliance violations.
- Granting and revoking special authorities as needed. Consider using solutions like iSecurity Authority on Demand (AOD) for temporary special authority elevation during vendor installs, maintenance, data integrity tasks, or emergencies. Solutions should require documented approvals for elevation and subsequent authority revocation after approved tasks are completed.
- Implementing group- and role-based security for IBM i objects and IFS file shares. Use user groups, authority lists, and third-party software to streamline authorization. Assigning authorities to groups and roles, rather than individual users, enhances security and simplifies administration.
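The profile checks from the Authentication and Authorization lists above (default passwords, obsolete profiles, and holders of *SECOFR or *ALLOBJ) can be pulled in one pass with Db2 for i SQL. This is an added example, not code from the original post or from SEA; it assumes the QSYS2.USER_INFO view exposes the USER_DEFAULT_PASSWORD column at your IBM i level, and the 90-day inactivity threshold is an illustrative value.

```sql
-- Added example (not from the original post): review user profiles with the
-- QSYS2.USER_INFO view. The 90-day threshold is an assumed policy value.
WITH profile_review AS (
  SELECT authorization_name,
         status,
         user_class_name,
         special_authorities,
         previous_signon,
         -- Password equal to the profile name (the IBM i "default password")
         CASE WHEN user_default_password = 'YES'
              THEN 'Y' ELSE 'N' END AS default_password,
         -- Candidate obsolete profile: never signed on, or idle past threshold
         CASE WHEN previous_signon IS NULL
                OR previous_signon < CURRENT TIMESTAMP - 90 DAYS
              THEN 'Y' ELSE 'N' END AS inactive,
         -- Elevated privilege named above: *SECOFR user class or *ALLOBJ
         CASE WHEN user_class_name = '*SECOFR'
                OR special_authorities LIKE '%*ALLOBJ%'
              THEN 'Y' ELSE 'N' END AS elevated
    FROM qsys2.user_info
)
SELECT *
  FROM profile_review
 WHERE default_password = 'Y'
    OR inactive = 'Y'
    OR elevated = 'Y'
 ORDER BY elevated DESC, default_password DESC, authorization_name;
```

IBM-supplied profiles (names beginning with Q) will appear in the result as inactive or elevated; review them separately rather than disabling them from this list.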
Accounting: Monitoring and Auditing
Accounting tracks user and device activity for security breach detection, audit compliance, and general security. Consider implementing these capabilities for IBM i servers:
- Enabling IBM i security auditing to log critical events like logins, object access, and command execution. IBM i security event data is collected in the IBM i audit journal (QAUDJRN). QAUDJRN entries can be queried, analyzed, and reported on, including analysis by third-party IBM i security solutions like iSecurity Audit from SEA.
- Using IBM i database journaling to track changes and detect unauthorized modifications to critical objects. Database journals can track libraries, files, access paths, data areas, data queues, and Integrated File System activity. Similar to QAUDJRN data collection, database journal entries can also be queried, analyzed, and reported on.
- Transmitting IBM i security data to Security Information and Event Management (SIEM) solutions for enterprise-wide analysis. SIEM systems collect, aggregate, and analyze security information from various organizational systems, including firewalls, routers, servers, applications, network devices, and endpoints. Products such as iSecurity Syslog can export IBM i security data to SIEM servers for comprehensive enterprise-wide analysis.
- Implementing exit programs to monitor and control specific security functions, such as Telnet, ODBC, FTP, SQL, and file transfers. IBM i exit point monitoring software, such as the iSecurity Firewall product, can help manage and report on exit point security activity. See SEA’s Guide to Understanding IBM i Security Exit Points for more information.
- Using third-party security and auditing tools, such as the iSecurity Suite from SEA, for advanced monitoring and reporting capabilities. These tools can provide real-time alerts, history logs, comprehensive audit trails, security reporting, and more.
- Performing regular reviews of security logs and audit trails to identify potential security issues. Conducting routine security log analysis ensures early detection of threats and helps maintain compliance with security policies.
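A routine QAUDJRN review of the kind described above can start from a short summary query. This is an added example, not code from the original post or from SEA; it assumes security auditing is active with *AUTFAIL in QAUDLVL, and the threshold of five events is an illustrative value.

```sql
-- Added example (not from the original post): 24-hour summary of
-- authority failures (AF) and invalid sign-on attempts (PW) in QAUDJRN.
-- Assumes security auditing is active and QAUDLVL includes *AUTFAIL.
SELECT journal_entry_type,
       job_user,
       remote_address,
       COUNT(*)             AS events,
       MIN(entry_timestamp) AS first_seen,
       MAX(entry_timestamp) AS last_seen
  FROM TABLE(qsys2.display_journal(
         'QSYS', 'QAUDJRN',
         JOURNAL_CODES      => 'T',          -- audit trail entries only
         STARTING_TIMESTAMP => CURRENT TIMESTAMP - 24 HOURS)) AS j
 WHERE journal_entry_type IN ('AF', 'PW')
 GROUP BY journal_entry_type, job_user, remote_address
HAVING COUNT(*) >= 5                         -- assumed review threshold
 ORDER BY events DESC;
-- For PW entries the attempted profile name is held in ENTRY_DATA,
-- which this summary does not decode; JOB_USER is the job's user.
```

Rows that repeat day after day for the same remote address or job user are the ones to carry into the SIEM correlation described earlier in this list.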
Conclusion
Implementing a robust AAA framework on your IBM i server strengthens cybersecurity by combining strong authentication, granular authorization, and comprehensive accounting. Regularly update your security policies to address evolving threats. Leverage IBM i security features with third-party tools to ensure a resilient defense.