Most IBM i security capabilities can be grouped into three important categories and objectives, as shown in Table 1:
- Confidentiality: Protecting information against unauthorized access and disclosure.
- Integrity: Protecting data against unauthorized changes and manipulation, and assuring data is trustworthy.
- Availability: Protecting data against accidental changes, destruction, and attempts to abuse or destroy system resources.
Source: IBM i 7.5 Documentation: Introduction to IBM i Security
Most IBM i native, vendor, DIY, and open-source security capabilities address these objectives in one way or another. Security stakeholders including auditors, regulators, and government agencies frequently require organizations to implement controls that satisfy these objectives, even if the objectives are not explicitly listed.
This blog looks at the critical IBM i security capabilities to address these IBM security objectives. It also looks at two valuable evaluation tools that help identify system vulnerabilities and check your IBM i security for compliance.
IBM i Capabilities That Satisfy Security Objectives
Table 2 lists several critical IBM i and Power system capabilities (controls) that organizations can use to satisfy their security objectives. Note that to facilitate server installation, many native IBM i capabilities are not activated when an IBM i server is created. Organizations must review and activate most native i security capabilities themselves as they stand up each IBM i server.
Each capability is expanded on below. To understand where each capability can be configured in IBM i security schemes, all capabilities are designated by whether they are activated through native IBM i functions, third-party software, DIY programming, off-system capabilities, or a combination of activation types.
Physical Security
Security procedures for physically accessing the IBM Power Hardware that hosts your IBM i servers. Hardware access is typically controlled by an entry desk, mantraps, keyed locks, key fobs, keypads, or biometric controls that safeguard your system from unauthorized entry.
Activation: Off-system capability.
Further reading: Hardware Security & Auditing Considerations for IBM i Servers
Security Level (QSECURITY)
The IBM i Security Level (QSECURITY) system value sets global requirements for password security, object security, and operating system integrity.
Activation: Native IBM i function.
Security System Values
System values that can be set on either a green-screen or in IBM Navigator for i. These settings designate password composition rules, job time outs, actions to take for failed logins, object restoration controls, audit controls, and more.
Activation: Native IBM i function.
Resource Security
Resource Security: Setting system and user object authorities that specify who can access specific objects and what users can do with each object (read, write, execute, etc.).
Activation: Native IBM i function and third-party software.
User Profiles
User Profile security identifies system users. Used to grant system access and specify what each user can do.
Activation: Native IBM i function.
Further Reading: Limiting and Controlling IBM i Users with Special Authorities
Group Profiles
Group Profile security defines resource authorities for groups of users.
Activation: Native IBM i function.
Exit Points
Exit point security attaches custom-written exit programs to IBM i exit points to provide additional processing capabilities for OS security functions.
Activation: Native IBM i function combined with third-party software or DIY programming.
Single Sign-On (SSO)
Single Sign-On is an authentication and authorization technique where a user can log in and access multiple IBM i and other servers/applications using a single set of login credentials.
Activation: Native IBM i functions in combination with a Kerberos server, a Network Authentication Service (NAS), and an Enterprise Identity Mapping domain (EIM).
Further reading: What is IBM i Single Sign-On (SSO)?
Security Audit Journaling (QAUDJRN)
IBM audit journaling can collect and analyze IBM i security auditing information. IBM i and Third-party software can analyze and produce security event reporting. Audit journal information can also transmit security info to Security Information and Event Management (SIEM) systems for enterprise DevOps analysis.
Activation: Native IBM i functions and third-party software.
Anti-Malware and Anti-Ransomware Protection
Anti-malware protection provides real-time detection, marking, quarantining, and deleting malware-infected Integrated File System (IFS) objects. Reports on and analyzes malware activity.
Anti-ransomware protection provides real-time detection, marking, quarantining, and deleting ransomware-infected IFS objects. Detects and stops ransomware attacks in progress. Reports on and analyzes ransomware activity.
Activation: Third-party software.
Multi-Factor Authentication
Multi-Factor Authentication (MFA) validates user identities using up to three verification factors, providing enhanced security against stolen user IDs, phishing scams and cyberattacks. Provides MFA compliance reporting for auditors and regulators.
Activation: Third-party software.
Data Encryption
Encrypts business critical and sensitive data, making stolen IBM i data meaningless to cyberthieves.
Activation: Third-party software.
Compliance Checking and Identifying IBM i Security Vulnerabilities
Your enterprise security, auditors, regulators, consultants, and industry best practices can provide information on how to set these and other capabilities for protection and compliance.
Software Engineering of America (SEA) also offers two services that can help you perform IBM i compliance checking and identify security vulnerabilities: iSecurity Compliance Evaluator and iSecurity Assessment.
SEA’s iSecurity Compliance Evaluator performs IBM i compliance checking for several common standards and regulations, including PCI DSS, SOX, and HIPAA. It rates and scores your IBM i compliance against your company’s predefined security plans and policies. Compliance Evaluator can send out full reports as well as non-compliance reports that only highlight your problem areas, using the criteria provided by you and your security stakeholders. A sample PCI compliance report is shown in Figure 1.
SEA’s free iSecurity Assessment provides an in-depth look at any unaddressed IBM i security vulnerabilities and risks that may exist on your system. It produces a detailed report covering potential threats and vulnerabilities in several key IBM i security areas, including:
- User authorities
- Password control
- Exit point vulnerabilities
- Network access issues
- System values
- IFS vulnerabilities
- Other common auditing issues
SEA developed iSecurity Assessment as a PC software package that you download, install, and run on a PC, not on your IBM i partitions. After performing the assessment, SEA’s experienced IBM i experts can review the report results with you, allowing you to identify your system’s security vulnerabilities and understand how to improve your security.
Further reading: How to Get a Free IBM i Security Assessment
Please Contact SEA if you’re interested in learning more about IBM i security or using our compliance and security checking offering.