May 22, 2024 | IBM i

Hardware Security & Auditing Considerations for IBM i Servers


Recent IBM i research suggests that up to 90% of IBM i servers run on IBM Power systems residing on-premise or in a hybrid/cloud environment. Each Power server must satisfy hardware security and auditing requirements imposed by enterprise stakeholders, including security teams, auditors, regulators, governmental agencies, and insurance companies. Hardware security requirements complement and support the operating system protection and access requirements also required by enterprise stakeholders. 

 

Here are some common auditing and security considerations that may pertain to your on-premise IBM Power hardware running IBM i servers and associated devices. Review these hardware-based requirements to stay secure and in compliance before your next audit occurs.

 

1. Secured locations for IBM Power hardware 

2. Secured locations for IBM i servers for PCI DSS  

3. Secured locations for sensitive peripheral equipment, backups and supplies 

 

Details for each hardware security consideration are listed below. 

Secured locations for IBM Power Hardware 

IBM Power systems running IBM i servers should be housed in a secured environment (Data Center, equipment room, Managed Service Provider, etc.). The secured environment must have an access control system such as a locked door, numeric keypad, or biometric access device. Access should be recorded and a historical record of who accessed the equipment room on what dates and times should be available.  

 

Secured locations are usually climate controlled and have a fire suppression system in place. Other possible requirements include dual power supplies and UPS capabilities to power the systems in case of a utility power failure.  

 

IBM i also has an Uninterruptible power supply delay time system value (QUPSDLYTIM) that specifies how long the system waits before saving main storage and powering down after a utility power failure. If the system switches to auxiliary power or a UPS, IBM i will detect the switch and wait the number of minutes specified in QUPSDLYTIM before powering down. Many UPS systems have limited backup power capabilities. This setting helps protect your IBM i systems from a hard crash if backup power runs out.

 

You can also specify a message queue that will receive notifications from a UPS system when it begins powering your IBM i systems. These messages can be monitored by IBM i Message and Resource monitoring software such as absMessage to automatically send alerts to administrative personnel when a power outage occurs.  

Secured locations for IBM i servers used for PCI DSS  

There are special location, network, and segmentation requirements if your IBM i servers running on Power systems are considered within scope of a Payment Card Industry Data Security Standard (PCI DSS) environment. PCI DSS requirements are intended for all entities that: 

 

1. Store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD)

 

OR

 

2. Could impact the security of the cardholder data environment (CDE) 

 

Any IBM i server running on an IBM Power system that falls into either of these categories is considered part of a cardholder data environment (CDE) and PCI DSS requirements will apply.  

 

Being part of the overall scope for PCI DSS increases cost, the difficulty of maintaining PCI DSS controls, and the risk to payment card account data. IBM i servers can be removed from a PCI DSS scope if they are segmented (isolated) away from the CDE. Segmented servers cannot impact CDE security, even if that server is compromised.

 

This is a simplified explanation for determining whether an IBM i server/Power system is considered within scope for PCI DSS audits, and where to house and network that server. Depending on whether your IBM i servers fall inside or outside of a PCI DSS CDE scope, you may need a separate secured location in which to house a system.

 

The Payment Card Industry Data Security Standard, Requirements and Testing Procedures version 4.0 contains more information on how to determine if an IBM i server/Power system is in a PCI DSS scope and how to segment a server to remove it from that scope, if necessary. 

Secured locations for sensitive peripheral equipment, backups and supplies 

If you are using a physical IBM i system console, such as a 5250 console or a Hardware Management Console (HMC), it should also be housed in a secured area.

 

If you’re using your IBM i to produce sensitive documents or other output (such as checks, tax forms, employee forms, customer statements, etc.), any equipment used to produce that output (including printers) and the forms themselves may also need to be secured. This requirement is intended to prevent fraud.

 

Note that insurance companies or other regulators may prohibit you from printing or storing boxes, documents, and blank forms in the same secured environment as your IBM Power systems. The concern stems from dust from paper products damaging equipment. If required, you may need to create a second secured location for producing and storing sensitive records and supplies. Check with your stakeholders to determine whether a historical record of who accesses a second location is needed. 

 

In addition to printers and forms, you may also need to house other equipment and supplies that store or transmit sensitive IBM i data in a secured area. Tape drives, backup devices, fax machines, etc. may be required to reside in the same room as your IBM Power servers. Networking equipment must also be located in a secure area to prevent it from being disconnected or having its configuration settings changed. 

 

Pay particular attention to your IBM i backup media, especially removable media (including tapes) and disk-based backup. Backup media should always be stored in a secure location. You may also be required to encrypt removable media so that if it is intercepted, lost, or stolen, no one can access sensitive IBM i data without an encryption key. Encryption for removable media can be achieved by either: 

  • Using encryption-capable hardware, including tape drive and disk encryption 
  • Using data encryption software such as iSecurity Encryption and absCompress that provide field-level encryption and high-speed encryption for data or objects residing on disk. Encryption software helps ensure sensitive data is encrypted whenever it moves off an IBM i, either on removable media or when transmitted remotely to another device.

Don’t forget your hardware  

When planning for an audit, make sure you understand and have implemented any hardware security and auditing requirements imposed by enterprise stakeholders. These requirements should also be reviewed when a system change is required, such as acquiring new IBM i servers in an acquisition, moving hardware to a managed service provider, or expanding an on-premise equipment room.  

 

Please contact SEA to learn more about IBM i hardware and software auditing and security requirements.