June 17, 2025 | IBM i

Implementing Privileged Access Management (PAM) on the IBM i


IBM i Identity and Access Management (IAM) policies help secure user access and prevent unauthorized access to system resources. Privileged Access Management (PAM) tools and practices—a subset of IAM—focus on limiting the number of privileged accounts (user IDs with elevated special authorities) and on managing, tracking, and auditing privileged access to IBM i systems and data. 

 

This post explores how to implement PAM tools and practices on IBM i servers. It examines how PAM can secure privileged accounts, reduce unauthorized access, detect suspicious behavior, ensure compliance, and more. 

 

Related reading: Creating an IBM i Authentication, Authorization, and Accounting Framework 

 

The Three Pillars of Privileged Access Management  

 

Privileged Access Management (PAM) integrates processes and tools to regulate the assignment, access, and use of IBM i privileges (elevated special authorities and object permissions). Many IBM i PAM frameworks are structured around three common strategic pillars for controlling privileged access (Figure 1): 

  1. Privileged account management – Provisioning, maintaining, and securely retiring IBM i privileged user accounts. 
  2. Privilege management – Managing how, when, and for how long users can use IBM i privileges (special authorities), as well as defining what users are allowed to do with those authorities. 
  3. Privileged session management – Monitoring, tracking, and reporting on privileged user access to detect suspicious behavior, document user activity, ensure compliance, and more. 

 

Several IBM i tactics and practices can be deployed within each pillar. IBM i includes native capabilities that support PAM (user classes, special authorities, group profiles, the security audit journal, and exit points), but achieving comprehensive PAM protection typically requires a user authority management solution such as iSecurity Authority on Demand along with other third-party solutions. 

 

Here are the key tactics and practices for implementing an IBM i PAM security framework built around these strategic pillars. 

 

Privileged Account Management 

 

Privileged account management practices help reduce the number of privileged users on an IBM i system. Fewer privileged accounts mean fewer potential attack vectors for cyberattacks and less potential damage in the event of unauthorized logins. 

 

Account management tactics focus on the creation, privilege demotion, and retirement of accounts with elevated authorities. On IBM i systems, privileged accounts generally include users with the following user classes or special authorities in their user profiles: 

 

  1. User class (USRCLS) set to *SECOFR (Security Officer) or *SECADM (Security Administrator). Programmer profiles (USRCLS = *PGMR) may also be considered privileged, depending on how much additional authority they have to production systems or whether they populate testing or quality assurance environments with live data. 
  2. Special authority (SPCAUT) list containing *ALLOBJ (All Object) or *SECADM (Security Administrator) authorities. Depending on organizational security requirements, users with other special authorities—such as *JOBCTL (Job Control), *SERVICE (Service), or *AUDIT (Audit)—may also be considered privileged. Note that a user also inherits the special authorities of its group profile (GRPPRF) and supplemental group profiles (SUPGRPPRF), so a profile whose own SPCAUT is *NONE is still privileged when one of its groups holds *ALLOBJ or *SECADM; the review must include group membership. 

 

Key practices to reduce and control the number of IBM i privileged accounts include: 

 

  • Provisioning new privileged accounts: Require multi-factor authentication (MFA) or other secure login technologies, such as single sign-on (SSO), for privileged users. Assign authorities through role-based access controls (RBAC) or group membership rather than directly on the individual profile. Depending on audit requirements, enforce longer and more complex passwords for privileged accounts than for non-privileged users, in accordance with enterprise security standards. 
  • Provisioning existing user accounts that require privileged access: Consider using a third-party user authority management solution to grant elevated authorities to existing IBM i profiles. The process should also document who requested the authority change, who approved it, the time period during which the elevated authorities will be active, and any other relevant information. 
  • Privileged account demotion and disposal: Review the privileged account list and determine the elevated authority each account currently requires. Remove special authorities that are no longer needed (demotion), and disable or delete inactive accounts (disposal) according to IT procedures. 
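The privileged account review described above can be scripted natively with the Db2 for i SQL services. The following is an added example written for this post, not code from the original article or from any vendor product. It assumes IBM i 7.3 or later with the QSYS2.USER_INFO and QSYS2.GROUP_PROFILE_ENTRIES views and the QSYS2.QCMDEXC procedure available; the profile name ALICE and the 90-day inactivity threshold are placeholders chosen for the example.

```sql
-- Added example (not from the original post): enumerate IBM i privileged
-- profiles with Db2 for i SQL services, then demote or disable stale ones.
-- Assumes IBM i 7.3+ with QSYS2.USER_INFO, QSYS2.GROUP_PROFILE_ENTRIES and
-- QSYS2.QCMDEXC. ALICE and the 90-day threshold are placeholders.

-- 1. Profiles that are privileged by the post's definition: user class
--    *SECOFR/*SECADM, or *ALLOBJ/*SECADM in the special-authority list.
--    SPECIAL_AUTHORITIES is a blank-separated list such as
--    '*ALLOBJ    *SECADM    *JOBCTL', so LIKE is the simplest test.
SELECT AUTHORIZATION_NAME, USER_CLASS_NAME, SPECIAL_AUTHORITIES, STATUS,
       GROUP_PROFILE_NAME, SUPPLEMENTAL_GROUP_LIST, PREVIOUS_SIGNON,
       CASE WHEN PREVIOUS_SIGNON IS NULL
              OR PREVIOUS_SIGNON < CURRENT TIMESTAMP - 90 DAYS
            THEN 'STALE' ELSE 'ACTIVE' END AS ACTIVITY
  FROM QSYS2.USER_INFO
 WHERE USER_CLASS_NAME IN ('*SECOFR', '*SECADM')
    OR SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
    OR SPECIAL_AUTHORITIES LIKE '%*SECADM%'
 ORDER BY ACTIVITY, AUTHORIZATION_NAME;

-- 2. Privilege inherited through a group: a member of a group profile that
--    holds *ALLOBJ or *SECADM is privileged even if its own SPCAUT is *NONE.
SELECT G.USER_PROFILE_NAME, G.GROUP_PROFILE_NAME,
       U.SPECIAL_AUTHORITIES AS GROUP_SPCAUT
  FROM QSYS2.GROUP_PROFILE_ENTRIES G
  JOIN QSYS2.USER_INFO U ON U.AUTHORIZATION_NAME = G.GROUP_PROFILE_NAME
 WHERE U.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
    OR U.SPECIAL_AUTHORITIES LIKE '%*SECADM%'
 ORDER BY G.GROUP_PROFILE_NAME, G.USER_PROFILE_NAME;

-- 3. Demotion: strip special authorities from a profile the review found no
--    longer needs them. The user class is lowered at the same time so the
--    class and the authorities stay consistent.
CALL QSYS2.QCMDEXC('CHGUSRPRF USRPRF(ALICE) USRCLS(*USER) SPCAUT(*NONE)');

-- 4. Disposal, first step: disable a stale privileged profile rather than
--    deleting it outright, so owned objects and audit history survive until
--    DLTUSRPRF with OWNOBJOPT is run under the change procedure.
CALL QSYS2.QCMDEXC('CHGUSRPRF USRPRF(ALICE) STATUS(*DISABLED)');
```

Run the queries from Run SQL Scripts or STRSQL under a profile with *SECADM and read authority to the profiles being reviewed. Extend the OR list with *JOBCTL, *SERVICE, or *AUDIT if the organization treats those as privileged. A profile that appears only in the second query is privileged through its group, so the demotion is a change to the group membership (SUPGRPPRF or GRPPRF), not to the member's own SPCAUT.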

 

Perform these steps on a regular basis. A best practice is to perform a privileged authority review before any required IBM i audit.  

 

Related reading: Limiting and Controlling IBM i Users with Special Authorities 

Related reading: FAQ: Using iSecurity Multi Factor Authentication versus Native IBM i MFA 

 

Privilege Management 

 

Privilege management replaces static privilege models with just-in-time (JIT) privilege management. In static privilege management, IBM i user profiles are permanently assigned elevated authorities and object permissions at the user ID level. These elevated privileges are rarely, if ever, revoked. As a result, more users hold privileged access than necessary, increasing risk when unauthorized logins occur and expanding the number of attack vectors on IBM i systems. 

 

With a privilege management model, elevated privileges are dynamically assigned and revoked as needed. Privileges are requested and temporarily granted based on business need, with all elevations and removals fully documented. This just-in-time approach helps reduce the number of users with elevated access and minimizes the security vulnerabilities that attackers could exploit. 

 

Consider implementing these privilege management tools and methodologies to replace static privilege management.  

 

  • Use a user authority management tool for temporary elevated privilege assignments: Tools such as iSecurity Authority on Demand allow personnel to request, approve, document, and revoke temporary elevated access on an as-needed basis. 
  • Assign and revoke elevated authorities using IBM i group membership and role-based access controls (RBAC): Instead of assigning elevated privileges to individual users, use group memberships and RBAC to manage access. Elevated authorities can be granted or revoked by adding or removing users from groups and roles. Group assignment and RBAC provide a clear, centralized view of users with elevated access, eliminating the need for individual user elevated authorities and object permissions. Because a job's group list is established when the job starts, a change in group membership takes effect at the user's next sign-on; jobs already running keep the old group list until they end, which matters for both grants and revocations.  
  • Monitor and control privileged user access with an IBM i exit point manager: Use third-party solutions such as iSecurity Firewall to define rules that restrict the actions of privileged users. Exit point managers can also trigger alerts and initiate automated responses when security events are detected. 
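The group-based just-in-time model above can be built from native IBM i facilities when no third-party tool is in place. The following is an added example written for this post, not code from the original article and not the workflow of any vendor product. It assumes IBM i 7.3 or later with QSYS2.QCMDEXC, an existing library PAMLIB, and uses the profile ALICE, the group ELEVOPS, the request table PAMLIB.ELEVREQ, and ALICE's existing supplemental group APPUSERS as placeholders.

```sql
-- Added example (not from the original post, not a vendor product): a native
-- just-in-time elevation built from group membership, a request log, and a
-- scheduled revoke. Assumes IBM i 7.3+ with QSYS2.QCMDEXC and library PAMLIB.
-- ALICE, ELEVOPS, APPUSERS and PAMLIB.ELEVREQ are placeholders.

-- 1. One-time: a group profile that carries the elevated authority. Nobody
--    signs on as the group, so it is created with PASSWORD(*NONE).
CALL QSYS2.QCMDEXC('CRTUSRPRF USRPRF(ELEVOPS) PASSWORD(*NONE) USRCLS(*USER) SPCAUT(*ALLOBJ) TEXT(''JIT group: all-object authority'')');

-- 2. One-time: a request log so every elevation records who asked, who
--    approved, the reason and the window, as the post requires.
CREATE TABLE PAMLIB.ELEVREQ (
  REQ_ID       INTEGER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  USRPRF       VARCHAR(10)  NOT NULL,
  GRPPRF       VARCHAR(10)  NOT NULL,
  REQUESTED_BY VARCHAR(10)  NOT NULL,
  APPROVED_BY  VARCHAR(10)  NOT NULL,
  REASON       VARCHAR(256) NOT NULL,
  GRANTED_AT   TIMESTAMP    NOT NULL DEFAULT CURRENT TIMESTAMP,
  EXPIRES_AT   TIMESTAMP    NOT NULL,
  REVOKED_AT   TIMESTAMP
);

-- 3. Grant: record the approved request, then attach the group. The window
--    here ends at 17:00 today. SUPGRPPRF replaces the whole supplemental
--    group list, so the user's existing groups (APPUSERS) must be restated
--    or they are silently dropped.
INSERT INTO PAMLIB.ELEVREQ
       (USRPRF, GRPPRF, REQUESTED_BY, APPROVED_BY, REASON, EXPIRES_AT)
VALUES ('ALICE', 'ELEVOPS', 'ALICE', 'BOB',
        'Change ticket CHG-1234: restore PAYROLL library',
        CAST(CURRENT DATE AS TIMESTAMP) + 17 HOURS);

CALL QSYS2.QCMDEXC('CHGUSRPRF USRPRF(ALICE) SUPGRPPRF(APPUSERS ELEVOPS)');

-- 4. Revoke automatically at the end of the window. SBMJOB SCDDATE/SCDTIME
--    holds the job on the job queue until the release time, so the revoke
--    runs even if the approver forgets. The command restates the original
--    group list.
CALL QSYS2.QCMDEXC('SBMJOB CMD(CHGUSRPRF USRPRF(ALICE) SUPGRPPRF(APPUSERS)) JOB(ELEVREVOKE) SCDDATE(*CURRENT) SCDTIME(170000)');

-- 5. Close the request once the scheduled job has run (or the work finished
--    early and the group was removed by hand).
UPDATE PAMLIB.ELEVREQ
   SET REVOKED_AT = CURRENT TIMESTAMP
 WHERE USRPRF = 'ALICE' AND GRPPRF = 'ELEVOPS' AND REVOKED_AT IS NULL;

-- 6. Control check for the daily review: requests past their window whose
--    group is still attached to the profile.
SELECT R.REQ_ID, R.USRPRF, R.GRPPRF, R.APPROVED_BY, R.EXPIRES_AT
  FROM PAMLIB.ELEVREQ R
  JOIN QSYS2.GROUP_PROFILE_ENTRIES G
    ON G.USER_PROFILE_NAME = R.USRPRF
   AND G.GROUP_PROFILE_NAME = R.GRPPRF
 WHERE R.REVOKED_AT IS NULL
   AND R.EXPIRES_AT < CURRENT TIMESTAMP;
```

Two caveats follow from how IBM i resolves groups. ALICE must start a new session after step 3 to pick up ELEVOPS, and any job she already had open when the revoke in step 4 runs keeps *ALLOBJ until that job ends, so a strict revoke also ends her active jobs (ENDJOB) or waits for them. Every CHGUSRPRF here writes a CP entry to the security audit journal, which is what the session-management reporting below draws on.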

 

Related reading: 3 Ways to Manage IBM i Exit Programs 

 

Privileged Session Management 

 

Privileged session management tools monitor, track, and report on privileged user activity to detect suspicious behavior, document actions, ensure compliance, and more. IBM i session management tools include screen capture solutions and user authority auditing and change management capabilities. 

 

Screen capture solutions: Products such as iSecurity Capture automatically record and store screen activity for privileged users on IBM i workstation sessions. Screen capture technology offers several key benefits, including: 

 

  • Creating audit trails for compliance and regulatory requirements 
  • Verifying the actions performed by privileged users on IBM i systems 
  • Supporting forensic investigations into unauthorized access or system issues caused by developers or DevOps personnel 
  • Aiding in the detection of suspicious or unauthorized behavior 
  • Maintaining a historical archive of actions performed under privileged access 

 

User Authority Auditing and Change Management Capabilities: User authority management solutions, such as iSecurity Authority on Demand, provide audit trails and reporting for privileged account access. Automated delivery options can send predefined change management and audit reports to security and auditing personnel whenever a privileged user signs on. 
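The native source for this kind of audit trail is the security audit journal QAUDJRN, which can be queried with the QSYS2.DISPLAY_JOURNAL table function. The following is an added example written for this post, not code from the original article or from any vendor product. It assumes IBM i 7.3 or later, that auditing is active (QAUDCTL includes *AUDLVL and QAUDLVL includes *SECURITY and *AUTFAIL, without which the CP, CA, and AF entries queried here are never written), that the OBJECT header field of a CP entry names the changed profile, and a 7-day reporting window chosen as a placeholder.

```sql
-- Added example (not from the original post, not a vendor product): native
-- IBM i audit reporting on privileged profiles from QAUDJRN via
-- QSYS2.DISPLAY_JOURNAL. Assumes IBM i 7.3+, QAUDCTL=*AUDLVL and QAUDLVL
-- containing *SECURITY and *AUTFAIL; the 7-day window is a placeholder.

-- 0. Confirm the audit configuration actually produces the entries queried
--    below. Without *SECURITY there are no CP/CA entries, without *AUTFAIL
--    no AF entries, and the report below is silently empty.
SELECT SYSTEM_VALUE_NAME, CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QAUDCTL', 'QAUDLVL', 'QAUDLVL2');

-- 1. The privileged population, using the post's definition.
WITH PRIV AS (
  SELECT AUTHORIZATION_NAME
    FROM QSYS2.USER_INFO
   WHERE USER_CLASS_NAME IN ('*SECOFR', '*SECADM')
      OR SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
      OR SPECIAL_AUTHORITIES LIKE '%*SECADM%'
),
-- 2. User profile changes (CP), authority changes (CA) and authority
--    failures (AF) from the last 7 days. OBJECT is the 30-character
--    qualified name from the entry header (object, library, member);
--    CURRENT_USER is the effective user of the job that wrote the entry,
--    which is the right actor when adopted authority is in play.
AUD AS (
  SELECT J.ENTRY_TIMESTAMP, J.JOURNAL_ENTRY_TYPE, J.CURRENT_USER,
         RTRIM(SUBSTR(J.OBJECT, 1, 10))  AS OBJ_NAME,
         RTRIM(SUBSTR(J.OBJECT, 11, 10)) AS OBJ_LIB,
         J.OBJECT_TYPE, J.JOB_NAME, J.JOB_USER, J.JOB_NUMBER, J.PROGRAM_NAME
    FROM TABLE (QSYS2.DISPLAY_JOURNAL('QSYS', 'QAUDJRN',
                 STARTING_TIMESTAMP  => CURRENT TIMESTAMP - 7 DAYS,
                 JOURNAL_ENTRY_TYPES => 'CP CA AF')) J
)
-- 3. The report: changes made TO a privileged profile (CP naming it as the
--    object) and actions taken BY a privileged profile (CA and AF written
--    from its job). The first shows who granted or altered privilege, the
--    second what the privileged user did and where it was refused.
SELECT A.ENTRY_TIMESTAMP,
       CASE A.JOURNAL_ENTRY_TYPE
            WHEN 'CP' THEN 'profile changed'
            WHEN 'CA' THEN 'authority changed'
            WHEN 'AF' THEN 'authority failure'
       END AS EVENT,
       A.CURRENT_USER AS ACTOR,
       A.OBJ_NAME, A.OBJ_LIB, A.OBJECT_TYPE,
       A.JOB_NAME, A.JOB_USER, A.JOB_NUMBER, A.PROGRAM_NAME
  FROM AUD A
 WHERE (A.JOURNAL_ENTRY_TYPE = 'CP'
        AND A.OBJ_NAME IN (SELECT AUTHORIZATION_NAME FROM PRIV))
    OR (A.JOURNAL_ENTRY_TYPE IN ('CA', 'AF')
        AND A.CURRENT_USER IN (SELECT AUTHORIZATION_NAME FROM PRIV))
 ORDER BY A.ENTRY_TIMESTAMP DESC;
```

A CP entry whose ACTOR is not one of the approved security administrators, or that falls outside a documented elevation window, is the finding a reviewer is looking for; a run of AF entries from a privileged profile is the behavioral signal the screen-capture and alerting tools above are meant to surface. Schedule the report with SBMJOB or a job schedule entry and route the output to the security and audit mailboxes to get the automated delivery the post describes without a third-party product.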

 

Related reading: Screen Capture: 6 Great Uses for an IBM i Screen Capture Program 

 

Conclusion  

Implementing a robust privileged access management (PAM) framework on your IBM i servers strengthens IBM i security by shrinking potential attack vectors, reducing unauthorized access, ensuring compliance, and more. Consider implementing IBM i PAM practices to regulate the assignment, access, and usage of IBM i privileges.  

 

Please contact SEA if you’d like to learn more about using privileged access management for IBM i security.