How Secure Is IBM i?
As we all know, very secure.
No IBM i Viruses
Let’s start with viruses, since they still represent the single largest threat to computer security. In a nutshell, there are no known IBM i viruses. Compared to its main rivals, Windows, UNIX and Linux, this is impressive. For example, a quick Google search for Windows viruses reveals more than 55,400,000 hits.
No IBM i Vulnerabilities
What about vulnerabilities? Well, one of the most respected information resources is that of CIAC – the Computer Incident Advisory Capability of the US Department of Energy. A search of their website for ‘Unix’ reveals 169 files discussing UNIX vulnerabilities. A search for ‘Windows’ reveals 54 files. And a search for ‘IBM i’ finds zero matches in zero files.
This is impressive.
IBM i Secure Design
IBM i OS security lies in its design – it is object-based rather than file-based. Everything that can contain data that can be accessed via the operating system is an object. Objects also have attributes and an owner. The owner can grant, or revoke, other users’ access rights to owned objects. Each object comprises the object header and the functional component (i.e., the data or instructions).
The header includes information such as the object type, owner, date created, and an authorization list. The authorization list defines what ‘authority’ each user has over the object (e.g., *USE, *CHANGE, *ALL, etc.). Thus there is a very finely grained access control capability built into the very heart of the system.
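The access check described above, as an added example that is not part of the original article and is not IBM's code: a simplified Python model of an object header in which the named authorities *USE, *CHANGE and *ALL expand to specific authorities. The class and function names are hypothetical; the specific-authority names, *EXCLUDE and the public default are details the article does not mention; special authorities, group profiles and adopted authority are left out.

```python
# Simplified model of the object header described above (added example, not IBM code).
from dataclasses import dataclass, field

DATA = {"*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}
OBJ = {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF"}

# Each named authority expands to a set of specific authorities.
AUTHORITY = {
    "*EXCLUDE": frozenset(),
    "*USE": frozenset({"*OBJOPR", "*READ", "*EXECUTE"}),
    "*CHANGE": frozenset({"*OBJOPR"} | DATA),
    "*ALL": frozenset(OBJ | DATA),
}

@dataclass
class ObjectHeader:  # hypothetical name
    name: str
    obj_type: str
    owner: str
    public: str = "*EXCLUDE"  # model default for users with no entry (assumption)
    auth: dict = field(default_factory=dict)  # user -> named authority

    def _require_owner(self, actor):
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.name}")

    def grant(self, actor, user, authority):
        self._require_owner(actor)
        if authority not in AUTHORITY:
            raise ValueError(f"unknown authority {authority}")
        self.auth[user] = authority

    def revoke(self, actor, user):
        self._require_owner(actor)
        self.auth.pop(user, None)

    def allowed(self, user, needed):
        """True if `user` holds the specific authority `needed` on this object."""
        named = "*ALL" if user == self.owner else self.auth.get(user, self.public)
        return needed in AUTHORITY[named]

def demo():
    # Constructed sample object and users.
    f = ObjectHeader("PAYROLL", "*FILE", owner="ALICE")
    f.grant("ALICE", "BOB", "*USE")
    f.grant("ALICE", "CAROL", "*CHANGE")
    return {
        "bob_read": f.allowed("BOB", "*READ"),
        "bob_update": f.allowed("BOB", "*UPD"),
        "carol_update": f.allowed("CAROL", "*UPD"),
        "carol_delete_object": f.allowed("CAROL", "*OBJEXIST"),
        "dave_read": f.allowed("DAVE", "*READ"),
    }
```

In this model *CHANGE lets a user update the data but not delete the object itself, and a user with no entry falls through to the public authority.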
It is this design structure that gives people confidence in IBM i security. This security was designed into the product, NOT ADDED ON after the fact.
Let’s take a closer look.
IBM i OS security is implemented in hardware (aka firmware or microcode). Even if a hacker is familiar with IBM i, the system’s security is built in below the machine-level interface layer. The actual security implementation is included in the microcode of IBM i, below the level where anyone can get at it and change it. While a user could use service tools to get access below the machine interface, access to these powerful service tools should be restricted.
Next, the IBM i architecture prevents viruses. On a PC, program objects are stored as file objects, which can be modified. With IBM i, the program objects are encapsulated or stored in an internal form that cannot be modified. You can delete a program and recreate it from source, but there is no interface to go in and tinker with the internals of a program.
Because of this secure IBM i design, and probably the smaller install base of IBM i compared to Windows, UNIX and Linux, we don’t see any IBM i anti-virus products. Basically, IBM i is a secure system – or at least as secure as you can get.
Caution Still Required
Despite IBM i security, the potential exists for what we might call ‘high-level’ manipulation. There are many places in IBM i OS where a program can be tucked away, to run at a specified moment, or whenever a particular event occurs, or a special signal is sent. Even at a secure site, a programmer with sufficient knowledge or ill intent has ways of causing damage and disruption, though probably fewer ways of actually stealing or fraudulently using data.
The system may also be more vulnerable simply because of the server’s reputation for security. The weak point becomes the users and administrators, who may well take less care than they need to, believing the system to be safe enough on its own. It is in these two areas, protection from the outside and security administration, that we find the majority of third-party security software. So while we can say with some confidence that IBM i is still a very secure system, the network it serves may not be.