A few weeks ago I published a blog about IBM i security built in at the beginning.
I want to highlight sections of Frank Soltis book “Inside the AS/400.”
Dr. Soltis notes that the AS400 security features were not an afterthought.
Specifically, the IBM i has actually 2 operating systems – the IBM iOS and the License Internal Cover (LIC or microcode). IBM iOS runs on top of LIC, which is part of the POWER server hardware.
LIC runs “under” iOS. LIC knows the details of the hardware and how to execute hardware instructions from iOS.
Built into LIC is object identification. So as objects enter LIC, they are identified as data or programs and “encapsulated” as such in “containers”. This means that malicious programs that might sneak in as data, like with other systems, cannot be executed on IBM i. The IBM i servers are virus and malware resistant because of this design and there is no way around LIC.
The LIC kernel is proprietary and secret. The IBM LIC developers did not share it outside the IBM i design team which contributes to the security of the IBM i OS to avoid compromised integrity. This means that nothing outside of the microcode can be processed in LIC.
In contrast, portions of all other OS kernels are available for developers to modify, which leads to hacking, viruses and malware.
There is more good news with IBM i LIC being closely guarded. While sharing common software parts across multiple operating systems may seem like a nice cost savings for other systems, they cannot match the consistency and integration the IBM i enjoys.
LIC provides two other advantages – 1) integration and 2) hardware independence.
First, in terms of integration, the POWER server hardware and LIC are designed to work closely together – tight integration. LIC is designed to work with each specific new version of POWER hardware.
Second, because of this tight integration of LIC and the hardware and the way IBM iOS works with LIC, the user never has to deal with integrating their applications or IBM iOS with the hardware – it is already done for them.
Perhaps you may have purchased separate electronic entertainment components for a home theater. The salesman assures you that because they are all made by the same manufacturer, the remote controls “are universal” and will all work together. You are surprised when you get home to set them up for total system operation when you discover you need each remote control. Further, the interface for each remote control is different. Buttons for the same function are in different places and often have different sizes and shapes. Even the names for some of the same functions are different.
Many business people are using several “remote controls” to run their business computer installations.
In terms of hardware independence, LIC is unique to each version of hardware. This means that an IBM user can move from a legacy POWER5 server, say 9406-520, to a new POWER8. Clearly, the hardware instruction set and capabilities are very different between POWER5 and POWER8. LIC serves as the interface between the IBM iOS and the different hardware. LIC is an “expert translator” so your applications that run on IBM iOS talk properly to the new hardware – and YOU never have to be concerned. LIC handles those details.
An integrated system like IBM i POWER server makes more sense. IBM iOS LIC provides 1) tight security against viruses and malware, 2) integration, and 3) hardware independence.
This helps explain why IBM users have smaller staffs and far fewer system operation headaches.
