The purpose of this blog is to highlight the 3 most common IBM i security vulnerabilities and what you can do about it.
Disclaimer: IBM i is an operating system. iSeries and AS400 are servers. I use the terms interchangeably to make it easy for folks to find this information on the web.
IBM i has a well-earned reputation for being one of the most reliable, secure platforms on the planet.
Even so, many IBM i users may be unaware of vulnerabilities.
I have been researching IBM i security and vulnerabilities. You may already know that one of my favorite authors is Carol Woodbury. She has written and updated several excellent books about IBM i Security. These books are go-to resources that guide you where to look and how to remediate your IBM i vulnerabilities.
Another favorite author of mine is Alex Woodie, who writes for IT Jungle. In particular, Alex posted on August 12, 2019 the article “Is Authority Collection The Right Thing For IBM i Security?”
Check out:
https://www.itjungle.com/2019/08/12/is-authority-collection-the-right-thing-for-ibm-i-security/
This article highlights the 3 most common IBM i vulnerabilities:
1) Overuse of power authority levels,
2) Weak password rules, and
3) Lack of oversight of exit points.
If you are an IBM i admin and security expert you are most likely already aware of these vulnerabilities.
On the other hand, if these vulnerabilities are new to you let me provide you a high-level overview.
Overuse Of Power Authority Levels
IBM i OS offer its users the ability to adjust certain levels of authority. For example, you may want an Account Payable clerk to ONLY SEE information related to accounts payable, and NOT payroll information.
Alex Woodie notes:
The excessive authority problem is largely a byproduct of the legacy application situation. In the old days (i.e. before the Internet), IBM i developers weren’t concerned with using good security practices when building their applications, and so they did things like using ALLOBJ to allow regular users to access applications and data. As the world became more connected and dangerous, following good security practices became a higher priority. But that gap between the legacy IBM i applications and the current security environment remained in place.
A quick fix? Alex offered:
Adopted authority represents one way that IBM has tried to tackle the problem. Instead of opening up the applications and undertaking a major overhaul of authorities, IBM’s Uhling recommended that users address the problem by utilizing adopted authority. IBM i is one of the most secure-able platforms on the market, and adopted authority – by way of the authority collection – provides one way for IBM i shops to boost their security.
Even so, Alex points out that there are issues with this quick fix:
But is this the best approach? Some folks in the community have a difference of opinion, including Schmuel Zailer, chief technology officer at Raz-Lee Security, which develops IBM i security software. According to Zailer, the authority collection generates so much information that it’s practically unusable.
“What do you do with that information? That’s the question,” Zailer explained to us recently. “Now you have so many details. Every time that each one of us touch the files, we have all the possible authorities, and all the authorities needed for the file, and we have to compare it by how?”
The data generated by the authority collection is too voluminous and complex for your average system administrator to do much with, he said. “The authority collection information is several thousands of records, if not tens of thousands or hundreds of thousands,” he said. “It’s very complex.”
While Zailer dubs authority collection a “mistake,” he still oversees the development of Authority Investigator, which is a tool released in 2017 that helps IBM i users to make sense of the data generated by the authority collection. “We need a tool to compress the data so that we can see the forest and not the trees,” he says. “We see too many trees.”
Part of the problem is that there are multiple paths that administrators, users, developers, and even IBM can take to address the security problem. Authority collection was created, ostensibly, as a bridge to use the adopted authority mechanism that IBM makes available in IBM i. But there’s also debate as to whether adopted authority is the best approach for eliminating the excessive authority problem.
Alex continues:
The adopted authority mechanism brings its own set of limitations, the biggest of which is the IFS. If the user has objects stored in the IFS, the operating system will ignore adopted authority when checking whether the user has authority to access the object.
An alternative to adopted authority is profile swapping, in which a user temporarily switches in a more powerful user profile that has the necessary authority to accomplish some task, then switches back when it’s over. Many IBM i vendors, including Raz-Lee, offer some version of a profile swap or profile switch.
At the same time, some folks in the IBM i community argue that authority levels shouldn’t be handled according to user profiles, but should be managed by the job. And they also maintain that it’s the responsibility of the developer to ensure these jobs have the appropriate authority levels, not the job of an administrator.
Authority collection remains a work in progress. IBM is resolute that the new object-based views added in IBM i 7.4, not to mention new SQL capabilities, will boost its usefulness. It will take some time for the user community to use the product and decide whether it fits the bill, and, if necessary, make further changes, which Alison Butterill, IBM i Offering Manager, suggested could be made if needed.
Conclusion:
Security is one of the most important IT issues facing us today.
I’ll address the other most common vulnerabilities in a future blog.
In the meantime, for IBM i users concerned with security and limited resources, start investigating your 3 most common vulnerabilities:
1) Overuse of power authority levels,
2) Weak password rules, and
3) Lack of oversight of exit points.
Need Help?
Call me at 714-593-0387 or email me at blosey@source-data.com. Let us know how we can help!
To learn more about us, and view our customer testimonials, please visit our website: www.Source-Data.com and see our other links:
1) IBM I on POWER (iSeries/AS400)
https://www.source-data.com/ibm-i-on-power-server/
2) IBM I (iSeries/AS400) Cloud Hosting
https://www.source-data.com/cloud-400/
3) IBM I (iSeries/AS400) Disaster Recovery Options
https://www.source-data.com/cloud400-disaster-recovery/
4) IBM I (iSeries/AS400) Version Upgrade
Leave a Reply