6 Pro Tips from the 2021 State of IBM i Security Study

Each year, Fortra conducts hundreds of Security Scans on IBM i servers around the world. The purpose of these free security checks is to identify common areas of vulnerability and help IT pros prioritize corrective action.

Security Scan recipients have the option to anonymously submit their data for inclusion in the annual State of IBM i Security Study, which was first published in 2004. Thousands of organizations have participated in the study over the years, and the data provide incredible insight into baseline settings, technology used to secure IBM i data, and the security gaps that exist.

The purpose of publishing this data is to help IT management and auditors understand IBM i security exposures and develop strategic plans to address—or confirm—high-risk vulnerabilities. The 2021 State of IBM i Security Study is now available to download, and this year it reviews seven major areas of IBM i security:

1. Administrative privileges (powerful users)
2. Public authority (to libraries and data)
3. Network access (through TCP interfaces)
4. User vulnerabilities and password policy
5. System security values
6. System audit controls
7. Antivirus controls

If you want to learn more about cybersecurity on IBM i, the study is a unique resource because it shows what’s actually happening on IBM i systems. If you’re responsible for IBM i security, you might wonder what your peers at other organizations are doing to protect their systems—the State of IBM i Security Study pulls back the covers to show you what’s going on at hundreds of organizations.

Without further ado, here are the top six expert tips garnered from the 2021 data:

Police the Perimeter Using Exit Programs

The most impactful way to improve your IBM i security posture is to deploy a commercial exit program solution. Unsecured exit points are most common vulnerabilities we see, and it’s also the area where taking corrective action can have the biggest impact.

This is also topic where we get lots of questions from IBM i pros. If you want to learn more about this topic, The Complete Guide to Securing IBM i Exit Points is a comprehensive resource. Our on-demand webinar, Security Alert: Prevent FTP and ODBC Data Breaches on IBM i, is another great place to start.

Restrict User Access to Database Information

Virtually every user on every system has access to far more data than they need. This situation increases the risk of a data breach and it violates most compliance mandates, like HIPAA and PCI DSS. The cybersecurity best practice is to follow the rule of least privilege, where users only have access to the applications and data they need to do their jobs—and no more.

Limit IFS Access and Scan File Systems for Viruses

Make sure you’re controlling access to the IFS. Since the IFS has an exit point associated with it, an exit program can do a good job of monitoring and controlling access, but it’s also important to be scanning these files for viruses and malware, leveraging the functionality that’s built into the OS.

Assess System Value Settings

Review your system values. So many of them are left in a default state, which certainly doesn’t mean they’re in the right state! Review them, establish a baseline, and then make sure they stay consistent. QSECURITY is one important example, but there are several dozen others that pertain to security and it’s important to evaluate all of them.

Harden User Access Policies

User access policies pertain to good password strength. Single sign on and multi-factor authentication are effective ways to counteract unsecure passwords that so many end users tend to use. It’s important to ensure the people connecting to your system have a reason to be there and that they are who they say they are.

Take Advantage of the Focus on Cybersecurity

There’s a growing understanding of the necessity for good security. This is true not only on IBM i but across the entire IT ecosystem. People in the Windows world have understood the importance of good security for a while, and the IBM i community is catching up. More and more IBM i pros are reaching out to request Security Scans, and they’re looking to better understand the business risks posed by security vulnerabilities.

Because security is such a hot topic right now, it’s a good time to get in front of your management team and get budget allocated to make sure IBM i isn’t left out in the dark. It’s such a critical system and the consequences of leaving it unsecured can be severe.

How You Can Take Action

If IBM i security is important to you, the first thing you should do is also the simplest: check your security configuration with a free Security Scan or get a detailed Risk Assessment. Before you start trying to fix things, get a health check. If you’ve already had an assessment, make sure it was done by someone who knows the platform well. And an assessment is something that really should be done at least once a year, and even more frequently in some cases.