Should You Prioritize Hardware and OS Upgrades Over IBM i Security?

In business, technology staff often struggle with tight budgets and under-staffing which forces strict prioritization of resources. Should that OS upgrade project precede a security project? Or vice-versa? These questions will yield a different answer when asked at different times for different people.

There are a large number of factors that influence this relationship and this blog post explores the key ones.

Distraction: Multiple Projects Compete for Attention

IT professionals are pulled frequently from their intended tasks to fight “fires” and are forced to juggle a dynamic list of priorities that has them rapidly and repeatedly shifting from one activity to another.

How else would one interpret HelpSystems’ Marketplace Survey showing security as one of the top three concerns for the past three years and yet the State of IBM i Security Study reporting a 15-year pattern of even the most basic of controls remaining non-configured? Security is deemed to be something worked on “after lunch” or when there is nothing else to do and that opportunity simply never comes around. After all, as many companies (perhaps incorrectly!) verbally state, “we’ve never been breached” and assume or hope that their luck will hold out long term.

Urgent projects will always arise and continue to be addressed based on criticality, but strategic maintenance tasks tend to be less susceptible to ongoing deferral. This is due in part to maintenance-related projects being more easily defined. Maintenance is planned out well in advance because funding for new hardware may have to be obtained, the resources involved are already busy, and there is the potential for planned outage. Upgrading the IBM i operating system before the installed one becomes unsupported, or to gain access new features, or installing additional disk units before all of the free space is consumed are all activities that have a tangible value to management and are assigned a clearly-defined timeline.

In contrast, security is viewed in the same vein as an insurance policy: its value negligible until needed. But unlike insurance, where a protection policy doesn’t influence the chance of the insured action from occurring, the value of security can be even less clear depending on the perception of the stakeholders as to whether the existence or lack of controls influences whether a security risk might be realized. Of course, it is always interesting (as well as frustrating) to see how all barriers to progress are lifted after an all-consuming data breach, when companies are scrambling to contain catastrophic damage that often occurs after that inevitable wake-up call.

Distractions can never be eliminated, so security projects must be scheduled alongside other maintenance and upgrade initiatives. The timing of each will have to be assessed individually. New security functions might require a more current version of the operating system and therefore should be scheduled first. In other instances, security should be prioritized over or done in conjunction with those other tasks such as when the OS upgrade will do nothing to enhance the current lack protection.

Resource Constraints: Teams Are Lean

It’s a well-known fact that most IBM i servers are maintained with minimal staff. Ask any member of the administrative team about their—often unwritten—job descriptions and you will likely get an exhaustive list of responsibilities. Security might appear in the lower third of the list and it is rare to find anyone who has received any formal training in security disciplines.

IBM i contains integrated security controls, which means they exist on every server and that’s the main reason that there is even basic familiarity. Day-to-day administrative tasks, such as performing saves and work management, are familiar ground to virtually every administrator, but security continues to be a largely ignored area.

The alarm for weak security is often muted for fear it will be blamed on the current administrative team. Ignoring clearly undesirable configurations can also be due simply to a lack of awareness (you don’t know what you don’t know), or the not unreasonable concern that tending to security will become yet another thing to learn, fix, and maintain when there are barely enough hours in the day already.

Administrators are hard-working, responsible, and proud of their computing environment; but expecting a lean team to proactively take on an additional responsibility without an edict from management is wholly unrealistic. Empowering staff with a capital and operating budget for acquiring required resources and security automation tools enhances their experience alongside improving the security stance for the entire organization.

Money: Funding Is Limited

The noted shortage cybersecurity skills has resulted in a field of job openings that are both appealing and financially rewarding; however, that does not mean every security project receives instant approval and unlimited financing.

In fact, one of the most common objections to the implementation of improved security controls continues to be that funding has not been established.

This is arguably less of an issue for popular server platforms, such as Microsoft Windows, due to the perception that they are more prone to being attacked and potentially breached. For midrange technology, consisting of application servers that are typically housed inside the perimeter defenses, there is a perception of lower risk and less urgency to address possible security issues.

When it comes to security versus maintenance, again, there is a perception of a tangible value from a faster processor or more storage space as opposed to the questionable ROI from a security lockdown. Management needs to be gradually brought up to speed on the well-documented costs from a data breach and possible non-compliance with a formal regulatory mandate.

Thanks to the popularity of leasing, servers often have about a three-year lifespan before the topic of a new lease is revisited. Security is something that should also have an ongoing cyclical lifespan as threats evolve and adoption of new technology changes the landscape. Security policies should be reviewed and updated on an annual basis and additional remediation steps taken and controls deployed as necessary. As with tradition maintenance, this takes money and resources, and both should be budgeted for annual allocation.

Perception: People Think IBM i Is Already Secure

IBM i enjoys an envious reputation for being highly secure. Eyebrows are raised when there is discussion about vulnerabilities in this technology as it undermines one of the most enviable and unique qualities of the platform.

The reality is a little more sobering. The State of IBM i Security Study reports that most servers continue to leverage security configurations that pre-date networking technology, not to mention popular business use of the internet. The IBM-supplied default for object permission is “allow all” instead of the more desirable “deny all” and there is little alteration of this during or after application deployment.

New user profiles are typically duplicated from an existing profile and this leads to a propagation of attributes that were appropriate only on the servers of yesteryear. In the ‘80s and early ‘90s, users leveraged green screen terminals and had physical point-to-point connections to the server. A menu was all that was needed to fence the user into having access only to approved application functions. Stripping the profile of command line privileges further increased the restrictions and provided important separation between the user and server tasks.

When network connectivity was introduced in the mid 90s, it brought with it an era of fast, easy-to-use services such as ODBC, DDM, and FTP. Users quickly discovered they had direct access to the databased and, in some instances, the ability to circumvent the command line restrictions. This new openness was great for the users and their productivity—but far less desirable to the security team who suddenly discovered application data was being corrupted and also leaving the server without generating an audit trail!

Misplaced perception about how secure an environment is remains a challenge to experts in the field and lowers the urgency for “fixing” what has been considered for decades as inapplicable to servers powered by IBM i. Certainly, many organizations do acknowledge that there is work that should be done and that their security configuration is likely out of date, often by generations, but the old adage of “if it ain’t broke don’t fix it” comes to mind.

Discard the dangerous notion that perimeter protection alone will protect an internal server from abuse. Also discard any perceived correlation between not having been breached in the past and the risk of being breached in the future. Security configuration review and remediation, along with critical event monitoring and notification, must be incorporated with OS and hardware upgrades as anticipated, budgeted, and mission-critical projects.

In a related observation, IBM’s X-Force Threat Intelligence Index 2018 reports that an overwhelming percentage of publicly disclosed security incidents that occurred as a result of inadvertent actors, 2015 through 2017, are attributable to misconfiguration rather than exploitation of an actual weakness. Thanks to the robust security features of IBM i, most of which are unfortunately not correctly deployed, this is the only real avenue to unauthorized access to application data.

Regulations: Compliance Violations Have Serious Consequences

Regulation creeps in the shadow of the most egregious data breaches. Industry bodies and national governments respond to outcries from their customers, members, and citizens when access is unauthorized or is grossly abused.

These legislative and industry efforts are an attempt to discourage a continued disregard for security controls to prevent a similar reoccurrence. Many regulatory mandates speak to the necessity of staying on current—and therefore supported— versions of operating systems and business applications. Important patches are mandated to be applied in a timely manner.

Malware has shone a global spotlight on this issue in recent years by exploiting unpatched environments with dramatic speed and reach. This is one of the few times time when security arguably comes out ahead of maintenance. Ironically, the process of patching and updating to current application and OS versions is typically considered a maintenance activity!

Comprehensive security controls are fully integrated within the IBM i operating system. Security system values, public and private authorities, authorization lists, and field procedures are just some of the numerous mechanisms that should be leveraged to lock down the environment and to satisfy the generic regulatory edict to harden security. While voluntary compliance to best practices is often met with the “after lunch” response, auditors and regulators tend to get the attention of the board room as non-compliance can bring both financial and legal consequences to the business and even to the officers themselves.

Surprisingly, even IT seasoned personnel have been heard to say that they are not a target for criminals as they do not host financial data, or that their users are not sophisticated enough to use tools like FTP or ODBC connections. This naivety is extremely dangerous as all data has some level of intrinsic value otherwise there would be no need to collect and store it. Users are often familiar with these common tools from prior positions or experience; not to mention that overly-powerful profiles can potentially be exploited by people other than their namesake.

With the honeymoon phase of the EU’s General Data Protection Regulation (GDPR) now over, regulators will be watching for violations of the eight data rights afforded to EU citizens. Astronomical fines will likely be levied against those that fall victim and are unable to provide proof that adequate protection was applied to the server and the database. Regulations like GDPR are only ground-breaking until the next mega-breach and the next regulation. They should be considered the basics of what should be done to protect information rather than configuration utopia, but they are also likely to raise the average cost of a data breach significantly if the existing GDPR fine structure is enforced.

While we now live and work in an era of headline-grabbing mega-breaches, that does not mean that there are not thousands of much smaller, less noteworthy breaches happening on a constant basis., a consumer advocacy agency, maintains an online chronology of data breaches that have occurred since 2005 and their running tally of breached records changes almost daily. Threats are becoming more frequent, attacks are increasingly sophisticated, and the financial impact is increasing.

Security vs. Maintenance: What Wins?

Arguments will always be made about whether security projects should be prioritized above traditional maintenance tasks or vice-versa. In my opinion, each initiative needs to be evaluated on its own merits.

Security is a critical task and there are things that must be fixed sooner rather than later. Best practices in IBM i security have been ignored for years with outdated and inadequate configurations.

Operating system enhancements can certainly make corrective action an easier. Introduced in v7.1, Field Procedures made encryption of data at rest a far less invasive proposition than it was previously. Authority Collection Services makes discovering the object authorities required by a user a simple task starting in v7.3. In these instances, it makes sense for an encryption or object-level security initiative to be prioritized after upgrading to the applicable OS release.

But in most cases, the OS doesn’t heavily influence the before and after security strength and so waiting on the “new server” or “new upgrade” does nothing but further delay the chance of good security and increase the risk of being breached.

Security is so much more than an insurance policy. It can prevent corruption of data from malicious and careless internal users that otherwise would be just as damaging as an external breach. For IBM i shops, security is long overdue, desperately under-deployed, and it’s time for emphasis to be placed on bringing the configuration out of the ‘90s.

Cyber Threats Are Relentless

Plans for hardware or OS upgrades shouldn't delay good security. Start by finding out where your system is at risk with a free Security Scan.