Kisco Systems

IBM i Security - A Dual Responsibility

Watch the above video replay of this webinar with Steve Will and Carol Woodbury hosted by Kisco Systems on April 23, 2025.

Webinar Summary

This is an edited version of an AI-generated meeting summary.

IBM's Security Enhancements in 7.6

Carol Woodbury and Steve discussed the security enhancements and changes introduced by IBM in their recent announcement. They highlighted the development process of IBM's operating system, emphasizing the importance of security by default and the integration of security and privacy by design. They also mentioned the provision of necessary artifacts from the operating system to meet various industry and country-specific certifications.

New Default Settings for Security

Carol discussed the new default settings for password levels and password rules in the system. She highlighted the need for users to review the Memo to Users before upgrading to a major release, as the changes could impact their environment. Steve agreed, noting that the new default settings were intended to provide a minimum level of security for new installations. Carol also mentioned the significant impact of multi-factor authentication on thwarting various types of attacks, particularly social engineering attacks.

Multi-Factor Authentication in Operating System

Carol and Steve discussed the integration of multi-factor authentication (MFA) throughout the operating system. Steve explained that the decision to implement MFA was based on client requests for increased security. He mentioned that the process took almost 10 years to develop and was finally implemented in the 7.6 release. Steve also clarified that while MFA is important, it is not the only security measure, as applications also handle their own MFA. Carol emphasized that IBM's access to the operating system made it the only organization capable of implementing MFA as comprehensively as needed.

IBM i 7.6 Release and MFA

Carol and Steve discussed the upcoming IBM i 7.6 release and its potential impact on their operations. Carol highlighted the importance of vendor relationships and the ease of configuring MFA on the system. She also mentioned the need for security configuration and user registration for MFA. Steve emphasized the need for flexibility in implementing MFA, allowing for staged rollouts.

MFA Integration and Upcoming Redbook

Carol and Steve discussed the integration of MFA with various software vendors, including Kisco, and how IBM has accommodated these vendors. They highlighted the flexibility of the solution, which can be rolled out as needed. Carol also mentioned the upcoming Redbook related to the major release, which will provide detailed information on MFA. Steve emphasized the importance of providing feedback on the draft Redbook. Carol also promoted the upcoming Power Up event, where Tim Mullenbach, the security architect, will be discussing MFA in several sessions.

IBM i Vulnerabilities and Reporting

Carol and Steve discussed the vulnerabilities found in IBM i systems. Steve explained that vulnerabilities can be discovered internally or externally, and when found, they are reported via CVE (Common Vulnerabilities and Exposures). He emphasized the importance of internal vulnerability reporting to allow for quick remediation. Steve also mentioned that the IBM i system has come under more attacks in the last five years than in all of its previous history. He appreciated the efforts of those who report vulnerabilities to IBM i before posting them publicly.

Maintaining Accurate Software Inventory and IBM i

Carol emphasized the importance of maintaining a software inventory and having accurate vendor contacts to stay informed about vulnerabilities. She also highlighted the need to include IBM i in the incident response plan and to stay updated on IBM security bulletins and alerts. Steve added that even if certain technologies are not being used, they can still introduce vulnerabilities if they are included in IBM i. Carol clarified that IBM would alert users if a vulnerability affects a product they have included.

Staying Current With Security Updates

Carol emphasized the importance of staying current with updates and removing outdated profiles and vendor products to prevent security vulnerabilities. She highlighted the need for regular system cleanups and the removal of unused file shares to protect against malware. Steve agreed, noting the risks associated with using outdated technology.

Securing the System With User Responsibility

Carol and Steve discussed the importance of both securing the system and proving that it is secure. They emphasized that they can't lock the system down to a single level of privacy and security, as it needs to cater to different standards. They highlighted the need for users to implement security measures and invest in tools like authority collection to ensure the system's security. They also mentioned the efforts of the team in Rochester to improve the system's security and encouraged users to do their part in securing the system.

IBM White Paper and Power Up Event

Carol and Steve discussed a white paper they worked on, which covers the topics discussed in the meeting. They also mentioned some IBM articles, including one on MFA. Justin invited attendees to attend the Power Up event to learn more about the new features directly from IBM. He also offered to help with readiness for 7.6 and MFA. Carol and Steve will present a shorter version of the meeting at the Power Up event. Justin promised to send out the presentation, video, and other resources in a follow-up email.

Download the white paper:

Securing IBM i: A Dual Responsibility

by Carol Woodbury, CISSP, CRISC



Download the webinar session slides