How Much Security Is Enough?

By Rich Loeber

Just how much security is enough security for your IBM i? This tip will explore this question and, hopefully, get you thinking about your own environment.

In the good old days, enough security meant that you had a lock on the computer room door and you actually used it. Keeping people out of the computer room was all that was necessary. Then along came CRTs and cabling started reaching outside the computer room environs and security became more of an issue. Someone came up with the idea of requiring a CRT user to log into the system using a user identifier and a password. With that little invention, things seemed to get back under control. But, before long, along came PCs followed closely by client/server applications and then the Internet. Now what do we do?

For many shops, a strict reliance on the user profile and password is still the watchword of the day. But, is that enough given today's technology? I think not. The problem with today's networked environment is that you can never be absolutely certain who is at the other end of the line.

But, what is enough? The concept of the Firewall has captured the hearts of many security officers to address this issue. In fact, for many companies, the firewall is the be-all and end-all of their security plan. "We've got a firewall in place!" .... case closed. But, is that enough along with your user profile/password implementation? Again, I think not. Multiple studies of computer break-ins and data compromises reveal that fully half of all such incidents are inside jobs committed within the boundaries of the firewall "protection".

What you really need is a multifaceted approach to security. You need passwords, a firewall, and more. In the old days, if the bad guy could get into the computer room, he could do some damage. But, if you had multiple doors with multiple locks, it would take him longer to break in and you'd have a much better chance of catching him in the process. In a way, today's environment needs to be thought of in this same way. Relying on a single security defense is just not enough today. You have to deploy multiple defense strategies to be successful.

For your IBM i installation, this should include all of the security tools that are at your disposal. It means implementing object security based on a coherent company-wide policy. It means strictly limiting those profiles that have all object authority. It means implementing exit point security with object level controls there as well. It means controlling which IP addresses you are going to trust and allow access into your system. It means having a good user profile and password maintenance plan in place with regular rotation of passwords. It means quickly rescinding access rights for people who leave or change job assignments. And the list goes on and on.

I suppose that it is a true statement that no computer system is 100% secure. But, if you build enough fences that have to be climbed and add enough doors that have to be unlocked, the result will be as secure a system as is possible. What you don't want to do is make it easy, which unfortunately is all too common in today's IT shops.

If you have any questions about this topic you can reach me at rich at kisco.com, All email messages will be answered as quickly as possible.