By Rich Loeber
IBM i owners regularly boast about the security built into their systems, and rightly so, but if you don't implement and use the features, they're not going to do anything for you.
I have mentioned before that I live in upstate New York, in the heart of the Adirondack Mountains. In our neck of the woods (literally), security is not much of an issue for most people. In fact, most of our neighbors never lock their homes or cars since theft is just not a problem. At our house, we have extensive outdoor "security" lighting installed, and we use it whenever we go out at night. We even have one light on a motion detector that comes on automatically in case we forget the other lighting. But, even with the lighting on, we usually leave the door unlocked just because it is easier to get back in when we return home. If we ever get ripped off, we shouldn't be surprised as to how it happens.
I'm surprised, however, when I hear about and work with IBM i shops that have this same approach to computer security. An alarming number of shops just do not pay attention to security issues and are surprised when a problem develops. The IBM i OS provides robust security capabilities and tools, but too often they go unused just because it is easier without them.
I remember an IT director I knew, I did some consulting work for his company. I encouraged him to move up to security level 30 and implement object level controls on several mission critical files on their system. He gave it a try and, without any planning, moved the security level from 20 to 30 and IPL'd their system. When nobody could sign on except the security officer from the console, he backed the system back to level 20 and never tried it again. It would still be running at level 20 today if the company had not gone out of business.
My company sells a number of security solutions for the IBM i market. I am always amazed at the number of customers who buy our solutions and then never fully implement them. Some of these, it turns out, purchased our software just to satisfy an audit recommendation or someone else's concern. For others, they probably just don't have the time or the people resources to do the implementation correctly, so they shelve it or put it on the back burner.
The same is true for the shop that never bothers to set up the IBM i OS security. They've made a significant investment in IBM i, but are not bothering to use what they've paid for. Security is just as much of an investment as the computer hardware that it runs on.
You would probably never think of leaving the front door of the building open all night with the lights on. By that same measure, you should not leave your system exposed to intentional or even accidental abuse when you have it within your grasp to correct the situation and you have all the tools to do so at your disposal.
If you're reading this and see your own shop (or even yourself), don't worry. Its not too late to do something. Take an incremental approach and develop a plan. Don't rush into it, like my friend above, and do something you'll regret, but don't just sit there leaving your system exposed. The important thing is to get started and stop putting this off or waiting for enough resources or budget support.
If you have questions about details of the report, feel free to contact me directly by email (rich at kisco.com).