By Rich Loeber
For many, this has been a hard year. In many IBM i shops, we have been forced to find new ways to save on expense while still being asked to provide the same level of computing support as in past years. This is not always easy, and I have seen evidence that some shops are sacrificing security to conserve on their budgets.
One significant area where I've seen this is data asset protection. More than one shop that I've been in touch with this year has decided to put their complete trust for data asset protection into their firewall at the expense of all other ways of protecting their data.
With your system attached to a network on a full-time basis, and with the network interconnected to the Internet around the clock, trusting your data protection to a single piece of technology is just a bad idea. Imagine yourself living in a neighborhood with a high crime rate. Would you have a single lock on your door? Like most people in this situation, wouldn't you use two or three (or even more) methods to keep your doors and windows secured?
When your system is connected to the Internet, you are in a high-crime neighborhood and you need to use the same approach to protecting your data. If someone breaches your single point of protection, your entire system could be left open to malicious abuse.
Also, trusting your data protection to just a firewall completely ignores the issues of intrusion from sources within the "protected" network. In a small shop, where you can see who is in and who is doing what, maybe this is not much of a concern, but in today's large shops with widespread deployment of networks, you cannot keep an eye on what everyone is doing. Anyone who is within the "secure" network can find access to your system using a variety of tools available to today's savvy computer users.
If you have deployed your firewall as your primary defense against intrusion, you are completely ignoring the enemy from within your organization. Most security experts will tell you that at least half of all intrusions today (some say more) come from within your organization. With the ease of downloading data and storing it in a convenient portable form, anyone in your organization could easily take home critical data assets from your organization on a laptop or even on a USB drive that looks like a key fob.
The question you need to ask yourself is: am I saving money wisely, or am I thinking short term just to look good? In today's environment, you simply cannot put all of your eggs in one basket. To adequately protect your system, you need to present multiple hurdles for your enemies to overcome. If they get past one, there is a good chance that the next one they encounter will defeat them.
The good news is that your IBM i comes with a lot of tools available to you so you can build these additional lockouts. To protect yourself from the enemy within, you will need to build strong object level access controls. You will need to rigorously enforce a policy of no user profiles with *ALLOBJ authority. You will need to also enforce a policy of password rotation on a frequent basis with password controls that prevent the reuse of passwords and the use of passwords that are easy to guess. Lastly, the strong lock of exit point controls will also help keep your data safe.
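As a starting point for the *ALLOBJ and password policies above, the following audit queries are an added example, not part of the original article. They assume the IBM i SQL services QSYS2.USER_INFO and QSYS2.SYSTEM_VALUE_INFO are available on your release and that you run them under a profile with enough authority to see every user profile.

```sql
-- Added example: list every profile that holds *ALLOBJ, either directly
-- or inherited from its primary group profile.
-- Assumption: supplemental groups (SUPPLEMENTAL_GROUP_LIST) are not
-- followed here and need a separate review.
SELECT u.AUTHORIZATION_NAME,
       u.STATUS,
       u.GROUP_PROFILE_NAME,
       CASE
         WHEN u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%' THEN 'DIRECT'
         ELSE 'VIA GROUP'
       END AS ALLOBJ_SOURCE,
       -- 0 = profile follows system value QPWDEXPITV, -1 = never expires
       u.PASSWORD_EXPIRATION_INTERVAL,
       u.PREVIOUS_SIGNON
  FROM QSYS2.USER_INFO u
  LEFT JOIN QSYS2.USER_INFO g
         ON g.AUTHORIZATION_NAME = u.GROUP_PROFILE_NAME
 WHERE u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
    OR g.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
 ORDER BY ALLOBJ_SOURCE, u.AUTHORIZATION_NAME;

-- Added example: show the system values behind password rotation,
-- reuse prevention and minimum strength so they can be compared
-- with your written policy.
SELECT SYSTEM_VALUE_NAME,
       CURRENT_NUMERIC_VALUE,
       CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QPWDEXPITV',  -- password expiration interval
                             'QPWDRQDDIF',  -- reuse of previous passwords
                             'QPWDMINLEN',  -- minimum password length
                             'QPWDRULES')   -- password composition rules
 ORDER BY SYSTEM_VALUE_NAME;
```

IBM-supplied profiles such as QSECOFR will appear in the first result; the rows to chase are the ordinary user and service profiles, and any group profile that passes *ALLOBJ on to its members.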
All of these options, and more, are open to you. Some may cost you some money, but the alternative of seeing your organization on the front page of the paper for data theft would be much more expensive in the long run.
If you have any questions about this topic, you can reach me at rich at kisco.com and I'll give it my best shot. All email messages will be answered.