Not so fast! “It won’t happen to me” is the most dangerous mindset a company can have towards security breaches and the possibility of stolen data. Information and data are the foundation of a successful business, dictating everyday decisions, so it’s imperative to take steps towards protection. Lack of protective measures and mishandling such data can result in compliance fines, legal settlements, profit decline, and, worst of all, a damaged reputation. In fact, the average cost of a data breach is 3.86 million dollars, and that’s before factoring in the loss of potential revenue due to losing customer trust. To help avoid these damaging repercussions, companies can look to IBM i security systems and their admin configurations.
A Jumpstart to IBM i Security
IBM i security plays a crucial role in helping organizations protect themselves from data breaches and misuse of confidential information. However, to configure IBM i security so that it fulfills your company’s security needs, you first need to identify your company’s points of vulnerability. That runs deeper than knowing about external threats such as hackers; it also involves knowing your internal points of weakness, such as misconfigured user profiles and poor password protection. It is key for companies to realize the existence and seriousness of internal vulnerabilities and to acknowledge that these internal threats can lead to security breaches.
An internal threat is categorized as a threat originating inside a company, government agency, or institution, and is typically an exploit by a disgruntled employee or a criminal insider. Internal threats also come in the form of uneducated employees who are unaware of how to properly handle sensitive data. This lack of knowledge can result in confidential data falling into the wrong hands or ending up on the wrong platform. Through IBM i security, there are various steps admins can take to help mitigate internal threats and protect their company from network hacks and data breaches.
The strength of your system security should support your company’s overall security goals. In order to determine your security goals, examine the confidentiality, integrity, and availability of your data.
The biggest vulnerability in IBM i’s current system security is the established password rules. Current rules allow:
- Use of the default password
- Minimum password length of less than 7 characters
- No expiration date on passwords
- Letters only (digits are not required)
These rules would be unacceptable in a variety of other network systems and leave your system vulnerable to a network breach. In fact, in many cases, these rules violate compliance regulations under other systems. For example, the Payment Card Industry Data Security Standard requires all passwords to be changed from the default password. We recommend that you create stricter password rules, consistent with those of the network you are working on, to protect internal users from vulnerability.
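To see where a system stands on the four weaknesses listed above, the queries below read the password system values and the user profiles through the IBM i SQL services views. This is an added example, not part of the original article; it assumes a release where `QSYS2.SYSTEM_VALUE_INFO` and `QSYS2.USER_INFO` (including the `USER_DEFAULT_PASSWORD` column) are available.

```sql
-- Added example: password posture check using IBM i SQL services.

-- 1. System-wide password rules, flagged against the weak settings in the list.
--    If QPWDRULES is anything other than *PWDSYSVAL, the individual QPWD*
--    values are ignored and QPWDRULES itself holds the effective rules.
WITH v AS (
  SELECT SYSTEM_VALUE_NAME AS NAME,
         COALESCE(TRIM(CURRENT_CHARACTER_VALUE),
                  TRIM(CAST(CURRENT_NUMERIC_VALUE AS VARCHAR(20)))) AS VAL
    FROM QSYS2.SYSTEM_VALUE_INFO
   WHERE SYSTEM_VALUE_NAME IN
         ('QPWDRULES', 'QPWDMINLEN', 'QPWDEXPITV', 'QPWDRQDDGT')
)
SELECT NAME, VAL,
       CASE
         WHEN NAME = 'QPWDRULES'  AND VAL <> '*PWDSYSVAL'
              THEN 'QPWD* values ignored: review QPWDRULES'
         WHEN NAME = 'QPWDMINLEN' AND VAL IN ('1','2','3','4','5','6')
              THEN 'minimum length below 7'
         WHEN NAME = 'QPWDEXPITV' AND VAL = '*NOMAX'
              THEN 'passwords never expire'
         WHEN NAME = 'QPWDRQDDGT' AND VAL = '0'
              THEN 'digits not required'
         ELSE 'ok'
       END AS FINDING
  FROM v
 ORDER BY NAME;

-- 2. Profiles that still use the default password (password equals the
--    profile name) or are individually exempt from expiration.
--    PASSWORD_EXPIRATION_INTERVAL: 0 = follows QPWDEXPITV, -1 = *NOMAX.
SELECT AUTHORIZATION_NAME,
       STATUS,
       USER_DEFAULT_PASSWORD,
       PASSWORD_EXPIRATION_INTERVAL
  FROM QSYS2.USER_INFO
 WHERE USER_DEFAULT_PASSWORD = 'YES'
    OR PASSWORD_EXPIRATION_INTERVAL = -1
 ORDER BY AUTHORIZATION_NAME;
```

The second query matters even after the system values are tightened, because a per-profile expiration setting overrides the system-wide interval.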
Administrator privileges allow admins to set access to data based on an employee’s need to access that information. IBM i has eight admin-level privileges that let you grant different levels of access.
When determining which level an employee has access to, you should use the rule of least privilege. This rule states that users should only have access to the systems and data they need to do their job effectively, and nothing more. Implementing the rule of least privilege involves analyzing each employee’s job requirements and determining the minimum amount of data needed to reach these requirements.
Furthermore, you should follow the rule of thumb that fewer than ten users should have special system privileges. Those users with special system privileges should undergo regular audits to ensure access to the data is still required and that they are using it correctly. Operating under that rule will force you to think about who truly needs access to this information and help keep it out of the wrong hands.
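A starting point for that regular audit is a list of every profile that holds a special authority, with a total to compare against the ten-user rule of thumb. This query is an added example, not part of the original article, and uses the `QSYS2.USER_INFO` SQL service.

```sql
-- Added example: inventory of profiles holding special authorities.
-- Only authorities granted directly to the profile are listed here;
-- a user also inherits special authorities from its group profiles,
-- so group membership (GROUP_PROFILE_NAME) needs the same review.
SELECT AUTHORIZATION_NAME,
       STATUS,
       USER_CLASS_NAME,
       GROUP_PROFILE_NAME,
       SPECIAL_AUTHORITIES,
       PREVIOUS_SIGNON,                      -- stale privileged profiles stand out
       CASE
         WHEN LOCATE('*ALLOBJ', SPECIAL_AUTHORITIES) > 0
           OR LOCATE('*SECADM', SPECIAL_AUTHORITIES) > 0
              THEN 'review first'
         ELSE 'review'
       END AS PRIORITY,
       COUNT(*) OVER () AS PRIVILEGED_PROFILE_COUNT
  FROM QSYS2.USER_INFO
 WHERE SPECIAL_AUTHORITIES IS NOT NULL
   AND TRIM(SPECIAL_AUTHORITIES) NOT IN ('', '*NONE')
 ORDER BY PRIORITY DESC, AUTHORIZATION_NAME;
```

The count includes IBM-supplied profiles, so separate those from human users before comparing the total with the rule of thumb.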
Typically, users access IBM i applications through the green screen, which is controlled by command line restrictions, menus, and application security. Non-traditional users can access the database through modern interfaces by using desktop tools such as Microsoft Excel and Access.
A problem with the current system is that users can execute commands through some of these alternate interfaces without command line permission. To prevent this, existing programs should be used as an additional measure to ensure the correct permissions are granted to the right parties. For both routes, control is possible without setting up private and public authority; however, it is highly recommended to set them up.
There are also various safeguards that can audit and control network-initiated access. A commonly overlooked safeguard is object level security. This tool acts as the final decision maker in determining who has permission to access different objects of information. Correctly implementing this safeguard acts as another layer of protection from potential human error.
On average, 30% of companies have over 1,000 sensitive folders open to everyone, leaving a large chance that sensitive data will fall into the wrong hands. This can be easily fixed by reviewing the default configurations and making sure they are properly set up.
For example, public authority is the default level of access that applies when a user has no explicit permission for something. The preconfigured setting on IBM i is *CHANGE, which allows the user to read, change, and delete data and execute programs. Companies often don’t reconfigure the default programs, leaving sensitive data open to many parties. To tighten security and further prevent misuse of data, admins should change the setting to *EXCLUDE, which authorizes user access on an as-needed basis. *EXCLUDE supports the rule of least privilege by giving only the necessary parties access to critical information.
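The queries below show how to check both the default and what it has already produced. They are an added example, not part of the original article: `QCRTAUT` is the system value that holds the default public authority for newly created objects, and `APPDATA` is a hypothetical library name to replace with your own.

```sql
-- Added example: public authority review using IBM i SQL services.

-- 1. Default public authority given to newly created objects
--    (shipped value is *CHANGE).
SELECT SYSTEM_VALUE_NAME,
       CURRENT_CHARACTER_VALUE,
       CASE WHEN TRIM(CURRENT_CHARACTER_VALUE) = '*EXCLUDE'
            THEN 'ok'
            ELSE 'new objects are open to *PUBLIC'
       END AS FINDING
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME = 'QCRTAUT';

-- 2. Changing the default only affects objects created afterwards.
--    Existing objects keep the public authority they were created with,
--    so list every object in a sensitive library that *PUBLIC can reach.
SELECT OBJECT_SCHEMA,
       OBJECT_NAME,
       OBJECT_TYPE,
       OBJECT_AUTHORITY,
       OWNER
  FROM QSYS2.OBJECT_PRIVILEGES
 WHERE OBJECT_SCHEMA = 'APPDATA'           -- hypothetical library name
   AND AUTHORIZATION_NAME = '*PUBLIC'
   AND OBJECT_AUTHORITY <> '*EXCLUDE'
 ORDER BY OBJECT_TYPE, OBJECT_NAME;
```

Before moving an object's public authority to *EXCLUDE, confirm which users and applications rely on it and grant them explicit authority first, otherwise legitimate jobs will start failing with authority errors.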
Calling All Admins
There are many safeguards and configurations within IBM i systems security that can help protect your company. These are just a few important but commonly overlooked configurations that an admin can easily change to create powerful results. Each proper configuration you make is an added layer of protection for your company and its data.