This document discusses layers of security for system access on IBM i systems. It covers four main areas: password management, multi-factor authentication, network access control, and command control. The webinar provides an overview of these areas, outlines best practices for strengthening security in each, and notes that third-party solutions can help administrators more easily implement granular security controls. The overall message is that a layered approach to security is needed to protect against modern threats to IBM i systems.
2. Housekeeping
Webinar Audio
• Today’s webinar audio is streamed through your computer
speakers
• If you need technical assistance with the web interface or audio,
please reach out to us using the Q&A box
Questions Welcome
• Submit your questions at any time during the presentation using
the Q&A box
Recording and slides
• This webinar is being recorded. You will receive an email following
the webinar with a link to the recording and slides
2
3. Today’s Agenda
• Layers of Security Overview
• IBM i System-Access Security
• Password management
• Multi-factor authentication
• Network-access control
• Command control
• Q & A
3
5. IBM i System-Access
Security
Keep unauthorized users
out of your IBM i; maintain
tight control over what
authorized users are able
to do once logged in
5
6. IBM i System-access Security
1
Password
management
2
Multi-factor
authentication
3
Network-access
control
4
Command control
6
8. Password management
8
• Weak passwords and dormant user profiles pose a
significant security vulnerability
• Regularly review the validity of user profiles
• Activate the QPWD* system values that require
strong passwords
• Many companies have some form of
Password Protection to be compliance with
Corporate Policies
9. Password Management Basics
Passwords alone are
weak. The frequency
of breaches due to
stolen or guessed
passwords and brute-
force attacks requires
an additional layer of
user authentication
security.
Basics Benefits
System Value for security level QSECURITY
(10,20 & more)
Makes passwords required
System Values for Signon attempts
QMAXSGNACN & QMAXSIGN
Protects from guessed password & brute
force attacks
System Value for Password Level QPWDLVL
(0,1,2,3)
Strengthens passwords
Additional System Values for Password
management QPWD*
Strengthens passwords
Single Sign On & EIM Simplifies password management
SSL, TLS Encrypts passwords
These measures provide basic password security. How do you take
the next step in password security?
9
11. Why Adopt Multi-Factor
Authentication?
• Regulations are evolving to require or recommend MFA
• MFA avoids the risks and costs of:
• Weak passwords
• Complex passwords
• MFA can support internal strategy and legal requirements
• BYOD (Bring Your Own Device) vs COPE (Corporate Owned,
Personally Enabled)
• MFA uses two or more of the following factors :
• Something you know or a “knowledge factor” (user ID, password, PIN)
• Something you have or a “possession factor” (phone, smartcard, token
device)
• Something you are or an “inherence factor” (fingerprint, iris scan, voice)
11
13. Network-access control
13
The IBM i is increasingly connected
• Prior to the 1990s, the IBM i was isolated
• In the 1990s IBM opened up the system to TCP/IP
• The numbers of ways the system could be accessed grew
• Legacy, proprietary protocols now cohabitate with new, open-source protocols
– creating access point headaches
• The worldwide hacker community now recognizes the IBM i as a high-value
target
Prevent unauthorized access via sockets and network protocols
• Examples include ODBC, FTP, DRDA, etc.) can be prevented
• Use exit programs that cover network and socket exit points
• Because exit programs can be difficult to create and maintain, many shops
choose to utilize third-party solutions
• Streamline these tasks
• Provide the ability to trigger alerts should suspicious activity be detected.
15. Command control
15
• Across all platforms, companies are installing additional
security stacks to control access
• Installing additional software
• Accessing files with sensitive information
• Challenges with securing command access in IBM i
• The incorrect use of commands by users can cause considerable
damage (deleting files, ending processes, or worse)
• Access to commands can be controlled to some extent through
user profiles and object-level security
• A more refined approach to command control is often required –
especially for powerful profiles
• Third-party solutions provide rules-based exit programs that give
administrators a more granular approach to locking down
commands
16. Top Takeaways
• Review your company password
standards
• Implement Multi-factor Authentication
• The IBM i is a high-value target for
hackers
• Lock down commands
• Know what your people are doing
16
18. Download the White Paper
The six layers of IBM i security and how
Precisely can help
18
https://www.precisely.com/resource-center/whitepapers/the-essential-
layers-of-ibm-i-security
19. Layers of Security Webinar Series
19
Topic 1 Topic 2 Topic 3
access on Resource Center
Topic 5 Topic 6Topic 4
register now!today
The increased frequency of high-profile breaches and the corresponding rise of new and expanded regulatory compliance requirements is putting enormous pressure on IT departments to assure their corporate executives that business-critical systems and data are secure. One particular statistic from a recently conducted Precisely survey of IT professionals is revealing in that 69% of respondents said they were only “somewhat confident” (or worse) in the effectiveness of their company’s IT security program. Given today’s rapidly evolving security threats, even being “somewhat confident” doesn’t cut it.
Improving confidence in one’s IT security posture requires a solid understanding of all potential vulnerabilities as well as the most effective best practices and technologies in order to minimize the possibility of a breach. To help, Precisely has created this white paper as a roadmap, grouping together important security best practices and technologies into six primary categories or “layers.” These layers cover physical devices, networks, configuration of the IBM i OS, access to systems, protection of data at the file and field level, and monitoring and auditing of systems. The reason it’s particularly helpful to view these security categories as “layers” is that, to some extent, each category overlaps with the others to provide multiple lines of defense. In other words, should one security layer be somehow compromised, there’s a good chance that another layer will thwart a would-be intruder. The six layers of IBM i security are summarized in the following diagram and are detailed in the remainder of this white paper
In instances where users need to access IBM i environments containing especially sensitive data, third-party technologies can be implemented that require two or more identifying factors from users before access is granted. Most people are implementing MFA today. Some regulations require MFA per system not just once when sign into the network. Everyday examples.
This is a way to take a step further to resource access. In addition to being used to control access to systems, multi-factor authentication solutions can typically be implemented via API calls to control access to specific databases, individual files, or even commands..
The increased frequency of high-profile breaches and the corresponding rise of new and expanded regulatory compliance requirements is putting enormous pressure on IT departments to assure their corporate executives that business-critical systems and data are secure. One particular statistic from a recently conducted Precisely survey of IT professionals is revealing in that 69% of respondents said they were only “somewhat confident” (or worse) in the effectiveness of their company’s IT security program. Given today’s rapidly evolving security threats, even being “somewhat confident” doesn’t cut it.
Improving confidence in one’s IT security posture requires a solid understanding of all potential vulnerabilities as well as the most effective best practices and technologies in order to minimize the possibility of a breach. To help, Precisely has created this white paper as a roadmap, grouping together important security best practices and technologies into six primary categories or “layers.” These layers cover physical devices, networks, configuration of the IBM i OS, access to systems, protection of data at the file and field level, and monitoring and auditing of systems. The reason it’s particularly helpful to view these security categories as “layers” is that, to some extent, each category overlaps with the others to provide multiple lines of defense. In other words, should one security layer be somehow compromised, there’s a good chance that another layer will thwart a would-be intruder. The six layers of IBM i security are summarized in the following diagram and are detailed in the remainder of this white paper