A lack of adequate internal controls can compromise the otherwise solid security offered by IBM's vaunted System i platform, according to a recent study by The PowerTech Group in Washington. The study, based on an audit of 188 System i computers at 177 sites over the past year, showed that a majority of users surveyed failed to properly restrict access to the data contained in the systems. Ian Jarman, product manager for the System i at IBM, talked about the findings in an interview.
What do you think of the PowerTech report?
I read the report. The study was across a wide range of industries. As far as I can see, they were of companies that were asking PowerTech to audit their security practices. Probably they were interested in committing to implementing the right security practices and perhaps thought they needed additional assistance.
One of the biggest takeaways was that the people responsible for managing these systems don't appear to be paying as much attention as they should to securing these systems. Is that your assessment as well?
The System i is very well respected for its integrated security and has a very strong reputation for security and high availability. We have never had a reported virus on the System i. But in the same way that you have to lock your doors and windows at home, you certainly need to be making sure that you are taking the necessary security precautions.
So why aren't more companies doing that with the System i?
People looking at security very often are concerned about systems that are affected by [viruses] and [other network security issues]. It is sad to say that sometimes they don't necessarily put the same emphasis on the back-end system, and that is an important priority as well. At the same time, it is also reasonable to reflect that security policies, practices and compliance requirements [have] changed so significantly that all companies running System i or any other platform ought to be periodically reviewing their security practices.
In doing so, of course, we have on the Systems i and in the operating system all the security features that you need. For example, we have an in-built audit journal that can record system security events -- an incorrect password or an attempted access to data without the right authority. If you look at [companies such as] PowerTech and Bytware, SkyView and Tango/04, [they] are helping out Systems i customers with deploying best practices for security and compliance. PowerTech and SkyView, for example, have compliance products that help companies analyze the audit journal that we have in the System i. Bytware has StandGuard antivirus, which is a native antivirus checker on the System i. And even though we have never had a virus on the System i, some companies want to demonstrate compliance with AV requirements.
Who, typically, is responsible for securing the System i environment within enterprises? Is it the operating team or the central IT security organization?
That varies considerably with size and type of company. For example, there are 16,000 banks running on System i, so, obviously, security is a top priority for them. In many of those banks, there will be a security team working in cooperation with the different operating platform teams. If you look at more traditional smaller to midsize companies, you probably would find that they have the System i operations teams in charge of security. By the way, I think it's a strong reflection of our reputation for security that we have 16,000 banks running their core operations on our systems.
The PowerTech study also showed that projects involving System i security are not often given the proper priority because the system is assumed to be secure. Do you agree?
It is fair to say that System i has always had a very strong reputation for security and availability. As a result, perhaps some resources get focused on fighting fires and plugging holes elsewhere, where there have been more problems. It is sometimes a challenge to raise the priority where there isn't necessarily a perceived problem.