Expert Interview (Part 1): Patrick Townsend on IBM i Security
Is your IBM i system secure? Are there ways that you can make it even more secure? How are IBM i security features like multi-factor authentication changing?
We sat down recently with Patrick Townsend, founder and CEO of Townsend Security, to get answers to these questions. Here’s what he had to say about securing IBM i systems.
If you had to pick your top three IBM i security best practices, what would they be?
I think the first thing I would do is to implement IBM’s guidance on securing an IBM i platform. IBM produces an easy-to-follow best practices guide, and following it is an obvious first step for securing IBM i.
Second, customers are typically not paying attention to the need for data protection. If you look at companies that have suffered the most embarrassing breaches in recent years, like Anthem, Equifax, and Adobe, you’ll notice that they were not encrypting their data at rest. That’s what made their breaches so bad. When other breaches occurred with companies whose data was encrypted, they were basically non-stories. So you want to be sure you are encrypting data.
Keep in mind, too, that IBM i servers are high-value targets. They tend to run important applications – such as applications for CRM, HR, ERP and so on. They are rich in sensitive data, and the unfortunate fact is that the IBM community as a whole is lagging other sectors in encryption. Based on surveys we’ve done, there is far more pickup in encryption in the Linux and Windows communities than there is in the IBM i community.
The third IBM i security best practice that I’d recommend is to make sure you are doing continuous monitoring. That means collecting system logs in real time and consolidating those logs with logs from your other platforms, like PCs and servers. You then want to deploy a SIEM solution that can detect anomalies and patterns from that data. Those solutions can digest patterns among huge amounts of data that are impossible for human beings to see.
How do IBM i security practices vary between different organizations? Are some types of organizations doing a better job of securing IBM i than others?
Larger organizations are generally aware of the importance of continuous monitoring for IBM i, but mid- and small-size companies may not have a great deal of security expertise in-house, and may not be doing outside security audits on a routine basis. They’re short-staffed, and focused on solving business problems rather than security problems.
This matters, because statistics show that cybercriminals are moving down the food chain to these smaller companies because they’re easier targets.
Lots of companies use a SIEM to help secure their infrastructure. How useful is a SIEM for protecting IBM i, and what should organizations do to ensure they use their SIEM properly for IBM i?
For starters, I’d encourage you to remember that it’s not enough to collect IBM i events alone for your SIEM. You need to consolidate IBM i events with those of other systems.
The reason why is that you might get into a situation where, for example, a PC gets infected, and the PC then begins scanning the network looking for vulnerabilities, and it scans the IBM i server. A SIEM solution would detect that behavior quickly so that you can identify the problem, as long as the SIEM can collect events from both the PC and the IBM i system.
You also want to ensure that your SIEM is collecting and analyzing events in real time. You defeat the value of the SIEM if you are doing batch processing, rather than collecting events as they occur.
Finally, be sure that the collector you use to transfer data from the IBM i to your SIEM is able to enrich that data. Data enrichment means providing contextual information about an event that helps the SIEM to interpret it more effectively.
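The three SIEM points above (consolidate IBM i events with other platforms, process them as they arrive, enrich them with context) can be shown in a small correlation routine. The following is an added editorial example, not code from the original article or from Townsend Security. The syslog-like key=value line format, the hostnames, IP addresses, asset inventory and thresholds are all constructed for illustration; the only real identifier is the QAUDJRN entry type PW (invalid password), and the export format your collector produces will differ. The scenario is the one Townsend describes: a workstation scans the IBM i, then starts failing logons against it. Run on the IBM i feed alone the detector sees only password failures; on the firewall feed alone only a scan; only the consolidated feed yields the high-severity correlated alert, and the enrichment step is what lets it rank the alert by the target’s criticality.

```python
"""Correlating IBM i audit events with other platforms' logs, SIEM-style.

Added example, not code from the original article or from Townsend Security.
The log format, hostnames, IPs, asset inventory and thresholds are all
constructed for illustration; a real collector and QAUDJRN export will differ.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed feed: a workstation probes the IBM i (firewall CONNECT lines,
# including IBM i host-server ports such as 449 and 8476), then the IBM i
# audit journal reports password failures (QAUDJRN type=PW) from the same PC.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z fw01 CONNECT src=10.0.5.23 dst=10.0.1.10 dport=21 action=DENY
2024-05-01T10:00:02Z fw01 CONNECT src=10.0.5.23 dst=10.0.1.10 dport=22 action=DENY
2024-05-01T10:00:02Z fw01 CONNECT src=10.0.5.23 dst=10.0.1.10 dport=23 action=ALLOW
2024-05-01T10:00:03Z fw01 CONNECT src=10.0.5.23 dst=10.0.1.10 dport=449 action=DENY
2024-05-01T10:00:03Z fw01 CONNECT src=10.0.5.23 dst=10.0.1.10 dport=8470 action=DENY
2024-05-01T10:00:04Z fw01 CONNECT src=10.0.5.23 dst=10.0.1.10 dport=8476 action=ALLOW
2024-05-01T10:00:09Z ibmi01 QAUDJRN type=PW user=QSECOFR src=10.0.5.23
2024-05-01T10:00:12Z ibmi01 QAUDJRN type=PW user=QSECOFR src=10.0.5.23
2024-05-01T10:00:15Z ibmi01 QAUDJRN type=PW user=QUSER src=10.0.5.23
2024-05-01T10:30:00Z fw01 CONNECT src=10.0.7.8 dst=10.0.1.10 dport=8476 action=ALLOW
"""

# Constructed asset inventory used for enrichment (hypothetical names/roles).
ASSETS = {
    "10.0.1.10": {"name": "ibmi01", "role": "IBM i (ERP)", "criticality": "high"},
    "10.0.5.23": {"name": "pc-0423", "role": "workstation", "criticality": "low"},
    "10.0.7.8": {"name": "ops-jump", "role": "admin jump host", "criticality": "medium"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\S+)(?P<kv>(?: \w+=\S+)*)$")


def parse_line(line):
    """Parse one constructed syslog-like line into a flat event dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
          "host": m["host"], "kind": m["kind"]}
    ev.update(re.findall(r"(\w+)=(\S+)", m["kv"]))
    return ev


def enrich(ev):
    """Add asset context (names, criticality) so the detector can rank the event."""
    ev = dict(ev)
    ev["src_name"] = ASSETS.get(ev.get("src"), {}).get("name", "unknown")
    if "dst" in ev:
        target = ASSETS.get(ev["dst"], {})
    else:  # QAUDJRN entries carry no dst=; the reporting host is the target
        target = next((a for a in ASSETS.values() if a["name"] == ev["host"]), {})
    ev["dst_name"] = target.get("name", ev["host"])
    ev["dst_criticality"] = target.get("criticality", "unknown")
    return ev


def detect(events, window=timedelta(seconds=60), scan_ports=5, pw_failures=3):
    """Return one alert per (source, rule) over enriched events. Runs on any subset
    of feeds; only the correlated rule needs firewall and IBM i events together."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if "src" in ev:
            by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        for i, first in enumerate(evs):  # sliding window anchored on each event
            win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            ports = {e["dport"] for e in win if e["kind"] == "CONNECT"}
            fails = [e for e in win if e["kind"] == "QAUDJRN" and e.get("type") == "PW"]
            hi = any(e["dst_criticality"] == "high" for e in win)

            def add(rule, severity):
                alerts.setdefault((src, rule), {"rule": rule, "src": src, "src_name": first["src_name"],
                                                "severity": severity, "at": first["ts"].isoformat()})

            if len(ports) >= scan_ports:
                add("port_scan", "medium")
            if len(fails) >= pw_failures:
                add("ibmi_logon_failures", "medium")
            if len(ports) >= scan_ports and fails:  # scan then logon attempts: likely compromised PC
                add("scan_then_ibmi_logon_failure", "high" if hi else "medium")
    return sorted(alerts.values(), key=lambda a: (a["at"], a["rule"]))


def run(raw_log, only_host=None):
    """Parse, enrich and detect. only_host simulates feeding the SIEM a single platform."""
    events = [enrich(ev) for ev in map(parse_line, raw_log.splitlines()) if ev]
    if only_host:
        events = [e for e in events if e["host"] == only_host]
    return detect(events)


if __name__ == "__main__":
    for label, host in (("all feeds", None), ("IBM i only", "ibmi01"), ("firewall only", "fw01")):
        print(label, [(a["rule"], a["src_name"], a["severity"]) for a in run(SAMPLE_LOG, host)])
```

The sliding window is what makes this work on a live stream rather than a nightly batch: each new event is evaluated against only the preceding minute of events from the same source, so the alert fires seconds after the third password failure instead of the next morning.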
Check back for part two where Patrick Townsend talks about data enrichment, compliance, and multi-factor authentication for the IBM i.
Download our whitepaper on the importance of multi-layered data security.