Carol Woodbury’s Security Advice from CIO Summit at OCEAN 2024
I had the privilege of hosting security expert Carol Woodbury as she led a roundtable discussion at this past summer’s OCEAN TechCon. Carol is an IBM i Security SME and Senior Advisor with our friends at Kisco Systems.
Security is a Lifestyle
“Security is a lifestyle, not a one-time event.” Security requires regular evaluation and change over time. Without it, security settings degrade and new threats remain unaddressed.
Data Sprawl
Data sprawl, a term first raised at the conference by IBM’s Scott Forstie, occurs when data from a core system such as IBM i is exported into external analytics systems, spreadsheets, and the like. Every copy is another place the data can be stolen from, so the attack surface grows with each export.
The recently revealed breaches of customer accounts on the Snowflake data warehouse/analytics platform are one example: stolen passwords were the way in, and the affected companies had not implemented multi-factor authentication (MFA).
Multi-factor Authentication
Speaking of MFA, Carol advises everyone to use it as an essential layer of defense. “Assume passwords have been stolen.”
Ransomware Defense
Carol advises limiting use of IFS file shares, especially at the root level, and setting them to be read-only when possible. However, even with read-only access, hackers can download and threaten to sell the data. Access to shared objects should be restricted and Carol highly recommends using the IBM i 7.5 feature allowing shares to be restricted with an authorization list.
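A practical way to check your own system against this advice is to query the NetServer share list from SQL. The query below is an added example and is not from the article, Carol, or Kisco; it assumes the QSYS2.SERVER_SHARE_INFO view with the columns SERVER_SHARE_NAME, SHARE_TYPE, PATH_NAME, PERMISSIONS and AUTHORIZATION_LIST (the last is the IBM i 7.5 addition), and it assumes the PERMISSIONS value for a read-only share is spelled 'READ ONLY'. Confirm those names and values against your release before acting on the flags.

```sql
-- Added example (not from the article or Kisco): list IBM i NetServer file shares
-- that violate the advice above: shared at the root, writable, or not protected
-- by an authorization list.
-- Assumptions: QSYS2.SERVER_SHARE_INFO exposes SERVER_SHARE_NAME, SHARE_TYPE,
-- PATH_NAME, PERMISSIONS and AUTHORIZATION_LIST (7.5); a read-only share has
-- PERMISSIONS = 'READ ONLY'; a share with no list has AUTHORIZATION_LIST NULL
-- (the '*NONE' test is a belt-and-braces assumption).
SELECT server_share_name,
       path_name,
       permissions,
       authorization_list,
       CASE WHEN path_name = '/' THEN 'ROOT SHARE' ELSE '' END AS root_flag,
       CASE WHEN permissions <> 'READ ONLY' THEN 'WRITABLE' ELSE '' END AS write_flag,
       CASE WHEN authorization_list IS NULL OR authorization_list = '*NONE'
            THEN 'NO AUTL' ELSE '' END AS autl_flag
  FROM qsys2.server_share_info
 WHERE share_type = 'FILE'
   AND (   path_name = '/'
        OR permissions <> 'READ ONLY'
        OR authorization_list IS NULL
        OR authorization_list = '*NONE')
 ORDER BY root_flag DESC, write_flag DESC, server_share_name;
```

Run it from ACS Run SQL Scripts. Any row with ROOT SHARE should be removed outright; WRITABLE rows should be made read-only unless a process genuinely writes through the share; NO AUTL rows on 7.5 should get an authorization list (create it with CRTAUTL, populate it with EDTAUTL, then attach it in the share’s properties) so that only the users who need the share can even see it.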
Layers of Security
You need multiple layers of defense to achieve sufficient security.
Don’t Rely on 5250 Menus, etc.
Legacy security includes 5250 menu-based security, but that can be bypassed easily: a menu only limits what a user sees inside an interactive session, while the same user profile can reach the data directly through ODBC/JDBC, FTP, and other network interfaces. Object-level authority, not the menu, has to be what protects the data.
Conservative Access
Evaluate who needs access to what, and provide just that access.
Shadow IT
Related to Data Sprawl, “Shadow IT” occurs when departments outside IT create or purchase systems that are not managed by IT. Shadow IT can create issues with:
- Disaster Recovery (DR)
- Privacy and compliance
Engage Business Leaders
Just as Shadow IT poses security challenges, IT cannot implement security alone. The business must be involved.
Carol also gave an enlightening talk on IBM i’s Function Usage capabilities, which can help to lock down a system while allowing the access that is truly needed.
We collaborate with Kisco Systems on system and application security. If you plan to be at NAViGATE Toronto, stop by the Kisco booth (#40) to ask questions about IBM i security, application development techniques, and open source.
The problem with requiring MFA on IBM i is there is no solution available that meets the requirements of PCI-DSS. I believe such a solution would have to come from IBM, as all third-party offerings (and even IBM’s ‘experimental’ current offering) separate the second factor from the initial user ID and password process, which is what PCI-DSS says must not happen. (The user must not be aware which factor has failed.)
A reply from Carol:
Hello Allister,
Perhaps your PCI auditor is requiring something different but there’s good news! According to this PCI DSS FAQ posted Sept 2024 [https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/for-pci-dss-can-multi-factor-authentication-mfa-implementations-indicate-the-success-of-a-factor-prior-to-presentation-of-subsequent-factors/], it IS acceptable for MFA implementations to meet PCI criteria and allow the success of one factor to be presented prior to presenting the second factor. I continue to maintain that MFA is a strong force in defeating phishing and other attempts by bad actors to gain access to IBM i.
Carol Woodbury
Thanks! That is not at all clear from the v4 standard, but this FAQ is unequivocal. I still believe we would be best served by IBM baking in MFA (and passkeys!) at the OS level, but at least this leeway allows for current solutions to be used.