Brought to you by Blue Chip

Carol Woodbury from HelpSystems on IBM i security

At this year's i-UG International i-Power event, we spoke to Carol Woodbury about the evolution of IBM i, particularly in terms of security. Issues such as the upcoming IBM i 7.4 release and GDPR are discussed in this interview.

Carol Woodbury

Vice President of Global Security Services at HelpSystems and a Certified Information Systems Security Professional (CISSP)

Charlie Hawkins

Marketing Executive at Blue Chip

What should systems administrators and developers look out for when considering IBM i security? We decided to talk to one of the experts...

Charlie Hawkins: Today, we're at the i-UG User Group event in Milton Keynes, where everything IBM i is being talked about. Today, I'm here with Carol from HelpSystems, and we're going to be asking her a few questions about IBM i security. So Carol, tell us a bit about yourself and how you entered the IBM i security environment.

Carol Woodbury: I first started at IBM in Rochester, Minnesota in the United States and I started out as a programmer. I wanted to do something a little different and so I became security team leader and I was in that role for 10 years, until the fall of 2000.

Charlie: Women in IT is being talked about more and more. What has your experience been throughout your career?

Carol: Well, I have often been the only woman in a room, especially at the clients that I work with. Now at IBM there were actually a fair amount of women working there, but at our clients, like I say, I've often been the only person in the room. So, it's... I've never had too awkward of a situation, but, certainly to have more women in the room would be a good experience.

Charlie: How did your IBM i security workshop go yesterday?

Carol: I thought that the workshop went quite well yesterday. The attendance was good and there was good interaction and good interest in, especially the new features that have come in, in v7R3 and v7R4.

Charlie: And what do you think of this year's i-UG event?

Carol: Again, the i-UG event has been good from my perspective just because of the interest in the attendees of security. I think there's a good interest, and again, in the new features of v7R3 and v7R4 and even some older features like encryption, so we're gaining more and more interest in, for example, our HelpSystems product for encryption for IBM i because more people are realising that they need to protect their data.

Charlie: What tools do HelpSystems provide, to help businesses with IBM i security?

Carol: HelpSystems provides a full range of the Powertech products, which add on to base operating system features, so I like to talk about defence in depth and so those add-on features add on to a great base that IBM provides us. But there are things that make using those features easier, like our Compliance Monitor tool, which allows you to get reporting out of the audit journal much easier than doing it yourself. But then there's also additional areas of defence, so the first layer of defence for data may be exit points. So that allows you to take control of who can do things like FTP or download to an Excel spreadsheet for example, and then we see a great deal of uptake and interest in our field encryption product which allows you to have that data be fully encrypted on disk and allow only certain users to see the fully decrypted data or a masked field or no data at all. So there's a lot of layers of defence there, we have native virus scanning for IBM i, we have policy compliance, we have risk assessment, so, we do quite a few things that add on to that basic strong defence that IBM has provided and we add all those great layers of defence.

Charlie: 72% of IBM i administrators say security is their greatest concern. Why do you think that is?

Carol: I think that administrators are quite concerned about security just because of the headlines. We see headlines every day about data that has been lost or stolen, hackers that have breached organisations and claimed data, you see people hacking into other companies, stealing intellectual property. So I think from that perspective, they're concerned, I think also from regulatory compliance issues, they're concerned. GDPR here in the UK is certainly a huge concern and so I think that weighs heavily on IBM i administrators because they realise there's so much vital data residing on these servers and it needs to be protected.

Charlie: Do you agree that the current IBM i culture has been slow in adopting some of the ideas you're proposing?

Carol: Yes! Unfortunately, the IBM i culture has been that "IBM i is secure", rather than taking the approach and the proper feeling that "IBM i is secur-able". We have a lot of features in IBM i that come right with the operating systems, but they aren't all turned on by default and so we need to use those features, and for many years, administrators and programmers have just taken the tack that menu security is fine. Totally neglecting the fact that you can access this system now through many outside interfaces and many modern interfaces that are easily searched on the internet, so anybody can find out how to access IBM i data.

Charlie: What would you suggest businesses look for in an IBM i security partner?

Carol: When looking for a partner for IBM i security I think you need to look for depth of the product range. So, do they do one product or do they do many? So a full broad range of products. Also look for partners that have a depth of knowledge.

Charlie: If you could make one IBM i security suggestion, what would it be?

Carol: I would say to start with a security scan or a risk assessment that gives them a look at their system. If people just jump in the middle, they may neglect some very glaring misconfiguration that they have, so starting with the security scan will help make sure that you are looking at the full system and you can prioritise what needs to be done first. It's really important not just to jump in the middle, but to have a plan so you can get management buy-in and roll out that plan. It may take time, but at least you have a plan in place to address the issue.

Charlie: Blue Chip is HelpSystems's partner and we recently won an award for top strategic MSP. We can supply, deliver and support the full end-to-end HelpSystems portfolio. We pull this together with our IBM i security expertise to deliver a full end-to-end service.