Is IBM i (AS/400) as Secure as People Say It Is?
“AS/400 is built to be safe and reliable.”
“No one makes viruses for the IBM i. There are no known cases of malware, either.”
“IBM has amazing IBM i server security, so we don’t have to worry about vulnerabilities.”
Do these statements sound familiar? Perhaps you’ve come across these claims in the industry, heard someone say something similar at an event, or maybe even said it yourself. Whether it’s old news or not, the belief that the IBM i (often still referred to as AS/400, i Series, or Power Systems) is secure has circulated around organizations and IBM i shops for decades.
Talk to any industry professional, and they’ll probably agree that "AS/400 is a comparatively safe place for your data." Look up “is the AS/400 secure” on your favorite search engine. The common perception around IBM’s famous hardware is that it is hardy, bulletproof, and impressive.
And it is, of course. There’s a reason why so many organizations still use IBM i servers. But the praise surrounding IBM’s product development and built-in security is a double-edged sword. It lulls people into worrying more about their external network threats than their internal ones.
Which is where the bad news comes in…
The IBM i (AS/400) isn’t as safe as you think. In fact, your data may be vulnerable to attacks right now.
Fortra publishes an annual security study on the IBM i that analyzes the results of system scans from hundreds of IBM i environments in a variety of industries to pinpoint general cybersecurity trends and weaknesses.
According to the 2024 State of IBM i Security Study, companies that store their data on IBM i servers tend to be at risk in several key places. These areas of improper IBM i security include users with too many authorities, accidental or overlooked *PUBLIC data access, limited control over network access, and susceptibility to, yes, even viruses and malware.
Leading Causes of IBM i Security Gaps
What contributes to these gaps in an organization’s IBM i security methods? Unfortunately, there are several factors involved. The study lists overextended staff members, complicated server security, and lean IT budgets as a few roadblocks, but problems like hard-to-update legacy systems, a lack of bandwidth for system updates, and a reliance on IBM i to take care of AS/400 security measures can also be quiet culprits of risk.
To learn how to identify and address dangerous security exposures in your IBM i environment, we recommend reading the 2024 State of IBM i Security Study in full. If you don’t have time to dig into the PDF, though, here’s a quick coffee break read on three things you can do, starting today, to ensure your data is properly secured on your AS/400.
How to Crack Down on User Access
It’s considered best practice to give users the minimum amount of permissions they need to do their jobs. This is obvious when it comes to shared folders or departmental groups on a company’s network, but it also applies to the files, IFS directories, and objects that are stored on the AS/400.
There are two things to consider with user access: god-like users and data created or stored with default permissions. Both are easy to overlook in a busy environment, and both leave the system exposed to user error and malicious intent.
God-like Users
During the analysis of 148 IBM i environments, it was found that, on average, 241 users had All Object (*ALLOBJ) authority, allowing them “unrestricted ability to view, change, and delete every file and program on the system.” Furthermore, an average of 372 users had Spool Control (*SPLCTL) authority and nearly 849 users had Job Control (*JOBCTL) authority.
The best response to overpowered users is to check how authorities are assigned on the IBM i. They might be passed down as part of a Group Profile, for example, or belong to outdated user profiles that were never cleared off the system.
Once you’ve determined how authorities are assigned, review who has special authorities on the IBM i and limit access for those who don’t need it. Not sure where to start? We recommend that businesses “keep the number of users with special authority to fewer than 10,” so use that as a marker for where you should be as you go down the list.
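The review described above can be run as a single query. This is an added example, not taken from the study or from any Fortra product; it assumes the IBM i Services views QSYS2.USER_INFO and QSYS2.GROUP_PROFILE_ENTRIES are available on your release and that the profile running it is authorized to read the user profiles it reports on.

```sql
-- Added example: who holds *ALLOBJ, *SPLCTL or *JOBCTL, and how they got it.
-- Assumes QSYS2.USER_INFO and QSYS2.GROUP_PROFILE_ENTRIES (IBM i Services).
WITH holders (user_name, granted_by, special_authorities) AS (
    -- Special authorities set directly on the user profile
    SELECT authorization_name,
           CAST('*DIRECT' AS VARCHAR(10)),
           special_authorities
      FROM qsys2.user_info
    UNION ALL
    -- Special authorities inherited from a group or supplemental group profile
    SELECT m.user_profile_name,
           m.group_profile_name,
           g.special_authorities
      FROM qsys2.group_profile_entries m
      JOIN qsys2.user_info g
        ON g.authorization_name = m.group_profile_name
)
SELECT h.user_name,
       h.granted_by,                       -- '*DIRECT' or the group profile name
       CASE WHEN h.special_authorities LIKE '%*ALLOBJ%' THEN 'Y' ELSE 'N' END AS allobj,
       CASE WHEN h.special_authorities LIKE '%*SPLCTL%' THEN 'Y' ELSE 'N' END AS splctl,
       CASE WHEN h.special_authorities LIKE '%*JOBCTL%' THEN 'Y' ELSE 'N' END AS jobctl,
       u.status,                           -- *ENABLED or *DISABLED
       u.previous_signon                   -- NULL if the profile has never signed on
  FROM holders h
  JOIN qsys2.user_info u
    ON u.authorization_name = h.user_name
 WHERE h.special_authorities LIKE '%*ALLOBJ%'
    OR h.special_authorities LIKE '%*SPLCTL%'
    OR h.special_authorities LIKE '%*JOBCTL%'
 ORDER BY allobj DESC, u.previous_signon, h.user_name;
```

A user appears once per source, so a profile that holds *ALLOBJ both directly and through a group needs both entries corrected before the authority is actually gone. Rows with an old or empty PREVIOUS_SIGNON are the outdated profiles to clear first.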
Data with Default Permissions
Overpowered users aren’t the only security issue for the AS/400. Objects created on the IBM i are given a default *PUBLIC authority, which lets users interact with, change, or even delete data. What’s worse, the study says, “unless [a] user is granted a specific authority … [they] will operate with the object’s default permission.”
Think about it. Do all your IBM i users have authorities assigned that approve or deny data access?
According to the Security Study, 51% of objects in an average IBM i environment had a *PUBLIC authority of *CHANGE, which allows users to “place new objects in the library and … change some of the library characteristics.” 29% had *USE, enabling any user to try to access objects, and 5% had *ALL, which lets “anyone on the system … manage, rename, specify security for, or even delete a library.”
If your data has *PUBLIC access rights, you can take steps to identify potential threats by monitoring for changes. Using a tool to log file changes and user activity will help you track unauthorized data access and find potential vulnerabilities in your environment.
We also recommend that businesses “use the security capabilities of the IBM i OS [and] secure data using resource-level security to protect individual application and data objects.”
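To see where default *PUBLIC authority is exposing data, the checks below can be run against one library at a time. This is an added example, not part of the study; APPLIB is a hypothetical library name, and the queries assume the IBM i Services views QSYS2.SYSTEM_VALUE_INFO and QSYS2.OBJECT_PRIVILEGES are available on your release.

```sql
-- Added example; APPLIB is a placeholder library name.

-- 1. Default public authority given to new objects when a library's
--    CRTAUT attribute is *SYSVAL (system value QCRTAUT).
SELECT system_value_name, current_character_value
  FROM qsys2.system_value_info
 WHERE system_value_name = 'QCRTAUT';

-- 2. *PUBLIC authority on the library object itself (libraries live in QSYS).
SELECT system_object_name, object_authority, owner, authorization_list
  FROM qsys2.object_privileges
 WHERE system_object_schema = 'QSYS'
   AND system_object_name   = 'APPLIB'
   AND object_type          = '*LIB'
   AND authorization_name   = '*PUBLIC';

-- 3. Distribution of *PUBLIC authority across the objects in the library,
--    comparable to the *CHANGE / *USE / *ALL percentages quoted above.
SELECT object_authority, COUNT(*) AS object_count
  FROM qsys2.object_privileges
 WHERE system_object_schema = 'APPLIB'
   AND authorization_name   = '*PUBLIC'
 GROUP BY object_authority
 ORDER BY object_count DESC;

-- 4. The objects any signed-on user can change or fully control.
--    Objects reported as *AUTL take their public authority from the
--    authorization list and need to be reviewed there.
SELECT system_object_name, object_type, object_authority,
       owner, authorization_list
  FROM qsys2.object_privileges
 WHERE system_object_schema = 'APPLIB'
   AND authorization_name   = '*PUBLIC'
   AND object_authority IN ('*ALL', '*CHANGE')
 ORDER BY object_authority, object_type, system_object_name;
```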
Protect Your IBM i Servers from Ransomware
Contrary to popular belief, the files stored on the IBM i can be affected by viruses and malware. The IBM i itself can’t be contaminated by viruses created for computers, but its files are considered excellent “carriers,” delivering viruses, malware, and other threats from one network to the next.
The IBM i's IFS can store and distribute Windows malware – including encryption-wielding ransomware strains. This puts your IBM i data and sensitive information on employee workstations at risk. Ransomware is also a threat that can successfully encrypt your files, limiting access to important folders and databases.
Viruses on the IBM i aren’t always detectable at first glance. They can remain dormant, lurking beneath the surface waiting years to be activated. Organizations that scan their IBM i environment for the first time are often shocked to find they've been harboring infected files, hundreds of thousands of them in some cases. But how long had those files been affected—and how many more would’ve been contaminated if they hadn’t checked?
Could this be a scenario you’re living, and you just don’t know it?
The first step toward securing your data from viruses is to scan your files for existing problems. Once you’ve identified whether your environment is infected or not, continue to scan it frequently using a solution like Powertech Antivirus, a native IBM i virus scanner. This solution, or one similar to it, will protect your data by detecting and removing infections on the AS/400, freeing up your time and attention for other, more important matters.
Use Managed File Transfer to Secure Your Data Transfers
When it comes to file transfers, protecting your data with IBM’s built-in FTP and OpenSSH servers isn’t enough. FTP hasn’t kept up with today’s rigorous security standards; it’s considered insecure and outdated, making the sensitive files it moves vulnerable to packet sniffing tools and potential hackers.
A better way to protect and secure your IBM i file transfers is to use a managed file transfer solution. GoAnywhere MFT can streamline the exchange of data between your IBM i and non-IBM i systems, customers, and trading partners through secure servers and protocols like SFTP, FTPS, HTTPS, and AS2. Not only does it encrypt data in transit, protecting it from ransomware and malicious users, it also encrypts it at rest.
Comprehensive security controls, a helpful user management system, SSH key and SSL certificate creation for IBM i systems, and detailed audit logs all work together to preserve sensitive company data, making your environment a little safer … and a lot simpler. So if you’re looking to make the switch from IBM’s default servers to modern secure protocols, MFT is definitely worth consideration.
The AS/400 lives up to its praise in many ways. It’s sturdy, reliable, and versatile. But that doesn’t mean it’s immune to vulnerabilities. Setting resources aside to protect the data on your IBM i systems will go a long way toward ensuring your information IS safe—100% of the time.