As you consider taking your IBM i to the cloud, cybersecurity will no doubt top your list of concerns. And for good reason. It’s important to remember that the cloud is kind of a lie. Your sensitive data is simply being sent to someone else’s server, and that server has a physical location somewhere.
Just like on-prem cybersecurity, IBM i cloud security can be divided into two parts:
- Regulatory restrictions
- Securing your cloud server
In this article, we help you get a handle on critical IBM i cloud security considerations as you plan for the future of your data center.
Fortunately, cloud providers now allow you to choose a preferred region where you want your cloud workload to reside. But regulatory restrictions vary greatly from country to country. If your business and applications involve data that flows in and out of different countries and their associated borders, you need to be aware of three things:
- Data residency
- Data sovereignty
- Data localization
When looking to deploy your IBM i application in the cloud, it’s important to carefully consider all three before choosing your region.
What Is Data Residency?
Data residency relates to where a business specifies that their data is stored. This is in reference to a physical, geographical location usually for regulatory or policy reasons. Data residency is commonly associated with tax laws, where it may be more advantageous to store data in one country instead of another.
When looking to take advantage of data residency, you will need to satisfy the regulatory body that a large portion of your business—including data processing—takes place in the designated country. You may also be dictated to regarding the infrastructure you must use to remain compliant and to receive the financial benefits.
What Is Data Sovereignty?
Data sovereignty includes the elements of data residency. However, it is further extended in that the stored data is subject to the country’s laws where it resides.
An individual is likely to have different degrees of control over their data privacy depending on the physical location of the server that holds that data. With data sovereignty, where the data is alters what the local government can and can’t do.
What Is Data Localization?
Data localization simply means that any data created within a specific country or border stays there. Once again, this can vary hugely from country to country.
Securing Your Cloud Server
Keep in mind that cloud is kind of a lie. What you are really doing is buying or renting space on someone else’s server. And that server has just as many—if not more—security needs than a server in your own data center.
Secure Exit Points
Securing IBM i exit points with comprehensive exit programs is the most effective way to improve your security posture. If you haven’t already implemented exit programs, this should be at the top of your to-do list. The reason is that protocols like FTP or ODBC bypass traditional menu security. Without exit programs, IBM i users have unrestricted and untraceable access to sensitive date.
On the cloud, this is especially critical. Exit programs, like the Powertech Exit Point Manager for IBM i, lower the risk of unauthorized access through connections that are common to most modern operating systems. While the programs themselves must be self-authored or commercially purchased, IBM i takes on the task of invoking them as a precursor to determining what special authorities and object permissions the user possesses. Exit program functions should include documenting the connection activity (user profile, IP Address, type of connection, detail of action etc.) and acting as a preemptive layer of access control.
On-prem servers have benefitted from exit programs for many years as they lower the risk associated with outdated security controls. Servers in the cloud should double down on this deployment, as they present an enticing target for hackers due to their hosting of multiple organizations — sometimes with multi-tenancy on one server.
Control User Authority
IBM i users with more access than necessary puts your systems at risk. On-prem or in the cloud, following the principle of least privilege is best practice. Under this principle, users have only the level of access necessary to do their jobs. A privileged access management solution like Powertech Authority Broker for IBM i can make it easier to balance a user’s need for access with IT’s need for security and traceability.
Administrators come in many flavors, including the hosting staff, your own admins, and even user profiles that are operating with excess privileges. While revoking privileges is often desired, the reality is that it can be difficult to do so without causing disruption. Multi-tenancy in the cloud exacerbates these issues by allowing a privileged user to traverse environments. Application users should be tightly constrained and administrative staff should be closely audited.
Protect the IFS Against Viruses and Other Malware
Ransomware, viruses, and other types of malware have emerged as a major issue facing IT leaders. Even an operating system as reliable as stable as IBM i isn’t immune to malicious programs. The integrated file system (IFS) can house infected files that can spread to other objects in the IFS or even other servers. Moving your IBM i to the cloud doesn’t reduce the risk of malware.
In fact, cloud servers are an enticing target for criminals. Attackers attempt to penetrate through perimeter defenses to glean access to critical network infrastructure and important workstations and servers. This can result in data loss and operational disruption. Malware may be unleashed to create leverage, or to facilitate deeper penetration into the organization. While IBM i has an enviable reputation for its malware-resistant operating system, other file systems on the server are not as lucky. Even the native objects can be deleted, renamed, and moved.
Regulatory mandates may be a common driver for anti-virus protection but modern thinking knows an enterprise server should never be left unprotected on the network, especially in a hosted cloud environment where cross contamination could be exponentially devastating. Discover the powerful protection that Powertech Antivirus can bring to your servers.
Encrypt Data in Motion and at Rest
Data that has been encrypted can’t be read, stolen, or corrupted. In the cloud, exposed data can have legal implications for both the hosting organization and the owner of the data. Fortunately, IBM i has multiple mechanisms to facilitate encryption, including hardware protection of the entire disk array, and field-level protection for data-at-rest. Field procedures and database enhancements were introduced in v7.1 to facilitate storage of encrypted data without altering the structure of the file and, in many cases, without necessitating modification of the application.
Simpler application integration – possible even when the source code is unavailable – seamlessly permits data access only to those deemed authorized. For data in flight, audit and access control functions are necessary, making Powertech Encryption an essential tool for IBM i users. Consideration must be given for impeccable security hygiene – including multi-factor authentication, transference of exclusively encrypted data, comprehensive auditing, and assured delivery.
Where to Start with IBM i Cloud Security
Before you decide to move your IBM i application to the cloud, it’s a good idea to understand how secure your IBM i environment is today. By far, the most effective method is to use the free IBM i Security Scan from Fortra. We encourage you to run a scan to establish a baseline before you undertake any migration. With the scan results in hand, you will be able to determine how secure your IBM i is, and what you need to implement to keep it that way in the cloud.
Seek Outside Help from Security Experts
It’s true that the journey to the cloud can introduce a degree of complication. Some instances will require specialized skills and you are right to have concerns about security. But know that you are not alone.
If you run into any challenges or roadblocks, lean on cybersecurity services professionals or your cloud provider. They will most likely have worked with other clients who have been in your same situation and yet successfully moved IBM i workloads to the cloud. You will not be the first to do this.
Many of us have grown used to being able to touch and see our Power Systems server, so moving it to the cloud provider requires a major mental shift, even though we are cognizant of the benefits. But we know you’ll feel a lot better about the move with the right security controls in place.