Study: IBM System i hardware fails to secure companies

IBM's System i computers -- formerly known as the AS/400 and iSeries servers -- have long enjoyed a reputation for rock-solid reliability. But poor security practices by those who manage these systems are making them dangerously vulnerable to compromise, according to a recent study.

The report by The PowerTech Group Inc. a Kent, Wash.-based security firm, is based on the results of 188 system audits at 177 System i sites over the past year. The results show that many owners of System i computers are not putting enough internal controls in place to adequately protect data on the systems, said John Earl, chief technology officer at PowerTech.

For instance, more than 90 percent of the surveyed systems had no controls for preventing or auditing changes to the underlying data via an external PC. In addition, 95 percent of the systems had at least 10 users with complete root-access authority, and 43 percent had as many 30 users with root authority. Also, 77 percent of the systems had more than 20 users with passwords that were the same as their usernames.

The results are not much different from two earlier surveys PowerTech conducted of the System i user base. It shows a continuing lack of attention to security, Earl said.

"The platform has always had a great reputation for security and deservedly so," Earl said. "It has some of the best native security tools bundled into the box. But the community out there for a number of reasons has not stepped up to the plate and done their due diligence [around security]. Too often, projects involving security on the System i are not given the proper priority because the system is assumed to be secure."

The System i is a proprietary midrange IBM server that for several years now has powered critical enterprise resource planning, finance and human resources software at both large and small companies. It was first introduced as the AS/400 in 1988 and was originally based almost entirely on a previous-generation IBM midrange system called the System 38. Since then, the platform has gone through several major changes.