"Open access rights to the data and convenient tools to access the data from a PC make a troublesome combination," the PowerTech report noted. But few companies have put in place controls for limiting or monitoring this access, it said.

Much of the current attitude towards security on the System I has been shaped by user experiences of the past, said Al Barsa, president of Barsa Consulting Group LLC in Purchase, N.Y. "Keep in mind there are a lot of users who came from the S/38, which allowed you to be real sloppy with security," Barsa said. "It was a very simplistic computer to use" from a security standpoint, and early implementations often didn't even require passwords, he added.

"A lot of those practices carried over to the AS/400" and have persisted to this day, Barsa said. "Historically, this platform has been so robust that people have been able to get away with a lot of bad [security] practices."