Simple Steps to Protect Data in IBM i
Is your IBM i data as secure as it could be?
If not, do not wait for a breach. Take these straightforward steps today to safeguard your information.
Introduction
In enterprise environments, the IBM i system is widely used because of its scalability, reliability, and security. However, like any system, it requires proper data protection measures to safeguard sensitive information.
To effectively enhance data security on your IBM i system, consider engaging with experienced providers of IBM i Consultancy services. These experts can provide valuable guidance and assistance in implementing and maintaining robust security measures.
The following steps will help you enhance data security on your IBM i:
1. Implement Strong User Authentication
- Use Complex Passwords: Ensure that all user accounts on the IBM i system use complex passwords. Passwords should be at least eight characters long and contain upper- and lower-case letters, numbers, and special characters.
- Two-Factor Authentication (2FA): Implement 2FA for critical accounts. A one-time passcode sent to the users’ mobile devices adds an extra layer of security by requiring them to provide an additional form of identification.
- User Profile Management: Regularly review and manage user profiles. Disable or remove inactive accounts and limit the number of users with high-level privileges.
2. Encrypt Data
- Data-at-Rest Encryption: Encrypt sensitive data stored on your IBM i system to prevent unauthorized access. Use IBM i’s native encryption tools or third-party solutions to secure data at rest.
- Data-in-Transit Encryption: Ensure that data transmitted over networks is encrypted using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols. This is essential for protecting data from interception during transmission.
3. Regular Backups
- Automated Backups: Set up automated backups to ensure that data is regularly copied and stored securely. Automated backups make data recovery more efficient in case of hardware failure, data corruption, or cyber-attack.
- Offsite Backups: Store backups in an offsite location to protect against data loss due to natural disasters or local system failures.
4. Implement Object-Level Security
- Object Authority: Use IBM i’s object-level security to control access to objects such as files, libraries, and programs. Define specific authorities for users and groups to restrict access to sensitive data.
- Adopt Least Privilege Principle: Grant users only the access rights they need to perform their job functions. Avoid assigning all-object (*ALLOBJ) special authority unless necessary.
5. Audit and Monitor System Activity
- Enable Auditing: IBM i has built-in auditing capabilities that allow you to track user activities, system changes, and access to sensitive data. Enable auditing and regularly review logs for suspicious activities.
- Real-Time Monitoring: Implement real-time monitoring tools to detect and respond to security incidents promptly. Alerts or notifications can be configured to trigger when unusual activity is detected.
6. Apply Security Patches and Updates
- Stay Updated: Regularly apply security patches and updates to your IBM i system. IBM frequently releases patches to address known vulnerabilities. Keeping your system updated helps protect against the latest threats.
- Test Before Applying: Before applying patches in a production environment, test them in a non-production environment to ensure they do not cause any issues.
Steps to Protect Data in IBM i
The following steps protect data on IBM i:
1. Exclusive object authority:
Set the object authority for *PUBLIC to “*EXCLUDE” and add a few users with “*ALL” authority.
Unauthorized users who try to access the object will receive an error.
2. Data masking:
Some of the columns can be masked with the “CREATE MASK” DDL statement to protect the data from unauthorized users.
[Figure: unauthorized user accessing the table]
[Figure: authorized user accessing the table]
Note:
- Running the “CREATE MASK” statement requires security admin authority.
- Masked data can be viewed by multiple users with the authority. The value of this parameter should be hardcoded and handled by a stored procedure.
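An added example, not from the original page: a Db2 for i column mask that returns the stored value only to members of one group profile. The library APPLIB, the table EMPLOYEE, its rows and the group profile PAYROLLGRP are constructed for illustration.

```sql
-- Constructed sample table (APPLIB, EMPLOYEE and the rows are assumptions).
CREATE TABLE APPLIB.EMPLOYEE (
    EMP_ID   INTEGER      NOT NULL PRIMARY KEY,
    EMP_NAME VARCHAR(50)  NOT NULL,
    SSN      CHAR(11)     NOT NULL,
    SALARY   DECIMAL(9,2) NOT NULL
);

INSERT INTO APPLIB.EMPLOYEE VALUES
    (1, 'Sample User A', '123-45-6789', 52000.00),
    (2, 'Sample User B', '987-65-4321', 61000.00);

-- Run the statements below under a profile that holds the security admin
-- authority mentioned in the note (QIBM_DB_SECADM function usage).

-- SSN mask: members of the hypothetical group profile PAYROLLGRP get the
-- stored value; every other session gets only the last four digits.
CREATE OR REPLACE MASK APPLIB.EMPLOYEE_SSN_MASK ON APPLIB.EMPLOYEE
    FOR COLUMN SSN RETURN
        CASE
            WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'PAYROLLGRP') = 1
                THEN SSN
            ELSE 'XXX-XX-' CONCAT SUBSTR(SSN, 8, 4)
        END
    ENABLE;

-- SALARY mask: same group test, with a fixed substitute value of the
-- column's own data type for everyone else.
CREATE OR REPLACE MASK APPLIB.EMPLOYEE_SALARY_MASK ON APPLIB.EMPLOYEE
    FOR COLUMN SALARY RETURN
        CASE
            WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'PAYROLLGRP') = 1
                THEN SALARY
            ELSE 0.00
        END
    ENABLE;

-- An enabled mask has no effect until column access control is
-- activated on the table itself.
ALTER TABLE APPLIB.EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;

-- Check: run this once as a PAYROLLGRP member and once as another user
-- and compare the SSN and SALARY columns.
SELECT EMP_ID, EMP_NAME, SSN, SALARY
FROM APPLIB.EMPLOYEE
ORDER BY EMP_ID;
```

Once column access control is activated, the masks are applied to every query against the table, so the CASE expression is the only place that decides who sees the stored value.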
3. Data encryption and decryption:
- Create an authorization table.
- Encrypt the password field and store it in the table.
  Qc3EncryptData: encrypts data using the IBM i system API.
- Decrypt the password field and pass it wherever needed.
  Qc3DecryptData: decrypts data using the IBM i system API.
- The data is not readable in the table. To view it, a unique key value must be supplied programmatically as input (the same key that was used during encryption).
Conclusion
Protecting data in IBM i requires a combination of technical measures and user awareness. To significantly improve the security of your IBM i environment, develop strong password policies, use object-level security, enable auditing, encrypt data, limit network access, apply patch updates regularly, and educate users.
For expert guidance and assistance in implementing these security measures, consider IBM i Support and IBM i Consultancy services. Our team of IBM i experienced professionals can help you assess your current security posture, identify vulnerabilities, and develop a comprehensive security plan tailored to your specific needs.
These simple steps, combined with proactive IBM i Support, will help safeguard your data against potential threats and ensure your system’s integrity and availability. It is important to remember that security is not a one-time task, but a continuous effort that requires staying informed, applying best practices, and adapting to new challenges over time.