Every IBM i Estate Needs Securing – Here’s Why
Securing Your IBM i Platforms in 2025
Over time, assumptions about IBM i’s reliability have led to a false confidence in its out-of-the-box security posture. Simply put, IBM i environments are highly securable, but without best practice they remain vulnerable to everyday ransomware.
If you run and manage an IBM i (or AS/400, iSeries, and System i) estate, then securing your OS could be the next, critical step in reaching peace of mind operationally. With cybersecurity reaching fever pitch in most businesses, now is the time to secure your IBM i environment.
A Different Angle on Risk
If the Board of Directors asked you tomorrow, “Does our IBM i environment require security protection?”, how would you answer?
The subject of operational and cyber resilience is, according to analysts, on nearly every boardroom’s IT agenda. As budgets renew for the year, new threats emerge, compliance tightens and IT operations answer these challenges, we need to rethink the risks that surround your business. For example, the shift to remote working in the post-pandemic climate made many organisations lower their guard, focussing instead on employee connectivity and thereby widening the attack surface for ransomware.
As one of the most renowned, securable operating systems, IBM i has a loyal following and strong marketplace. Since the days of AS/400, there’s a longstanding reputation that the platform can withstand intrusion. The belief is that IBM i is a fortress. The truth is it can be.
IBM i Security, Explained
As operating systems go, IBM i platforms can be battle-hardened with security offerings that are often overlooked. As with all platforms, forgoing the basic security protocols (are you, for example, utilising security audit logs?) invites risk, and cybercriminals are nothing if not opportunists.
After more than 40 years of helping customers transform with scalable, compliant, and secure platforms like IBM i, our experts have seen it all, from poor configuration to limited protection where there is no exit point program in place. One of the most common scenarios affecting system users, for example, concerns password length.
The list of possible security issues goes on.
What is considered security best practice for IBM i? There is a more formal list of security objectives for IBM i, detailed by IBM in this report, which covers areas including:
- Password controls and policies
- User special authorities
- System auditing
- Secure connections
- … and more
The Next Generation of Resilience – IBM Power11
In case you missed it… IBM Power11 launched to hotly anticipated subjects of productivity, business continuity, and beyond. As an agentic, autonomous platform, IBM Power11 is enriched with values of resiliency – not just security.
What does this mean for you?
“Resilience”, simplified, is the end goal for most modern organisations and describes how effectively they deter, mitigate and recover from risks of all kinds. Operationally, however, there is no single road to achieving resilience. Instead, companies layer in security controls and strategies, one after another, to ensure that they are defended from today’s threatscape.
Today’s most aggressive, pervasive and devastating risks can be blunted and deterred. The first step is simple: start with the essential security controls.
CSI SAYS
The Illusion of IBM i Immunity
There’s a well-worn myth that IBM i systems are virtually bulletproof.
From the start, our analysts have cautioned that even the most modernised IT environments should not make passive assumptions about their levels of resilience. In the last few years, there has been a paradigm shift in how industry leaders think about, and execute, their security strategies. Security planning is not about if your business will get breached. It’s preparing for when cybercrime strikes and how you can recover at speed.
“Security by obscurity doesn’t cut it anymore.”
With ransomware now targeting file systems at a granular level, and hybrid environments increasing the complexity of IT estates, IBM i is no longer walled off from the modern threatscape. It’s on the network, integrated with Windows endpoints, connected to databases, and exposed through mapped drives and APIs. Attackers don’t need to understand RPG or CL - they just need to encrypt a few files via the IFS, and your weekend’s peace is over.
With every customer interaction, CSI’s specialists challenge what we call the ‘illusion of immunity’ or the belief that your platforms, no matter how reliable, are bulletproof.
Security Blind spots (According to Businesses)
Surveying the market, our security partner, Fortra, discovered that amongst the main inhibitors of IBM i security are:
- Risk misconception
- Mismanaged priorities
- Lack of security education (and training)
- Over reliance on firewalls
- Green screens (only menus)
These areas have been identified as some of the largest risks posed to businesses with IBM i workloads right now.
Where Do I Start with IBM i Security?
We tell customers all the time that there’s a difference between a secured IBM i platform and one that’s securable. Costly downtime, reputationally harming headlines, a high profile with regulators – there’s a lot on the line.
Security isn’t an out-of-the-box, universal fit; it comes with some assembly required.
Start foundationally, with a wide-open, practical view of building up to resilience. Security, for example, isn’t a one-time, overnight fix. Rather, security can be trained, managed and controlled, and layered into your IT over time.
There are no shortcuts in security either.
Buyer beware: commercial security tools are available in the marketplace, and they exist to support your operational resilience, but owning tools doesn’t necessarily mean that you are protected.
Our experts have outlined the top three areas to consider first when starting to secure your IBM i estate.
#1. System Configuration
We recommend everything from robust audit trails to strengthened user profiles. Without auditing, for example, detecting a security violation will be impossible. Areas for improvement in user profiles, such as unused users or default passwords, should be addressed immediately.
If IFS shares are not under regular review, then there’s a greater risk of attack. Quick steps such as eliminating unnecessary shares or making IFS shares “read only” can mitigate certain risks of an invasion.
#2. Virus Protection
In some cases, misconceptions about virus protection have led to the illusion of immunity.
Because a traditional virus won’t affect an IBM i native object, this is mistaken for a form of immunity.
There have been multiple reports of system invasions across IBM i end users, which could have been blunted with an anti-virus product. In a hybrid environment, the potential risks become even more heightened.
INSIGHTS
When Data is Violated
Data is the new oil. It’s considered a business’s most precious resource, if not its most valuable asset.
Tight privacy and data governance is the cornerstone of modern regulation and can be a source of frustration for the organisations storing and managing data. Falling on the wrong side of data regulations, such as the most famous, the General Data Protection Regulation (GDPR), can be costly to recover from.
As your data is valuable, cyber criminals are smarter than ever and are trying to seize, ransom or destroy it for their own financial gain. Did you know that between 2020 and 2021, when many were accelerating their digital transformations, organisations paid at least £44.3 million to ransomware gangs?
There are different means that gangs will use to violate your data, including:
01. Data theft
02. Data ransom
03. Data destruction
Whether stolen, ransomed for financial gain, or destroyed in the war of cybercrime, if you have valuable data, you are a target. Better yet, as ransomware is platform-agnostic, even your IBM i platform is a target.
#3. Exit Programmes
If antivirus is a fortified wall in the fortress of your security strategy, exit programmes are the arsenal. Exit points allow you to define what happens when a user, or an application, attempts to connect from the outside in. This means with exit programmes, you can lock down the most attacked interfaces.
With exit programmes in place, you can:
- Allow or deny access based on user, IP, time, or command type
- Log every attempted access (… even failed ones)
- Block unencrypted sessions or limit specific SQL statements
- Monitor and alert on unusual usage patterns
OTHER ROLES
Compliance, Risk & the CISO’s Office
What about cyber insurance policies? Very recently, our analysts offered guidance to the UK & Ireland market regarding policies. Initially many asked, what can you do with risk? That quickly changed to: how can I offset risk and liability associated with cybercrime?
Cyber insurance is now stricter, making these policies even more challenging to acquire.
Regulators want better audit trails. Boards are asking harder questions. Requirements around customer data and its privacy have tightened.
Whether a bank, insurer, university, or other regulated industry, they all need verifiable controls. That includes:
- Antivirus logs
- Audit journal configurations (QAUDCTL, QAUDLVL)
- Least privilege enforcement
- File integrity monitoring
Without these, the risk of a costly breach is heightened.
Checklist for the Smart IBM i Buyer
✅ To-Do | 💡 Why It Matters |
---|---|
Deploy antivirus | Blocks threats in real-time on IBM i, not just at the perimeter |
Remove unused users | Attackers love default or anonymous users |
Enforce least privilege | ALLOBJ access is often unjustified |
Configure audit journals properly | You can’t detect what you don’t log |
Scan IFS weekly | Dormant files are still dangerous |
Monitor data exfiltration points | FTP, ODBC, JDBC need controls too |
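The profile and audit-journal items in the checklist above can be checked directly on the system. The following is an added example, not part of the original article or of any CSI or Fortra tooling: two queries against the IBM i Services views QSYS2.USER_INFO and QSYS2.SYSTEM_VALUE_INFO. The 90-day threshold and the 'Q%' filter for IBM-supplied profiles are assumptions, and column availability depends on your IBM i release.

```sql
-- Added example: run from a suitably authorised profile (e.g. ACS Run SQL Scripts).

-- 1. Profile findings: default passwords, unused-but-enabled users, *ALLOBJ holders.
WITH profiles AS (
    SELECT AUTHORIZATION_NAME, STATUS, PREVIOUS_SIGNON,
           SPECIAL_AUTHORITIES, USER_DEFAULT_PASSWORD
      FROM QSYS2.USER_INFO
     -- Assumption: names starting with Q are IBM-supplied; this heuristic also
     -- hides any site-created profile that happens to start with Q.
     WHERE AUTHORIZATION_NAME NOT LIKE 'Q%'
)
SELECT 'DEFAULT PASSWORD' AS FINDING, AUTHORIZATION_NAME, STATUS, PREVIOUS_SIGNON
  FROM profiles
 WHERE USER_DEFAULT_PASSWORD = 'YES'
UNION ALL
-- Enabled profiles that never signed on, or not within the assumed 90 days.
-- Batch-only and object-owner profiles will appear here; review before disabling.
SELECT 'UNUSED BUT ENABLED', AUTHORIZATION_NAME, STATUS, PREVIOUS_SIGNON
  FROM profiles
 WHERE STATUS = '*ENABLED'
   AND (PREVIOUS_SIGNON IS NULL
        OR PREVIOUS_SIGNON < CURRENT TIMESTAMP - 90 DAYS)
UNION ALL
-- Direct *ALLOBJ grants only; authority inherited through a group profile
-- is not shown by this predicate and needs a separate check.
SELECT 'HOLDS *ALLOBJ', AUTHORIZATION_NAME, STATUS, PREVIOUS_SIGNON
  FROM profiles
 WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
 ORDER BY FINDING, AUTHORIZATION_NAME;

-- 2. Audit configuration: QAUDLVL/QAUDLVL2 only take effect when QAUDCTL
--    includes *AUDLVL, so a populated QAUDLVL alone proves nothing.
SELECT SYSTEM_VALUE_NAME,
       CURRENT_CHARACTER_VALUE,
       CASE
         WHEN SYSTEM_VALUE_NAME = 'QAUDCTL'
              AND CURRENT_CHARACTER_VALUE NOT LIKE '%*AUDLVL%'
           THEN 'QAUDLVL actions are NOT being audited'
         ELSE 'compare against your audit policy'
       END AS NOTE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QAUDCTL', 'QAUDLVL', 'QAUDLVL2');
```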
IBM i Security ‘in a Box’
What if the worry of ransomware invasions, poor configs or weak passwords could be improved? In partnership with Fortra, CSI is offering IBM i end users an essentials ‘bundle’ for security, helping to compile some of the fundamental layers of security.
Secure by design, our security essentials is a way to get ahead of today’s pervasive threatscape. We built these essential building blocks to IBM i security to address the most common security challenges, including antivirus.
For more information on securing your IBM i platform, leave us a message and one of our experts will be in touch. Interested in understanding more about IBM i managed services? Be at peace with your security strategy – and it all starts with a free scan.
