
Every IBM i Estate Needs Securing – Here’s Why


    Securing Your IBM i Platforms in 2025

    Over time, assumptions about IBM i’s reliability have led to a false confidence in its out-of-the-box security posture. Put simply, IBM i environments are highly securable, but without best practice they remain vulnerable to everyday ransomware.

    If you run and manage an IBM i (or AS/400, iSeries, and System i) estate, then securing your OS could be the next, critical step in reaching peace of mind operationally. With cybersecurity reaching fever pitch in most businesses, now is the time to secure your IBM i environment.


    A Different Angle on Risk

    If the Board of Directors asked you tomorrow, “Does our IBM i environment require security protection?”, how would you answer?

    The subject of operational and cyber resilience is, according to analysts, on nearly every boardroom’s IT agenda. As budgets renew for the year, new threats emerge, compliance tightens and IT operations answer these challenges, we need to rethink the risks that surround your business. For example, the shift to remote working in the post-pandemic climate made many organisations lower their guard, focussing instead on employee connectivity, therefore widening the attack surface for ransomware.

    As one of the most renowned, securable operating systems, IBM i has a loyal following and strong marketplace. Since the days of AS/400, there’s a longstanding reputation that the platform can withstand intrusion. The belief is that IBM i is a fortress. The truth is it can be.

    IBM i Security, Explained

    As operating systems go, IBM i platforms can be battle-hardened with security offerings that are often overlooked. Like all platforms, forgoing the basic security protocols (are you, for example, utilising security audit logs?) invites risk, and cybercriminals are nothing if not opportunists.

    After more than 40 years of helping customers transform with scalable, compliant, and secure platforms like IBM i, our experts have seen it all, from poor configuration to limited protection where there is no exit point program in place. One of the most common scenarios affecting system users, for example, concerns password length.

    The list of possible security issues goes on.

    What is considered security best practice for IBM i? There is a more formal list of security objectives for IBM i, detailed by IBM in this report, which covers areas including:

    • Password controls and policies
    • User special authorities
    • System auditing
    • Secure connections
    • … and more

     

    Where should you start with IBM i security?

    The Next Generation of Resilience – IBM Power11

    In case you missed it… IBM Power11 launched to hotly anticipated subjects of productivity, business continuity, and beyond. As an agentic, autonomous platform, IBM Power11 is enriched with values of resiliency – not just security.
    What does this mean for you?

    “Resilience”, simplified, is the end goal for most modern organisations and describes how effectively they deter, mitigate and recover from risks of all kinds. Operationally, however, there is no single road to achieving resilience. Instead, companies layer in security controls and strategies, one after another, to ensure that they are defended from today’s threatscape.

    Today’s most aggressive, pervasive and devastating risks can be blunted and deterred. The first step is simple: start with the essential security controls.

    CSI SAYS

    The Illusion of IBM i Immunity

    There’s a well-worn myth that IBM i systems are virtually bulletproof.

    From the start, our analysts have cautioned that even the most modernised IT environments should not make passive assumptions about their levels of resilience. In the last few years, there has been a paradigm shift in how industry leaders think about, and execute, their security strategies. Security planning is not about if your business will get breached. It’s about preparing for when cybercrime strikes and how you can recover at speed.

    “Security by obscurity doesn’t cut it anymore.”

    With ransomware now targeting file systems at a granular level, and hybrid environments increasing the complexity of IT estates, IBM i is no longer walled off from the modern threatscape. It’s on the network, integrated with Windows endpoints, connected to databases, and exposed through mapped drives and APIs. Attackers don’t need to understand RPG or CL; they just need to encrypt a few files via the IFS, and your weekend’s peace is over.

    With every customer interaction, CSI’s specialists challenge what we call the ‘illusion of immunity’ or the belief that your platforms, no matter how reliable, are bulletproof.

    Security Blind Spots (According to Businesses)

    Surveying the market, our security partner, Fortra, discovered that amongst the main inhibitors of IBM i security are:

    • Risk misconception
    • Mismanaged priorities
    • Lack of security education (and training)
    • Over-reliance on firewalls
    • Green screens (only menus)

    These areas have been identified as some of the largest risks posed to businesses with IBM i workloads right now.

    There are a lot of misconceptions around IBM i security.

    Where Do I Start with IBM i Security?

    We tell customers all the time that there’s a difference between a secured IBM i platform and one that’s securable. Costly downtime, reputationally harming headlines, a high profile with regulators – there’s a lot on the line.

    Security isn’t an out-of-the-box, universal fit; it comes with some assembly required.

    Start foundationally and with a wide-open, practical view into building up to resilience. Security, for example, isn’t a one-time, overnight fix. Rather, security can be trained, managed and controlled, and layered into your IT over time.
    There are no shortcuts in security either.

    Buyer beware: commercial security tools are available in the marketplace, and they exist to support your operational resilience, but owning tools doesn’t necessarily mean that you are protected.

    Our experts have outlined the top three areas to consider first when starting to secure your IBM i estate.

    #1. System Configuration

    We recommend everything from robust audit trails to strengthened user profiles. Without auditing, for example, detecting a security violation will be impossible. Areas for improvement in user profiles, such as unused users or default passwords, should be addressed immediately.

    If IFS shares are not under regular review, then there’s a greater risk of attack. But quick steps, such as eliminating unnecessary shares or making IFS shares “read only”, can mitigate certain risks of an invasion.

     

    #2. Virus Protection

    In some cases, misconceptions about virus protection have led to the illusion of immunity.
    Because a traditional virus won’t affect an IBM i native object, this is mistaken for a form of immunity.

    There have been multiple reports of system invasions across IBM i end users, which could have been blunted with an anti-virus product. In a hybrid environment, the potential risks become even more heightened.

    INSIGHTS

    When Data is Violated

    Data is the new oil. It’s considered a business’ most precious resource, if not its most valuable asset.

    Tight privacy and data governance is the cornerstone of modern regulation and can be a source of frustration for organisations storing and managing data. Being on the wrong side of data regulations, the most famous being the General Data Protection Regulation (GDPR), can be costly to recover from.

    Because your data is valuable, cyber criminals are smarter than ever and are trying to seize, ransom or destroy it for their own financial gain. Did you know that between 2020 and 2021, when many were accelerating their digital transformations, organisations paid at least £44.3 million to ransomware gangs?

    There are different means that gangs will use to violate your data, including:

    01. Data theft
    02. Data ransom
    03. Data destruction

    Whether stolen, ransomed for financial gain, or destroyed in the war of cybercrime, if you have valuable data, you are a target. Better yet, as ransomware is platform-agnostic, even your IBM i platform is a target.

    #3. Exit Programmes

    If antivirus is a fortified wall in the fortress of your security strategy, exit programmes are the arsenal. Exit points allow you to define what happens when a user, or an application, attempts to connect from the outside in. This means with exit programmes, you can lock down the most attacked interfaces.
    With exit programmes in place, you can:

    • Allow or deny access based on user, IP, time, or command type
    • Log every attempted access (… even failed ones)
    • Block unencrypted sessions or limit specific SQL statements
    • Monitor and alert on unusual usage patterns
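
    The allow/deny and logging behaviour listed above, modelled in Python as an added example (it is not IBM i exit-program code and not CSI's or Fortra's implementation). The users, addresses, rule fields and function names are hypothetical; on the system itself this logic would live in an exit program.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Request:            # one inbound connection attempt
    user: str
    source_ip: str
    server: str           # interface being reached, e.g. "FTP" or "ODBC"
    operation: str        # command or SQL verb, e.g. "PUT", "SELECT"
    at: time
    encrypted: bool

@dataclass(frozen=True)
class Rule:               # one allow-list entry; anything unmatched is denied
    user: str
    network: str          # CIDR the user may connect from
    server: str
    operations: frozenset
    start: time
    end: time

# Constructed sample policy (hypothetical users and addresses).
RULES = [
    Rule("ETLSVC", "10.20.0.0/24", "ODBC", frozenset({"SELECT"}), time(1), time(5)),
    Rule("OPSADMIN", "10.20.5.10/32", "FTP", frozenset({"GET", "PUT"}), time(8), time(18)),
]
AUDIT_LOG = []            # every attempt is recorded, rejected ones included

def matches(rule: Rule, req: Request, addr) -> bool:
    return (rule.user == req.user and rule.server == req.server
            and addr in ipaddress.ip_network(rule.network)
            and req.operation in rule.operations
            and rule.start <= req.at <= rule.end)

def decide(req: Request) -> bool:
    """Return True to accept the request, False to reject it; always log."""
    allowed, reason = False, "no matching rule"
    try:
        addr = ipaddress.ip_address(req.source_ip)
    except ValueError:
        addr, reason = None, "unparseable source address"
    if addr is not None and not req.encrypted:
        reason = "unencrypted session"
    elif addr is not None and any(matches(r, req, addr) for r in RULES):
        allowed, reason = True, "matched allow rule"
    AUDIT_LOG.append((req.user, req.source_ip, req.server, req.operation,
                      "ALLOW" if allowed else "DENY", reason))
    return allowed
```

    The policy is default-deny: a request is accepted only when user, source network, interface, operation and time window all match one rule, and the audit entry is written whichever way the decision goes.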

    OTHER ROLES

    Compliance, Risk & the CISO’s Office

    What about cyber insurance policies? Very recently, our analysts offered guidance to the UK & Ireland market regarding policies. Initially many asked, what can you do with risk? That quickly changed to: how can I offset risk and liability associated with cybercrime?

    Cyber insurance is now stricter, making these policies even more challenging to acquire.
    Regulators want better audit trails. Boards are asking harder questions. Requirements around customer data and its privacy have tightened.

    Whether a bank, insurer, university, or other regulated industry, they all need verifiable controls. That includes:

    • Antivirus logs
    • Audit journal configurations (QAUDCTL, QAUDLVL)
    • Least privilege enforcement
    • File integrity monitoring

    Without these, the risk of a costly breach is heightened.

    Checklist for the Smart IBM i Buyer

    ✅ To-Do | 💡 Why It Matters
    Deploy antivirus | Blocks threats in real-time on IBM i, not just at the perimeter
    Remove unused users | Attackers love default or anonymous users
    Enforce least privilege | ALLOBJ access is often unjustified
    Configure audit journals properly | You can’t detect what you don’t log
    Scan IFS weekly | Dormant files are still dangerous
    Monitor data exfiltration points | FTP, ODBC, JDBC need controls too

    IBM i Security ‘in a Box’

    What if the worry of ransomware invasions, poor configs or weak passwords could be improved? In partnership with Fortra, CSI is offering IBM i end users an essentials ‘bundle’ for security, helping to compile some of the fundamental layers of security.

    Secure by design, our security essentials is a way to get ahead of today’s pervasive threatscape. We built these essential building blocks to IBM i security to address the most common security challenges, including antivirus.

    For more information on securing your IBM i platform, leave us a message and one of our experts will be in touch. Interested in understanding more about IBM i managed services? Be at peace with your security strategy – and it all starts with a free scan.
