Is the IBM i secure or irrelevant? IBM i object security vs. Win and UNIX file security

1 04 2010

A critical security consideration for any operating system is how it secures ‘files’. Although the contexts may differ, both Windows and UNIX encapsulate all types of information in files of various types. IBM i, on the other hand, encapsulates information in various types of objects. Different objects require different types of access.

If I know the name and path of a file under Windows or UNIX, I know its location and can access it by knowing how to read and navigate the file structures. Under IBM i, objects in the native, library file system are located and constructed via sets of pointers. Knowing how to read and navigate the file structures only leads you to bits and pieces of an object’s definition. As a result, hacking an IBM i system requires an order of magnitude greater knowledge and sophistication than hacking either Windows or UNIX.

UNIX secures files at owner, group and public levels for read, write and execute access. Older versions of Windows only secured files via read-only, hidden and archive attributes. Newer versions of Windows and many UNIX systems also provide Access Control Lists (ACLs) to secure ‘objects’ against access by users without proper permissions or authority. From its earliest days, starting with System/38, the IBM i series provided true object access control at multiple levels of an object’s definition. At the higher object definition level, the system provides Operational, Management, Existence, Alter and Reference control. For objects containing data, the system additionally provides Read, Add, Update, Delete and Execute control. What is more, file definitions can extend access controls to the field level. For the UNIX- and Windows-like file systems which are part of the Integrated File System, native object access controls are used to emulate UNIX access controls.
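The emulation in the last sentence can be made concrete. The following is an added example, not part of the original post: it translates a UNIX mode into the native authorities each class receives, using the *R, *W and *X groupings of the CHGAUT command's DTAAUT parameter. The function names and sample modes are constructed for illustration.

```python
"""Added example: UNIX rwx bits expressed as IBM i native authorities."""
import stat

# Data authorities each UNIX permission bit stands for in the IFS
# (the *R, *W and *X values of the DTAAUT parameter of CHGAUT).
BIT_TO_DATA = {
    "r": ("*READ",),
    "w": ("*ADD", "*UPD", "*DLT"),
    "x": ("*EXECUTE",),
}

# (class name, read mask, write mask, execute mask); UNIX "other" is *PUBLIC.
CLASSES = (
    ("owner", stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    ("group", stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    ("*PUBLIC", stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
)


def authorities_for(mode):
    """Return {class: sorted list of IBM i authorities} for a UNIX mode."""
    result = {}
    for name, r, w, x in CLASSES:
        auths = set()
        for letter, mask in (("r", r), ("w", w), ("x", x)):
            if mode & mask:
                auths.update(BIT_TO_DATA[letter])
        if auths:
            # Any of *R, *W or *X also carries object operational authority.
            auths.add("*OBJOPR")
        result[name] = sorted(auths)  # empty list: no data authority at all
    return result


def public_can_modify(mode):
    """True when *PUBLIC (UNIX 'other') can add, update or delete data."""
    return bool({"*ADD", "*UPD", "*DLT"} & set(authorities_for(mode)["*PUBLIC"]))


if __name__ == "__main__":
    for m in (0o750, 0o644, 0o666):  # constructed sample modes
        print(oct(m), authorities_for(m), "public write:", public_can_modify(m))
```

A single UNIX write bit expands to three separate native data authorities, which is the extra granularity the paragraph describes: a native object can be granted Add without Update or Delete, a combination the rwx model cannot express.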

At a higher level, authority lists provide the ability to control object access for multiple objects using a single, easy-to-manage object. And, IBM i supports ACLs in limited environments.

Therefore, IBM i provides very mature and sophisticated access control mechanisms with a great deal of granularity. This is part of the reason IBM i systems are compromised far less often than are Windows and UNIX systems.

Most Integrated System in the World?

11 12 2009

Basically, the IBM i (OS/400 i5) is the most integrated, some say psychotic, computer system ever built. With it you can set up LPARs from which to independently serve and/or process different types of information and/or address different domain spaces using AIX, Linux and/or native OS/400 images. It allows direct access of centralized data in the native database file system, PC file system, UNIX file system, optical file system, and other file systems from the native OS/400, PASE (AIX bind) or Windows Server interfaces. It provides system access via green screen, graphical interface, web-centric interface and others. It allows running legacy and new COBOL and RPG applications alongside Java and PHP applications.

What system could be more integrated? The internet! IBM i systems, along with other systems, provide users with unbelievable power, flexibility and interconnectivity, and they all integrate via the internet. How can you provide services to and receive services from customers, vendors, government agencies, web portals, etc. without compromising your system's integrity? As demonstrated in the news this past week, not even the US Government is immune to compromise.

There is hope, and in the coming weeks I plan to provide some helpful insight. Being an IBM i bigot, you can bet that IBM i will be included in the discussions.