Traditional AS400 Security
The IBM AS/400 has powerful security features built into its OS/400 operating system. The AS/400 security architecture is mature and well proven, and it has been the backbone of the IBM midrange product lines that followed it: iSeries, System i and IBM i.
The traditional AS/400 security features include strong authentication and authorization at both the user level and the object level. An AS/400 user is defined by a user profile, made up of many dozens of parameters that define the authorities and the environment available to that user. Every OS/400 resource is an object; each object has a predefined object type and many further qualifying attributes, among them its owner, its *PUBLIC authority and its object auditing value.
User authorization is mapped to objects through a well-proven system of object authority levels (*EXCLUDE, *USE, *CHANGE and *ALL, each a bundle of object and data authorities), object types, private and group profile authorities, *PUBLIC authority, and special authorities such as *ALLOBJ and *SECADM.
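As an added illustration (not code from this page or from Bsafe), the following Python models how OS/400 resolves a user's authority to an object from the user's special authorities, a private authority, the authorities of group profiles and the *PUBLIC authority. It is a simplified model: owner authority, authorization lists and adopted authority are left out, and the profile and object names (ALICE, BOB, ACCTGRP, ACCTLIB/GLMASTER and so on) are constructed for the example. The point it makes is the one a practitioner most often trips over: an explicit private authority for the user, even *EXCLUDE, ends the search, while group authorities accumulate.

```python
from dataclasses import dataclass, field

# Object and data authorities on OS/400, and the authority levels built from them.
OBJECT_AUTHORITIES = frozenset({"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF"})
DATA_AUTHORITIES = frozenset({"*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"})
LEVELS = {
    "*EXCLUDE": frozenset(),
    "*USE": frozenset({"*OBJOPR", "*READ", "*EXECUTE"}),
    "*CHANGE": frozenset({"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}),
    "*ALL": OBJECT_AUTHORITIES | DATA_AUTHORITIES,
}


@dataclass
class UserProfile:
    name: str
    special: frozenset = frozenset()  # special authorities, e.g. {"*ALLOBJ"}
    groups: tuple = ()                # group profile names (GRPPRF, then SUPGRPPRF)


@dataclass
class SecuredObject:
    name: str                                    # "LIBRARY/OBJECT"
    public: str = "*EXCLUDE"                     # *PUBLIC authority level
    private: dict = field(default_factory=dict)  # profile name -> authority level


def check_authority(user, obj, needed, profiles):
    """Return (authorized, reason) for `user` needing the authorities in `needed` on `obj`.

    Simplified model of the OS/400 authority search order; owner authority,
    authorization lists and adopted authority are omitted.
    """
    needed = frozenset(needed)
    # 1. *ALLOBJ special authority grants everything.
    if "*ALLOBJ" in user.special:
        return True, "*ALLOBJ special authority"
    # 2. A private authority for the user decides the outcome on its own, so an
    #    explicit *EXCLUDE overrides whatever the groups or *PUBLIC would grant.
    if user.name in obj.private:
        level = obj.private[user.name]
        return needed <= LEVELS[level], f"private authority {level}"
    # 3. Group profiles: *ALLOBJ in any group authorizes; otherwise the private
    #    authorities of all groups are accumulated before the decision is made.
    accumulated = set()
    group_authority_found = False
    for group in user.groups:
        group_profile = profiles.get(group)
        if group_profile is not None and "*ALLOBJ" in group_profile.special:
            return True, f"group {group} has *ALLOBJ"
        if group in obj.private:
            group_authority_found = True
            accumulated |= LEVELS[obj.private[group]]
    if group_authority_found:
        return needed <= accumulated, "accumulated group authority"
    # 4. Nothing specific for the user or its groups: fall back to *PUBLIC.
    return needed <= LEVELS[obj.public], f"*PUBLIC {obj.public}"


# Constructed sample profiles and object for the example (not real systems).
PROFILES = {
    "ACCTGRP": UserProfile("ACCTGRP"),
    "PAYGRP": UserProfile("PAYGRP"),
    "OPERATOR": UserProfile("OPERATOR", special=frozenset({"*ALLOBJ", "*JOBCTL"})),
    "ALICE": UserProfile("ALICE", groups=("ACCTGRP", "PAYGRP")),
    "BOB": UserProfile("BOB", groups=("ACCTGRP",)),
    "CAROL": UserProfile("CAROL"),
}
GLMASTER = SecuredObject(
    "ACCTLIB/GLMASTER",
    public="*EXCLUDE",
    private={"ACCTGRP": "*USE", "PAYGRP": "*CHANGE", "BOB": "*EXCLUDE"},
)


if __name__ == "__main__":
    for who, need in [("ALICE", {"*UPD"}), ("BOB", {"*READ"}),
                      ("OPERATOR", {"*OBJEXIST"}), ("CAROL", {"*READ"})]:
        ok, why = check_authority(PROFILES[who], GLMASTER, need, PROFILES)
        print(f"{who:8} {sorted(need)} -> {'authorized' if ok else 'NOT authorized'} ({why})")
```

Run as a script it shows ALICE updating GLMASTER through her PAYGRP membership, BOB denied *READ by his own *EXCLUDE even though ACCTGRP has *USE, OPERATOR authorized by *ALLOBJ, and CAROL stopped by the *EXCLUDE *PUBLIC authority.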
On the auditing front, security auditing is provided by the history log and the system audit journal (QAUDJRN), while database auditing is handled by journaling the database file itself, known as a file journal.
AS400 Security Issues
The AS/400 system administrator faces a number of challenges. Firstly, many of the features described above require expertise in AS/400 system commands to implement, whereas today's administration staff often come from a Windows, networking or other background and lack in-depth AS/400 security knowledge. Secondly, even when the administrator has the required skills, the resulting output is frequently formatted in a way that does not easily turn into valuable, usable information.
Moreover, with today's demands for internal controls and auditing, auditors have joined the AS/400's set of users. They need easy-to-use tools to obtain the information they require, and their dependence on the IT department for the necessary reports is costly and inefficient.
Probably the most significant AS/400 security issue, however, follows from a now well-established fact: the AS/400 no longer connects to its users over twinax cables but over TCP/IP protocols, for everything from web application serving to file transfer. In these applications the excellent user profile/object authority architecture faces a challenge it cannot meet on its own, because object authority is granted to a user regardless of how the user reaches the object. A new dimension is needed: controlling access by the path taken (the server, service or network resource used) to reach the object. For example, a file that a user reads through the company accounts application, which enforces its own business rules, has very different implications when the same user pulls the whole file down through a remote FTP download, and object authority alone permits both equally. See AS400 FTP.
Exit Points and Exit Programs for Enhanced AS400 Security
IBM provided a means of extending the existing AS/400 security infrastructure when it introduced exit points into OS/400. An exit point is a defined place in a system function at which a registered, user-written exit program is called; the program receives details of the request (typically the user profile, the remote address and the requested operation) and can accept or reject it. Exit points exist at critical processing points such as a connection to the AS/400 from a remote computer using FTP, or the execution of an ODBC database request. For a more detailed example, see AS400 Security Software.
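The two preceding sections describe the problem (the same object authority applies whether a user reaches a file through an application or through FTP) and the mechanism IBM supplies to address it (an exit program that sees the user, the remote address and the requested operation and may reject the request). The following Python is an added example, not code from this page or from Bsafe, that models the decision such an exit program makes: a first-match rule set keyed on user, service, operation, object and source network, with every decision written to an audit record. The service labels (APP, FTP, ODBC, RMTCMD), the operation names, the profile names and the addresses are constructed for the example; a real FTP server exit program would instead receive the fields of the exit point's parameter format and return an allow/reject indicator, and would run in addition to, not instead of, the normal object authority check.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Request:
    user: str        # user profile name
    service: str     # path taken to the object: "APP", "FTP", "ODBC", "RMTCMD" (constructed labels)
    operation: str   # "READ", "WRITE" or "EXECUTE"
    obj: str         # "LIBRARY/OBJECT"
    remote_ip: str   # source address as the server reports it


@dataclass(frozen=True)
class Rule:
    user: str = "*ANY"
    service: str = "*ANY"
    operation: str = "*ANY"
    obj_prefix: str = ""       # "" matches every object; "ACCTLIB/" matches one library
    network: str = "*ANY"      # CIDR the request must originate from
    allow: bool = False

    def matches(self, req: Request) -> bool:
        if self.user not in ("*ANY", req.user):
            return False
        if self.service not in ("*ANY", req.service):
            return False
        if self.operation not in ("*ANY", req.operation):
            return False
        if not req.obj.startswith(self.obj_prefix):
            return False
        if self.network != "*ANY":
            if ipaddress.ip_address(req.remote_ip) not in ipaddress.ip_network(self.network):
                return False
        return True


class ExitPolicy:
    """First matching rule wins. Requests arriving over a network service with no
    matching rule are rejected; the interactive application path is left to
    object authority alone, as it was before TCP/IP access existed."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.audit: List[dict] = []   # one record per decision, whatever the outcome

    def decide(self, req: Request) -> bool:
        for idx, rule in enumerate(self.rules):
            if rule.matches(req):
                return self._record(req, rule.allow, f"rule {idx}")
        return self._record(req, req.service == "APP", "default")

    def _record(self, req: Request, allowed: bool, why: str) -> bool:
        self.audit.append({
            "user": req.user, "service": req.service, "operation": req.operation,
            "object": req.obj, "remote_ip": req.remote_ip,
            "decision": "ALLOW" if allowed else "REJECT", "reason": why,
        })
        return allowed


# Constructed rule set for the example: accounts users may not pull accounting
# files over FTP at all, a transfer account may fetch reports over FTP only from
# the finance subnet, and nobody may run remote commands.
RULES = [
    Rule(user="ACCTUSR", service="FTP", obj_prefix="ACCTLIB/", allow=False),
    Rule(user="XFERUSR", service="FTP", operation="READ", obj_prefix="OUTQLIB/",
         network="10.1.20.0/24", allow=True),
    Rule(service="RMTCMD", allow=False),
]


if __name__ == "__main__":
    policy = ExitPolicy(RULES)
    for req in [
        Request("ACCTUSR", "APP", "READ", "ACCTLIB/GLMASTER", "10.1.5.5"),
        Request("ACCTUSR", "FTP", "READ", "ACCTLIB/GLMASTER", "10.1.5.5"),
        Request("XFERUSR", "FTP", "READ", "OUTQLIB/REPORT", "10.1.20.7"),
        Request("XFERUSR", "FTP", "READ", "OUTQLIB/REPORT", "192.0.2.5"),
    ]:
        policy.decide(req)
    for rec in policy.audit:
        print(rec)
```

The first two requests are the page's own example: the same user, the same object and the same object authority, but the application path is allowed while the FTP path is rejected. The audit list is kept on every decision, allowed or not, because the question an auditor asks afterwards is who reached what over which service, not only who was refused.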
Users have taken advantage of this openness for years to harden the AS/400 against unauthorized access, and a relatively small number of software vendors have built products on the possibilities it opened up. Bsafe Information Systems is one of those vendors and has been building AS/400 security products since 2000.
New Tools for AS400 Access Control and Auditing
So, despite their maturity and robustness, the AS/400's built-in security features are complemented by system security management and data security software developed and marketed by Bsafe Information Systems.
Bsafe develops and markets software products that meet many of the AS/400 security needs of companies in the post-SOX era. To learn more about these products, see the System i Products menu.