The IBM i Security Maturity Model: Protecting Your Mission-Critical Systems

In today’s interconnected computing landscape, IBM i security has become a critical concern as these systems often find themselves in a precarious position. They typically house an organization’s most vital data while sometimes operating as “security islands” within the enterprise architecture. As I speak with CIOs and IT leaders, I frequently hear confidence about enterprise-wide security measures until the conversation turns to IBM i systems. Then comes the pause, followed by, “Well, those are… different.”

This security isolation creates serious vulnerabilities. Most modern attacks originate from inside company networks, often from compromised internal devices. By treating IBM i as a security outlier, organizations create gaps precisely where mission-critical data resides.

To address these challenges, we’ve developed a comprehensive IBM i Integration Security Maturity Model that helps organizations assess their current security posture and chart a path toward a more robust and integrated security approach.

The IBM i Integration Security Model

Let’s explore each level of the maturity model, from basic security measures to a comprehensive, enterprise-wide approach:

Level 1: Basic Authentication

At the foundation level, organizations typically rely on:

  • Username/password authentication
  • Direct IBM i credential usage
  • Limited security controls
  • Isolated security management

While this approach uses native IBM i security features, such as the authorization capabilities of IBM i profiles, it creates significant vulnerabilities. When you rely on basic authentication, you send IBM i credentials with every sign-on, every external connection (e.g., ODBC, JDBC…), and every API call. This means native credentials are constantly transmitted across the wire and often stored in multiple locations outside your control. To make matters worse, many IBM i shops have given their .NET, web, and other external developers IBM i user IDs with very high levels of authority. Should those user IDs become compromised, malicious actors would gain significant access to your core systems. To start addressing those weaknesses, you can move up through the higher levels of the security model.

Level 2: Network Security & Protocol Updates

The next step up involves implementing:

  • TLS/HTTPS for all communications
  • Secure cipher suites
  • Updated security protocols

At this level, organizations recognize the importance of securing the transport layer. All API communications use HTTPS with modern TLS protocols (TLS 1.2 or higher) and secure cipher suites, even for internal network communications.

Level 3: Enterprise IAM Integration

Level 3 involves adopting the latest in authentication and authorization controls:

  • Connecting to enterprise identity providers
  • Single sign-on capabilities (e.g., Kerberos, SAML, Entra, LDAP…)
  • Centralized user management
  • Standardized authentication protocols
  • Multi-factor authentication for all access points
  • Token-based authentication
  • Role-based access control – external users’ authority is limited to the data and functions they actually need for the specific task they are performing
  • Granular authorization controls – just the minimum necessary authorization

This level represents a significant step forward, as IBM i authentication becomes part of the broader enterprise identity ecosystem. Rather than maintaining separate credentials for IBM i systems, users can authenticate through central identity providers.
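
The token-based authentication and role-based access control items above can be sketched as follows. This is an added example, not Eradani's code or an IBM i API: it assumes an API layer that issues a short-lived HMAC-signed token after the identity provider has authenticated the user, so the IBM i credential never travels with the request. The key, role names, and operation names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed signing key; in practice it stays in the API layer's secret store.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical role -> permitted API operations (minimum necessary authorization).
ROLE_OPERATIONS = {
    "order-entry": {"orders.read", "orders.create"},
    "reporting": {"orders.read", "inventory.read"},
}

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject, roles, ttl_seconds=300, now=None):
    """Issue a short-lived token once the identity provider has authenticated the user."""
    issued = int(time.time() if now is None else now)
    claims = {"sub": subject, "roles": sorted(roles), "exp": issued + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(sig)

def authorize(token, operation, now=None):
    """Return (allowed, reason): check signature, then expiry, then role scope."""
    try:
        body, sig = token.split(".")
        payload, signature = b64d(body), b64d(sig)
    except (ValueError, TypeError):
        return False, "malformed"
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        return False, "bad-signature"
    claims = json.loads(payload)  # parsed only after the signature has verified
    if (time.time() if now is None else now) >= claims["exp"]:
        return False, "expired"
    allowed = set().union(*(ROLE_OPERATIONS.get(r, set()) for r in claims["roles"]))
    return (True, "ok") if operation in allowed else (False, "out-of-scope")
```

A stolen token of this kind expires within minutes and is limited to its role's operations, whereas a stolen high-authority IBM i user ID stays valid until someone changes the password.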

Level 4: Secure DevOps Controls

At Level 4, users apply strong process controls and comprehensive change tracking around modifications to their application source code.

  • Automating code scanning to protect against security vulnerabilities in code
  • Automated enforcement of the separation of duties
  • Detailed, automatically enforced change logs (who, what, when, why)
  • Protecting from code loss by storing source code in a secure cloud repository

Level 5: Zero Trust Architecture & Comprehensive Monitoring

At the highest level of maturity, organizations achieve:

  • Enterprise-wide security monitoring and alerting
  • Integration with central security dashboards (Splunk, DataDog, etc.)
  • Complete audit trails across all systems
  • Zero trust principles applied consistently

This level represents highly secure controls, where IBM i systems are fully integrated into the enterprise security architecture, with consistent monitoring, logging, and security principles applied across all platforms.
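
As an added illustration of the monitoring and alerting described at this level (not code from the original article), the sketch below runs two detection rules over IBM i sign-on events of the kind a SIEM would receive. The event field names, the sample events, and the known-source baseline are constructed assumptions; QSECOFR is the IBM i security officer profile.

```python
from collections import defaultdict, deque

# Constructed sample events; field names are assumptions, not an IBM i or SIEM schema.
EVENTS = [
    {"ts": 100, "profile": "WEBAPI",  "src": "10.0.5.20", "result": "fail"},
    {"ts": 110, "profile": "WEBAPI",  "src": "10.0.5.20", "result": "fail"},
    {"ts": 125, "profile": "WEBAPI",  "src": "10.0.5.20", "result": "fail"},
    {"ts": 130, "profile": "WEBAPI",  "src": "10.0.5.20", "result": "ok"},
    {"ts": 400, "profile": "APPUSER", "src": "10.0.7.3",  "result": "fail"},
    {"ts": 500, "profile": "QSECOFR", "src": "10.0.1.5",  "result": "ok"},
    {"ts": 620, "profile": "QSECOFR", "src": "10.0.9.77", "result": "ok"},
    {"ts": 700, "profile": "APPUSER", "src": "10.0.7.3",  "result": "fail"},
]

HIGH_AUTHORITY = {"QSECOFR"}                # profiles whose sign-ons are always reviewed
KNOWN_SOURCES = {"QSECOFR": {"10.0.1.5"}}   # constructed baseline of expected sources

def detect(events, max_failures=3, window=60):
    """Return alerts as (rule, profile, ts) tuples, in time order."""
    alerts = []
    recent_failures = defaultdict(deque)    # profile -> timestamps of recent failures
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["result"] == "fail":
            q = recent_failures[e["profile"]]
            q.append(e["ts"])
            # Drop failures that fell out of the sliding window.
            while q and e["ts"] - q[0] > window:
                q.popleft()
            # Alert once, at the moment the threshold is reached.
            if len(q) == max_failures:
                alerts.append(("failed-signon-burst", e["profile"], e["ts"]))
        elif (e["profile"] in HIGH_AUTHORITY
              and e["src"] not in KNOWN_SOURCES.get(e["profile"], set())):
            alerts.append(("privileged-signon-new-source", e["profile"], e["ts"]))
    return alerts
```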

Moving Up the Maturity Model: Advancing Your IBM i Security

How can organizations advance their IBM i security maturity? Here are practical steps to consider:

  1. Assess your current position – Understand where you stand today by evaluating your authentication methods, network security, monitoring capabilities, and integration with enterprise security systems.
  2. Implement token-based authentication – Move beyond basic authentication to token-based approaches that don’t require transmitting IBM i credentials.
  3. Connect with enterprise identity providers – Integrate with existing IAM solutions like Okta, Microsoft Entra, or Duo to provide consistent authentication experiences.
  4. Add multi-factor authentication – Implement MFA for IBM i access points, leveraging the same tools used across your enterprise.
  5. Adopt advanced modern DevOps based on the latest tools – Implement source control with Git and source scanning with tools like SonarQube and Black Duck. Use pull requests and approvals to ensure all changes are reviewed before reaching production.
  6. Implement comprehensive monitoring – Ensure all IBM i authentication and access events are logged and visible in your enterprise security monitoring tools.
  7. Adopt zero trust principles – Apply the principle of “never trust, always verify” consistently across all platforms, including IBM i.

Real-World Success

One of our manufacturing clients recently moved from Level 2 to Level 4 by integrating their IBM i environment with their enterprise identity provider. By implementing token-based authentication and MFA through a secure API layer, they achieved several key benefits:

  • Security team’s visibility into IBM i authentication events
  • Elimination of plain-text IBM i credentials on other systems
  • Consistent security experience for users across all platforms
  • Simplified compliance reporting for security audits

Their CIO noted: “For the first time, our IBM i is no longer treated as a security exception. It’s fully integrated into our zero-trust architecture.”

Beyond Authentication

While the maturity model focuses heavily on authentication and authorization, a comprehensive security approach should also include:

  • API layer security to protect calls between systems
  • Network configuration security to manage how devices connect to your IBM i
  • Credential management to eliminate storing IBM i profiles and passwords externally
  • Monitoring and alerting to detect unusual activity patterns

Conclusion

The days of treating IBM i systems as security islands must end. Modern enterprise IBM i security demands a unified approach where IBM i systems participate fully in your security architecture. By advancing through the IBM i Integration Security Maturity Model, organizations can protect their mission-critical systems while maintaining the robust performance they expect from IBM i.

Remember, in today’s security landscape, having strong authentication on most of your systems isn’t enough. True security requires consistent, enterprise-wide protection that includes every platform, including your IBM i.

Interested in learning more about IBM i security integration? Join our upcoming webinar series where we’ll explore each level of the maturity model in depth and provide practical implementation guidance.

Daniel Magid, CEO, Eradani

Dan has spent over thirty years leading companies that help customers implement new technologies in legacy environments. Previously, Dan led worldwide software development groups that built highly successful modernization and DevOps tools and was the CEO of Aldon, the leading provider of DevOps tools to the IBM i marketplace. To learn more about Eradani’s offerings, reach out to us today!
