Blog

Log4j Shows Why Security Can Never Be Neglected (Even for IBM i)

Posted by John Huntoon

Find me on:


Log4j Shows Why Security Can Never Be Neglected - Even for IBM iRecent months have provided a vivid reminder of why it’s so important to have an IT team paying close attention to your security at all times.  While IBM i is one of the safest environments around, the Log4j virus showed yet again that no ecosystem is immune to serious security risks. 

Don’t get lulled into complacency!

Security risks become more complex and varied with each passing year, and keeping up with this shifting landscape can be burdensome for internal IT teams. The right managed service provider can help keep up, leveraging economies of scale to deliver cost-effective security expertise, monitoring, and support services. 

Log4j Reminds Us Why Security Can Never Be Neglected

Apache Log4j is a logging framework used in a variety of popular programs, including many programs run on IBM i. Also going by the name of “LogJam” and “Log4Shell,” this issue represents a very serious risk to a broad variety of systems – IBM i included – and gives hackers a relatively easy entry point for malicious code. As this critical vulnerability in this framework emerged in December, IT Jungle cautioned “IBM i shops are encouraged to take this flaw very seriously, as the vulnerability already is being actively exploited in the wild. However, finding where Log4j exists in your stack is not always simple, which makes this particular flaw particularly nasty.” Research by CheckPoint suggests that this vulnerability was exploited over 830,000 times in the first 72 hours since it emerged. Over 60 different variants emerged in the same period.

Fortunately, we were able to rapidly secure our clients from the Log4J vulnerability. Threats like this one serve as a powerful reminder that new security risks can always emerge, even for secured systems like IBM i. It’s essential to always pay meticulous attention to security (or have a quality MSP do it for you).

IBM i: A Safe Stable, Ecosystem Still Requires Careful Attention to Security

IBM i provides outstanding long-term value to so many different organizations due, among other things, to its outstanding stability and security. Indeed, many IBM i systems can keep performing for years with virtually no attention. But no system is invulnerable or permanently maintenance-free! 

In the past, we’ve written about how highly reliable tech, like Power i running IBM i, still needs a carefully tailored support strategy. And security is no different. A well-managed IBM i implementation should be effectively immune to many common threats that plague alternative operating systems. In fact, IBM i is so secure that it can engender a sense of complacency. But as Log4j shows us, it’s still essential to keep up with the latest threats so that any new vulnerabilities can be rapidly secured. 

Keeping up with the latest security developments, however, is demanding, specialized work. Maintaining the requisite security expertise in house can be challenging (and expensive) for many organizations. And keeping up with ongoing security workflows (like monitoring new threats and applying critical updates to quickly resolve emerging threats) can push already busy internal IT resources past their limits. Enterprise-grade security requirements seem to become more complex with each passing day. As this complexity grows, it risks diluting the lean operational overhead that a system like IBM i should be able to deliver!

Fortunately, a managed services provider with the right security expertise can offer a powerful solution. 

Why Managed Services Can Offer Great Value for Security Work (and Beyond)

The right MSP can be the perfect fit for an organization that needs to keep up with the latest best practices for security without bogging down internal resources (or distracting them from work more directly related to the core business). That’s because an MSP can:

  1. Offer economies of scale. While effective security requires specialized expertise, it doesn’t require full-time attention at many organizations. An MSP can help an organization maintain access to security experts without the cost of a dedicated internal security hire.
  2. Keep up with ongoing updates. Keeping systems fully up to date is always one of the best ways to stay secure, and an MSP can help ensure that the operating system is updated in a timely fashion.
  3. Monitor new security developments. An MSP can afford to maintain dedicated security experts who track the latest developments about potential vulnerabilities and mitigation strategies.

For these reasons, the right MSP should be able to enhance security, control costs, and improve internal IT teams’ ability to focus on value-added projects. Unless an organization has such extensive security requirements that multiple full-time security specialists could be justified, the economics of a managed service model will almost always prove advantageous. While most businesses don’t need a full-time security specialist, they do need reliable, timely access to an IT management team with dedicated security capabilities and specialized tools.  An MSP with the right security expertise can thread this needle at an optimal price point. 

If you’re interested in learning more about why a managed service model can offer such outstanding value, we recommend our article here on remote monitoring for managed services. We examine how comprehensive system monitoring, like security, doesn’t always require the expense of 24/7 eyes on glass. 

Or, if you’re interested in discussing the best way to keep up with security for your IBM i implementation, we encourage you to reach out to our team using the button below.

Need Help with A Security Audit? Reach Out to the Experts