Annual Security Study Methodology and Scope
Fortra's 2024 State of IBM i Security Study marks the 21st consecutive year of analyzing security configurations across IBM i environments. The study draws from two primary data sources: the free Security Scan tool, which performs non-invasive Windows-based assessments of native IBM i configurations across seven key categories, and deep-dive risk assessments conducted through paid security services engagements. This dual-source approach provides both broad community trends and granular security insights. The study evaluates 98 distinct data points to help organizations understand their security posture, prioritize remediation efforts, and justify security investments. Unlike external port scans, this inside-out methodology examines actual system configurations to reveal true security exposures that are often masked by the platform's reputation as inherently secure.
Critical Findings: Password Security Remains Inadequate
Password security remains a fundamental weakness across IBM i environments. The study reveals that 70% of systems still run at password level (system value QPWDLVL) 0 or 1, which limits passwords to 10 characters from a restricted character set and stores them case-insensitively; levels 2 and 3 allow case-sensitive passphrases of up to 128 characters, and level 4, introduced with IBM i 7.5, uses a stronger password hashing scheme. Default passwords, where the password matches the profile name, remain alarmingly common, with an average of 241 users per system having default credentials. The 2024 figures are a modest improvement over 2023, when only 30% of systems met level 2, 3 or 4, but the persistence of weak password policies remains a critical vulnerability. Notably, no system evaluated in 2023 had reached password level 4, though the 2024 data shows some progress. The study emphasizes that password expiration alone is insufficient: expiration blocks interactive sign-on, but a job submitted under a profile whose password has expired still runs. Organizations must implement comprehensive password policies including minimum length and complexity requirements (QPWDMINLEN, QPWDRULES), eliminate default passwords entirely, and consider multi-factor authentication to close this foundational gap.
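The checks below are an added example written against the Db2 for i SQL services; they are not part of the study or of Fortra's Security Scan. They assume IBM i 7.3 or later, where QSYS2.SYSTEM_VALUE_INFO and QSYS2.USER_INFO (including its PASSWORD_LEVEL_0_1 and PASSWORD_LEVEL_2_3 columns) are available; confirm column names against the QSYS2 catalog on your release. Default-password detection is delegated to the native ANZDFTPWD command because no SQL service exposes whether a password equals the profile name.

```sql
-- Added example (not from the Fortra study): password-policy checks with Db2 for i
-- SQL services. Run from ACS Run SQL Scripts, STRSQL or RUNSQLSTM.
-- Assumes IBM i 7.3+ (QSYS2.SYSTEM_VALUE_INFO, QSYS2.USER_INFO).

-- 1. Password system values. QPWDLVL 0 or 1 = 10-character, case-insensitive passwords;
--    2 or 3 = case-sensitive passphrases up to 128 characters; 4 needs IBM i 7.5.
SELECT SYSTEM_VALUE_NAME, CURRENT_NUMERIC_VALUE, CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QPWDLVL', 'QPWDMINLEN', 'QPWDEXPITV', 'QPWDRULES');

-- 2. Readiness check before raising QPWDLVL to 2 or 3: profiles with a password but
--    no level-2/3 hash stored would be locked out after the change
--    (PRTUSRPRF TYPE(*PWDLVL) reports the same set).
SELECT AUTHORIZATION_NAME, STATUS, PASSWORD_CHANGE_DATE
  FROM QSYS2.USER_INFO
 WHERE NO_PASSWORD_INDICATOR = 'NO'
   AND PASSWORD_LEVEL_2_3 = 'NO'
 ORDER BY AUTHORIZATION_NAME;

-- 3. Enabled profiles whose password has not changed in more than a year (or ever).
--    Remember that an expired password only blocks interactive sign-on; a job
--    submitted under the profile still runs, so stale profiles should be disabled,
--    not merely expired.
SELECT AUTHORIZATION_NAME, PASSWORD_CHANGE_DATE, PASSWORD_EXPIRATION_INTERVAL, PREVIOUS_SIGNON
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
   AND NO_PASSWORD_INDICATOR = 'NO'
   AND (PASSWORD_CHANGE_DATE IS NULL
        OR PASSWORD_CHANGE_DATE < CURRENT TIMESTAMP - 1 YEAR)
 ORDER BY PASSWORD_CHANGE_DATE;

-- 4. Default passwords (password = profile name): no SQL column exposes this, so use
--    the native command from a CL session:
--      ANZDFTPWD ACTION(*NONE)     report only
--      ANZDFTPWD ACTION(*DISABLE)  report and disable the offending profiles
--      ANZDFTPWD ACTION(*PWDEXP)   report and set the passwords to expired
```

Step 2 is the one most shops skip: raising QPWDLVL is a system value change plus an IPL, and any profile that shows up in that query will fail sign-on afterwards until its password is reset.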
Administrative Privilege Overproliferation
The study documents widespread overuse of special authorities, with systems averaging 241 users holding *ALLOBJ, which grants unrestricted access to every object on the system and is effectively full administrative control. Holders of *JOBCTL (job control) have increased dramatically to 849 users per system (up from 442 in 2023), and *IOSYSCFG rose to concerning levels; *IOSYSCFG is the authority that allows configuring communications and TCP/IP and creating NetServer file shares, so it bears directly on the share exposure discussed in the next section. Year-over-year analysis shows the percentage of users with *ALLOBJ has fluctuated significantly, with 2021-2022 showing major spikes before improvement in 2023, though 2024 saw a slight uptick. The data reveals that most users do not require special authorities for their daily application work; note that special authorities are also inherited from group profiles, so a count that looks only at the user's own profile understates the exposure. Authority collection tools, including IBM i's built-in STRAUTCOL, record which objects a profile actually touches and which authority each access needed, giving the precise object-level permissions required to implement a least-privilege model. The study recommends temporary privilege elevation for specific tasks rather than permanent administrative rights, particularly as cyber insurance policies increasingly mandate stricter controls on administrative access and multi-factor authentication for privileged users.
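The queries below are an added example, not from the study or from Fortra's tooling: they count special authorities the way a least-privilege review needs them, including *ALLOBJ reaching a user through a primary group profile, and then use authority collection to find what one profile actually needs. APPUSER is a hypothetical profile name; the STRAUTCOL parameters shown are the broad-collection settings and should be confirmed by prompting the command, and the QSYS2.AUTHORITY_COLLECTION column names are assumed from the IBM i 7.3+ documentation.

```sql
-- Added example (not from the Fortra study). Assumes IBM i 7.3+ SQL services.

-- 1. Enabled profiles holding each special authority directly.
--    SPECIAL_AUTHORITIES is a space-separated list such as '*ALLOBJ *SECADM',
--    so one LIKE test per authority is enough.
WITH AUTHORITIES (AUTHORITY) AS (
  VALUES ('*ALLOBJ'), ('*SECADM'), ('*JOBCTL'), ('*IOSYSCFG'),
         ('*SPLCTL'), ('*SERVICE'), ('*AUDIT'), ('*SAVSYS')
)
SELECT a.AUTHORITY, COUNT(*) AS ENABLED_PROFILES
  FROM AUTHORITIES a
  JOIN QSYS2.USER_INFO u
    ON u.SPECIAL_AUTHORITIES LIKE '%' CONCAT a.AUTHORITY CONCAT '%'
 WHERE u.STATUS = '*ENABLED'
 GROUP BY a.AUTHORITY
 ORDER BY ENABLED_PROFILES DESC;

-- 2. *ALLOBJ held directly OR inherited from the primary group profile. A scan that
--    only reads the user's own profile misses the second case entirely.
--    (Supplemental groups in SUPPLEMENTAL_GROUP_LIST confer authority the same way;
--    extend the join if your shop uses them.)
SELECT u.AUTHORIZATION_NAME,
       CASE WHEN u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%' THEN 'DIRECT'
            ELSE 'VIA GROUP ' CONCAT u.GROUP_PROFILE_NAME END AS ALLOBJ_SOURCE
  FROM QSYS2.USER_INFO u
  LEFT JOIN QSYS2.USER_INFO g
    ON g.AUTHORIZATION_NAME = u.GROUP_PROFILE_NAME
 WHERE u.STATUS = '*ENABLED'
   AND (u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
        OR g.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%')
 ORDER BY ALLOBJ_SOURCE, u.AUTHORIZATION_NAME;

-- 3. What does one profile really need? Start authority collection from CL, let the
--    user run a full business cycle (month-end included), then query the results.
--    APPUSER is a hypothetical profile; prompt STRAUTCOL (F4) to confirm parameters.
--      STRAUTCOL USRPRF(APPUSER) LIBINF((*ALL)) DLOINF(*ALL) FSINF(*ALL)
--      ... after the collection period ...
--      ENDAUTCOL USRPRF(APPUSER)
SELECT DISTINCT SYSTEM_OBJECT_SCHEMA, SYSTEM_OBJECT_NAME, SYSTEM_OBJECT_TYPE,
       REQUIRED_AUTHORITY, AUTHORITY_SOURCE
  FROM QSYS2.AUTHORITY_COLLECTION
 WHERE AUTHORIZATION_NAME = 'APPUSER'
 ORDER BY SYSTEM_OBJECT_SCHEMA, SYSTEM_OBJECT_NAME;
-- Grant exactly REQUIRED_AUTHORITY on each listed object (GRTOBJAUT, or via an
-- authorization list), verify the application still runs, then remove the blanket
-- authority:  CHGUSRPRF USRPRF(APPUSER) SPCAUT(*NONE)
```

The practical order is 3 then 2 then 1: fix the profiles whose collection shows no real need, re-run the counts, and keep the remaining *ALLOBJ holders behind a time-limited elevation process rather than a permanent grant.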
Network Security and Ransomware Exposure
Exit program deployment remains inadequate: only 7% of systems register exit programs on all of the TCP/IP server exit points (up from 3% in 2023). The gap matters because FTP, ODBC/JDBC, the file server and similar services reach data directly, outside the menu- and application-level controls many shops rely on, so only object authority, which is permissive on most systems, and exit programs stand between a network client and the database. The study highlights the critical threat of ransomware to IBM i environments, particularly through network (NetServer) shares. A share on the root directory exposes the entire IFS, including QSYS.LIB, to encryption or deletion by ransomware running on an infected Windows client that has the share mapped. Real-world production incidents documented by Fortra include half a million files encrypted by ransomware on an IBM i system. The study emphasizes that high availability solutions replicate the encrypted or deleted files to the target just as they replicate any other change, so they offer no protection against ransomware, and that native IBM i objects, while immune to infection by Windows malware, are not immune to deletion or damage through a writable share. Organizations must eliminate root shares, make the remaining shares read-only where possible, deploy a native antivirus with a scan engine on the IBM i itself, and use exit programs to control what each network client is allowed to do.
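The two queries below are an added example, not from the study or from Fortra's scan, showing how to find the share and exit-point exposures this section describes with the Db2 for i SQL services. They assume IBM i 7.3 or later (QSYS2.SERVER_SHARE_INFO, QSYS2.EXIT_PROGRAM_INFO); the list of exit points is the common set of TCP/IP server exit points and is an assumption, not necessarily the exact set the study counts.

```sql
-- Added example (not from the Fortra study). Assumes IBM i 7.3+ SQL services.

-- 1. NetServer file shares that expose the root (and therefore QSYS.LIB) or are
--    writable. Anything a mapped Windows client can write to, ransomware can encrypt.
SELECT SERVER_SHARE_NAME, PATH_NAME, PERMISSIONS
  FROM QSYS2.SERVER_SHARE_INFO
 WHERE SHARE_TYPE = 'FILE'
   AND (PATH_NAME = '/'
        OR PATH_NAME LIKE '/QSYS.LIB%'
        OR PERMISSIONS = 'READ/WRITE')
 ORDER BY CASE WHEN PATH_NAME = '/'               THEN 0
               WHEN PATH_NAME LIKE '/QSYS.LIB%'   THEN 1
               ELSE 2 END,
          PATH_NAME;
-- Remediation: remove root and QSYS.LIB shares outright; change every remaining
-- share to READ ONLY unless a documented process must write to that path, and
-- limit the share to the specific subdirectory that process uses.

-- 2. Exit-point coverage for the TCP/IP servers. A row with PROGRAMS = 0 is a server
--    that lets any profile with a valid password do whatever object authority allows.
WITH NETWORK_EXIT_POINTS (EXIT_POINT_NAME, SERVER) AS (
  VALUES ('QIBM_QTMF_SERVER_REQ', 'FTP server request'),
         ('QIBM_QTMF_SVR_LOGON',  'FTP server logon'),
         ('QIBM_QZDA_INIT',       'Database server (ODBC/JDBC) initialization'),
         ('QIBM_QZDA_SQL2',       'Database server SQL requests'),
         ('QIBM_QZDA_NDB1',       'Database server native DB requests'),
         ('QIBM_QZDA_ROI1',       'Database server object information'),
         ('QIBM_QPWFS_FILE_SERV', 'File server (IFS)'),
         ('QIBM_QZRC_RMT',        'Remote command / program call'),
         ('QIBM_QZSO_SIGNONSRV',  'Sign-on server'),
         ('QIBM_QZHQ_DATA_QUEUE', 'Data queue server'),
         ('QIBM_QNPS_ENTRY',      'Network print server')
)
SELECT n.EXIT_POINT_NAME, n.SERVER,
       COUNT(p.EXIT_PROGRAM) AS PROGRAMS,
       MIN(p.EXIT_PROGRAM_LIBRARY CONCAT '/' CONCAT p.EXIT_PROGRAM) AS EXAMPLE_PROGRAM
  FROM NETWORK_EXIT_POINTS n
  LEFT JOIN QSYS2.EXIT_PROGRAM_INFO p
    ON p.EXIT_POINT_NAME = n.EXIT_POINT_NAME
 GROUP BY n.EXIT_POINT_NAME, n.SERVER
 ORDER BY PROGRAMS, n.EXIT_POINT_NAME;
-- Exit programs are registered with ADDEXITPGM (or interactively via WRKREGINF).
-- Telnet (QIBM_QTG_DEVINIT) and DDM/DRDA (the DDMACC network attribute) are
-- controlled separately and should be on the same checklist.
```

Run the share query first: it is the quicker fix, and a root share nullifies most of what the exit programs achieve, since a mapped drive goes through the file server rather than FTP or ODBC.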