PowerTech System i Security Study Reveals Internal Weaknesses

Article ID: 54402

The PowerTech Group reports in its newly released fourth annual security review, "The State of System i Security 2007," that while the overall security of the System i is very good, "the security of machines in the field is often both poorly managed and poorly configured by the organizations that use it." The security company based its study on nearly 200 system audits conducted by PowerTech during the last year.

One of the biggest weaknesses in System i-related security is internal, PowerTech reports, and analyst firm Forrester estimates that 70 percent of all database breaches are indeed internal. Overall, the report's results show that virtually every system user has access to data far beyond his or her demonstrated need.

"The computing and networking demands of today's enterprises require more open connectivity and targeted sharing of data between departments and key business partners," notes PowerTech's Chief Technology Officer John Earl. "But many OS/400 shops have yet to embrace the new security technologies that are available in IBM's architecture and through third-party security applications, leaving their critical data exposed."

As good as the operating system is at protecting data assets, any system is only as strong as the policies and practices deployed to keep it safe. Given the extent and cost to companies of data-security breaches, and the ease with which the System i platform can be secured, PowerTech says it continues to be surprised by the study results.

Here are a few key findings:

• 76 percent of systems don't control or audit changes to data made through PC access applications such as MS Excel and MS Access, creating uncontrolled network access.
• 10 percent of all users have privileged access (root-level access) authority.
• Confidential reports can be viewed by 20 percent of all users.
• Half of all systems have more than 20 users with default passwords (Password = User name) that can be easily determined by any attacker.

"Organizations that utilize OS/400 architecture should not be complacent about the security of this system," Earl says. "These statistics make clear that critical data stored on the System i is as, or even more, vulnerable than data stored elsewhere in the enterprise."

To download a free copy of the report, check out http://www.powertech.com.

Editor's Note: The headline was adjusted shortly after publication for clarity.
