
Data Privacy - Encryption on i5/OS

Copyright 2006 – The PowerTech Group, Inc.

Extending iSeries Security

PowerTech Confidential © 2006 PowerTech Group, Inc. All rights reserved.

John Earl, Chief Technology Officer

The PowerTech Group, www.powertech.com

john.earl@powertech.com

Data Privacy: Encryption on i5/OS

2006 Copyright The PowerTech Group, Inc. All rights reserved PowerTech Confidential www.powertech.com

Five encryption essentials

•Not all Encryption is the same

•Key Management

•It’s not just about the iSeries

•What about High Availability?

•There is no magic bullet


Not all Encryption is the same

•AES, DES, triple DES, PGP, RC2, RC4, twofish, blowfish, etc.

•NIST, PCI, and the Federal Government have chosen 256-bit AES as their standard

•AES in Counter (CTR) mode adds further protection for database fields

2006 Copyright The PowerTech Group, Inc. All rights reserved PowerTech Confidential www.powertech.com

Key Management

•Managing keys is as important as, or more important than, the encryption itself.

•If a key is “lost” or compromised, it’s like losing the master key to a building.

•Key management is critical to success

•PCI requires split keys


It’s not just about the iSeries

•Encrypted data is still shared with outside entities

•You need a common encryption and decryption protocol

•Your encryption method should take into consideration the requirements and capabilities of:

•Windows

•Mainframe

•UNIX, Linux, AIX, etc.

•Point of Sale

•Etc.


What about High Availability?

•If you use High Availability, you have additional encryption concerns

•Software is better than hardware

•Easier to duplicate

•Fewer hassles with DR sites

•Key management must take HA system into account


There is no Magic Bullet

•Encryption takes time

•Database encryption will require application changes

•Keyed files may not work anymore

•Select/Omit has the same issue

•You may not be able to search on encrypted fields anymore


What is Encryption?

•Encryption is Access Control.

•With a finer grain of control

•Encryption is Easy!

•Decrypting is where things get complicated

•More is not better

•Encryption costs time and money

•Encrypting unimportant fields can sometimes weaken security


Why Encryption?

•Data security is no longer optional.

•New regulations require that you secure your sensitive data to protect customers and employees.

•Your customers, employees, shareholders, management, and trading partners all expect that information will be secure


Why Encryption?

•Data encryption must meet or exceed the encryption requirements of PCI, California Privacy Notification, HIPAA, Sarbanes-Oxley, and other regulations.

•This can be done completely on the iSeries – No need for additional hardware

•Compliance audit trails should be generated when data is encrypted or decrypted.

•You will likely have to exchange data with non-iSeries platforms

•User access controls and system security audit trails are essential.


How do I begin?

•Don’t try to boil the ocean.

•Pick the most pressing need and create a successful implementation.

•Use a staged deployment model

•Backup tapes first

•Then PCI compliance data

•Then Employee data

•Then etc.


Use an Industry Standard Encryption algorithm.

•There are proven secure encryption standards

•Standard algorithms are mathematically proven to be secure; your own “secret” obfuscation based on your daughter’s birth date is proven not to be.

•Standard algorithms can be used to interchange data with other companies, and other platforms.

•Your goal is to be able to encrypt anywhere and decrypt anywhere… with the correct key!


Encryption Focus Areas

•Field level encryption: APIs to encrypt and decrypt fields.

•Key management: must be able to securely create and store keys.

•Tape encryption: protects your backup and archival tapes.

•Spool file encryption: securely store and retrieve reports on-line.

•Data in transit: how do you share data?


Encryption Focus Areas

•Cross-platform field and file encryption: securely exchange data with iSeries, Windows, Linux, UNIX and zSeries mainframe.

•Compliance audit reports: identify use of sensitive information by user, terminal, date, time, etc.

•Security notification: alerts for potential security failures via messages, iSeries security log, etc.

•User management: restrict access on a need-to-use basis.


Field Level Encryption

Encryption APIs are easy to use in RPG and Cobol, and require only a few lines of code:

Callb(d) 'AESCrypt'

Parm KeyName

Parm InputData

Parm InputLen

Parm UniqueID

Parm OutputData

Parm ReplyCode


Field Level Encryption

•Can be done without changing field size.

•Usually done through a bindable service program for ILE, or a callable API for OPM.

•Use APIs with RPG, Cobol, CL and any other iSeries language.

•Encrypt Externally described (DDS) fields, internally described (Sys/36) fields, and SQL columns.

•Log activity to provide access control auditing.


Field Level Encryption

Technical specifications:

• Use 256-bit AES encryption (FIPS-197).

• Use AES Counter (CTR) mode for database security.

• Should perform key validation on encrypt/decrypt.
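As an added illustration (not PowerTech's code, whose API is called from RPG/Cobol), this Go program shows the behaviour the field-level slides specify: a call with the same parameter shape as AESCrypt (key name, input, unique ID, output, reply code), AES-256 in CTR mode so the field keeps its size, a key check value validated on every call, and an audit record that names the user and field but never the value. KeyRecord, AuditRecord and the use of the Go standard-library cipher are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"time"
)

// AuditRecord: who touched which field under which key, and the outcome; the value itself is never logged.
type AuditRecord struct {
	When                 time.Time
	User, Op, Key, Field string
	Reply                int // 0 = ok, 1 = key validation failed
}
var auditLog []AuditRecord

// KeyRecord is a stored AES-256 key plus the check value computed when it was created.
type KeyRecord struct{ Name string; Key []byte; KCV [3]byte }

// keyCheckValue: AES-encrypt a zero block, keep 3 bytes; proves the right key is loaded without exposing it.
func keyCheckValue(key []byte) (kcv [3]byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return
	}
	var zero, out [aes.BlockSize]byte
	block.Encrypt(out[:], zero[:])
	copy(kcv[:], out[:3])
	return kcv, nil
}

// aesCrypt mirrors the parameter list of the slide's AESCrypt call. CTR is a stream mode,
// so output length equals input length and the field keeps its size; the same call decrypts.
// uniqueID (e.g. the record key) is the counter nonce and must never repeat under one key.
func aesCrypt(user, op string, k KeyRecord, input []byte, uniqueID uint64, field string) ([]byte, int) {
	rec := AuditRecord{When: time.Now(), User: user, Op: op, Key: k.Name, Field: field}
	defer func() { auditLog = append(auditLog, rec) }()
	kcv, err := keyCheckValue(k.Key)
	if len(k.Key) != 32 || err != nil || kcv != k.KCV { // validate the 256-bit key on every call
		rec.Reply = 1
		return nil, 1
	}
	block, _ := aes.NewCipher(k.Key)
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv, uniqueID) // nonce in the high 8 bytes, block counter in the low 8
	out := make([]byte, len(input))
	cipher.NewCTR(block, iv).XORKeyStream(out, input)
	return out, 0
}
```

Because a different unique ID gives a different ciphertext for the same value, a keyed file or SELECT on the encrypted column no longer matches on equality, which is the application change the "no magic bullet" slide warns about.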


Key management

•Determine how to generate keys

•Pass Phrase (PBE)

•Random number generation (RNG)

•Diffie-Hellman key generation.

•Split key creation for PCI compliance.

•Ensure that you are securely storing AES symmetric keys.

•Consider the impact on HA solutions such as MIMIX, Vision, iTera, etc.

•Always back up keys when they change.
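An added example (not part of the deck) of the split-key creation the slides call for under PCI and of the HA point above: each custodian's component comes from the system RNG, the working key is the XOR of all components and exists only while assembled, and a non-secret fingerprint lets you confirm that an HA or DR system holds the same key before relying on it. The custodian names, the XOR split and the fingerprint scheme are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// KeyComponent is one custodian's share of a split AES-256 key; it is stored and backed
// up on its own, and is useless without every other component.
type KeyComponent struct {
	Custodian string
	Share     [32]byte
}

// newSplitKey draws n independent random components. The working key is the XOR of all
// of them, so no custodian, and no subset short of all n, learns anything about it.
func newSplitKey(custodians []string) ([]KeyComponent, error) {
	if len(custodians) < 2 {
		return nil, errors.New("split knowledge needs at least two custodians")
	}
	parts := make([]KeyComponent, len(custodians))
	for i, c := range custodians {
		parts[i].Custodian = c
		if _, err := rand.Read(parts[i].Share[:]); err != nil {
			return nil, err
		}
	}
	return parts, nil
}

// assembleKey XORs the components together. Call it only inside the system that will use
// the key, and never store the result: the components are what gets backed up.
func assembleKey(parts []KeyComponent) [32]byte {
	var key [32]byte
	for _, p := range parts {
		for i := range key {
			key[i] ^= p.Share[i]
		}
	}
	return key
}

// fingerprint is a non-secret identifier derived from the key (a truncated hash, not the
// key), used to confirm the HA or DR system holds the same key before relying on it.
func fingerprint(key [32]byte) string {
	sum := sha256.Sum256(key[:])
	return hex.EncodeToString(sum[:8])
}
```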


Tape encryption

•What are your Tape backup requirements?

• Encrypt save file directly to tape.

• Encrypt save file to library.

• Encrypt IFS file for save to tape.

• Restore directly from tape to save file with decryption.

•Exchange data with other iSeries

•Exchange data with non-iSeries systems


Spooled file encryption

•Automatically capture and encrypt any spool file report.

•Select report by name, user, spool file data, etc.

•Define access lists to control user retrieval and re-print.

•On-line storage of encrypted reports for quick access.

•Capture immediately or on scheduled basis.


Data in Transit

•Requires lots of coordination with your trading partner

•Who is authorized to interface with the partner?

•For setup and configuration

•For daily operations

•Make sure your iSeries encryption method is shared with your partner

•Determine how key management will be handled

•What happens when you must change keys?

•Agree on a transport method.

•How secure is the data once it reaches your trading partner?


Cross-platform encryption

•Encrypted data must still be shared

•Your goal should be: encrypt on any platform, decrypt on any platform.

•Choose an encryption method that can be shared with other platforms:

•Windows, Linux, Solaris, HP-UX, AIX, zSeries?

•Consider the impacts of:

•Field level encryption

•Whole file encryption and decryption.


Compliance audit reports

•Once you have secured the data, can you report on access?

•Produce a report on all activity for a user.

•Report all access to specified information such as a credit card number.

•Audit reports should not expose sensitive data.

•Report access to user-specified files and fields.


Security notification

•Notify on attempts to breach security

•Notify on any action where access is denied.

•Log messages to internal and external sources

•Log events in a secure OS/400 journal (QAUDJRN)

•Regularly report on anomalies


User management

•Determine who will manage user access to encryption functions.

•Grant users authority to use only those applications they need.

•Don’t forget to secure sensitive data in spooled files

•Anyone with *ALLOBJ has the potential to compromise the encryption system


Questions?

Any Questions?