Streamlining Data Encryption While Maintaining IBM i Availability
Bill Hammond | Director, Product Marketing
Bill Peedle | Principal Sales Engineer
Today’s Topics
• Benefits of encryption
• Challenges of encryption
• Comparing encryption strategies
• Field-level encryption on IBM i
• Encrypt While Active option
• Q & A
What is Encryption?
• Data encryption is the process of converting data into a format that is unreadable, known as ciphertext, to protect sensitive information from unauthorized access.
• This is accomplished using an encryption algorithm and a key.
• The encryption algorithm is a mathematical formula that scrambles the data, while the key is a secret value that is used to decrypt the data.
Why use encryption at all?
• Data Protection
  • Confidentiality: Prevents unauthorized access to sensitive information
  • Integrity: Ensures that data remains unaltered and accurate, at rest and in motion
  • Availability: Protects data from being held hostage through ransomware attacks
• Compliance and Regulatory Adherence
  • Industry Standards: Many industries have strict data protection regulations (HIPAA, GDPR, CCPA) that mandate encryption
  • Risk Mitigation: Demonstrates commitment to data security and reduces the risk of legal and financial penalties
• Brand Reputation and Customer Trust
  • Data Breach Prevention: Breaches can damage a company's reputation and lead to customer loss
  • Customer Confidence: Builds trust by demonstrating a strong commitment to data security
• Competitive Advantage
  • Intellectual Property Protection: Safeguards valuable innovations and trade secrets
  • Secure Business Operations: Enables secure collaboration and information sharing
Protect your stored data with AES Encryption
• The encryption methods recognized by the National Institute of Standards and Technology (NIST) ensure that your data is protected to the highest standards.
• The US government and agencies have accepted the Advanced Encryption Standard (AES) as a format standard for encrypting data in databases.
• For PCI-DSS, HIPAA, and specific government privacy rules, AES is the preferred encryption method.
• Use the Advanced Encryption Standard (AES-256)
What is a key management server?
When encrypting fields in a file, an encryption key is required.
• Many customers use an external key manager to store and manage the master key as well as the encryption keys for the individual fields.
• They may already have an external key manager for other platforms and can leverage that server for the IBM i encryption as well.
• Examples of external key servers are Thales CipherTrust and Alliance Key Manager. There are others as well.
• For those who do not want to support an external key manager on a Windows or Linux server, a local key store can be used on the IBM i to store and manage the keys. Third-party encryption tools typically include a local key store for this use case.
Protect your encryption keys and data by keeping them separate
If you keep your encrypted data and keys in the same place, it’s like placing your house key beneath the mat.
Security best practices require you to store encryption keys separately from your encrypted data and manage them with an encryption key manager.
Encryption Challenges and Best Practices
Encryption Challenges and Best Practices

Key management
• Lifecycle management
  • Generation
  • Distribution
  • Usage
  • Rotation
  • Revocation
  • Destruction
• Compliance
• Human error

Performance
• Processing power
• Encryption/decryption overhead
• Hardware acceleration
• Network latency
• Storage
• Application

Security and usability
• Algorithm selection
• Quantum computing
• User experience
• Compatibility
• Access management

Key length and strength
• Length
  • Longer keys yield stronger encryption
  • Balancing security and performance
• Strength
  • Robust algorithm
  • Effective key management strategies
• Additional considerations
  • Threats
  • Compliance
  • Future computing power

Implementing encryption
• Technical challenges
  • Performance
  • Integration
  • Algorithm selection
  • Data recovery
• Organizational challenges
  • Cost
  • Human error
  • Industry-specific regulations
  • User acceptance
  • Balancing security and usability
Implementing encryption has its challenges

EXCLUSIVE LOCKS
• IBM i Field Procedures (FieldProc) need an exclusive lock on file data to add/remove an encryption program and to encrypt/decrypt a column

SMALL WINDOW
• Your maintenance window may be too small to encrypt/decrypt all files during the allotted time

APPLICATION RISK
• Encryption processing changes every record within a file, increasing risk to applications
Comparing encryption strategies
What is disk level encryption?
• On the IBM i, full disk encryption allows you to encrypt data that is stored in basic disk pools and independent disk pools
• Full disk encryption protects data from several different threats:
  • Protects data transmission to and from the disk drive (important in a SAN environment)
  • Protects data transmission in the cross-site mirroring environment (only when the data being mirrored is on an encrypted independent disk pool)
  • Protects data in the case of theft of the disk drive
What is field level encryption?
• Field procedures can provide field level (or column level) encryption on DB2 for IBM i
• A field procedure is a user-written exit routine to transform values in a single column
• When values in the column are changed, or new values inserted, the field procedure is invoked for each value
• The field procedure can transform (encode) values in any way
• The encoded value is then stored
• When values are retrieved from the column, the field procedure is invoked for each encoded value
• The field procedure decodes each value back to the original value
• Any indexes defined on a column that uses a field procedure are built with encoded values
• The fields are encrypted at rest and will be decrypted when a database operation is performed against the file that has the field in it
• Fields can be “masked” based on specific users or groups
What is field level masking?
Individual fields can be “masked” in addition to being encrypted
• This is one of the big benefits of field level masking versus disk level encryption.
• For example, a Social Security Number (SSN) field can be masked so that:
  • Only certain users or groups can see the fully unmasked SSN data
  • Other users or groups can be masked to see only the last four digits of the field
  • Other users will see a fully masked SSN

Let’s use the Social Security Number 123456789 as an example
• For users that need to see the full SSN, such as a payroll administrator, the field is encrypted but gets decrypted on the fly and they can see the full number
• For other users, you may decide that they should not see the full SSN, so in that case you can mask the first 5 digits, so the SSN would look like this: XXXXX6789
• You can mask the entire field for certain people or groups if appropriate, so the SSN would look like this: XXXXXXXXX
Field level masking
• If the field in question is a numeric field, the mask will be the number 9. However, if the field in question is a character field, you can choose the character that you want to use for the mask.
• For example, if you want to mask a credit card number that happens to be a character field, you can choose “X” or whatever other character you want to use for the mask.
• Let’s use the credit card number 1234567890123456 as an example. If we decide to mask everything but the last 4 digits (or characters in this case), it looks like this: XXXXXXXXXXXX3456
• If you decide to mask the entire field, it looks like this: XXXXXXXXXXXXXXXX
Field-level encryption on IBM i
What does field level encryption look like on the IBM i?
The best way to see that the field or fields are encrypted on the IBM i is by leveraging the DSPFFD command. Below is an example of a social security number that is not encrypted:
[DSPFFD output shown on the slide is not captured in this text.]
What does field level encryption look like on the IBM i?
After encrypting a field with field level encryption, you will notice new attributes on the field called “Field Procedure Name” and “Field Procedure Library”. Below is an example of a social security number that is encrypted via a field procedure.
[DSPFFD output shown on the slide is not captured in this text.]
How do I encrypt sensitive fields in a file? Working with Field Procedures
• Field procedures are part of the IBM i OS. They can be used for other purposes but are primarily used for encryption and masking.
• A field procedure is a procedure that can be written by hand and attached to the field; however, that can be a large undertaking.
• The best way to encrypt and decrypt fields with field procedures is to use a third-party interface that will develop the code for you, attach it to the field in question, and help you to manage and track which fields are encrypted or decrypted and to set up the masking rules.
Implications for field level encryption
Once you have decided on a tool to develop and manage field level encryption on your IBM i, there are some technical considerations:
• While encrypting or decrypting a file, the IBM i requires an exclusive lock on the file until the encryption or decryption has completed. This means users need to be out of the file until the operation has completed.
• For smaller files, this may not be an issue, as you may be able to lock the file for a short period of time. However, for larger files, this process can take several hours.
• In addition, many customers have requirements to “roll” the encryption keys periodically, which requires decryption and then re-encryption of the fields with a new key.
• For legacy RPG-ILE programs, if the encrypted field is an index or key on the file, the sort order will be based on the encrypted data instead of the actual values. There are technologies available on the market that can help overcome this situation.
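The behaviour described on the field level encryption, field level masking and implications slides, as an added example that is not code from this deck or from any Assure product: a field procedure encodes on write and decodes on read, each user group gets its own masking rule (the digit 9 for numeric fields, a chosen character for character fields), and any index over the column is built from the encoded bytes, which is why a keyed read no longer sorts by the clear values. The key, group names and masking policy are constructed, and the cipher is a stand-in (a 4-round HMAC-SHA256 Feistel network, chosen so the script runs on the standard library); a production field procedure uses AES-256 with keys from a key manager.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed key. A real field procedure fetches the field key from a key
# manager (external server or local key store), never from the data file.
FIELD_KEY = b"constructed-example-key-for-the-ssn-column"

# Constructed masking policy per user group: None = see the decrypted value,
# n = only the last n positions readable, 0 = fully masked.
MASK_POLICY: Dict[str, Optional[int]] = {"PAYROLL": None, "SUPPORT": 4, "*OTHER": 0}


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes, n: int) -> bytes:
    # Keyed round function: HMAC-SHA256 truncated to the other half's length.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:n]


def _feistel(data: bytes, key: bytes, rounds: List[int]) -> bytes:
    # Length-preserving unbalanced Feistel network. Each round XORs one half
    # with a keyed function of the other, untouched half, so running the same
    # rounds in reverse order undoes it. STAND-IN for the AES-256 a production
    # field procedure uses; it only keeps the example runnable on the stdlib.
    h = len(data) // 2
    left, right = data[:h], data[h:]
    for rnd in rounds:
        if rnd % 2 == 0:
            left = _xor(left, _round_fn(key, rnd, right, len(left)))
        else:
            right = _xor(right, _round_fn(key, rnd, left, len(right)))
    return left + right


def fieldproc_encode(value: str, key: bytes = FIELD_KEY) -> bytes:
    # Encode path: invoked for every insert/update. The result is what sits
    # on disk and what any index over the column is built from.
    return _feistel(value.encode("utf-8"), key, [0, 1, 2, 3])


def fieldproc_decode(stored: bytes, key: bytes = FIELD_KEY) -> str:
    # Decode path: invoked for every value read back from the column.
    return _feistel(stored, key, [3, 2, 1, 0]).decode("utf-8")


def mask(value: str, keep_tail: int, numeric: bool, mask_char: str = "X") -> str:
    # Numeric fields are masked with the digit 9 so they remain numeric;
    # character fields use whichever character the rule chooses (X by default).
    fill = "9" if numeric else mask_char
    hidden = max(len(value) - keep_tail, 0)
    return fill * hidden + value[hidden:]


def read_field(stored: bytes, group: str, numeric: bool = False,
               mask_char: str = "X") -> str:
    # What a user in `group` sees when the application reads the column:
    # decrypted on the fly, then masked according to the group's rule.
    plain = fieldproc_decode(stored)
    rule = MASK_POLICY.get(group, MASK_POLICY["*OTHER"])
    return plain if rule is None else mask(plain, rule, numeric, mask_char)


def keyed_read_order(values: List[str]) -> List[str]:
    # Order a legacy keyed read returns once the key field is encrypted: the
    # index is built over the encoded bytes, not over the clear values.
    return [fieldproc_decode(s) for s in sorted(fieldproc_encode(v) for v in values)]


if __name__ == "__main__":
    ssn = fieldproc_encode("123456789")
    print("stored bytes:", ssn.hex())
    for grp in ("PAYROLL", "SUPPORT", "GUEST"):
        print(f"{grp:8} sees SSN  {read_field(ssn, grp)}")
    card = fieldproc_encode("1234567890123456")
    print("SUPPORT  sees card", read_field(card, "SUPPORT"))
    ssns = [f"{n:09d}" for n in range(100000000, 100000010)]
    print("clear-key order: ", sorted(ssns))
    print("keyed-read order:", keyed_read_order(ssns))
```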
Minimizing the downtime required to encrypt/decrypt fields
• In order to avoid the downtime required to encrypt fields in larger files, there are technologies that allow you to “Encrypt while active”.
• This technology allows you to make an empty copy of the file (using CRTDUPOBJ) into a temporary library. Once the file is duplicated, it can be encrypted while it is empty.
• The “Encrypt while active” technology will then copy all the records from the production copy of the file into the temporary copy. As they are being copied in, the records are encrypted.
• This technology keeps the file in sync with ongoing changes, since the file is still being used by end users and applications.
Minimizing the downtime required to encrypt/decrypt fields (cont.)
• Once you have a maintenance window and have users out of the file, the process that keeps the file in sync is ended, the old copy of the file can be moved out of production, and the new encrypted version of the file can be moved into production.
• The file is moved into production using the MOVOBJ command, which simply updates the pointer to the location of the file from the temporary library to the production library. It does not perform a full copy of the data, so the process is very quick.
• The “Encrypt while active” technology can save many hours of downtime on initial encryption, and then also during the roll of the key, when the file needs to be decrypted and re-encrypted with a new key.
What can I do if I have legacy RPG-ILE programs that no longer sort correctly by an encrypted key field?
• There are technologies available to help with the sorting issues that may occur because of an encrypted key field in legacy RPG-ILE programs
• These technologies require access to your source code
• Handler software can be used to convert traditional record-oriented file access to SQL Query Engine (SQE) access
• Only one line of code is added to make this conversion
What can I do if I have legacy RPG-ILE programs that no longer sort correctly by an encrypted key field? (Continued)
• This is what the additional line of code would look like to handle the sorting issues in a legacy RPG-ILE program:
[The added line of code shown on the slide is not captured in this text.]
• The handler program converts record-oriented reads into SQL access, which corrects the sorting issues experienced by having an encrypted key in legacy RPG-ILE programs
Encrypt While Active
Introducing Encrypt While Active
Combines market-leading Assure technology to:
• Create a pre-production copy of your encrypted data
• Promote that file to production with only minutes of downtime
• Optionally compress the file being encrypted by removing deleted records

Based on Assure MIMIX and Assure Security products
• Assure MIMIX Enterprise for replication
• Assure MIMIX Promoter, a feature of MIMIX High Availability, for file promotion
• Assure Encryption, a component of Assure Security, for encryption

Combination of Software and Services
• Software to facilitate encryption without downtime and remove encryption risks
• Expert services to manage the process and ensure a successful outcome
Encrypt While Active Architecture

ENCRYPT WHILE ACTIVE STEPS
1. Install Assure MIMIX HA (includes Assure MIMIX Promoter) and Assure Encryption on both systems
2. Create TEMP and ARCHIVE libraries on the Source System
3. Create empty duplicate objects of the files being encrypted in the TEMP library, together with all logical files and any physical files joined by a join logical file (if any exist)
4. Configure Assure MIMIX HA for replication to the Target System and use Assure MIMIX Promoter for moving PROD (the future encrypted production files) to the TEMP library
5. Configure Assure Encryption for the fields being encrypted and start encryption on the TEMP files, which are empty. This is very fast.

[Architecture diagram: Source System and Target System, each with PROD, TEMP and ARCHIVE libraries and each running Assure MIMIX HA (includes Assure MIMIX Promoter) and Assure Encryption; replication from each source library to the target; steps a to d marked on the Source System.]
Encrypt While Active Architecture

ENCRYPT WHILE ACTIVE STEPS (continued)
6. Start the Copy While Active (CPYACTF) process with the Remove Deleted Records option, if desired (a). Assure MIMIX Promoter will copy all the records from PROD to TEMP and then wait for additional changes to the PROD files. CPYACTF will encrypt the fields as they are copied into the TEMP file and keep the files in sync until you are ready to cut over (b).
7. At cutover, during an outage window, Assure MIMIX Promoter is ended. PROD files are moved to the ARCHIVE library (c) and the encrypted files in the TEMP library are moved to the PROD library (d).
8. Encrypted field definitions are modified to the PROD library for all files moved from the TEMP library to the PROD library.
9. Assure MIMIX HA replication is in place. In the event of disk failure or disaster, copies are available on the Target System. An Assure MIMIX HA system does not need to be in place for this solution, but it is a good idea.

[Same architecture diagram as on the previous slide, with steps a to d marked on the Source System.]
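The Encrypt While Active sequence above, as an added simulation that is not the deck's or Assure's code: the duplicate file gets the field procedure while it is still empty, every live record is copied and encoded, changes that arrive during the copy are replayed from a journal so the two files stay in sync, and cutover is a pointer swap that archives the old file and promotes the encrypted one. The record layout, the library names, the journal and the `shift5_standin` transform (a placeholder, not encryption) are constructed; in the real process the copy and the promotion are done by CPYACTF and Assure MIMIX Promoter.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Record = Dict[str, str]
FieldProc = Callable[[str], str]
Journal = List[Tuple[str, int, Optional[Record]]]  # (op, key, record), arrival order
ENCRYPTED_COLUMNS = ("SSN",)  # constructed: the columns that get a field procedure


def shift5_standin(value: str) -> str:
    # PLACEHOLDER for the field procedure's encode/decode (it is its own inverse).
    # Not encryption: the real field procedure applies AES-256 here.
    return "".join(str((int(d) + 5) % 10) for d in value)


@dataclass
class PhysicalFile:
    # Records keyed by customer number. A deleted record leaves an occupied
    # empty slot (None) until the file is reorganised, as on IBM i.
    fieldproc: Optional[FieldProc] = None
    rows: Dict[int, Optional[Record]] = field(default_factory=dict)

    def write(self, key: int, rec: Record) -> None:
        # With a field procedure attached, protected columns are encoded on write.
        fp = self.fieldproc or (lambda v: v)
        self.rows[key] = {c: fp(v) if c in ENCRYPTED_COLUMNS else v for c, v in rec.items()}

    def delete(self, key: int) -> None:
        self.rows[key] = None


def copy_while_active(prod: PhysicalFile, journal: Journal, temp: PhysicalFile,
                      remove_deleted: bool) -> int:
    # Bulk copy of PROD into the empty TEMP file; TEMP's field procedure encodes the
    # protected columns as records land. Returns the journal position at the start.
    start = len(journal)
    for key, rec in prod.rows.items():
        if rec is not None:
            temp.write(key, rec)
        elif not remove_deleted:   # "Remove Deleted Records" option not chosen
            temp.delete(key)
    return start


def catch_up(journal: Journal, temp: PhysicalFile, position: int) -> int:
    # Replay PROD changes made since `position`. Writes are keyed, so a change the
    # bulk copy already picked up is harmlessly applied a second time.
    for op, key, rec in journal[position:]:
        if op == "DELETE":
            temp.delete(key)
        else:
            temp.write(key, rec)
    return len(journal)


def cutover(libraries: Dict[str, Optional[PhysicalFile]], temp: PhysicalFile) -> None:
    # MOVOBJ-style promotion inside the outage window: only library pointers change
    # (PROD -> ARCHIVE, TEMP -> PROD); no record is copied.
    libraries["ARCHIVE"] = libraries["PROD"]
    libraries["PROD"] = temp


def decoded_live(pf: PhysicalFile, decode: FieldProc) -> Dict[int, Record]:
    # Clear view of the live records, the way an application reads them.
    return {k: {c: decode(v) if c in ENCRYPTED_COLUMNS else v for c, v in r.items()}
            for k, r in pf.rows.items() if r is not None}


def run_demo(fieldproc: FieldProc, remove_deleted: bool = True) -> Dict[str, Optional[PhysicalFile]]:
    # Constructed PROD with three customers, one of them already deleted.
    prod, journal = PhysicalFile(), []
    libraries: Dict[str, Optional[PhysicalFile]] = {"PROD": prod, "ARCHIVE": None}

    def app_write(key: int, rec: Record) -> None:   # application I/O is journaled
        prod.write(key, rec)
        journal.append(("UPDATE", key, rec))

    def app_delete(key: int) -> None:
        prod.delete(key)
        journal.append(("DELETE", key, None))

    app_write(1, {"NAME": "Ann", "SSN": "123456789"})
    app_write(2, {"NAME": "Bob", "SSN": "987654321"})
    app_write(3, {"NAME": "Cy", "SSN": "555555555"})
    app_delete(3)
    temp = PhysicalFile(fieldproc=fieldproc)  # CRTDUPOBJ DATA(*NO); FieldProc attached while empty
    pos = copy_while_active(prod, journal, temp, remove_deleted)
    app_write(2, {"NAME": "Bob", "SSN": "111223333"})  # users keep working during the copy
    app_write(4, {"NAME": "Dee", "SSN": "222334444"})
    app_delete(1)
    catch_up(journal, temp, pos)  # keep TEMP in sync until the maintenance window
    cutover(libraries, temp)
    return libraries
```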
Encrypt While Active is useful throughout the lifetime of your encryption project

INITIAL ENCRYPTION
• Adding encryption to fields/files not currently encrypted

REMOVING ENCRYPTION
• Removing encryption from fields/files currently encrypted

KEY ROTATION
• Cycling an encrypted file from one set of encryption keys to another (annually or on another regular interval to meet compliance requirements)
Benefits of Encrypt While Active
• Minimizes downtime for encryption operations
• Mitigates the risk of application failure after encryption
• Ensures HA/DR-readiness throughout the encryption process
As an added benefit, deleted records can be removed from the file during the encryption – a Compress While Active service
Questions?