Are you looking to protect personally identifiable information (PII), payment card information (PCI) or personal health information (PHI) from unauthorized access on your IBM i, but are worried about the complexity of implementing encryption? Put your fears to rest by learning how IBM i Field Procedures, introduced in V7R1, have greatly simplified encryption projects – often eliminating the need for application changes.
View this customer education webinar on-demand, led by Syncsort Product Management Director for Security Jeff Uehling and Townsend’s Founder & CEO Patrick Townsend to learn more about:
• IBM i encryption basics
• What FieldProc is and how it works
• How to easily encrypt and decrypt data without impacting existing application
• The challenges and practical considerations for FieldProc encryption
• The importance of encryption key management
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
IBM i Encryption Made Easy
1. IBM i Encryption
Made Easy
Jeff Uehling
Product Management Director, Syncsort
Patrick Townsend
Founder and CEO, Townsend Security
2. Today’s Presenters
2 | IBM i Encryption Made Easy
Jeff Uehling
Product Management Director, Syncsort
Patrick Townsend
Founder and CEO, Townsend Security
3. • IBM i encryption basics
• What FieldProc is and how it works
• How to easily encrypt and decrypt data without impacting existing applications
• Challenges and practical considerations for FieldProc encryption
• The importance of encryption key management to meet compliance requirements
• Introduction to encryption and key management from Syncsort and Townsend
Security
• Q&A
Agenda
3 | IBM i Encryption Made Easy
4. IBM i Encryption Algorithms
IBM i APIs exist to allow applications to encrypt data
• Included with the OS
• Key management integrated with the API design
(master keys and key store files)
Syncsort provides NIST-certified encryption support
• NIST-certified encryption algorithms in Alliance AES/400
• Key Management solution from Townsend Security, including
“off partition” support
4 | IBM i Encryption Made Easy
5. A data encryption key should be well protected or data
is exposed
• Key is used to encrypt data (SSN’s, credit card numbers, etc.)
It is recommended to encrypt the data key
with a key encrypting key (KEK)
• Used to encrypt data encryption keys
A Master Key can then be used to encrypt all KEKs
• A master key is used to encrypt KEKs or Data Encryption Keys
• Top level key, in the clear! If master key is compromised,
data is compromised.
• How do you securely store this master key?
Cryptographic Key Protection - Terminology
1 2 3KEK2
1 2 3
KEK1
Master
Clear Text
NOTE: Encryption Algorithms
are public knowledge.
Encryption keys must be kept
secret and protected.
5 | IBM i Encryption Made Easy
6. Crypto Key Management
IBM i has GUI & CL interfaces to manage master
keys & keystore files
• Included as part of the base OS
Syncsort provides “off partition” key management
via tight integration with the encryption products
with NIST-certified algorithm support
Off-partition encryption key management using
Townsend Security’s Alliance Key Manager
6 | IBM i Encryption Made Easy
7. Field Procedures
• Available beginning with IBM i V7R1
• Exit point technology
• Implemented on IBM System z in DB2 v9
• Implemented by customers or vendors
What is FIELDPROC and
How Does it Work?
7 | IBM i Encryption Made Easy
8. It’s an Application Software Project
• Identify all of the fields you want to encrypt
• Decide if triggers can work for you (partial solution)
• Identify all RPG or COBOL applications that must be changed
• Modify the applications
• Test, test, and test again
Encryption Before V7R1
8 | IBM i Encryption Made Easy
9. It’s a database change, not an application change
• Identify all of the fields you want to encrypt
• Install FIELDPROC exit point software
• Activate FIELDPROC protection
Encryption with FIELDPROC
9 | IBM i Encryption Made Easy
10. No database changes required with FIELDPROC
• No field type or size changes
• No problems with Zoned and Packed data
Few (if any!) application changes required
• Most applications can will run without changes
• There are a few caveats (covered later) that may require
minor application modifications
Your Encryption Project
Just Got a Whole Lot Easier!
10 | IBM i Encryption Made Easy
11. ORDMASTER
cardno
prodlib/exitpgm
How Does FIELDPROC Work?
11 | IBM i Encryption Made Easy
YOUR
FIELDPROC
APPLICATION
Like most exit points you must register your exit point program (uses SQL)
A SQL statement used to do this:
ALTER TABLE ordmaster
ALTER COLUMN cardno
SET FIELDPROC prodlib/exitpgm
CONSTANT ‘Unique-Value’
Now the DB will call your API program on every I/O operation
13. 13 | IBM i Encryption Made Easy
NO!
FIELDPROC works with files created with DDS. You don’t need to convert them to
SQL tables. There are some benefits to SQL conversion, but it is not required.
14. 14 | IBM i Encryption Made Easy
- Encryption
- AuditDatabase Table
YOUR
FIELDPROC
APPLICATION
FIELDPROC:
What It Is and Isn’t
What it does:
• Provides a column level exit for insert/read/update operations on a database
What it does not do:
• Does not provide encryption, audit, or key management software
• You have to provide software for the Exit (an executable program) to handle encrypt/decrypt
• FIELDPROC does not provide security controls – that’s up to you!
• Does not log actions for compliance
FIELDPROC
16. The new FIELDPROC exits expose new security challenges!
Once an exit point program is installed, it will be called
regardless of the user application. Common utilities such
as DBU, Display Physical File Member, Query, and FTP can
trigger automatic decryption of data.
You will need:
• User access controls
• Encryption key access controls
• Automatic masking of data by policy
• QAUDJRN logging of access
Security Concerns
16 | IBM i Encryption Made Easy
17. Everything you need to get FIELDPROC right
• Easy-to-use management interface
• Exit point software for encryption
• Key management (more later)
• User access controls by policy with Group Profile support
• Data masking
• Audit
• NIST-certified AES encryption
Alliance AES/400
and FIELDPROC
17 | IBM i Encryption Made Easy
18. • IBM i customers with legacy RPG applications can
now deploy automatic DB2 encryption over sensitive
data which are indexes
• Leverage OAR capabilities by replacing the legacy
RPG file I/O with modern SQL operations
• Sensitive indexes include social security numbers,
bank accounts, etc.
Major Step Forward
in FIELDPROC Encryption
18 | IBM i Encryption Made Easy
19. With Legacy RPG Encrypted
Indexes Often Do Not Work
19 | IBM i Encryption Made Easy
RPG Application
DB2
Legacy I/O Model (no SQL / SQE)
AES Encryption
Alliance Key Manager
SQL
20. Legacy RPG File I/O Model
• Does not implement SQL interface to DB2
• Record-oriented file access
• Translates I/O Operations (CHAIN, READE, etc.) to
Encrypted operations
• Does not resolve encrypted indexes to unencrypted
sort order
• I.e. no index scan
20 | IBM i Encryption Made Easy
21. Problem Symptoms with Legacy
RPG I/O and Encrypted Indexes
• Empty reports when sorted in a range
• Empty subfile displays
• Broken program logic with related tables/files
• Substring operations on encrypted indexes do not work
• Join logical files on encrypted indexes will not build
These issues are insurmountable for
many IBM i customers
21 | IBM i Encryption Made Easy
22. Any IBM i customer who indexes by sensitive data:
• Banks and credit unions
• Hospitals, HMOs, and other medical entities
• Insurance providers and brokers
(casualty, liability, PMI, auto, etc.)
• Brokerages and traders
• Pharmaceutical
• Retail
• Telecos
• And many others
Who is Most Affected by
the Encrypted Index Issue?
22 | IBM i Encryption Made Easy
23. With Open Access for RPG (OAR)
There Is A Way to Fix RPG!
23 | IBM i Encryption Made Easy
24. Open Access for RPG Enables:
• The replacement of the legacy RPG I/O engine
• You define a “Handler” to take over I/O operations
• A Handler is a program you write (*PGM or *SRVPGM)
• The Handler is passed the RPG operation
• READ, CHAIN, etc.
A Handler can do anything!
Think of a Handler as an Exit Point
for an RPG “F” specification
24 | IBM i Encryption Made Easy
25. OAR with SQL File Handler
to the Rescue
25 | IBM i Encryption Made Easy
RPG Application with OAR
SQE / DB2
SQL File Handler maps RPG I/O to SQL
AES Encryption
AKM Key Manager
26. + S Q L
O A R
• Translates RPG I/O Operations (CHAIN, READE, etc.) to SQL
• Implements SQL interface to DB2
• Encrypted indexes now work as expected
RESULT:
• Display files work properly
• Reports work as expected
• Sort order is correct
RPG with SQL OAR Handler
26 | IBM i Encryption Made Easy
27. Requires One Line of New Code
FMyFile UF E Disk
F Handler(‘SrvProgram(function)’)
RPG application code must be modified to add the OAR handler on a file extension specification,
and the program must be re-compiled.
Normal system testing should be performed to assure proper operation.
RPG OAR Implementation
27 | IBM i Encryption Made Easy
28. Data
Protected Data
Key
• AES is not a “secret”
• The key is the real “secret”• Key Management SP800-57
• Cryptographic Module Validation
• Program (CMVP)
• National Voluntary Laboratory
• Accreditation Program (NVLAP)
• FIPS-140
Key Management
Is Crucial for Compliance
28 | IBM i Encryption Made Easy
29. • Dual control
• Separation of duties
• Split knowledge
• Key rotation
• Separate keys from the data they protect
Key Management
for Compliance
29 | IBM i Encryption Made Easy
30. Key management is critically important to encryption
• Hackers don’t break encryption, they find the keys
• A good key management system will…
1. Control access to keys
2. Manage keys through the life cycle
3. Log access to keys
4. Back up keys
5. Roll keys
6. Expire keys, etc
FIELDPROC and Key Management?
30 | IBM i Encryption Made Easy
31. • Local key store (based on X9.24)
• External encryption key management
• Alliance Key Manager
• FIPS 140-2 compliant
• Available As: HSM, Cloud HSM, VMware, Cloud
The keys are the secret –
they must be protected and managed
Two Choices for Key Management
31 | IBM i Encryption Made Easy
32. Encryption will have an impact – how much?
• AES encryption libraries vary in performance
• Alliance AES/400 libraries are highly optimized
• 116x faster than native IBM i software library
• 50x faster than IBM Power8 on-chip AES
• Key management impacts performance
• Alliance Key Manager TLS + secure caching
Practical Issues –
Performance
32 | IBM i Encryption Made Easy
Example: IBM model 515
Power 5 single processor,
1 Gig storage, 2 disks,
3800 CPW, 1 Million records,
unique index: 16,000+ records
per second decryption
33. Sort sequence of encrypted indexes
• IBM indexes based on encrypted value, not decrypted value
• Index lookups based on encrypted value, not plaintext value
• Range bound reads, some RPG operation impacts
• SETLL followed by READE, etc.
Practical Issues –
Encrypted Indexes
33 | IBM i Encryption Made Easy
34. Incompatible with DDS-based join files on encrypted values
• Joined fields are a different type (Input only)
• Errors when re-creating join logical file after FIELDPROC active
• NOT a problem with native SQL joins
Practical Issues –
Join Logical Files
34 | IBM i Encryption Made Easy
35. IBM DB2 FIELDPROC SQL Server EKM
Oracle 10g/11g SharePoint
Tape, storage, etc.
Critical infrastructure for multiple platforms
• Centralized key management reduces security exposure
• One key vault for all OSs – IBM i, Windows, Linux, UNIX, IBM z, etc.
• One key vault for all platforms – Client, server, cloud, mobile, etc.
• One key vault for all applications:
Practical Issues –
Enterprise Key Management
35 | IBM i Encryption Made Easy
36. Making it easy
• Fully functional software – Internet download
• Local key management included
• Alliance Key Manager as VMware or Internet instance
• Free training, Quick Start guides, on-line help
Alliance Key Manager
Software Evaluations
36 | IBM i Encryption Made Easy
38. Data Privacy
Protecting the privacy of sensitive
data by ensuring that it cannot be
read by unauthorized persons
using encryption, tokenization
and secure file transfer
Access and Authentication
Control
Ensuring comprehensive control
of unauthorized access and the
ability to trace any activity,
suspicious or otherwise
Security & Compliance
Assessments
Assessing your security risks or
regulatory compliance
Auditing and Monitoring
Gaining visibility into all security
activity on your IBM i and
optionally feeding it to an
enterprise console
Syncsort Security
addresses the issues
on every CISO and
system admin’s
radar screen
38 | IBM i Encryption Made Easy
39. • Only NIST-validated AES encryption for the IBM i
• High performance encryption libraries
• Does not use slow IBM libraries like other competitors
• Better performance than Power8 on-chip encryption
• Encryption key management options
• Local key store
• FIPS 140-2 compliant Key Manager
• Built-in data masking based on user, group
• Built-in data access audit
• Extensive encryption APIs for RPG and COBOL
• Encryption commands for Save Files, IFS, and more
Why Choose Alliance AES/400?
39 | IBM i Encryption Made Easy
40. Compatibility
• Works with all major business and cloud platforms
• Integrates with all leading encryption applications
Compliant
• FIPS 140-2 compliant – the US Federal Information Processing Standard for
approving cryptographic solutions with both hardware and software components.
• OASIS KMIP (Key Management Interoperability Protocol) compliant
• Certified for PCI-DSS version 3 by Coalfire, a certified QSA auditor
Flexible Deployment Options
• VMware, Hardware Security Module (HSM) or cloud deployment (AWS, Microsoft
Azure) options for deploying Key Manager
Cost Effective
• Affordable for any size Enterprise
• No additional client-side license or usage fees.
Easy to Use
• Ready-to-use client software speeds deployment and reduces IT costs
Why Alliance Key Manager?
40 | IBM i Encryption Made Easy
41. Syncsort’s Security Solutions
Syncsort Security
Cilasoft
QJRN/400
QJRN Database & QJRN System
CONTROLER
EAM
RAMi
CENTRAL
Alliance
Alliance
AES/400
Townsend’s Alliance
Key Manager
Alliance Token
Manager
Alliance
FTP Manager
Alliance
LogAgent Suite
Alliance Two Factor
Authentication
Enforcive
Enterprise Security Suite
Security Risk Assessment
Cross-Platform Audit
Cross-Platform Compliance
Password Self-Service
AIX Security
Quick
Quick-CSi
Quick-Anonymizer
Syncsort’s Security
solutions have the breadth and
depth to meet your IBM i
compliance or security needs.
41 | IBM i Encryption Made Easy
42. Flexible services offerings for security
• Security risk assessment
• Quick start services
• Quick check services
• Security update services (installing hot fixes, PTFs, new releases, etc.)
• System update services (ensuring security solution is properly configured
after system changes to IP addresses, OS versions, etc.)
• Auditor assist (supporting internal or external auditors)
• Managed security services
• A la carte consulting
Leverage Syncsort’s team of seasoned security experts!
Global Professional Services
Add Value to Your Investment
42 | IBM i Encryption Made Easy