The continuous news of personal information stolen from major retailers and financial institutions has driven consumers and regulatory bodies to demand that more action be taken to ensure data protection and privacy. Regulations such as PCI DSS, HIPAA, GDPR, and FISMA require that personal data be protected against unauthorized access using technologies like encryption, tokenization, masking, secure file transfer and more.
With all the options available for securing IBM i data at rest and in motion, how do you know where to begin? View this webinar on-demand to get up to speed on the key concepts you need to know about assuring data privacy for your customers, business partners and employees. Topics include:
• Protecting data with encryption and the need for strong key management
• Use cases that are best for tokenization
• Options for permanently de-identifying data
• Securing data in motion across networks
Key Concepts for Protecting the Privacy of IBM i Data
Patrick Townsend, Founder and CEO, Townsend Security
Becky Hjellming, Senior Director, Product Marketing, Syncsort
3. Data Privacy Is Essential
Protecting data is fundamental to your business
• Customers, partners and employees trust you to prevent breaches
• Your business suffers negative publicity if breached
Regulations require that personally identifiable information (PII), payment card information (PCI) and personal health information (PHI) be encrypted
• HIPAA
• GDPR
• PCI DSS
• State privacy laws
• And more
Data could be compromised from the inside or outside
• Users should see only the data they need as part of their jobs
• Data must be protected from internal staff, contractors and business partners – as well as criminal intruders
4. Health Insurance Portability and Accountability Act (HIPAA)
Scope of Regulation
Originally enacted August 21, 1996
Establishes US national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers
HITECH Act builds on HIPAA data security standard
Cybersecurity Requirements
• Access control
• Electronic healthcare information protection
• Many references to NIST standards for encryption and key management
• Guidance on key management recommends NIST FIPS 140-2
• Protection of data in motion
• Monitoring of logins and system accesses
• Policies for reporting breaches
The only safe harbor from breach notification is encryption
5. California Consumer Privacy Act (CCPA)
Scope of Regulation
Enforcement date: January 1, 2020
Provides California citizens with the right to see the personal data being collected about them, know whether their information is being sold, and request that their data be deleted
Applies to organizations that collect personal information about California citizens, or on the behalf of which information is collected, and meets certain thresholds for gross revenue and consumer records buys, sells or shares consumer information
Cybersecurity Requirements
• Audit interaction with consumer data
• Detect security incidents
• Pseudonymize personal information
• Deidentify personal information used in aggregate
• Access controls for data
6. Payment Card Industry Data Security Standard (PCI DSS)
Scope of Regulation
V1 released on December 15, 2004
Information security standard for organizations that handle branded credit cards from the major card schemes
Created to increase controls around cardholder data to reduce credit card fraud
Validation of compliance is required annually
Cybersecurity Requirements
• Firewalls
• Password security
• Multi-factor authentication
• System and data access restrictions
• Cardholder data protection
• Encryption of data in motion
• Encryption key management
• Monitoring of network and data access
• Regular security testing
8. What Is Encryption?
Encryption is a mature science that has been used for thousands of years
• Encryption transforms readable information into an unreadable format (or “ciphertext”)
• Encryption is based on proven, well-known algorithms
• The best encryption algorithms are open and vetted
• Common algorithms include AES, RSA, Triple DES and others
• Algorithms are continuously scrutinized and attempts are made to break them
• Algorithms rely on secret “keys” for encrypting/decrypting data
• The best encryption solutions are independently certified to validate compliance with standards (e.g. NIST)
• The encryption algorithm is never the secret, but the encryption keys must be kept secret
9. Encryption Key Management Is Critical
• Hackers don’t break encryption algorithms – they find the keys
• Encryption keys are THE secret that must be protected since the algorithms are public
• Compliance regulations (PCI, HIPAA, GLBA/FFIEC, and others) require proper key management
• There are industry standards and best practices for key management (FIPS 140-2)
10. What Does a Key Manager Do?
Protects keys from theft and loss
• Stores keys separately from the encrypted data
• Restricts access to keys
• Backs up keys securely
• Supports regular key rotation
Supports best practices for key management
• Separation of duties between data manager and key manager
• Dual control of key management processes
• Split knowledge of complete key values
• Ensuring origin and quality of keys
• As with encryption, key manager certifications are available; e.g. Federal Information Processing Standards (FIPS) 140-2
• KMIP compliance ensures future compatibility with encryption solutions
11. IBM i Encryption Tips
• Beware of home-grown or non-standard encryption and key management
• Look for independent assessments and certifications (FIPS-197; FIPS 140-2) of the implementation of a secure algorithm
• Best option for applications requiring higher performance
• Can be easily implemented for Db2 databases in IBM i 7.1 or greater using FieldProc solutions with few (if any) application or database changes
• 3rd party solutions provide APIs and CL commands to encrypt IFS files, backups, etc.
• Open Access for RPG (OAR) handlers simplify your project if you have legacy RPG applications and need to encrypt indexes
• FIELDPROC exits expose security challenges. Make sure you also implement access logging, automatic masking, access control for common utilities (like DBU, Display Physical File Member, and FTP), and access control for encryption keys
13. What Is Tokenization?
Also known as pseudonymization
• Replaces sensitive data with substitute values or “tokens”
• Tokens are stored in a database or “token vault” that maintains the relationship between the original value and token
• Format-preserving tokens retain the characteristics of the original data (e.g. a VISA number would still look like a VISA number and pass a Luhn check)
• Token consistency enables the same token to be used for every instance of the original data
• When tokenized data is displayed in its original form, it should be masked based on the privilege of the user
14. Tokenization Tips
• Tokenizing a server’s data can remove it from the scope of compliance and reduce the risk of breach exposure
• Encrypt the token vault and make the vault the focus of compliance
• Tokens cannot be reversed with a key as there is no algorithmic relationship to the original data
• Tokenization has a performance impact to register tokens and retrieve them
• Good fit for BI and queries since tokenization maintains database relationships
• Tokenization is available through credit card payment networks for tokenizing credit card numbers
16. What Is Anonymization?
Also known as deidentification or redaction
• A form of tokenization that permanently replaces sensitive data with substitute values (or “tokens”)
• Substitute values are not stored, so a secured token vault is not required
• Format-preserving tokens retain the characteristics of the original data
• Can replace every instance of a piece of original data with the same token
• A variety of anonymization methods can be used (e.g. scrambling)
• NOT a solution for use on a production server since tokens are unrecoverable
17. Anonymization Tips
• As with Tokenization, Anonymization cannot be reversed with a key as there is no algorithmic relationship to the original data
• Anonymization is not a solution for data on your production server
• Ideally used for anonymizing sensitive data on a development or test system
• Good for sending scrubbed data to outside services for processing or analysis in aggregate
• Addresses requirements of GDPR and CCPA
• When coupled with a high availability solution for replication to a non-HA server, it can feed a dev/test system with anonymized data
• Note: Anonymization should be done before the data goes across the network for true compliance with regulations like GDPR
19. Secure File Transfer Requirements
Organizations of all sizes are required to encrypt sensitive IBM i data as it moves over public networks such as the Internet
Secure file transfer is stipulated by a number of compliance regulations, such as:
• PCI
• HIPAA
• SOX
• GDPR
• GLBA
• State privacy laws
Partners demand that the data they exchange with you be safely transferred and protected at the destination
Security best practice calls for internal data that passes across an external network to be encrypted
20. File Transfer Management Needs
• Manual transfer processes are unwieldy and time consuming
• Tracking transfers and resubmitting failed transfers is tedious
• Capturing files from FTP servers for processing into an ERP system or other application is a cumbersome manual process or requires programming
• Securely sending ACH and Positive Pay records to a financial services company’s FTP server is another burdensome transfer to manage
• Manual management leaves too much margin for human error
21. Secure File Transfer Solutions Deliver Many Benefits
• Secure file transfer solutions encrypt data moving across internal or external networks to protect it from being seen in “clear text”
• Third-party solutions handle the technical details of network protocols, encryption standards, and firewall negotiation
• File transfer solutions deliver automation to relieve your team’s workload, along with the auditing and reporting required by auditors
• APIs enable you to integrate secure file transfer with your applications and processes
• Solutions may offer the ability to keep the data encrypted at the destination to ensure it remains private
• Secure file transfer is a very mature discipline with standards and certifications available
22. Secure File Transfer Tips
• Look for solutions that meet standards and have certifications
• Ensure any solution you consider can navigate the complexities of your firewall configurations
• Keep an audit trail of transfer activities
• An archive of transferred files makes retries much simpler
• Set up a hub-and-spoke configuration that manages all your file transfer activities
24. What Is Masking?
• Masking obscures a portion of viewable data so that only the required minimum amount is shown to a user
• Data can be fully or partially masked
• One common example is seeing only the final 4 digits of your credit card number
• Partial masks can be done in a variety of ways (e.g. showing only the last four characters, or the first five, or other combinations)
• Masking should be done when encrypted or tokenized data is displayed in clear text
• Managing masks is easiest when they can be applied based on the user and group privileges
25. Masking Tips
• Using masking can help enforce separation of duties
• Masking can be used on otherwise unprotected data to protect the data from view. This does not protect the data from breach if someone takes it; it only protects it from view.
27. Introducing Assure Security
Complete IBM i Security and Compliance
• Best in class IBM i security capabilities acquired from Cilasoft and Townsend Security
• A common package for new installs and upgrades
• A common monitoring console with Syncsort’s Assure Availability products
MILESTONES
• April 2019 Global Launch
• May 2019 General Availability
28. Assure Security
Assure Security strengthens IBM i security and assures regulatory compliance
Choose the full product
Choose a feature bundle
Or select a specific capability
• Assure Monitoring and Reporting
• Assure Db2 Data Monitor
• Assure Access Control
• Assure System Access Manager
• Assure Elevated Authority Manager
• Assure Multi-Factor Authentication
• Security Risk Assessment
• Assure Compliance Monitoring
• Assure Data Privacy
• Assure Encryption
• Assure Secure File Transfer
29. Assure Security
Assure Data Privacy protects IBM i data at-rest and in-motion from unauthorized access and theft using encryption, tokenization and masking
• Assure Data Privacy
• Assure Encryption
• Assure Secure File Transfer
• Assure Monitoring and Reporting
• Assure Db2 Data Monitor
• Assure Access Control
• Assure System Access Manager
• Assure Elevated Authority Manager
• Assure Multi-Factor Authentication
• Security Risk Assessment
• Assure Compliance Monitoring
30. Assure Encryption
Complete protection for data at rest
• IBM i FieldProc exit point software for encryption
• High performance encryption libraries
• Built-in masking of decrypted data based on user or group
• Provides key management with a local key store
• Includes extensive data tokenization capabilities
The only NIST-certified AES encryption solution for IBM i
31. Assure Encryption
Easy to manage and monitor data access
• Easy-to-use management interface
• User access controlled by policy with Group Profile support
• Built-in data access auditing
32. Assure Encryption
Integrates with other applications and key managers
• Encryption commands for Save Files, IFS, and much more
• Extensive encryption APIs for RPG and COBOL
• Built to integrate with Townsend Security’s Alliance Key
Manager for off-partition key management
• Integrates with any OASIS KMIP-compliant key manager
33. Alliance Key Manager?
Flexible
• Works with all major business and cloud platforms
• Integrates with all leading encryption applications
• Multiple deployment options including a VMware VM, Hardware Security Module (HSM), or cloud module (AWS, Microsoft Azure)
Compliant
• FIPS 140-2 compliant – the US standard for approving cryptographic solutions with both hardware and software components
• OASIS KMIP (Key Management Interoperability Protocol) compliant
• Certified for PCI-DSS version 3 by Coalfire, a certified QSA auditor
Easy and Cost Effective
• Affordable for any size Enterprise
• No additional client-side license or usage fees
• Ready-to-use client software speeds deployment and reduces IT costs
35. Assure Secure File Transfer
Secures data transferred with trading partners or customers
• Encrypts data before transfer and decrypts it at the destination
• Encrypts any file type including Db2 database files, flat files, IFS files, Save Files, and spooled files
• Supports encrypted ZIP and PDF formats
• Supports common transfer protocols: Secure Shell (SSH SFTP) and Secure FTP (SSL FTPS)
• Records all encryption and file transfer activity to meet compliance requirements
• Offers a PGP option to encrypt data at the source and destination
• PGP encrypted files can be received from other platforms such as Windows, Linux, and UNIX
36. Assure Secure File Transfer
Enables centralized management and automation
• Automates secure transfers with centrally managed policies
• Configurable in a hub-and-spoke configuration to automatically manage file transfer needs
• Allows administrators to easily retransmit any file from the archive of backup libraries
• Provides email, SNMP, message notifications and alerts
• Supports email confirmation of transfer with distribution list
• Provides APIs and commands for integration with RPG, COBOL applications and CL programs
37. Supported Banks, Insurance Companies, and Benefits Providers
Assure Secure File Transfer is compatible with a variety of:
• Banks
• Insurance companies
• Authorization networks
• Benefits providers
• Medical claims services
• EDI networks
A partial list is shown here.
Banks: Bank of America, Wachovia, Wells Fargo, US Bank, State Street, ABN Amro, CitiGroup, JPMorgan Chase, BankOne, and others
Medical: Blue Cross Blue Shield, State of California, State of Florida, Hewitt Associates, ZirMed, WebMD, and others
Services: Merrill Lynch, Fidelity, ADP, Frick, TALX, eTRAFX, AllTel, Bell South, and others
Networks: GXS, Inovis, Sterling, IBM Advantis (now GXS), Pantellos, and others
Authorizations: Visa, American Express, ADS, Chase Paymentech, First Data, ValueLink, and others
3rd Party Tools: SAP, PeopleSoft, CostPoint, Concur, and others
38. Today’s Topics
1 – Common regulatory requirements
2 – Security solutions that align with regulations
3 – How Syncsort and Townsend Security can help
4 – Resources
5 – Q&A
39. Download our eBooks
To learn more about technologies for ensuring the privacy of data at rest…
To learn more about protecting the privacy of data in-motion…
40. Learn More
About the layers of security by visiting the Syncsort website
Download Syncsort’s White Paper on “The Essential Layers of IBM i Security”