The document discusses protecting sensitive data on IBM i systems. It provides an agenda for a webcast covering key concepts for protecting IBM i data privacy including encryption, tokenization, and secure file transfer. It will also introduce the Assure Security solution from Precisely for IBM i compliance and security. The webcast includes segments on protecting data privacy, demonstrating Assure Security, and a question and answer period.
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)
1. Protect Sensitive Data
on Your IBM I (Social
Distance Your IBM
i/AS400)
Chang Ban Lee | General Manager, CBS
Bill Hammond | Senior Product Marketing Manager, Precisely
Sidney Wong | Senior Sales Engineer, Precisely
2. Housekeeping
Webcast Audio
• Today’s webcast audio is streamed through your computer speakers
• Audio lines will be muted during the presentation
Questions Welcome
• Submit your questions at any time during the presentation using the
Q&A box. Questions will be answered at the end.
Technical assistance
• If you need technical assistance with the web interface or audio,
please reach out to us using the Q&A box
• You can move and resize the different webinar panels
Resources, Recording and slides
• The Resource List contains brochures which you can download and
read later
• This webcast is being recorded. You will receive an email following
the webcast with a link to the recording
3. Agenda
9:30am Opening - Cheng Ban Lee, CBS
9:35am Key Concepts for Protecting the Privacy of IBM i Data
- Bill Hammond, Precisely
10:05am Introducing Assure Security - Complete IBM I Compliance and Security
- Sidney Wong, Precisely
10:35am Q & A
4. PROTECT YOUR CUSTOMER SENSITIVE DATA ON
YOUR AS400 (SOCIAL DISTANCE YOUR AS400)
DATE : 22nd July 2020 (Wednesday)
TIME : 9.30am – 10.40am
5. Protect Sensitive Data on Your IBM i (Social
Distance Your IBM i/AS400)
Agenda
o Key Concepts for Protecting the Privacy of IBM i Data - Bill Hammond,
Precisely
o Assure Security - Complete security solution for IBM i (AS/400) - Sidney
Wong, Precisely
o Q & A
6. - Personal information stolen from
major retailers and financial
institutions have driven consumers
and regulatory bodies to demand
that more action be taken to
ensure data protection and privacy.
- Regulations such as PCI DSS, HIPAA,
GDPR, and FISMA require that
personal data be protected against
unauthorized access using
technologies like encryption,
tokenization, masking, secure file
transfer.
7. Topics will include:
Protecting data with encryption and the need for strong key management
Use Cases that are best for tokenization
Options for permanently deidentifying data
Securing data in motion across networks
Protect against unauthorized access for AS400 (IBM i)
9. 1. Announcing … Precisely
2. Marketplace Trends
3. Common regulatory requirements
4. Data Privacy solutions that align with regulations
5. Q&A
Today’s Topics
10. The global leader in data integrity
Trust your data. Build your possibilities.
Our data integrity software and data enrichment products
deliver accuracy and consistency to power confident
business decisions.
Brands you trust, trust us
Data leaders partner with us
of the Fortune 100
90
Customers in more than
100
2,000
employees
customers
12,000
countries
10
11. Better decisions, better data
Data Integration
Security
High Availability
Mainframe Sort &
Optimization
Integrate
Data Discovery
Data Cleansing
Data Lineage
Governance
Verify
Spatial Analysis
Geocoding
Routing
Visualization
Locate
Location Enrichment
Boundaries
Points of Interest
Property Attributes
Demographics
Enrich
11
14. Business Trends
• Regulations such as SOX, GDPR, PCI DSS, HIPAA and others require
you to protect and secure data
• GDPR fines are significant - British Airways $230 million and
Marriott $124 million
• CCPA exposes organizations to potentially large civil penalties and
statutory damages
• Expectation of spike in privacy class-action lawsuits – Forrester
predicts a 300% increase
• Data privacy is becoming a business differentiator – 81% of
consumers express concerns with use of their PII*
• Level of confidence in security policies is dropping**
• Increasing visibility and quantity of security breaches
* IBM Institute for Business Value Privacy Survey
** Syncsort 2020 Security Survey
14
15. Data Privacy Is Essential
Protecting data is fundamental to your business
• Customers, partners and employees trust you to prevent breaches
• Your business suffers negative publicity if breached
Regulations require that personally identifiable information (PII),
payment card information (PCI) and personal health information
(PHI) be encrypted
• HIPAA
• GDPR
• PCI DSS
Data could be compromised from the inside or outside
• Users should see only the data they need as part of their jobs
• Data must be protected from internal staff, contractors and
business partners – as well as criminal intruders
• CCPA
• State privacy laws
• And more
15
16. Health Insurance Portability and
Accountability Act (HIPAA)
16
Scope of Regulation
Originally enacted August 21, 1996
Establishes US national standards
for electronic health care
transactions and national identifiers
for providers, health insurance
plans, and employers
HITECH Act builds on HIPAA data
security standard
• Access control
• Electronic healthcare information
protection
• Many references to NIST
standards for encryption and
key management
• Guidance on key management
recommends NIST FIPS 140-2
• Protection of data in motion
• Monitoring of logins and system
accesses
• Policies for reporting breaches
The only safe harbor from
breach notification is
encryption
17. California Consumer Privacy Act
(CCPA)
17
Scope of Regulation
Enforcement date: 1 Jan 2020
The California Consumer Privacy Act
gives California residents numerous
data privacy rights while penalizing
organizations that are in violation.
The law covers a much broader set of
information than any other regulation,
including GDPR.
Fines can be imposed per record
breached by the California AG and
consumers are granted the right to sue
if their data is stolen and not encrypted.
There is no maximum amount to the
fines.
• Encrypt protected data so that it is
unreadable should a breach occur
• Deidentify data prior to sharing it
• Implement technologies and
processes that will prevent a breach
18. Payment Card Industry Data
Security Standard (PCI DSS)
18
Scope of Regulation
V1 released on December 15, 2004
Information security standard for
organizations that handle branded
credit cards from the major card
schemes.
Created to increase controls around
cardholder data to reduce credit
card fraud.
Validation of compliance is required
annually.
• Firewalls
• Password security
• Multi-factor authentication
• System and data access restrictions
• Cardholder data protection
• Encryption of data in motion
• Encryption key management
• Monitoring of network and data
access
• Regular security testing
21. What Is Encryption?
• Encryption transforms readable information into an unreadable format
(or “cyphertext”)
• Encryption is based on proven, well-known algorithms
• The best encryption algorithms are open and vetted
• Common algorithms include AES, RSA, Triple DES and others
• Algorithms are continuously scrutinized and attempts are made to break
them
• Algorithms rely on secret “keys” for encrypting/decrypting data
• The best encryption solutions are independently certified to validate
compliance with standards (e.g. NIST)
• The encryption algorithm is never the secret, but the encryption keys must be
kept secret
Encryption is mature science
that has been used for thousands of years21
22. IBM i Encryption Tips
• Compliance regulations (PCI, HIPAA, GLBA/FFEIC, and others)
require proper key management
• Beware of home-grown or non-standard encryption and key management
• Look for independent assessments and certifications (FIPS-197; FIPS 140-2) of
the implementation of a secure algorithm
• Best option for applications requiring higher performance
• Can be easily implemented for Db2 databases in IBM i 7.1 or greater using
FieldProc solutions with few (if any) application or database changes
• 3rd party solutions provide APIs and CL commands to encrypt IFS files,
backups, etc.
• Open Access for RPG (OAR) handlers simplify your project if you have legacy
RPG applications and need to encrypt indexes
• FIELDPROC exits expose security challenges. Implement access logging,
automatic masking, access control for common utilities access control for
encryption keys22
24. What Is Tokenization?
• Replaces sensitive data with substitute values or “tokens”
• Tokens are stored in a database or “token vault” that maintains the
relationship between the original value and token
• Format-preserving tokens retain the characteristics of the original
data (e.g. a VISA number would still look like a VISA number and
pass a LUHN check)
• Token consistency enables the same token to be used for every
instances of the original data
• When tokenized data is displayed in its original form, it should be
masked based on the privilege of the user
Also known as pseudonymization
24
25. Tokenization Tips
• Tokenizing a server’s data can remove it from the scope of compliance and reduce the risk of breach exposure
• Encrypt the token vault and make the vault the focus of compliance
• Tokens cannot be reversed with a key as there is no algorithmic relationship to the original data
• Tokenization has a performance impact to register tokens and retrieve them
• Good fit for BI and queries since tokenization maintains database relationships
• Tokenization is available thru credit card payment networks for tokenizing credit card numbers
25
27. What Is Anonymization?
• A form of tokenization that permanently replaces sensitive data with
substitute values (or “tokens”)
• Substitute values are not stored, so a secured token vault is not required
• Format-preserving tokens retain the characteristics of the original data
• Can replace every instances of a piece of original data with the same token
• A variety of anonymization methods can be used (e.g. scrambling)
• NOT a solution for use on a production server since tokens are unrecoverable
Also known as deidentification or redaction
27
28. Anonymization Tips
• As with Tokenization, Anonymization cannot be reversed with a key as there is no algorithmic relationship
to the original data
• Anonymization is not a solution for data on your production server
• Ideally used for anonymizing sensitive data on a development or test system
• Good for sending scrubbed data to outside services for processing or analysis in aggregate
• Addresses requirements of GDPR and CCPA
• When coupled with a high availability solution for replication to non-HA server, it can feed dev/test system
with anonymized data
• Note: Anonymization should be done before the data goes across the network for true compliance with
regulations like GDPR
28
30. What Is Masking?
• Masking obscures a portion of viewable data so that only the required
minimum amount is shown to a user
• Data can be fully or partially masked
• One common example is seeing only the final 4 digits of your credit
card number
• Partial masks can be done in variety of ways (e.g. showing only the
last four characters, or the first five, or other combinations)
• Masking should be done when encrypted or tokenized data is
displayed in clear text
• Managing masking is easiest when they can be applied based on the
user and group privileges
30
31. Masking Tips
• Using masking can help enforce separation of duties
• Masking can be used on otherwise unprotected data to protect the
data from view. This does not protect the data from breach if someone
takes it; it only protects it from view.
31
33. Why Secure
File Transfer?
Challenges
Benefits Requirements
• Manual transfer processes are unwieldy
and time consuming
• Tracking transfers and resubmitting
failed transfers is tedious
• Capturing files from FTP servers for
processing into an ERP system or other
application is a cumbersome manual
process or requires programming
• Securely sending ACH and Positive Pay
records to a financial services
company’s FTP server is another
burdensome transfer to manage
• Manual management leaves too much
margin for human error
• Secure file transfer solutions encrypt
data moving across internal or external
networks to protect it from being seen in
“clear text”
• Third-party solutions handle the
technical details of network protocols,
encryption standards, and firewall
negotiation
• File transfer solutions deliver automation
to relieve your team’s workload and
auditing and reporting required by
auditors
• APIs enable you to integrate secure
file transfer with your applications
and processes
• Solutions may offer the ability to keep
the data encrypted at the destination
to ensure it remains private
• Secure file transfer is a very mature
discipline with standards and
certifications available
• Organizations of all sizes are
required to encrypt sensitive
IBM i data as it moves over
public networks such as the
Internet
• Secure file transfer is stipulated
by a number of compliance
regulations
• Partners demand that the data
they exchange with you to be
safely transferred and
protected at the destination
• Security best practice calls for
internal data that passes
across an external network to
be encrypted
33
34. Secure File Transfer Tips
• Look for solutions that meet standards and have certifications
• Ensure any solution you consider can navigate the complexities
of your firewall configurations
• Keep an audit trail of transfer activities
• An archive of transferred files makes retries much simpler
• Set up a hub-and-spoke configuration that manages all your
file transfer activities
34
37. Introducing Assure Security
37
• A comprehensive solution that addresses all aspects of
• IBM i security and helps to ensure compliance with
• cybersecurity regulations.
• Whether your business needs to implement a full set of
• security capabilities, or you need to address a specific
• vulnerability, Assure Security is the solution.
38. Assure Security
Syncsort’s Best of Breed Security Suite
38
Assure Security includes
• Best of breed IBM i security capabilities acquired from
Cilasoft, Enforcive, and Townsend Security
• A common package for new installs and upgrades
• A common monitoring console with Syncsort’s HA products
• Support for UI location in English, French and Spanish
For Cilasoft and Townsend customers, Assure Security
• Is the next generation product
• Seamlessly supports your current capabilities (or more)
• Makes it easier to adopt new security capabilities
39. 39
Assure
Security
addresses the issues on the
radar screen of every security
officer and IBM i admin
Compliance Monitoring
Gain visibility into all security activity on
your IBM i and optionally feed it to an
enterprise console
Access Control
Ensure comprehensive control of
unauthorized access and the ability to
trace any activity, suspicious or otherwise
Security Risk Assessment
Assess your security threats and
vulnerabilities
Data Privacy
Protect the privacy of data at-rest or
in-motion to prevent data breaches
40. 40
Choose the full product
Choose a feature bundle
Or select a specific capability
Assure Security
Assure
Data Privacy
Assure Encryption
Assure Secure File
Transfer
Assure Monitoring
and Reporting
Assure Db2 Data
Monitor
Assure
Access Control
Assure System Access
Manager
Assure Elevated
Authority Manager
Assure Multi-Factor
Authentication
Assure Security
Risk Assessment
Assure Compliance
Monitoring
41. 41
Risk
Assessment
Assure Security
Risk Assessment Tool
Thoroughly check all aspects of IBM i
security and obtain detailed reports and
recommendations
Security Risk
Assessment Service
Let Syncsort’s team of security experts conduct a
thorough risk assessment and provide a report
with remediation guidance
42. Security Risk Assessment
42
What It Is
• A security risk assessment is a
thorough check of all aspects of
system security, including (but not
limited to):
• Security settings in the OS
• Default passwords
• Disabled users
• Command line users
• Distribution of powerful users
• Library authorities
• Open ports
• OS exit points
• Risk assessments tools or services
provide detailed reports on
findings, explanations and
recommendations for remediation
• Assessment summary for non-
technical management
summarizes findings
Benefits
• Helps to satisfy the requirement for
annual risk assessments found in
regulations such as PCI DSS and
HIPAA
• Results in reports that inform
management and administrators
about security vulnerabilities and
remedies
• Saves time by automating (tool) or
offloading (service) the process of
conducting as assessment
• Using a service or tool that
encapsulates extensive experience
can fill skillset gaps
• Provides separation of duties
between administrator and auditor
44. 44
Access Control
Secure all points of entry into to your
system including network access,
database access, command line access
and more
•
Multi-Factor Authentication
Strengthen login security by requiring
multiple forms of authentication
Elevated Authority
Management
Automatically elevate user authority
as-needed and on a limited basis
Assure
Access Control
45. Assure System Access Manager
45
Comprehensive control of
external and internal access
• Network access (FTP, ODBC, JDBC,
OLE DB, DDM, DRDA, NetServer,
etc.)
• Communication port access (using
ports, IP addresses, sockets - covers
SSH, SFTP, SMTP, etc.)
• Database access (open-source
protocols - JSON, Node.js, Python,
Ruby, etc.)
• Command access
Powerful, flexible and easy to
manage
• Easy to use graphical interface
• Standard configuration provided for
out-of-the-box deployment
• Powerful, flexible rules for controlling
access based on conditions such as
date/time, user profile settings, IP
addresses, etc.
• Simulation mode for testing rules
without impact to the users
• Provides alerts and produces reports
• Logs access data for SIEM
integration
Secures IBM i systems and
enables regulatory compliance
• Supports regulatory requirements for
SOX, GDPR, PCI-DSS, HIPAA, and
others
• Satisfies security officers by securing
access to IBM i systems and data
• Significantly reduces the time and cost
of achieving regulatory compliance
• Enables implementation of security best
practices
• Quickly detects security incidents so
you can efficiently remediate them
• Has low impact on system performance
46. Assure Elevated Authority
Manager
46
Complete, automated control
of elevated user authorities
• Administrators can manually grant
user’s requests or rules can be
configured to automatically manage
them
• Rules can be defined for source and
target profiles based on group
profiles, supplemental groups, user
lists and more
• Rules determine the context in which
authority can be granted, such as
time of date, job name, IP address
and more
• *SWAP or *ADOPT methods are
supported to elevate authority
• Handles processes connecting via
ODBC, JDBC, DRDA and FTP
Comprehensive monitoring of
elevated profiles
• Monitors elevated users and duration
of elevation from GUI or 5250
displays
• Maintains an audit trail of elevated
activity using job logs, screen
captures, exit points and journals
• An option is available to simply log
user activity without changing
authorities
• Produces alerts on events such as
exceeding authorized time
• Generates reports in a variety of
formats
• Allows integration with ticketing
systems
Enables regulatory compliance
and security best practice
• Generates an audit trail of actions by
elevated profiles for compliance
auditors
• Makes it easy to manage requests for
elevated authority on demand
• Enforces segregation of duties
• Satisfies security officers by reducing
the number of powerful profiles and
maintaining a comprehensive audit
trail
• Produces necessary alerts and
reports
• Significantly reduces security
exposures caused by human error
• Reduces risk of unauthorized access
to sensitive data
47. Assure Multi-Factor
Authentication
47
Full-featured multi-factor
authentication for IBM i
• Enables you to require two or more
factors for authentication:
• Something the user knows
• Something the user has
• Something the user “is”
• Relies on codes from authentication
services delivered via mobile device,
email, hardware token, etc.
• Enables self-service profile re-
enablement and self-service
password changes
• Supports the Four Eyes Principle for
supervised changes
• RSA certified (See DOC-92160
on RSA’s community site)
Powerful, flexible deployment
options
• Allows multi-factor authentication to
be enabled only for specific users or
situations
• Rules engine makes it easy to
configure when multi-factor
authentication is used
• Supports multiple authenticators
• Free Syncsort authenticator
• RADIUS-based servers
• RSA SecurID (on-prem or cloud)
• Options to initiate from the 5250
signon screen or on-demand
(manually or from a program)
• Options for multi-factor or two-step
authentication
Strengthens login security and
enables compliance
• Adds an authentication layer above
and beyond memorized or written
passwords
• Reduces potential for the cost and
consequences of data theft and
unauthorized access to systems and
applications
• Lowers risk of an unauthorized user
guessing or finding another user’s
password
• Addresses regulatory requirements
and recommendations in PCI DSS
3.2, NYDFS Cybersecurity Regulation,
Swift Alliance Access, GLBA/FFIEC,
and more
48. 48
Assure
Data Privacy
Encryption
Transform human-readable database
fields into unreadable cypher text using
industry-certified encryption & key
management solutions
Secure File Transfer
Securely transfer files across internal or
external networks using encryption
Tokenization
Remove sensitive data from a server by
replacing it with substitute values that can
be used to retrieve the original data
49. Assure Encryption
49
The only NIST-certified solution
for IBM i encryption
• Automatic encryption for Db2 data
using IBM i Field Procedures (IBM i 7.1
or greater)
• AES encryption algorithms are
optimized for performance
• Built-in masking of decrypted data
based on user or group
• Built-in data access auditing
• Includes encryption commands for
Save Files, IFS, and much more
• Extensive encryption APIs for RPG &
COBOL
• Easily addresses issues of encrypted
indexes in legacy RPG programs
• Includes tokenization to replace
sensitive data with substitute values
or “tokens”
Supports multiple key
management options
• Encryption keys must be protected
since encryption algorithms are
public
• Compliance regulations require
proper key management
• Assure Security supports multiple key
management options
• Local key store provided
• Built to integrate with Townsend
Security’s FIPS 140-2 compliant
Alliance Key Manager, available as:
• VMware appliance
• Hardware Security Module (HSM)
• Cloud HSM (AWS, Azure)
• Other OASIS KMIP compliant key
management solutions
Enables regulatory compliance
and security best practice
• Encrypts data without impacting
applications
• Protects data from unauthorized
access by internal staff, contractors
and business partners – as well as
criminal intruders
• Meets requirements of regulations
that mandate sensitive data
protection such as HIPAA/HITECH,
PCI-DSS, state privacy laws and
more
• Builds your customer’s confidence in
doing business with you through
NIST validation
50. Assure Secure File Transfer
50
Secures data transferred with
trading partners or customers
• Secures data moving across internal
or external networks by encrypting it
before transfer & decrypting it at the
destination
• Encrypts any file type including Db2
database files, flat files, IFS files, Save
Files, and spooled files
• Supports common transfer protocols
• Secure Shell (SSH SFTP)
• Secure FTP (SSL FTPS)
• Records all encryption and file
transfer activity to meet compliance
requirements
• Offers a PGP option to encrypt data
at the source and destination
location
• PGP encrypted files can be received
from any other system including
Windows, Linux, and UNIX
Enables centralized
management and automation
• Automatically enforces data
protection with centrally managed
policies
• Intelligently negotiates firewalls
• Configurable in a hub-and-spoke
configuration to automatically
manage all your file transfer needs
• Provides email, SNMP, message
notifications and alerts
• Supports email confirmation of
transfer with distribution list
• Provides APIs and commands for
integration with RPG, COBOL
applications and CL programs
• Supports encrypted ZIP and PDF
Enables regulatory compliance
and security best practice
• Protects data from being seen in
clear text when transferred
across networks
• Meets requirements of
regulations such as PCI, HIPAA
and others that require
encrypted transfer and logging
of transfer activity
• PGP option provides cross-
platform, standards-based
encryption that works with all
other PGP solutions
51. 51
Assure
Compliance
Monitoring
System & Database Auditing
Simplify analysis of IBM i journals to
monitor for security incidents and
generate reports and alerts
Db2 Data Monitoring
Monitor for views of sensitive Db2 data
and optionally block data from view
SIEM Integration
Integrate IBM i security data with data
from other platforms by transferring it
to a Security Information and Event
Management console
52. Assure Monitoring and
Reporting
52
Comprehensive monitoring of
system and database activity
• Simplifies the process of analyzing complex
journals
• Monitoring for system and database
changes available separately or together
• Powerful query engine with extensive
filtering enables identification of deviations
from compliance or security best practice
• Out-of-the-box, customizable models
supplied for common ERP solutions and
GDPR compliance
• Application modifications not required
Produces clear, easy-to-read
alerts and reports
• Provides security and compliance event
alerts via e-mail popup or syslog
• Enables easy creation of customized reports
that can be generated continuously, on a
schedule or on-demand
• Supports multiple report formats including
PDF, XLS, CSV and PF formats
• Distributes reports via SMTP, FTP or IFS
• Add-on available to send security data to
SIEM consoles such as IBM Qradar, ArcSight,
LogRhythm, LogPoint, and Netwrix
• Integration of security data into Splunk for
security monitoring or IT operations analytics
available via Syncsort’s Ironstream product
family
Benefits of monitoring and for
compliance & security
• Quick identification of security
incidents and compliance deviations
• Monitors the security best practices
you have implemented
• Enables meeting regulatory
requirements for GDPR, SOX, PCI
DSS, HIPAA and others
• Satisfies requirements for a journal-
based audit trail
• Provides real segregation of duties
and enforces the independence of
auditors
53. Assure Db2 Data Monitor
53
Gives you complete control
over sensitive data access
• Monitors Db2 data to inform you of
who has viewed sensitive records in a
file, when and how
• Rich set of rules enable fine tuning of
read-access detection and alerts
(e.g. specific access of a specific file)
• No need to change existing
applications
• Generates reports in multiple formats
and real-time alerts
• Blocking mode prevents users from
reading specified information in a file
• Simulation mode available for testing
rules to ensure blocking doesn’t
disrupt normal activities before
deployment
Produces clear, targeted
reports on data views
• Reports could show on views of:
• Manager salaries
• Medical data
• Credit information
• Reports can include information on
how data was accessed, such as:
• IP address
• Current user
• Call stack
• And more
• Specify only the fields you need to
see in a report, not the entire record,
to keeps your confidential data truly
confidential
Meets even the most stringent
compliance and security needs
• Meets the most stringent regulatory
requirements for confidential data
• Reduces the risk of accidental data
disclosure
• Deters illicit or criminal activity