Information protection, Part 1: Information security

"SAFER" information protection capabilities

Information protection is one of the common entry points for organizations getting started with information governance. Protecting sensitive data serves a clear business need, and protecting data is the goal of many current regulations. In this 2 part series we will start looking at the protection of data in this article by looking at the security of IBM Data Servers on z/OS. This will be followed by part 2 looking at audit and compliance.


Mark Simmonds (, Senior Product Marketing Manager, Information Management division, System z, IBM

Mark Simmonds is a senior product marketing manager within the IBM Software Group Information Management division focused on Data Governance, Master Data Management and SOA for the System z® portfolio. He has 15 years IBM service. He previously spent 10 years in WebSphere® Product Marketing. He has his feet firmly on the ground having spent three years as an IBM systems architect responsible for infrastructure design and corporate technical architecture with large financial institutions. He has a number of author recognition awards, having written articles for technical journals and business magazines.

Ernie Mancill (, Executive IT Specialist System z, IBM

Ernie is an Executive IT Specialist and is a founding member of IBM’s z/Series Database Tools team, a team which assists customers in evaluating and implementing IBM's database tools for DB2. Ernie specializes in Data Governance and Security on DB2 and IMS on System z. He has a specific focus on Auditing, Data Privacy, and Data Encryption technology. Prior to joining IBM in 1999, Ernie worked as a DB2 and CICS Systems Programmer and has over 35 years of IT experience in many different capacities and in a variety of different industries.

Ernie is a Certified DB2 for z/OS V9 Database Administrator, and has presented at IDUG, the DB2 Information-On-Demand Conference, SHARE, and at local DB2 user groups throughout the Americas. Ernie has co-authored three IBM Redbooks, "A Deep Blue View of DB2 Performance – IBM Tivoli OMEGAMON for DB2 Performance Expert on z/OS", "Keeping Your Data in its Place with DB2 Data Archive Expert", and "Securing and Auditing Data on DB2 for z/OS". In his spare time, Ernie is an avid saltwater fly fisherman.

30 July 2010

Also available in Russian


IBM provides a comprehensive set of information protection capabilities for IBM hardware platforms that help organizations discover which data needs to be protected, secure access to it, provide encryption of the data, and ensure that privacy controls are in place throughout the information life cycle. In addition, IBM provides organizations with powerful and flexible analysis, real-time auditing, and reporting tools.

Figure 1. IBM provides organizations with a comprehensive set of information protection capabilities.
IBM provides organizations with a comprehensive set of information protection capabilities.

Information protection for IBM System z

It's estimated that 95 percent of Fortune 1000 companies store business data on IBM System z®. Its business-focused capabilities - advanced business continuity features, security, transaction integrity, scalability, dynamic workload balancing capabilities, and powerful tools for access control and protection—make the System z platform an excellent choice for storing and processing business-critical information.

However, organizations must demonstrate accountability by complying with industry, financial and regulatory guidelines and be able to answer the who, what, when, where and how questions when it comes to data access. Regulations exist at the worldwide level, in addition to the country- and state-specific laws and regulations that must be followed. The Sarbanes-Oxley Act (SOX), Payment Card Industry Data Security Standard (PCI DSS), Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), Basel II and U.S. Senate Bill 1396 are just a few examples of the regulations with which organizations must comply. Research shows that the perceived quality of a company's corporate governance can influence its share price, as well as the cost of raising capital.

Let's take a closer look at information protection on the System z platform, starting today with security of your data on System z and z/OS.

Security on IBM data servers on z/OS

Authentication is the first security capability a user encounters when attempting to use services provided by IBM data servers on the IBM z/OS® operating system. The user must be identified and authenticated before being allowed to use any of these services.

The primary job of identification and authentication in IBM data servers on z/OS is assigned to the security subsystem. On z/OS, the z/OS security server which would be the IBM Resource Access Control Facility (RACF®)or its equivalent provides authentication and authorization services to control access to the database subsystem. This technique means that access for many resources can be consistent, whether the resource is a file, a printer, or communications or database access.

For the purposes of this discussion, RACF and its primary competitors, CA-TopSecret and CA-ACF2, are security products that provide access control and security functionality for z/OS and the IBM z/VM® operating system for virtualized environments.

RACF and DB2 databases

In an IBM DB2® database on z/OS configuration, the z/OS security server (RACF or equivalent) is used for the following purposes:

  • Control connections to the DB2 subsystem
  • Assign identities
  • Protect the underlying DB2 data store (underlying data-sets of DB2 can be protected by RACF data-set services)

In addition to database server-provided security, RACF can be used to control access to database objects, authorities, commands and utilities by using the RACF access control module of the database server.


The IBM Information Management System (IMS) has been enhanced to make use of RACF for controlling access to IMS resources. It is possible to use the original IMS security features, the new RACF features, and combinations of these. RACF provides more flexibility than the older security features. The normal features of RACF can be used to protect both system and database IMS data sets.

Using IBM Tivoli products to enhance RACF

By putting a user-friendly layer on top of RACF, IBM Tivoli® zSecure Admin provides a comprehensive, easy-to-use Interactive System Productivity Facility (ISPF) interface for low-level RACF administrators. The product generates the required syntax for RACF commands (based on the input from the window). Generating RACF commands automatically reduces errors that could lead to security exposures or system downtime. zSecure Admin can help automate recurring work during RACF administration, freeing advanced administrators to focus on higher-value tasks.

IBM Tivoli zSecure Visual, a Microsoft® Windows®-based graphical user interface (GUI) for RACF administration, allows RACF administration tasks to be delegated to junior security administrators. zSecure Visual communicates with a server running under z/OS UNIX® to perform the native RACF commands. This insulates the zSecure Visual administrator from the complexities of native RACF and TSO/ISPF.

Encryption and data obfuscation

The requirement to encrypt data at rest is fundamental to many regulatory compliance initiatives. Encryption is the process whereby clear text data is transformed into cybertext. This transformation uses a mathematical formula, known as an encryption algorithm, in conjunction with a data encrypting key to create the cybertext. There are two basic encryption algorithms that are generally accepted as secure today: Triple Data Encryption Standard (TDES) and Advanced Encryption Standard (AES). Keys are hexadecimal strings of randomly generated characters, varying in length from 128 to 512 bits. In general, the longer the key, the more secure the encryption implementation.

Contrasted with encryption, data obfuscation is the process whereby sensitive data is transformed to generate a new data value, which has the same general characteristics of the original value, but which represents a fictional data value. In general, the obfuscation is performed in such a manner that the original value, through causal reverse engineering, cannot be derived.

IBM data servers and z/OS Communications Server-based network encryption

While data at rest is the primary concern here, there should be no disagreement that a robust encryption implementation needs to include techniques to encrypt critical information throughout its life cycle. This includes the requirement to encrypt data that flows into and out of the enterprise through network connections, including data that is shared with external business partners.

Capabilities inherent in the z/OS operating system, such as the z/OS Communications Server, can help protect network resources. The z/OS Communications Server works with DB2 and IMS for z/OS and uses well-designed implementations that allow organizations to take advantage of different types of network-based encryption such as:

  • Secure Sockets Layer (SSL), which is a communications protocol that provides secure communications over an open communications network.
  • Internet Protocol Security (IPSec), which is intended to protect traffic between two TCP/IP stacks transparently to the applications.
  • Application Transparent Transport Layer Security (AT-TLS), which is intended to protect traffic between specific client and server applications, and between the TCP/IP stacks to which these applications are bound.

IBM data servers and encryption of data at rest

There are many ways to encrypt data in DB2 and IMS. The questions, What do you want to protect and from whom? and How much effort can be used? are asked to determine which technique to use and where to encrypt and decrypt.

The choice of encryption technique does mean some trade-offs in function, usability and performance. Organizations using DB2 for z/OS V8 and later can elect to implement encryption via the DB2 built-in function. It does, however, have some problematic characteristics that may impact the flexibility needed for a robust enterprise solution.

For IMS, there is no DBMS implementation of encryption, so there is a need to consider other mechanisms for encrypting data.

Key management using ICSF services

Integrated Cryptographic Service Facility (ICSF) is a component of z/OS that is designed to transparently use the available cryptographic functions, whether CP Assist for Cryptographic Function (CPACF) or Crypto Express2, to address the data encryption requirements of z/OS applications and subsystems.

ICSF supports the AES and TDES algorithms for data privacy. TDES (Triple Data Encryption Standard) was originally published in 1999 and is still a well-adopted industry standard. AES (Advanced Encryption Standard) was announced by the National Institute of Standards and Technology in 2001 and became effective as a Federal government standard in 2002. AES is the first publicly accessible and open cipher approved by the NSA for top-secret information. This updated algorithm provides stronger encryption and is the recommended algorithm for "data-at-rest"requirements. Key lengths of 128, 192 and 256 bits are supported, depending on the class of System z processor used. Keys generated with ICSF services are used by the IBM Data Encryption for IMS and DB2 Databases tool.

The cryptographic hardware (also known as the coprocessor) available to IBM Data Encryption for IMS and DB2 Databases depends on processor or server model. z/OS ICSF supports the Crypto Express3 Feature that is available on IBM System z10® Enterprise Class and IBM System z10 Business Class processors. For IBM System z9® and z10® processors, the Crypto Express2 feature is also available.

ICSF provides a secure environment for key generation, storage and use, and is preferred over application-based key management as implemented in encryption approaches such as the DB2 V8 built-in function.

IBM Data Encryption for IMS and DB2 Databases

IBM Data Encryption for IMS and DB2 Databases provides a data encryption function for both IMS and DB2 for z/OS databases in a single product. It enables protection of sensitive data for IMS at the segment level and for DB2 at the table level.

IBM Data Encryption for IMS and DB2 Databases is implemented using standard IMS exits and DB2 EDITPROCs. The exit or EDITPROC code invokes the System z Crypto hardware to encrypt data for storage and decrypt data for application use, thereby protecting sensitive data residing on various storage media. System z hardware has provided improving support for the encryption instructions and features, thereby decreasing the performance overhead of encryption.

For both IMS and DB2, the routines that are generated by IBM Data Encryption for IMS and DB2 Databases are transparent to the application programs that access the databases, thus requiring no application changes to implement. This tool can save the time and effort required to write and maintain encryption software for use with such exits or within applications.

Implementing the generated exit is simple. Once implemented, based on the type of SQL or IMS statement, the exit will be driven by the DBMS at the appropriate point, and encryption or decryption occurs as needed.

With encrypted tables, standard recovery assets including the DB2 recovery log and DB2 image copy data sets are also encrypted. The recovery log record is encrypted by virtue of the log image reflecting the row after the EDITPROC is driven. The DB2 image copy data set is encrypted due to the nature of the image copy utility being a page-level operation. With an IMS implementation, the image copy data sets are also encrypted. This is important for organizations that ship recovery assets to off-site storage facilities; in the event that data in transit is lost or stolen, there is no exposure, as the data being encrypted is protected from unauthorized usage.


The cost of implementing security measures is far cheaper than fixing a breach after it occurs - not to mention the bad publicity and potential effect on an organization's stock price and reputation. The financial penalties and losses surrounding data breaches are never truly realized until many years after the event. Frankly, there is no longer any excuse for security-related failures. IBM Information Management information protection solutions for z/OS offer comprehensive end-to-end capabilities to help manage business risk and reduce the threat of data breaches and security exposures- wherever your data is, whoever is using it, whenever it is being used. IBM can help you find ways to take back control and be S.A.F.E.R.

Join us in part 2 the next arcticle in the series focused on Auditing and Compliance



Get products and technologies

  • Evaluate IBM products in the way that suits you best: Download a product trial, try a product online, use a product in a cloud environment, or spend a few hours in the SOA Sandbox learning how to implement Service Oriented Architecture efficiently.


  • Get involved in the My developerWorks community. Connect with other developerWorks users while exploring the developer-driven blogs, forums, groups, and wikis.


developerWorks: Sign in

Required fields are indicated with an asterisk (*).

Need an IBM ID?
Forgot your IBM ID?

Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.


All information submitted is secure.

Dig deeper into Information management on developerWorks

Zone=Information Management, SOA and web services
ArticleTitle=Information protection, Part 1: Information security