IBM provides a comprehensive set of information protection capabilities for IBM hardware platforms that help organizations discover which data needs to be protected, secure access to it, provide encryption of the data, and ensure that privacy controls are in place throughout the information life cycle. In addition, IBM provides organizations with powerful and flexible analysis, real-time auditing, and reporting tools.
Figure 1. IBM provides organizations with a comprehensive set of information protection capabilities.
It's estimated that 95 percent of Fortune 1000 companies store business data on IBM System z®. Its business-focused capabilities - advanced business continuity features, security, transaction integrity, scalability, dynamic workload balancing capabilities, and powerful tools for access control and protection—make the System z platform an excellent choice for storing and processing business-critical information.
However, organizations must demonstrate accountability by complying with industry, financial and regulatory guidelines and be able to answer the who, what, when, where and how questions when it comes to data access. Regulations exist at the worldwide level, in addition to the country- and state-specific laws and regulations that must be followed. The Sarbanes-Oxley Act (SOX), Payment Card Industry Data Security Standard (PCI DSS), Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), Basel II and U.S. Senate Bill 1396 are just a few examples of the regulations with which organizations must comply. Research shows that the perceived quality of a company's corporate governance can influence its share price, as well as the cost of raising capital.
Let's take a closer look at information protection on the System z platform, starting today with security of your data on System z and z/OS.
Authentication is the first security capability a user encounters when attempting to use services provided by IBM data servers on the IBM z/OS® operating system. The user must be identified and authenticated before being allowed to use any of these services.
The primary job of identification and authentication in IBM data servers on z/OS is assigned to the security subsystem. On z/OS, the z/OS security server which would be the IBM Resource Access Control Facility (RACF®)or its equivalent provides authentication and authorization services to control access to the database subsystem. This technique means that access for many resources can be consistent, whether the resource is a file, a printer, or communications or database access.
For the purposes of this discussion, RACF and its primary competitors, CA-TopSecret and CA-ACF2, are security products that provide access control and security functionality for z/OS and the IBM z/VM® operating system for virtualized environments.
In an IBM DB2® database on z/OS configuration, the z/OS security server (RACF or equivalent) is used for the following purposes:
- Control connections to the DB2 subsystem
- Assign identities
- Protect the underlying DB2 data store (underlying data-sets of DB2 can be protected by RACF data-set services)
In addition to database server-provided security, RACF can be used to control access to database objects, authorities, commands and utilities by using the RACF access control module of the database server.
The IBM Information Management System (IMS) has been enhanced to make use of RACF for controlling access to IMS resources. It is possible to use the original IMS security features, the new RACF features, and combinations of these. RACF provides more flexibility than the older security features. The normal features of RACF can be used to protect both system and database IMS data sets.
By putting a user-friendly layer on top of RACF, IBM Tivoli® zSecure Admin provides a comprehensive, easy-to-use Interactive System Productivity Facility (ISPF) interface for low-level RACF administrators. The product generates the required syntax for RACF commands (based on the input from the window). Generating RACF commands automatically reduces errors that could lead to security exposures or system downtime. zSecure Admin can help automate recurring work during RACF administration, freeing advanced administrators to focus on higher-value tasks.
IBM Tivoli zSecure Visual, a Microsoft® Windows®-based graphical user interface (GUI) for RACF administration, allows RACF administration tasks to be delegated to junior security administrators. zSecure Visual communicates with a server running under z/OS UNIX® to perform the native RACF commands. This insulates the zSecure Visual administrator from the complexities of native RACF and TSO/ISPF.
The requirement to encrypt data at rest is fundamental to many regulatory compliance initiatives. Encryption is the process whereby clear text data is transformed into cybertext. This transformation uses a mathematical formula, known as an encryption algorithm, in conjunction with a data encrypting key to create the cybertext. There are two basic encryption algorithms that are generally accepted as secure today: Triple Data Encryption Standard (TDES) and Advanced Encryption Standard (AES). Keys are hexadecimal strings of randomly generated characters, varying in length from 128 to 512 bits. In general, the longer the key, the more secure the encryption implementation.
Contrasted with encryption, data obfuscation is the process whereby sensitive data is transformed to generate a new data value, which has the same general characteristics of the original value, but which represents a fictional data value. In general, the obfuscation is performed in such a manner that the original value, through causal reverse engineering, cannot be derived.
While data at rest is the primary concern here, there should be no disagreement that a robust encryption implementation needs to include techniques to encrypt critical information throughout its life cycle. This includes the requirement to encrypt data that flows into and out of the enterprise through network connections, including data that is shared with external business partners.
Capabilities inherent in the z/OS operating system, such as the z/OS Communications Server, can help protect network resources. The z/OS Communications Server works with DB2 and IMS for z/OS and uses well-designed implementations that allow organizations to take advantage of different types of network-based encryption such as:
- Secure Sockets Layer (SSL), which is a communications protocol that provides secure communications over an open communications network.
- Internet Protocol Security (IPSec), which is intended to protect traffic between two TCP/IP stacks transparently to the applications.
- Application Transparent Transport Layer Security (AT-TLS), which is intended to protect traffic between specific client and server applications, and between the TCP/IP stacks to which these applications are bound.
There are many ways to encrypt data in DB2 and IMS. The questions, What do you want to protect and from whom? and How much effort can be used? are asked to determine which technique to use and where to encrypt and decrypt.
The choice of encryption technique does mean some trade-offs in function, usability and performance. Organizations using DB2 for z/OS V8 and later can elect to implement encryption via the DB2 built-in function. It does, however, have some problematic characteristics that may impact the flexibility needed for a robust enterprise solution.
For IMS, there is no DBMS implementation of encryption, so there is a need to consider other mechanisms for encrypting data.
Integrated Cryptographic Service Facility (ICSF) is a component of z/OS that is designed to transparently use the available cryptographic functions, whether CP Assist for Cryptographic Function (CPACF) or Crypto Express2, to address the data encryption requirements of z/OS applications and subsystems.
ICSF supports the AES and TDES algorithms for data privacy. TDES (Triple Data Encryption Standard) was originally published in 1999 and is still a well-adopted industry standard. AES (Advanced Encryption Standard) was announced by the National Institute of Standards and Technology in 2001 and became effective as a Federal government standard in 2002. AES is the first publicly accessible and open cipher approved by the NSA for top-secret information. This updated algorithm provides stronger encryption and is the recommended algorithm for "data-at-rest"requirements. Key lengths of 128, 192 and 256 bits are supported, depending on the class of System z processor used. Keys generated with ICSF services are used by the IBM Data Encryption for IMS and DB2 Databases tool.
The cryptographic hardware (also known as the coprocessor) available to IBM Data Encryption for IMS and DB2 Databases depends on processor or server model. z/OS ICSF supports the Crypto Express3 Feature that is available on IBM System z10® Enterprise Class and IBM System z10 Business Class processors. For IBM System z9® and z10® processors, the Crypto Express2 feature is also available.
ICSF provides a secure environment for key generation, storage and use, and is preferred over application-based key management as implemented in encryption approaches such as the DB2 V8 built-in function.
IBM Data Encryption for IMS and DB2 Databases provides a data encryption function for both IMS and DB2 for z/OS databases in a single product. It enables protection of sensitive data for IMS at the segment level and for DB2 at the table level.
IBM Data Encryption for IMS and DB2 Databases is implemented using standard IMS exits and DB2 EDITPROCs. The exit or EDITPROC code invokes the System z Crypto hardware to encrypt data for storage and decrypt data for application use, thereby protecting sensitive data residing on various storage media. System z hardware has provided improving support for the encryption instructions and features, thereby decreasing the performance overhead of encryption.
For both IMS and DB2, the routines that are generated by IBM Data Encryption for IMS and DB2 Databases are transparent to the application programs that access the databases, thus requiring no application changes to implement. This tool can save the time and effort required to write and maintain encryption software for use with such exits or within applications.
Implementing the generated exit is simple. Once implemented, based on the type of SQL or IMS statement, the exit will be driven by the DBMS at the appropriate point, and encryption or decryption occurs as needed.
With encrypted tables, standard recovery assets including the DB2 recovery log and DB2 image copy data sets are also encrypted. The recovery log record is encrypted by virtue of the log image reflecting the row after the EDITPROC is driven. The DB2 image copy data set is encrypted due to the nature of the image copy utility being a page-level operation. With an IMS implementation, the image copy data sets are also encrypted. This is important for organizations that ship recovery assets to off-site storage facilities; in the event that data in transit is lost or stolen, there is no exposure, as the data being encrypted is protected from unauthorized usage.
The cost of implementing security measures is far cheaper than fixing a breach after it occurs - not to mention the bad publicity and potential effect on an organization's stock price and reputation. The financial penalties and losses surrounding data breaches are never truly realized until many years after the event. Frankly, there is no longer any excuse for security-related failures. IBM Information Management information protection solutions for z/OS offer comprehensive end-to-end capabilities to help manage business risk and reduce the threat of data breaches and security exposures- wherever your data is, whoever is using it, whenever it is being used. IBM can help you find ways to take back control and be S.A.F.E.R.
Join us in part 2 the next arcticle in the series focused on Auditing and Compliance
- Learn how IBM Information Management information protection solutions for z/OS can help you reduce the threat of data breaches and
- "IMS at 40: Stronger than
Ever", IBM Database, October 2008.
- "A Board Culture of Corporate Governance", Corporate Governance International Journal, Vol 6, Issue 3, July 2003.
- Learn more about the IBM System z cryptographic function.
- Stay current with developerWorks technical events
and webcasts focused on a variety of IBM products and IT industry
- Attend a free developerWorks Live!
briefing to get up-to-speed quickly on IBM products and tools as
well as IT industry trends.
- Follow developerWorks on
- Watch developerWorks on-demand demos
ranging from product installation and setup demos for beginners, to
advanced functionality for experienced developers.
Get products and technologies
Evaluate IBM products in the
way that suits you best: Download a product trial, try a product online,
use a product in a cloud environment, or spend a few hours in the SOA Sandbox learning how to
implement Service Oriented Architecture efficiently.
- Get involved in the My developerWorks community.
Connect with other developerWorks users while exploring the
developer-driven blogs, forums, groups, and wikis.
Mark Simmonds is a senior product marketing manager within the IBM Software Group Information Management division focused on Data Governance, Master Data Management and SOA for the System z® portfolio. He has 15 years IBM service. He previously spent 10 years in WebSphere® Product Marketing. He has his feet firmly on the ground having spent three years as an IBM systems architect responsible for infrastructure design and corporate technical architecture with large financial institutions. He has a number of author recognition awards, having written articles for technical journals and business magazines.
Ernie is an Executive IT Specialist and is a founding member of IBM’s z/Series Database Tools team, a team which assists customers in evaluating and implementing IBM's database tools for DB2. Ernie specializes in Data Governance and Security on DB2 and IMS on System z. He has a specific focus on Auditing, Data Privacy, and Data Encryption technology. Prior to joining IBM in 1999, Ernie worked as a DB2 and CICS Systems Programmer and has over 35 years of IT experience in many different capacities and in a variety of different industries.
Ernie is a Certified DB2 for z/OS V9 Database Administrator, and has presented at IDUG, the DB2 Information-On-Demand Conference, SHARE, and at local DB2 user groups throughout the Americas. Ernie has co-authored three IBM Redbooks, "A Deep Blue View of DB2 Performance – IBM Tivoli OMEGAMON for DB2 Performance Expert on z/OS", "Keeping Your Data in its Place with DB2 Data Archive Expert", and "Securing and Auditing Data on DB2 for z/OS". In his spare time, Ernie is an avid saltwater fly fisherman.