April 6, 2022 By Naomi Scott

Security on the MQ Appliance just got even better.

Securing your business is just good business sense. We lock our doors to protect our homes and belongings, but what about protecting data? Businesses have the responsibility to protect the data that flows through them — not only to protect themselves but also to protect and serve their customers.

Cybersecurity is a pervasive theme and one of business owners’ top concerns. We’ve all heard of companies that have been victims of ransomware or lost data. Their names have been dragged through the mud, confidence lost and fines issued. Not all survive, and those that do can incur great damage.

And, of course, that is just the external threat. A disgruntled employee can also be a danger if they abuse their access. They can take a company down from the inside and make a tidy profit for themselves at the same time.

Building end-to-end security into your infrastructure

That is why security is a key part of planning your infrastructure. Data must be protected when it is on the move and also when it is at rest. Many vendors claim end-to-end security or encryption, but what that means varies when you look at the details. Most offer protection ‘on the wire’ using TLS. This is useful for securing against the external threat. Authentication and authorization help to ensure that only those with the correct permissions can access data. All variants of IBM MQ have these features as standard, but there is an additional capability that sets IBM MQ apart from other options on the market.

Protecting data at rest

When vendors claim protection of data at rest, they could mean a variety of implementations. When IBM MQ uses that phrasing, it typically refers to Advanced Message Security (AMS), which encrypts at the message level. To view the message, the receiving application must use the correct key. Without it, the message remains encrypted. This approach is included in most implementations of IBM MQ — including the IBM MQ Appliance — and also covers file data moving over the MQ network.

However, when most vendors claim at-rest protection, they refer to encryption of the disk, which is great, as long as nobody gets disk access. If they do, the messages are unencrypted and available for exploitation.

MQ Appliance enhanced encryption

That said, the nature of the MQ Appliance means that disk encryption is valuable, and when paired with message-level encryption, it is even more secure. The requirement for disk encryption appears on many implementation checklists, and because appliances are physical hardware, a concern persists about disks that could be removed or that still contain data at the end of the appliance’s life. The MQ Appliance has always had the message-level encryption from AMS, but now it offers an additional level of security to satisfy businesses with those concerns.

We listened to our customers and added another level of protection in addition to what TLS and AMS already provide. As part of the MQ 9.2.5 firmware level, disk encryption is available through the encryption of individual queue managers. Encrypting at this level — rather than at the appliance level — provides the flexibility to select which queue managers are encrypted, rather than automatically applying encryption to everything at the same time. This can help if you wish to encrypt individual queue managers as part of a gradual migration or if you wish to encrypt only those with sensitive data. The data that is mirrored to a paired HA/DR appliance is encrypted on the active appliance before transfer, meaning that it does not need to be encrypted a second time on the standby appliance. Moreover, because the data is protected before transfer, protection is now provided between HA/DR appliances.

Update your MQ Appliance firmware today, and tell us what you think.
