Security on the MQ Appliance just got even better.
Securing your business is just good business sense. We lock our doors to protect our homes and belongings, but what about protecting data? Businesses have the responsibility to protect the data that flows through them — not only to protect themselves but also to protect and serve their customers.
Cybersecurity is a pervasive theme and one of business owners’ top concerns. We’ve all heard of companies that have been victims of ransomware or lost data. Their names have been dragged through the mud, confidence lost and fines issued. Not all survive, and those that do can incur great damage.
And, of course, that is just the external threat. A disgruntled employee can also be a danger if they abuse their access. They can take a company down from the inside and make a tidy profit for themselves at the same time.
Building end-to-end security into your infrastructure
That is why security is a key part of planning your infrastructure. Data must be protected when it is on the move and also when it is at rest. Many vendors claim end-to-end security/encryption, but this all varies in meaning when you look at the details. Most offer protection ‘on the wire’ using TLS. This is useful for securing against the external threat. Authentication and authorization help to ensure that only those with the correct permissions can access data. All variants of IBM MQ have these features as standard, but there is an additional capability that sets IBM MQ apart from other options on the market.
Protecting data at rest
When vendors claim protection of data at rest, they could mean a variety of implementations. When IBM MQ uses that phrasing, it typically refers to Advanced Message Security (AMS), which encrypts at the message-level. To view the message, the receiving application must use the correct key. Without it, the message remains encrypted. This approach is included in most implementations of IBM MQ — including the IBM MQ Appliance — and also covers file data moving over the MQ network.
However, when most vendors claim at-rest protection, they refer to encryption of the disk, which is great, as long as nobody gets disk access. If they do, the messages are unencrypted and available for exploitation.
MQ Appliance enhanced encryption
That said, the nature of the MQ Appliance means that disk encryption is valuable, and when paired with message-level encryption, it is even more secure. The requirement for disk encryption appears on many implementation checklists, and because appliances are physical hardware, there persists a concern about disks that could be removed or still contain data at the end of the appliance’s life. The MQ Appliance has always had the message-level encryption from AMS, but now it offers an additional level of security to satisfy businesses with those concerns.
We listened to our customers and added another level of protection in addition to what TLS and AMS already provide. As part of the MQ 9.2.5 firmware level, disk encryption is available through the encryption of individual queue managers. Encrypting at this level — rather that at the appliance level — provides the flexibility to select which queue managers are encrypted, rather than automatically applying encryption to everything at the same time. This can help if you wish to encrypt individual queue managers as part of a gradual migration or if you wish to only encrypt those with sensitive data. The data that is mirrored to a paired HA/DR appliance is encrypted on the active appliance before transfer, meaning that that it does not need to be encrypted a second time on the standby appliance. Moreover, because the data is protected before transfer that means that protection is now provided between HA/DR appliances.
Update your MQ Appliance firmware today, and tell us what you think.