Tony Pearson is an active participant in local, regional, and industry-specific interests, and does not receive any special payments to mention them on this blog.
Tony Pearson receives part of the revenue proceeds from sales of books he has authored listed in the side panel.
Tony Pearson is not a medical doctor, and this blog does not reference any IBM product or service that is intended for use in the diagnosis, treatment, cure, prevention or monitoring of a disease or medical condition, unless otherwise specified on individual posts.
IBM #InterConnect - Day 3 afternoon break-out sessions
This week, I am attending the [InterConnect Conference] in Las Vegas, Feb 21-25, 2016. This is IBM's premier Cloud & Mobile conference for the year.
Here is my recap of the sessions Wednesday afternoon.
1013A Trends in Encryption of Data at Rest: On-Premise and in the Cloud
Rick Robinson and Walid Rjaibi, both from IBM, co-presented. As data is stored seamlessly across on-premise, mobile, and cloud platforms, it has to be protected wherever it resides. That means encryption, and encryption in turn means centralized key management.
How has industry adopted encryption, especially in the cloud? What applications have adopted centralized key management in the cloud? What are the standards?
There are two types of encryption: Symmetric and Asymmetric. Symmetric algorithms like AES or 3DES use the same key for both encryption and decryption. They are faster and designed for large amounts of data, but the Symmetric key must be kept private and secure.
Asymmetric algorithms like RSA, ECC and Diffie-Hellman use two keys: a public key for encryption and a private key for decryption. They are slower and intended for smaller amounts of data. However, you can freely share the public key with anyone, publish it on your website or print it on your business cards, because it cannot be used to decrypt any data!
Don't let the size of the key fool you. AES 256-bit has more security strength than RSA-2048 or ECC-384.
Initial implementations used Electronic Codebook (ECB) mode, which uses just the information in the block of data, so two identical plain-text blocks are encrypted to identical encrypted blocks. Good for deduplication, but bad for security, as hackers love to find patterns.
To solve this, Cipher Block Chaining (CBC) mixes the previous encrypted block into the current one to randomize the data, so that even identical plain-text blocks are encrypted to different results. This is like making sourdough bread: a piece of yesterday's dough is saved and used to leaven today's loaf. To get the sequence started, you need an "Initialization Vector" (IV), which is either randomly generated or a "nonce" (short for a number used only once).
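As an added illustration (my own code, not from the talk or this post), this Go program uses the standard library's AES to encrypt two identical plaintext blocks in ECB and in CBC with a random IV, so the pattern leak described above can be seen directly; the key and plaintext are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// encryptECB encrypts each block independently (ECB): equal plaintext blocks give equal ciphertext blocks.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext not block aligned")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// encryptCBC chains blocks (CBC) via the standard library; the IV is a parameter so a fixed IV can be compared with a random one. Plaintext must be block aligned.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// sameBlock reports whether ciphertext blocks i and j are identical.
func sameBlock(ct []byte, i, j int) bool {
	return bytes.Equal(ct[i*aes.BlockSize:(i+1)*aes.BlockSize], ct[j*aes.BlockSize:(j+1)*aes.BlockSize])
}
func main() {
	key := bytes.Repeat([]byte{0x42}, 32)             // constructed AES-256 key
	pt := bytes.Repeat([]byte("same 16-byte blk"), 2) // two identical plaintext blocks
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv) // random IV, as the talk recommends
	ecb, _ := encryptECB(key, pt)
	cbc, _ := encryptCBC(key, iv, pt)
	fmt.Println("ECB repeats:", sameBlock(ecb, 0, 1), "CBC repeats:", sameBlock(cbc, 0, 1))
}
```

Passing an all-zero IV instead of a random one makes the first CBC ciphertext block identical to the ECB block, which is exactly why the IV must be random or a nonce.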
For handshake sessions, the TLS protocol generates a Symmetric key that both the sender and recipient will use for bulk data transfer. Then, the sender uses the receiver's public key to send the Symmetric key to the receiver. The receiver uses the sender's public key to acknowledge. Once the handshake is complete, both sender and receiver use the shared Symmetric key to transfer the rest of the data.
This notion of wrapping the Symmetric key with an Asymmetric key is also used on tape and disk. The Symmetric key is often randomly assigned per disk drive or tape cartridge, and the Asymmetric key is referred to as the Key-Encrypting-Key (KEK) or "Master Key".
(The best way to explain this is a Real Estate agent that shows different houses to prospective buyers. Rather than having the agent carry 50 different house keys, she carries a single "master key". At each house, there is a locked box hanging on the door knob that can be opened with the master key, and inside this box is the key that opens that particular house.)
The other challenge to encryption is managing the keys. If you lose the key, you lose access to the data. If the keys are divulged to the wrong parties, you may need to re-encrypt your data to avoid inadvertent exposure. Master keys can be rotated every 90 days, just like passwords.
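Worked example, added here and not from the session, of the Key-Encrypting-Key wrapping described for disk and tape and of master-key rotation: a per-drive Symmetric key (DEK) is wrapped under an RSA master key with OAEP, and rotating the master key re-wraps the DEK without touching the data it protects. The KEK type, the OAEP label "dek" and the 2048-bit key size are my assumptions.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KEK is the asymmetric master key: the public half wraps a drive's DEK, the private half (kept in the key manager or HSM) unwraps it.
type KEK struct{ priv *rsa.PrivateKey }
func newKEK() (*KEK, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KEK{priv: k}, nil
}

// wrap encrypts a per-drive DEK under the KEK with RSA-OAEP; "dek" is a constructed label.
func (k *KEK) wrap(dek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &k.priv.PublicKey, dek, []byte("dek"))
}

// unwrap recovers the DEK; it fails if wrapped was made under a different KEK.
func (k *KEK) unwrap(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, k.priv, wrapped, []byte("dek"))
}

// rotate re-wraps a DEK from the old KEK under the next one. The DEK is unchanged,
// so the data it protects on disk or tape does not have to be re-encrypted.
func rotate(old, next *KEK, wrapped []byte) ([]byte, error) {
	dek, err := old.unwrap(wrapped)
	if err != nil {
		return nil, err
	}
	return next.wrap(dek)
}

func main() {
	old, _ := newKEK()
	next, _ := newKEK()
	dek := make([]byte, 32)
	rand.Read(dek) // random 256-bit DEK for one drive
	w1, _ := old.wrap(dek)
	w2, _ := rotate(old, next, w1)
	got, err := next.unwrap(w2)
	fmt.Println("DEK survives rotation:", err == nil && bytes.Equal(got, dek))
}
```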
Where do you store your keys? There are several options:
Public Key Cryptography Standard (PKCS) #12 -- defines a method to store keys in a password-protected file, such as on a USB thumb drive. IBM GSKit is available to assist with this.
Enterprise Key Manager (EKM) refers to a set of software packages that manage and distribute encryption keys. IBM Security Key Lifecycle Manager (SKLM), Safenet KeySecure, and Thales EKM are three popular examples.
Hardware Security Module (HSM) is hardware designed to securely store keys. IBM z13 Crypto and Safenet Luna are two examples.
Cloud-KMS are key management systems for Cloud providers. IBM Key Protect, Amazon Web Services KMS, and Microsoft Azure Key Vault are three examples.
In a survey done by Thales, the statistics are scary: only 36 percent of companies have a consistent encryption policy. Nearly half (49 percent) of companies use encryption, but inconsistently across their organization. The remaining 15 percent have no encryption strategy whatsoever.
Here is what IBM offers for zSystems, as well as Linux, UNIX and Windows (collectively referred to as LUW):
For zSystems data-at-rest
For z and LUW data-at-rest
Enterprise Key Management Foundation (EKMF)
IBM Security Key Lifecycle Manager (SKLM)
Guardium Data Encryption (GDE)
IBM Key Protect (backed by a Safenet Luna HSM)
3318A System of Systems Transformation at the Boeing Company
Thomas Kelley and Mahendra Velchuru, both from Boeing, co-presented. The Boeing Company celebrates its 100th year in business in 2016. Over that time it has traced the history of computing systems within the industry and has used IBM as a strategic partner for many decades.
Boeing found itself with a large inventory of computing systems and technologies that are required to support its business and drive innovation. As it begins its second century, it is launching several critical systems modernizations and technology initiatives in order to maintain its role as the world's leading aerospace provider.
(While other rooms at this conference packed 80 people in a room with only 50 chairs, this session was scheduled in a room that could hold two Boeing 747 airplanes and hundreds of chairs.)
Over the years, Boeing transitioned from Remote Procedure Call (RPC), to Common Object Request Broker Architecture (CORBA), to Integration Brokers, to an Enterprise Service Bus (ESB) and Service Oriented Architecture (SOA).
(At this point, I could have gotten up and left the room, as obviously the "Systems" referred to in the title were not referring to IBM Systems, like server, network or storage systems, as I had anticipated. However, I decided to stay and learn more.)
Boeing explained their "Six Pillars" of SOA transformation: starting with a Maturity Assessment of where they were, then a four-year transformation roadmap, a Bi-Modal SOA method, and the right level of SOA Governance to keep it running correctly.
2154A Expert Panel on Hybrid Cloud Data Protection: Who Is the Service Provider?
David "Greg" Van Hise, IBM, served as emcee for this expert panel. Experts on our panel perform over five million backups per month. Who better to ask about what's new in cloud data protection? The experts were:
Richard Spurlock, Cobalt Iron -- which provides Cloud Backup for Business Data Protection
Thomas Bak, Front-safe A/S -- a third party that provides Backup-as-a-Service using IBM Spectrum Protect
Daniel Witteveen, IBM Resiliency Services for Cloud Managed Backup -- Formerly known as SmartCloud Managed Backup (SCMB), this is IBM's version of Backup-as-a-Service, also using IBM Spectrum Protect
This session was for people interested in enhancing their own backup capability or in understanding how cloud providers can provide data protection services. The panel offered new insights on how hybrid solutions can help you take advantage of the cloud without losing sight of your data. IBM Spectrum Protect can help you keep pace with the flexibility, improved service levels and low cost available from cloud backup providers.
The evening wrapped up with a 2-hour long concert by Sir Elton John! There were 23,000 attendees at this conference, but the MGM Grand Garden Arena only holds 16,800 people, so the rest were directed to MGM's Hakkasan Night Club. Next to my hotel at the Monte Carlo, they are constructing a new "Las Vegas Arena" that will hold 20,000 people for events such as these.