Countdown to CCPA:
Is Your IBM i Secure and Compliant?
Becky Hjellming
Sr. Director, Product Marketing, Syncsort
Patrick Townsend
President & CEO, Townsend Security
Housekeeping
Webcast Audio
• Today’s webcast audio is streamed through your
computer speakers.
• If you need technical assistance with the web interface
or audio,
please reach out to us using the chat window.
Questions Welcome
• Submit your questions at any time during the
presentation
using the chat window.
• We will answer them during our Q&A session following
the presentation.
Recording and slides
• This webcast is being recorded. You will receive an
email following the webcast with a link to download
both the recording and the slides.
Patrick Townsend
Townsend Security
Becky Hjellming
Syncsort
Today’s Topics
1 Introduction to CCPA
2 Breach penalties under CCPA
3 Using encryption to prevent consumer data exposure
4 Hardening systems to prevent breach
5 How Syncsort can help
6 More resources
This presentation and related materials are provided for
informational purposes only, and are not intended to provide,
and should not be relied on for, legal advice pertaining to
regulatory compliance.
If you have specific questions on how this may affect your
organization, consult your legal advisor.
Disclaimer
An Overview of CCPA
What is CCPA?
The California Consumer Privacy Act gives California residents
numerous data privacy rights while penalizing organizations
that are in violation.
The law covers a much broader set of information than
any other regulation, including GDPR.
Legislation: California AB 375
Origins: Drafted and signed in just a few days to avoid ballot vote
on consumer-driven privacy initiative
Date passed: June 2018
Effective date: January 1, 2020
Clarification: Additional guidance promised in Fall 2019
New clarifying law by June 2020
The CCPA Timeline
You can read CCPA at
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
Organizations are required to comply with CCPA if they collect data on
residents of California and meet one or more of the following criteria:
1. Annual revenue > $25 million
2. Collect or purchase information on 50,000+ people
3. 50% of annual revenue comes from selling/sharing personal information
Thousands of global organizations are affected by CCPA
• Regardless of whether the organization is located in California
• Both public and private organizations are subject to CCPA
• For organizations also subject to other regulations, CCPA has additional
regulations not covered in those laws
Who Must Comply with CCPA?
Core rights given to consumers by the CCPA include:
• The right to know what information is being collected
• The right to opt in to data sharing before information is collected
• The right to opt out of the sharing of personal information
• The right to know how personal information is being used
• The right to receive a copy of personal information
• The right to delete personal information – and data shared with 3rd parties
• The right to not be discriminated against after exercising privacy rights
• And more
CCPA also puts pressure on organizations to protect personal data from being
exposed via a data breach
Rights Granted to Consumers
CCPA broadly defines personal information – extending beyond the definition in GDPR and other regulations
Scope of Personal Information
• Personal & commercial
behavior
• Protected class information
• Biometric information
• Property records
• Consumer histories – products
and services purchased
• Internet browsing history
• Internet search history
• Geolocation data
• Professional or employment
information
• Education information that is not
publicly available
• Inferences drawn from any of the
information above to create a
profile of the consumer’s
preferences, psychological trends,
behavior, attitudes,
abilities, aptitudes and more
• Name
• Alias
• Postal address
• IP address
• Email address
• Social security number
• Driver’s license number
• Passport number
Data collected since January 1, 2019, is covered by the law
Penalties can be imposed by the Attorney General of the State of California
• Fines per breached record
• $2500 per record lost or in non-compliance
• $7500 per record for an “intentional” violation
Ignoring a warning letter from the AG qualifies as intentional
Penalties enabled through consumer litigation
• Under CCPA, consumers have the right to bring a class action suit against
a company that loses UNENCRYPTED data
• Fully meeting CCPA requirements and encrypting data is the path to
limiting exposure
CCPA does not provide a maximum amount that can result from the
imposition of penalties
CCPA Penalties
• CCPA more broadly defines “person” to include data on either a
consumer or household
• CCPA defines a broader range of covered data – even inferred data
• CCPA allows for private class action suits for data breaches that
compromise unencrypted data – in addition to fines from the California
Attorney General
• CCPA does not state a maximum penalty
GDPR Compliance Is Not
Enough for CCPA
1. Identify and document all sensitive information that you collect or
derive from interpretations of the data.
2. Identify and document all of the third parties with whom you share
information and what you share.
3. Ensure you meet the explicit requirements of the CCPA, such as
updating your privacy statement per the CCPA requirements.
4. Institute processes for handling consumer privacy requests.
5. Revise agreements with 3rd party service providers to bind them
to the new CCPA regulations.
6. Encrypt the data and use good encryption key management. Your
only safe-harbor from litigation in the event of a data loss is
encryption.
The time to get started is right now.
CCPA Compliance
Recommendations
Preventing Data Exposure
CCPA gives consumers the right to sue if their personal information is
disclosed and that data wasn’t encrypted or otherwise made unreadable.
In addition to encryption, CCPA mentions “redaction” or “deidentification”
of shared data.
To protect yourself from the penalties of non-compliance and potential
legal actions in the event of a breach, you must:
1. Obscure protected data so that it is unreadable should a breach occur
2. Deidentify data prior to sharing it
3. Implement technologies and processes that will prevent a breach
Protecting Data from Breach
• Encryption transforms readable information into an unreadable
format (or “ciphertext”)
• Encryption is based on proven, well-known algorithms – common
algorithms include AES, RSA, Triple DES and others
• The best encryption algorithms are open, vetted, and continuously
scrutinized – with regular attempts made to break them
• The best encryption solutions are independently certified to validate
compliance with standards (e.g. NIST)
• Algorithms rely on secret “keys” for encrypting/decrypting data
Encryption algorithms are never secret,
but encryption keys must be kept secret
Obscuring Data with Encryption
Field Procedures (FieldProc)
• Based on exit point technology
• Available beginning with IBM i V7R1
• FieldProc calls an encryption algorithm and the algorithm uses the key to
encrypt/decrypt the data
Few (if any!) application changes are required
• Most applications will run without changes
• There are a few caveats that may require minor application modifications
No database changes required with FieldProc
• No field type or size changes
• No problems with Zoned and Packed data
IBM i Field Encryption Is
Simple with Field Procedures
Encryption Key Management
Is Critical
• Hackers don’t break encryption algorithms – they find the keys
• Encryption keys are secret and must be protected since the
algorithms are public
• Compliance regulations (PCI, HIPAA, GLBA/FFIEC, and others)
require proper key management
• There are industry standards and best practices for key
management (FIPS 140-2)
Encrypting IBM i Data
with Assure Security
Assure Encryption
Complete protection for data at rest
• IBM i FieldProc exit point software for encryption
• High performance encryption libraries
• Built-in masking of decrypted data based on user or group
• Provides key management with a local key store
• Includes extensive data tokenization capabilities
The only NIST-certified
AES encryption solution for IBM i
Assure Encryption
Easy to manage and monitor data access
• Easy-to-use management interface
• User access controlled by policy with Group Profile support
• Built-in data access auditing
Assure Encryption
Integrates with other applications and key managers
• Encryption commands for Save Files, IFS, and much more
• Extensive encryption APIs for RPG and COBOL
• Built to integrate with Townsend Security’s Alliance Key
Manager for off-partition key management
• Integrates with any OASIS KMIP-compliant key manager
Alliance Key Manager
Flexible
• Works with all major business
and cloud platforms
• Integrates with all leading
encryption applications
• Multiple deployment options
including a VMware VM,
Hardware Security Module
(HSM), or cloud module (AWS,
Microsoft Azure)
Compliant
• FIPS 140-2 compliant – the US
standard for approving
cryptographic solutions with
both hardware and software
components
• OASIS KMIP (Key Management
Interoperability Protocol)
compliant
• Certified for PCI-DSS version 3
by Coalfire, a certified QSA
auditor
Easy and Cost Effective
• Affordable for any size
Enterprise
• No additional client-side license
or usage fees
• Ready-to-use client software
speeds deployment and reduces
IT costs
Assure Encryption can also tokenize data
• Tokenization replaces sensitive data with substitute values or “tokens”
• Format-preserving tokens have the characteristics of the original data
• The same token can be used for every instance of the original data
• Tokens are stored in a database or “token vault”
• The relationship between the original value and token is maintained
by the vault
• The vault can (and should) be encrypted to secure the original data
• When displayed in its original form, data is masked based on user privilege
• Adheres to PCI DSS standards
Tokenization
with Assure Encryption
Assure Encryption’s tokenization also anonymizes data
• When tokens generated by Assure Encryption’s tokenization capabilities
are not stored in a token vault, they are non-recoverable and the sensitive
data is permanently replaced
• This is also referred to as anonymization/deidentification/redaction
• A variety of anonymization methods can be used (e.g. scrambling)
• NOT a solution for use on a production server since tokens are
unrecoverable, but it is ideal for data shared with a 3rd party
Anonymization
with Assure Encryption
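The two slides above describe vaulted tokenization (format-preserving tokens, one token per original value, masked display for unprivileged users) and vault-less anonymization (the same substitution with nothing recorded). The following is an added, constructed example of both behaviours in Python; the names `TokenVault`, `mask`, `anonymize` and the `payment_ops` role are hypothetical, and it is not Assure Encryption code. The in-memory dict stands in for a vault that a real deployment would persist encrypted.

```python
"""Constructed example: format-preserving token vault with privilege-based
masking, plus a vault-less irreversible mode (anonymization).
Names are hypothetical; this is not Assure Encryption code."""
import secrets
import string

DIGITS = string.digits
LETTERS = string.ascii_uppercase


def _format_preserving_substitute(value: str) -> str:
    """Random string with the same length and character classes as `value`:
    digits stay digits, letters stay letters (case kept), separators such as
    '-' stay in place, so downstream field-format checks still pass."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(secrets.choice(DIGITS))
        elif ch.isalpha():
            letter = secrets.choice(LETTERS)
            out.append(letter if ch.isupper() else letter.lower())
        else:
            out.append(ch)
    return "".join(out)


def mask(value: str, keep: int = 4) -> str:
    """Replace all but the last `keep` alphanumerics with '*', keeping separators."""
    out = []
    remaining = sum(ch.isalnum() for ch in value)
    for ch in value:
        if ch.isalnum():
            remaining -= 1
            out.append(ch if remaining < keep else "*")
        else:
            out.append(ch)
    return "".join(out)


class TokenVault:
    """In-memory token vault mapping original <-> token.
    A production vault persists this mapping under encryption and restricts
    who may read it; a dict is used here so the example runs stand-alone."""

    # Roles allowed to see the original value unmasked (hypothetical policy).
    PRIVILEGED_ROLES = {"payment_ops"}

    def __init__(self) -> None:
        self._by_value: dict = {}
        self._by_token: dict = {}

    def tokenize(self, value: str) -> str:
        """Return the token for `value`, reusing an existing one so the same
        original always yields the same token (joins and lookups keep working)."""
        token = self._by_value.get(value)
        if token is not None:
            return token
        for _ in range(1000):
            token = _format_preserving_substitute(value)
            # Reject a collision with an existing token or with the value itself.
            if token != value and token not in self._by_token:
                break
        else:
            raise RuntimeError("token space exhausted for this format")
        self._by_value[value] = token
        self._by_token[token] = value
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Recover the original for a vaulted token. Unprivileged roles get
        only a masked view, mirroring per-user masking of decrypted data."""
        original = self._by_token[token]  # KeyError if the token was never vaulted
        if role in self.PRIVILEGED_ROLES:
            return original
        return mask(original)


def anonymize(value: str) -> str:
    """Vault-less mode: the substitute is recorded nowhere, so the original is
    permanently gone. Suitable for extracts shared with third parties, never
    for production data that must still be recoverable."""
    return _format_preserving_substitute(value)


if __name__ == "__main__":
    vault = TokenVault()
    ssn = "123-45-6789"  # constructed sample value, not a real SSN
    token = vault.tokenize(ssn)
    print("token:", token, "stable:", token == vault.tokenize(ssn))
    print("analyst sees:", vault.detokenize(token, "analyst"))
    print("payment_ops sees:", vault.detokenize(token, "payment_ops"))
    print("anonymized copy for a 3rd party:", anonymize(ssn))
```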
Adding Layers of Security
for Breach Prevention
Layers of Security
are required to
protect IBM i
systems and their
data from breach
[Diagram: concentric layers of security surrounding DATA: Physical Security, Network Security, IBM i OS Security, System Access Security, File and Field Security, Security Monitoring & Auditing]
Physical Security
Control access to computer
rooms and data centers,
ensure computing
equipment and peripherals
cannot be tampered with,
and secure end points.
Network Security
Implement intrusion
prevention and detection
technologies, group and
protect related resources
within network segments,
encrypt network traffic.
IBM i OS Security
Properly configure necessary
security settings within the
IBM i OS, keep the OS and
PTFs up to date, and closely
manage user profiles.
System Access Security
Keep unauthorized users off
your IBM i and maintain
tight control over what
authorized users are able to
do once logged in.
File and Field Security
Ensure sensitive data cannot
be seen by unauthorized
individuals, whether internal
or external.
Security Monitoring and
Auditing
Alert administrators and
security officers whenever
suspicious activity is
detected and log all security-
related events for the
purposes of tracing and
documentation
Each layer is
designed to catch
anything that
manages to break
through another.
Assure Security (product diagram)
• Assure Access Control: Assure Multi-Factor Authentication, Assure Elevated Authority Manager, Assure System Access Control
• Assure Data Privacy: Assure Encryption, Assure Secure File Transfer **
• Assure Compliance Monitoring: Assure Monitoring & Reporting *, Assure Db2 Data Monitor
• Assure Security Risk Assessment
Assure Core Distribution Services
* SIEM Add-On available
** PGP Add-On available
Choose the full product, choose a feature bundle, or select a specific capability
Assure Security
strengthens IBM i
security and assures
regulatory compliance
Assure Security Risk Assessment
• Security Risk Assessment Service: Let Syncsort’s security experts conduct a thorough risk assessment and provide a report with remediation guidance
• Security Risk Assessment Tool: Thoroughly check all aspects of IBM i security and obtain detailed reports and recommendations
Assure Access Control
• Assure Multi-Factor Authentication: Strengthen login security by requiring multiple forms of authentication
• Assure Elevated Authority Manager: Automatically elevate user authority as needed and on a limited basis
• Assure System Access Manager: Secure all points of entry into your system including network access, database access, command line access and more
Assure Data Privacy
• Assure Secure File Transfer: Securely transfer files across internal or external networks using encryption
• Assure Encryption’s Tokenization Feature: Remove sensitive data from a server by replacing it with substitute values that can be used to retrieve the original data
• Assure Encryption: Transform human-readable data into unreadable ciphertext using industry-certified encryption & key management solutions
Assure Compliance Monitoring
• SIEM Integration Add-On: Integrate IBM i security data with data from other platforms by transferring it to a Security Information and Event Management console
• Assure Monitoring and Reporting: Simplify analysis of IBM i journals to monitor for security incidents and generate reports and alerts
• Assure Db2 Data Monitor: Monitor for views of sensitive Db2 data and optionally block data from view
Assure Security delivers innovative capabilities that lead the
market in multiple facets of security:
✓ Comprehensive control of both legacy and modern IBM i system
access points
✓ NIST-certified encryption, including integration with FIPS-
compliant, off-platform key management from Townsend Security
✓ Powerful, flexible multi-factor authentication with RSA certification
✓ Unique and innovative new solution for monitoring views of highly
confidential data
✓ Ability to forward IBM i security data to leading SIEM solutions,
including QRadar certification
✓ Integration with Syncsort HA solutions via monitoring dashboard
and failover scripting
Assure Security Advantages
Supports Compliance with
• SOX
• GLBA
• GDPR
• HIPAA
• CCPA
• HITECH
• 23 NYCRR 500
• BASEL II/III
• PCI DSS
• and more
Additional CCPA Resources
Helpful Resources
Download our ebook to read more about CCPA
and IBM i security
Download Townsend Security’s podcast
on CCPA and how companies can better
protect consumer information
Data Quality and CCPA
Register now for other webinars in our CCPA-
preparedness series!
• As the most populous US state and the world’s 5th largest economy, it’s
not unusual for California to be at the forefront of tech-related legislation.
• With CCPA on the books, data privacy legislation is now pending in New
York, Massachusetts, and Rhode Island. Other states are likely to follow.
• Regardless of whether your organization needs to comply with CCPA or
not, one or more data privacy regulations are likely to come your way.
• The time to prepare is now.
• Encrypt your data with strong, standards-based encryption and key
management to protect against breaches, penalties and legal action.
• Harden security and redact data shared with third parties to meet
compliance requirements.
• We are here to help!
Recap
Countdown to CCPA: 48 Days Until Your IBM i Data Needs to Be Secured
Protects keys from theft and loss
• Stores keys separately from the encrypted data
• Restricts access to keys
• Backs up keys securely
• Supports regular key rotation
Supports best practices for key management
• Separation of duties between data manager and key manager
• Dual control of key management processes
• Split knowledge of complete key values
• Ensuring origin and quality of keys
• As with encryption, key manager certifications are available; e.g. Federal
Information Processing Standards (FIPS) 140-2
• KMIP-compliance ensures future compatibility with encryption solutions
Pair a Key Manager with your
Encryption Solution
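The key-management slides (both the earlier "Encryption Key Management Is Critical" slide and this one) list controls rather than a mechanism: keys stored apart from the data, access restricted, rotation by version, dual control and split knowledge of key values. As an added illustration, not code from the presenters or from Alliance Key Manager, the following constructed Python shows one way those controls fit together: a key exists only once every custodian enters an XOR component, older versions stay readable after rotation, and only listed identities may fetch a key. The `KeyStore` class and the `app-server` identity are hypothetical.

```python
"""Constructed example of the key-management controls from the slides:
split knowledge (XOR components held by different custodians), dual control
(a key is assembled only from several components), access restriction and
versioned rotation in a store that holds keys but never data.
Names are hypothetical; this is not Alliance Key Manager code."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Set


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int = 2) -> List[bytes]:
    """Split `key` into n components whose XOR is the key. Each custodian
    holds one; any n-1 of them are uniformly random and reveal nothing."""
    if n < 2:
        raise ValueError("split knowledge needs at least two custodians")
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for share in shares:
        last = xor_bytes(last, share)
    return shares + [last]


def combine_key(components: List[bytes]) -> bytes:
    """Reassemble the key; the full value exists only at this point."""
    key = bytes(len(components[0]))
    for component in components:
        key = xor_bytes(key, component)
    return key


@dataclass
class KeyStore:
    """Holds keys and metadata only, never the data they protect, so a copy
    of the encrypted data on its own is useless to whoever obtains it."""
    keys: Dict[int, bytes] = field(default_factory=dict)  # version -> key
    current: int = 0
    readers: Set[str] = field(default_factory=set)         # identities allowed to fetch keys

    def establish(self, components: List[bytes]) -> int:
        """Dual control: a key version is created only when at least two
        custodians have each contributed a component."""
        if len(components) < 2:
            raise ValueError("dual control requires at least two components")
        self.current += 1
        self.keys[self.current] = combine_key(components)
        return self.current

    def rotate(self) -> int:
        """Make a fresh current key. Older versions remain so data written
        under them can still be decrypted (re-encrypt, then retire them)."""
        self.current += 1
        self.keys[self.current] = secrets.token_bytes(32)
        return self.current

    def get(self, identity: str, version: int) -> bytes:
        """Restrict access: only registered identities may fetch a key."""
        if identity not in self.readers:
            raise PermissionError(f"{identity} may not access keys")
        return self.keys[version]


if __name__ == "__main__":
    master = secrets.token_bytes(32)          # constructed sample key
    custodian_a, custodian_b = split_key(master, 2)
    store = KeyStore(readers={"app-server"})
    v1 = store.establish([custodian_a, custodian_b])
    v2 = store.rotate()
    print("versions:", v1, v2, "v1 recovered:", store.get("app-server", v1) == master)
```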
  • 1. Countdown to CCPA: Is Your IBM i Secure and Compliant? Becky Hjellming Sr. Director, Product Marketing, Syncsort Patrick Townsend President & CEO, Townsend Security
  • 2. Housekeeping Webcast Audio • Today’s webcast audio is streamed through your computer speakers. • If you need technical assistance with the web interface or audio, please reach out to us using the chat window. Questions Welcome • Submit your questions at any time during the presentation using the chat window. • We will answer them during our Q&A session following the presentation. Recording and slides • This webcast is being recorded. You will receive an email following the webcast with a link to download both the recording and the slides. Patrick Townsend Townsend Security Becky Hjellming Syncsort
  • 3. Today’s Topics 1 Introduction to CCPA 2 Breach penalties under CCPA 3 Using encryption to prevent consumer data exposure 4 Hardening systems to prevent breach 5 How Syncsort can help 6 More resources
  • 4. “ ” This presentation and related materials are provided for informational purposes only, and are not intended to provide, and should not be relied on for, legal advice pertaining to regulatory compliance. If you have specific questions on how this may affect your organization, consult your legal advisor. Disclaimer
  • 6. What is CCPA? The California Consumer Privacy Act gives California residents numerous data privacy rights while penalizing organizations that are in violation. The law covers a much broader set of information than any other regulation, including GDPR.
  • 7. Legislation: California AB 375 Origins: Drafted and signed in just a few days to avoid ballot vote on consumer-driven privacy initiative Date passed: June 2018 Effective data: January 1, 2020 Clarification: Additional guidance promised in Fall 2019 New clarifying law by June 2020 The CCPA Timeline You can read CCPA at https://leginfo.legislature.ca.gov/faces/billTextCli ent.xhtml?bill_id=201720180AB375
  • 8. Organizations are required to comply with CCPA if they collect data on residents of California and meet one or more of the following criteria: 1. Annual revenue > $25 million 2. Collected or purchase information on 50,000+ people 3. 50% of annual revenue comes from selling/sharing personal information Thousands of global organizations are affected by CCPA • Regardless of whether the organization is located in California • Both public and private organizations are subject to CCPA • For organizations also subject to other regulations, CCPA has additional regulations not covered in those laws Who Must Comply with CCPA?
  • 9. Core rights given to consumers by the CCPA include: • The right to know what information is being collected • The right to opt-in to data sharing before information collected • The right to opt-out of the sharing personal information • The right to know how personal information is being used • The right to receive a copy of personal information • The right to delete personal information – and data shared with 3rd parties • The right to not be discriminated against after exercising privacy rights • And more CCPA also puts pressure on organizations to protect personal data from being exposed via a data breach Rights Granted to Consumers
  • 10. CCPA broadly defines personal information – extending beyond the definition in GDPR and other regulations Scope of Personal Information • Personal & commercial behavior • Protected class information • Biometric information • Property records • Consumer histories – products and services purchased • Internet browsing history • Internet search history • Geolocation data • Professional or employment information • Education information that is not publicly available • Inferences drawn from any of the information above to create a profile of the consumer’s preferences, psychological trends, preferences, behavior, attitudes, abilities, aptitudes and more • Name • Alias • Postal address • IP address • Email address • Social security number • Driver’s license number • Passport number Data collected since January 1, 2019, is covered by the law
  • 11. Penalties can be imposed by the Attorney General of the State of California • Fines per breached record • $2500 per record lost or in non-compliance • $7500 per record for an “intentional” violation Ignoring a warning letter from the AG qualifies as intentional Penalties enabled through consumer litigation • Under CCPA, consumers have the right to bring a class action suit against a company that loses UNENCRYPTED data • Fully meeting CCPA requirements and encrypting data is the path to limiting exposure CCPA does not provide a maximum amount that can result from the imposition of penalties CCPA Penalties
  • 12. • CCPA more broadly defines “person” to include data on either a consumer or household • CCPA defines a broader range of covered data – even inferred data • CCPA allows for private class action suits for data breaches that compromise unencrypted data – in addition to fines from the California Attorney General • CCPA does not state a maximum penalty GDPR Compliance Is Not Enough for CCPA
13. CCPA Compliance Recommendations
1. Identify and document all sensitive information that you collect or derive from interpretations of the data.
2. Identify and document all of the third parties with whom you share information and what you share.
3. Ensure you meet the explicit requirements of the CCPA, such as updating your privacy statement per the CCPA requirements.
4. Institute processes for handling consumer privacy requests.
5. Revise agreements with 3rd party service providers to bind them to the new CCPA regulations.
6. Encrypt the data and use good encryption key management. Your only safe harbor from litigation in the event of a data loss is encryption.
The time to get started is right now.
15. Protecting Data from Breach
CCPA gives consumers the right to sue if their personal information is disclosed and that data wasn’t encrypted or otherwise made unreadable. In addition to encryption, CCPA mentions “redaction” or “deidentification” of shared data.
To protect yourself from the penalties of non-compliance and potential legal actions in the event of a breach, you must:
1. Obscure protected data so that it is unreadable should a breach occur
2. Deidentify data prior to sharing it
3. Implement technologies and processes that will prevent a breach
16. Obscuring Data with Encryption
• Encryption transforms readable information into an unreadable format (or “ciphertext”)
• Encryption is based on proven, well-known algorithms; common algorithms include AES, RSA, Triple DES and others
• The best encryption algorithms are open, vetted, and continuously scrutinized, with regular attempts made to break them
• The best encryption solutions are independently certified to validate compliance with standards (e.g. NIST)
• Algorithms rely on secret “keys” for encrypting/decrypting data
Encryption algorithms are never secret, but encryption keys must be kept secret.
17. IBM i Field Encryption Is Simple with Field Procedures
Field Procedures (FieldProc)
• Based on exit point technology
• Available beginning with IBM i V7R1
• FieldProc calls an encryption algorithm and the algorithm uses the key to encrypt/decrypt the data
Few (if any!) application changes are required
• Most applications will run without changes
• There are a few caveats that may require minor application modifications
No database changes required with FieldProc
• No field type or size changes
• No problems with Zoned and Packed data
18. Encryption Key Management Is Critical
• Hackers don’t break encryption algorithms; they find the keys
• Encryption keys are secret and must be protected since the algorithms are public
• Compliance regulations (PCI, HIPAA, GLBA/FFIEC, and others) require proper key management
• There are industry standards and best practices for key management (FIPS 140-2)
19. Encrypting IBM i Data with Assure Security
20. Assure Encryption
Complete protection for data at rest
• IBM i FieldProc exit point software for encryption
• High performance encryption libraries
• Built-in masking of decrypted data based on user or group
• Provides key management with a local key store
• Includes extensive data tokenization capabilities
The only NIST-certified AES encryption solution for IBM i
21. Assure Encryption
Easy to manage and monitor data access
• Easy-to-use management interface
• User access controlled by policy with Group Profile support
• Built-in data access auditing
22. Assure Encryption
Integrates with other applications and key managers
• Encryption commands for Save Files, IFS, and much more
• Extensive encryption APIs for RPG and COBOL
• Built to integrate with Townsend Security’s Alliance Key Manager for off-partition key management
• Integrates with any OASIS KMIP-compliant key manager
23. Alliance Key Manager
Flexible
• Works with all major business and cloud platforms
• Integrates with all leading encryption applications
• Multiple deployment options including a VMware VM, Hardware Security Module (HSM), or cloud module (AWS, Microsoft Azure)
Compliant
• FIPS 140-2 compliant, the US standard for approving cryptographic solutions with both hardware and software components
• OASIS KMIP (Key Management Interoperability Protocol) compliant
• Certified for PCI-DSS version 3 by Coalfire, a certified QSA auditor
Easy and Cost Effective
• Affordable for any size Enterprise
• No additional client-side license or usage fees
• Ready-to-use client software speeds deployment and reduces IT costs
24. Tokenization with Assure Encryption
Assure Encryption can also tokenize data
• Tokenization replaces sensitive data with substitute values or “tokens”
• Format-preserving tokens have the characteristics of the original data
• The same token can be used for every instance of the original data
• Tokens are stored in a database or “token vault”
• The relationship between the original value and token is maintained by the vault
• The vault can (and should) be encrypted to secure the original data
• When displayed in its original form, data is masked based on user privilege
• Adheres to PCI DSS standards
25. Anonymization with Assure Encryption
Assure Encryption’s tokenization also anonymizes data
• When tokens generated by Assure Encryption’s tokenization capabilities are not stored in a token vault, they are non-recoverable and the sensitive data is permanently replaced
• This is also referred to as anonymization/deidentification/redaction
• A variety of anonymization methods can be used (e.g. scrambling)
• NOT a solution for use on a production server since tokens are unrecoverable, but it is ideal for data shared with a 3rd party
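The two modes described on slides 24 and 25, recoverable tokenization through a token vault and vault-less anonymization for data handed to a third party, can be illustrated in a few dozen lines. The following is an added example written for this page; it is not Assure Encryption’s code or Syncsort’s, and the class and function names (`TokenVault`, `anonymize`, `mask`), the card and SSN values and the secret are all constructed for the demonstration. The vault here is an in-memory dictionary; a real vault is a database and, as slide 24 says, should itself be encrypted.

```python
"""Recoverable tokenization with a token vault, vault-less anonymization, and
privilege-based masking. Constructed illustration of the slides' concepts,
not Assure Encryption's code."""
import hashlib
import hmac
import secrets
import string


def _shape_preserving(value: str, pick) -> str:
    """Substitute characters while keeping the shape of `value`: digits stay
    digits, letters stay letters (same case), and separators such as '-',
    ' ' or '@' are copied through. `pick(alphabet, i)` chooses the
    replacement character for position i."""
    out = []
    for i, ch in enumerate(value):
        if ch.isdigit():
            out.append(pick(string.digits, i))
        elif ch.isupper():
            out.append(pick(string.ascii_uppercase, i))
        elif ch.islower():
            out.append(pick(string.ascii_lowercase, i))
        else:
            out.append(ch)
    return "".join(out)


class TokenVault:
    """Recoverable tokenization: the only link between a token and the original
    value lives in the vault, so the vault is the asset to encrypt and lock down.
    Here it is an in-memory dict (constructed stand-in for a vault database)."""

    def __init__(self):
        self._by_value = {}
        self._by_token = {}

    def tokenize(self, value: str) -> str:
        """Return the token for `value`, creating a fresh random one the first
        time. Repeat calls return the same token, so joins keep working."""
        if not any(ch.isalnum() for ch in value):
            raise ValueError("nothing to tokenize")
        if value in self._by_value:
            return self._by_value[value]
        while True:  # random draw; retry on the rare clash with an existing token
            token = _shape_preserving(value, lambda alphabet, _i: secrets.choice(alphabet))
            if token != value and token not in self._by_token:
                break
        self._by_value[value] = token
        self._by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Recover the original; only code with vault access can do this."""
        return self._by_token[token]


def anonymize(value: str, secret: bytes) -> str:
    """Vault-less, non-recoverable replacement for data shared with a third
    party. Each character is chosen by a keyed one-way hash of the value and
    position: equal inputs give equal outputs (referential integrity is kept),
    but nothing is stored that maps a token back. Keep the secret with the
    data owner, never with the extract, and use a fresh one per extract."""
    def pick(alphabet, i):
        msg = value.encode() + b"\x00" + str(i).encode()
        h = hmac.new(secret, msg, hashlib.sha256).digest()
        return alphabet[int.from_bytes(h[:4], "big") % len(alphabet)]
    return _shape_preserving(value, pick)


def mask(value: str, privileged: bool, keep_last: int = 4) -> str:
    """Display rule for detokenized/decrypted data: privileged users see it in
    full, everyone else only the trailing characters (slide 24's masking)."""
    if privileged:
        return value
    if len(value) <= keep_last:
        return "*" * len(value)
    head, tail = value[:-keep_last], value[-keep_last:]
    return "".join("*" if ch.isalnum() else ch for ch in head) + tail


if __name__ == "__main__":
    vault = TokenVault()
    card = "4111-1111-1111-1111"  # constructed sample value
    tok = vault.tokenize(card)
    print("token:", tok, "recovered:", vault.detokenize(tok))
    print("anonymized:", anonymize("123-45-6789", b"constructed-extract-secret"))
    print("masked:", mask(card, privileged=False))
```

The vault path is what you run on the production server, because `detokenize` needs the vault; the `anonymize` path is the one for a third-party extract, because even the party holding the secret has no table to reverse it (the keyed hash is deterministic, so the secret must not be shared with the recipient).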
26. Adding Layers of Security for Breach Prevention
27. Layers of Security are required to protect IBM i systems and their data from breach
Layers surrounding the DATA:
• Physical Security
• Network Security
• IBM i OS Security
• System Access Security
• File and Field Security
• Security Monitoring & Auditing
28. Physical Security
Control access to computer rooms and data centers, ensure computing equipment and peripherals cannot be tampered with, and secure end points.
29. Network Security
Implement intrusion prevention and detection technologies, group and protect related resources within network segments, encrypt network traffic.
30. IBM i OS Security
Properly configure necessary security settings within the IBM i OS, keep the OS and PTFs up to date, and closely manage user profiles.
31. System Access Security
Keep unauthorized users off your IBM i and maintain tight control over what authorized users are able to do once logged in.
32. File and Field Security
Ensure sensitive data cannot be seen by unauthorized individuals, whether internal or external.
33. Security Monitoring and Auditing
Alert administrators and security officers whenever suspicious activity is detected and log all security-related events for the purposes of tracing and documentation.
34. Each layer is designed to catch anything that manages to break through another.
35. Assure Security strengthens IBM i security and assures regulatory compliance
Assure Security (the full product) is made up of feature bundles, each with specific capabilities:
• Assure Security Risk Assessment
• Assure Access Control
  • Assure Multi-Factor Authentication
  • Assure Elevated Authority Manager
  • Assure System Access Control
• Assure Data Privacy
  • Assure Encryption
  • Assure Secure File Transfer **
• Assure Compliance Monitoring
  • Assure Monitoring & Reporting *
  • Assure Db2 Data Monitor
• Assure Core Distribution Services
* SIEM Add-On available
** PGP Add-On available
Choose the full product, choose a feature bundle, or select a specific capability.
36. Assure Security Risk Assessment
Security Risk Assessment Service
• Let Syncsort’s security experts conduct a thorough risk assessment and provide a report with remediation guidance
Security Risk Assessment Tool
• Thoroughly check all aspects of IBM i security and obtain detailed reports and recommendations
37. Assure Access Control
Assure Multi-Factor Authentication
• Strengthen login security by requiring multiple forms of authentication
Assure Elevated Authority Manager
• Automatically elevate user authority as needed and on a limited basis
Assure System Access Manager
• Secure all points of entry into your system including network access, database access, command line access and more
38. Assure Data Privacy
Assure Secure File Transfer
• Securely transfer files across internal or external networks using encryption
Assure Encryption’s Tokenization Feature
• Remove sensitive data from a server by replacing it with substitute values that can be used to retrieve the original data
Assure Encryption
• Transform human-readable data into unreadable ciphertext using industry-certified encryption & key management solutions
39. Assure Compliance Monitoring
Assure Monitoring and Reporting
• Simplify analysis of IBM i journals to monitor for security incidents and generate reports and alerts
Assure Db2 Data Monitor
• Monitor for views of sensitive Db2 data and optionally block data from view
SIEM Integration Add-On
• Integrate IBM i security data with data from other platforms by transferring it to a Security Information and Event Management console
40. Assure Security Advantages
Assure Security delivers innovative capabilities that lead the market in multiple facets of security:
✓ Comprehensive control of both legacy and modern IBM i system access points
✓ NIST-certified encryption, including integration with FIPS-compliant, off-platform key management from Townsend Security
✓ Powerful, flexible multi-factor authentication with RSA certification
✓ Unique and innovative new solution for monitoring views of highly confidential data
✓ Ability to forward IBM i security data to leading SIEM solutions, including QRadar certification
✓ Integration with Syncsort HA solutions via monitoring dashboard and failover scripting
Supports compliance with: SOX, GLBA, GDPR, HIPAA, CCPA, HITECH, 23 NYCRR 500, BASEL II/III, PCI DSS and more
42. Helpful Resources
• Download our ebook to read more about CCPA and IBM i security
• Download Townsend Security’s podcast on CCPA and how companies can better protect consumer information
43. Data Quality and CCPA
Register now for other webinars in our CCPA-preparedness series!
44. Recap
• As the most populous US state and the world’s 5th largest economy, it’s not unusual for California to be at the forefront of tech-related legislation.
• With CCPA on the books, data privacy legislation is now pending in New York, Massachusetts, and Rhode Island. Other states are likely to follow.
• Regardless of whether your organization needs to comply with CCPA or not, one or more data privacy regulations are likely to come your way.
• The time to prepare is now.
• Encrypt your data with strong, standards-based encryption and key management to protect against breaches, penalties and legal action.
• Harden security and redact data shared with third parties to meet compliance requirements.
• We are here to help!
46. Pair a Key Manager with your Encryption Solution
Protects keys from theft and loss
• Stores keys separately from the encrypted data
• Restricts access to keys
• Backs up keys securely
• Supports regular key rotation
Supports best practices for key management
• Separation of duties between data manager and key manager
• Dual control of key management processes
• Split knowledge of complete key values
• Ensuring origin and quality of keys
• As with encryption, key manager certifications are available, e.g. Federal Information Processing Standards (FIPS) 140-2
• KMIP compliance ensures future compatibility with encryption solutions
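Slide 18 says attackers go after keys rather than algorithms, and this slide lists the practices a key manager enforces in response: keys stored apart from the data, restricted access, split knowledge, dual control, separation of duties and rotation. The following added example, written for this page and not Alliance Key Manager’s or Syncsort’s code, models those practices in plain Python: a working key is assembled by XOR from components that two custodians hold separately, a key check value lets them confirm the assembly without exposing the key, and a versioned store keeps old versions so records stay readable after rotation. The principals (`alice`, `bob`, `payroll-app`), the key name `customer-db` and the `KeyStore` API are constructed for the demonstration; a production deployment would put this behind a FIPS 140-2 validated key manager rather than an in-process object.

```python
"""Constructed illustration of key-management practices: split knowledge and
dual control (the key is assembled from components held by separate
custodians), a key store kept apart from the data, separation of duties
between custodians and applications, and versioned rotation. A stand-in for
a real key manager, not Alliance Key Manager's code."""
import hashlib
import hmac
import secrets

KEY_BYTES = 32  # AES-256 key length


def generate_component() -> bytes:
    """Each custodian generates and keeps one component; nobody sees both."""
    return secrets.token_bytes(KEY_BYTES)


def combine_components(*components: bytes) -> bytes:
    """Split knowledge: the key is the XOR of all components, so any single
    component reveals nothing about it. Dual control: at least two needed."""
    if len(components) < 2:
        raise ValueError("dual control requires at least two components")
    key = bytes(KEY_BYTES)
    for comp in components:
        if len(comp) != KEY_BYTES:
            raise ValueError("component must be %d bytes" % KEY_BYTES)
        key = bytes(a ^ b for a, b in zip(key, comp))
    return key


def key_check_value(key: bytes) -> str:
    """Short fingerprint so custodians can confirm the assembled key without
    revealing it (first 3 bytes of HMAC-SHA256 over a fixed label)."""
    return hmac.new(key, b"KCV", hashlib.sha256).hexdigest()[:6]


class KeyStore:
    """Key versions live here, away from the encrypted data. Records carry
    only (name, version), so they can be decrypted after rotation and re-keyed
    on a schedule. Custodians may create/rotate but never fetch; applications
    may fetch but never create (separation of duties)."""

    def __init__(self, custodians, applications):
        self._custodians = set(custodians)
        self._applications = set(applications)
        self._versions = {}   # name -> {version: key bytes}
        self._current = {}    # name -> current version number

    def _require(self, principal, allowed, action):
        if principal not in allowed:
            raise PermissionError("%s may not %s keys" % (principal, action))

    def create(self, name, key, principal) -> int:
        self._require(principal, self._custodians, "create")
        if name in self._versions:
            raise ValueError("key already exists; use rotate")
        self._versions[name] = {1: key}
        self._current[name] = 1
        return 1

    def rotate(self, name, new_key, principal) -> int:
        """Add a new version and make it current; old versions are retained so
        data encrypted under them stays readable until it is re-keyed."""
        self._require(principal, self._custodians, "rotate")
        version = self._current[name] + 1
        self._versions[name][version] = new_key
        self._current[name] = version
        return version

    def fetch(self, name, principal, version=None):
        """Return (version, key); omitting `version` gives the current key."""
        self._require(principal, self._applications, "fetch")
        version = self._current[name] if version is None else version
        return version, self._versions[name][version]

    def needs_rekey(self, name, version) -> bool:
        """True when a record was protected under a superseded key version."""
        return version < self._current[name]


if __name__ == "__main__":
    alice, bob = generate_component(), generate_component()  # two custodians
    key = combine_components(alice, bob)
    print("assembled key check value:", key_check_value(key))
    store = KeyStore(custodians={"alice", "bob"}, applications={"payroll-app"})
    v1 = store.create("customer-db", key, principal="alice")
    v2 = store.rotate("customer-db",
                      combine_components(generate_component(), generate_component()),
                      principal="bob")
    print("current version:", store.fetch("customer-db", "payroll-app")[0],
          "records on v%d need re-keying:" % v1, store.needs_rekey("customer-db", v1))
```

The point to take from the store is the metadata: a record that references `customer-db` version 1 still decrypts after rotation to version 2, and `needs_rekey` is what a scheduled re-encryption job would query. A custodian asking `fetch` for a key, or an application calling `create`, raises `PermissionError`, which is the separation of duties the slide calls for.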