IBM i Encryption Made Easy

IBM i Encryption
Made Easy
Jeff Uehling
Product Management Director, Syncsort
Patrick Townsend
Founder and CEO, Townsend Security

Today’s Presenters
2 | IBM i Encryption Made Easy
Jeff Uehling
Product Management Director, Syncsort
Patrick Townsend
Founder and CEO, Townsend Security

• IBM i encryption basics
• What FieldProc is and how it works
• How to easily encrypt and decrypt data without impacting existing applications
• Challenges and practical considerations for FieldProc encryption
• The importance of encryption key management to meet compliance requirements
• Introduction to encryption and key management from Syncsort and Townsend
Security
• Q&A
Agenda

IBM i Encryption Algorithms
IBM i APIs exist to allow applications to encrypt data
• Included with the OS
• Key management integrated with the API design
(master keys and key store files)
Syncsort provides NIST-certified encryption support
• NIST-certified encryption algorithms in Alliance AES/400
• Key Management solution from Townsend Security, including
“off partition” support

A data encryption key should be well protected or data
is exposed
• Key is used to encrypt data (SSN’s, credit card numbers, etc.)
It is recommended to encrypt the data key
with a key encrypting key (KEK)
• Used to encrypt data encryption keys
A Master Key can then be used to encrypt all KEKs
• A master key is used to encrypt KEKs or Data Encryption Keys
• Top level key, in the clear! If master key is compromised,
data is compromised.
• How do you securely store this master key?
Cryptographic Key Protection - Terminology
1 2 3KEK2
1 2 3
KEK1
Master
Clear Text
NOTE: Encryption Algorithms
are public knowledge.
Encryption keys must be kept
secret and protected.

Crypto Key Management
IBM i has GUI & CL interfaces to manage master
keys & keystore files
• Included as part of the base OS
Syncsort provides “off partition” key management
via tight integration with the encryption products
with NIST-certified algorithm support
Off-partition encryption key management using
Townsend Security’s Alliance Key Manager

Field Procedures
• Available beginning with IBM i V7R1
• Exit point technology
• Implemented on IBM System z in DB2 v9
• Implemented by customers or vendors
What is FIELDPROC and
How Does it Work?

It’s an Application Software Project
• Identify all of the fields you want to encrypt
• Decide if triggers can work for you (partial solution)
• Identify all RPG or COBOL applications that must be changed
• Modify the applications
• Test, test, and test again
Encryption Before V7R1

It’s a database change, not an application change
• Identify all of the fields you want to encrypt
• Install FIELDPROC exit point software
• Activate FIELDPROC protection
Encryption with FIELDPROC

No database changes required with FIELDPROC
• No field type or size changes
• No problems with Zoned and Packed data
Few (if any!) application changes required
• Most applications can will run without changes
• There are a few caveats (covered later) that may require
minor application modifications
Your Encryption Project
Just Got a Whole Lot Easier!

ORDMASTER
cardno
prodlib/exitpgm
How Does FIELDPROC Work?
YOUR
FIELDPROC
APPLICATION
Like most exit points you must register your exit point program (uses SQL)
A SQL statement used to do this:
ALTER TABLE ordmaster
ALTER COLUMN cardno
SET FIELDPROC prodlib/exitpgm
CONSTANT ‘Unique-Value’
Now the DB will call your API program on every I/O operation

NO!
FIELDPROC works with files created with DDS. You don’t need to convert them to
SQL tables. There are some benefits to SQL conversion, but it is not required.

- Encryption
- AuditDatabase Table
YOUR
FIELDPROC
APPLICATION
FIELDPROC:
What It Is and Isn’t
What it does:
• Provides a column level exit for insert/read/update operations on a database
What it does not do:
• Does not provide encryption, audit, or key management software
• You have to provide software for the Exit (an executable program) to handle encrypt/decrypt
• FIELDPROC does not provide security controls – that’s up to you!
• Does not log actions for compliance
FIELDPROC

FIELDPROC
DB2
Key Manager
MYPROG
ODBC
DFU
FTP
DBU
New Security Concerns
APPLICATION

The new FIELDPROC exits expose new security challenges!
Once an exit point program is installed, it will be called
regardless of the user application. Common utilities such
as DBU, Display Physical File Member, Query, and FTP can
trigger automatic decryption of data.
You will need:
• User access controls
• Encryption key access controls
• Automatic masking of data by policy
• QAUDJRN logging of access
Security Concerns

Everything you need to get FIELDPROC right
• Easy-to-use management interface
• Exit point software for encryption
• Key management (more later)
• User access controls by policy with Group Profile support
• Data masking
• Audit
• NIST-certified AES encryption
Alliance AES/400
and FIELDPROC

• IBM i customers with legacy RPG applications can
now deploy automatic DB2 encryption over sensitive
data which are indexes
• Leverage OAR capabilities by replacing the legacy
RPG file I/O with modern SQL operations
• Sensitive indexes include social security numbers,
bank accounts, etc.
Major Step Forward
in FIELDPROC Encryption

With Legacy RPG Encrypted
Indexes Often Do Not Work
RPG Application
DB2
Legacy I/O Model (no SQL / SQE)
AES Encryption
Alliance Key Manager
SQL

Legacy RPG File I/O Model
• Does not implement SQL interface to DB2
• Record-oriented file access
• Translates I/O Operations (CHAIN, READE, etc.) to
Encrypted operations
• Does not resolve encrypted indexes to unencrypted
sort order
• I.e. no index scan

Problem Symptoms with Legacy
RPG I/O and Encrypted Indexes
• Empty reports when sorted in a range
• Empty subfile displays
• Broken program logic with related tables/files
• Substring operations on encrypted indexes do not work
• Join logical files on encrypted indexes will not build
These issues are insurmountable for
many IBM i customers

Any IBM i customer who indexes by sensitive data:
• Banks and credit unions
• Hospitals, HMOs, and other medical entities
• Insurance providers and brokers
(casualty, liability, PMI, auto, etc.)
• Brokerages and traders
• Pharmaceutical
• Retail
• Telecos
• And many others
Who is Most Affected by
the Encrypted Index Issue?

With Open Access for RPG (OAR)
There Is A Way to Fix RPG!

Open Access for RPG Enables:
• The replacement of the legacy RPG I/O engine
• You define a “Handler” to take over I/O operations
• A Handler is a program you write (*PGM or *SRVPGM)
• The Handler is passed the RPG operation
• READ, CHAIN, etc.
A Handler can do anything!
Think of a Handler as an Exit Point
for an RPG “F” specification

OAR with SQL File Handler
to the Rescue
RPG Application with OAR
SQE / DB2
SQL File Handler maps RPG I/O to SQL
AES Encryption
AKM Key Manager

+ S Q L
O A R
• Translates RPG I/O Operations (CHAIN, READE, etc.) to SQL
• Implements SQL interface to DB2
• Encrypted indexes now work as expected
RESULT:
• Display files work properly
• Reports work as expected
• Sort order is correct
RPG with SQL OAR Handler

Requires One Line of New Code
FMyFile UF E Disk
F Handler(‘SrvProgram(function)’)
RPG application code must be modified to add the OAR handler on a file extension specification,
and the program must be re-compiled.
Normal system testing should be performed to assure proper operation.
RPG OAR Implementation

Data
Protected Data
Key
• AES is not a “secret”
• The key is the real “secret”• Key Management SP800-57
• Cryptographic Module Validation
• Program (CMVP)
• National Voluntary Laboratory
• Accreditation Program (NVLAP)
• FIPS-140
Key Management
Is Crucial for Compliance

• Dual control
• Separation of duties
• Split knowledge
• Key rotation
• Separate keys from the data they protect
Key Management
for Compliance

Key management is critically important to encryption
• Hackers don’t break encryption, they find the keys
• A good key management system will…
1. Control access to keys
2. Manage keys through the life cycle
3. Log access to keys
4. Back up keys
5. Roll keys
6. Expire keys, etc
FIELDPROC and Key Management?

• Local key store (based on X9.24)
• External encryption key management
• Alliance Key Manager
• FIPS 140-2 compliant
• Available As: HSM, Cloud HSM, VMware, Cloud
The keys are the secret –
they must be protected and managed
Two Choices for Key Management

Encryption will have an impact – how much?
• AES encryption libraries vary in performance
• Alliance AES/400 libraries are highly optimized
• 116x faster than native IBM i software library
• 50x faster than IBM Power8 on-chip AES
• Key management impacts performance
• Alliance Key Manager TLS + secure caching
Practical Issues –
Performance
Example: IBM model 515
Power 5 single processor,
1 Gig storage, 2 disks,
3800 CPW, 1 Million records,
unique index: 16,000+ records
per second decryption

Sort sequence of encrypted indexes
• IBM indexes based on encrypted value, not decrypted value
• Index lookups based on encrypted value, not plaintext value
• Range bound reads, some RPG operation impacts
• SETLL followed by READE, etc.
Encrypted Indexes

Incompatible with DDS-based join files on encrypted values
• Joined fields are a different type (Input only)
• Errors when re-creating join logical file after FIELDPROC active
• NOT a problem with native SQL joins
Join Logical Files

IBM DB2 FIELDPROC SQL Server EKM
Oracle 10g/11g SharePoint
Tape, storage, etc.
Critical infrastructure for multiple platforms
• Centralized key management reduces security exposure
• One key vault for all OSs – IBM i, Windows, Linux, UNIX, IBM z, etc.
• One key vault for all platforms – Client, server, cloud, mobile, etc.
• One key vault for all applications:
Enterprise Key Management

Making it easy
• Fully functional software – Internet download
• Local key management included
• Alliance Key Manager as VMware or Internet instance
• Free training, Quick Start guides, on-line help
Alliance Key Manager
Software Evaluations

Data Privacy
Protecting the privacy of sensitive
data by ensuring that it cannot be
read by unauthorized persons
using encryption, tokenization
and secure file transfer
Access and Authentication
Control
Ensuring comprehensive control
of unauthorized access and the
ability to trace any activity,
suspicious or otherwise
Security & Compliance
Assessments
Assessing your security risks or
regulatory compliance
Auditing and Monitoring
Gaining visibility into all security
activity on your IBM i and
optionally feeding it to an
enterprise console
Syncsort Security
addresses the issues
on every CISO and
system admin’s
radar screen

• Only NIST-validated AES encryption for the IBM i
• High performance encryption libraries
• Does not use slow IBM libraries like other competitors
• Better performance than Power8 on-chip encryption
• Encryption key management options
• Local key store
• FIPS 140-2 compliant Key Manager
• Built-in data masking based on user, group
• Built-in data access audit
• Extensive encryption APIs for RPG and COBOL
• Encryption commands for Save Files, IFS, and more
Why Choose Alliance AES/400?

Compatibility
• Works with all major business and cloud platforms
• Integrates with all leading encryption applications
Compliant
• FIPS 140-2 compliant – the US Federal Information Processing Standard for
approving cryptographic solutions with both hardware and software components.
• OASIS KMIP (Key Management Interoperability Protocol) compliant
• Certified for PCI-DSS version 3 by Coalfire, a certified QSA auditor
Flexible Deployment Options
• VMware, Hardware Security Module (HSM) or cloud deployment (AWS, Microsoft
Azure) options for deploying Key Manager
Cost Effective
• Affordable for any size Enterprise
• No additional client-side license or usage fees.
Easy to Use
• Ready-to-use client software speeds deployment and reduces IT costs
Why Alliance Key Manager?

Syncsort’s Security Solutions
Syncsort Security
Cilasoft
QJRN/400
QJRN Database & QJRN System
CONTROLER
EAM
RAMi
CENTRAL
Alliance
Alliance
AES/400
Townsend’s Alliance
Key Manager
Alliance Token
Manager
Alliance
FTP Manager
Alliance
LogAgent Suite
Alliance Two Factor
Authentication
Enforcive
Enterprise Security Suite
Security Risk Assessment
Cross-Platform Audit
Cross-Platform Compliance
Password Self-Service
AIX Security
Quick
Quick-CSi
Quick-Anonymizer
Syncsort’s Security
solutions have the breadth and
depth to meet your IBM i
compliance or security needs.

Flexible services offerings for security
• Security risk assessment
• Quick start services
• Quick check services
• Security update services (installing hot fixes, PTFs, new releases, etc.)
• System update services (ensuring security solution is properly configured
after system changes to IP addresses, OS versions, etc.)
• Auditor assist (supporting internal or external auditors)
• Managed security services
• A la carte consulting
Leverage Syncsort’s team of seasoned security experts!
Global Professional Services
Add Value to Your Investment

Q&A
Learn more about Syncsort security
solutions at
www.syncsort.com/en/assure

IBM i Encryption Made Easy

More Related Content

Similar to IBM i Encryption Made Easy (20)

More from Precisely (20)

Recently uploaded (20)

IBM i Encryption Made Easy