Securing Sensitive IBM i Data At-Rest and In-Motion
1 like97 views
The document details various methods for securing sensitive IBM i data, including encryption, tokenization, and anonymization, each with its pros and cons. It emphasizes the importance of protecting data from unauthorized access and compliance with regulations like PCI DSS, HIPAA, and GDPR. It also outlines how Syncsort can assist organizations in implementing these security measures effectively.
Securing Sensitive IBM i Data At-Rest and In-Motion
- 1. Securing Sensitive IBM i Data at Rest and in Motion Alan Hamm Sales Engineer 1
- 2. Agenda 1 – Encryption 2 – Tokenization 3 – Anonymization 4 – Secure file transfer Tradeoffs: DIY or 3rd party solutions5 – How Syncsort can help6 –
- 3. Why protect sensitive data? • Prevent data breaches • Prevent the negative publicity resulting from breaches • Protect your customer’s trust in your handling of their data Who should you protect your data from? • Users should see only the data they need as part of their jobs • Protect your data from internal staff, contractors and business partners – as well as criminal intruders What regulations require sensitive data protection? • PCI DSS • HIPAA • GDPR 3 Sensitive Data Protection • GLBA • State privacy laws • And more
- 4. Encryption What Is Encryption? • Use of one or more algorithms to transform human-readable information into an unreadable format • Requires a decryption key to return data to a human-readable format • Key management is highly recommended to keep encryption keys safe and manage them throughout their lifecycle • Integrates with IBM i FieldProc exit point (IBM i 7.1 or greater) to enable field encryption without application changes • Encryption and decryption activities can be logged • Decrypted data can be masked based on the user’s privileges Pros • Mature technology • Standards offer independent certification • Algorithms are continuously scrutinized • Confidence in meeting requirements of regulations that mandate sensitive data protection such as HIPAA/HITECH, PCI- DSS, state privacy laws and more Tips • Specified by certain regulations; verify the requirements of the regulations your business must comply with • Better for applications requiring higher performance • Look for a secure implementation of a secure algorithm • Check for certifications 4 Cons • Depending on the implementation, encrypting and decrypting field data can have a performance penalty • Encryption may not preserve the original format of fields, which can affect field validation processes • Applications may need modification to prevent using encrypted indexes
- 5. Tokenization What Is Tokenization? • Replaces sensitive data with substitute values or “tokens” • Tokens are stored in a database or “token vault” that maintains the relationship between the original value and token • Format-preserving tokens retain the characteristics of the original data (e.g. a VISA number would still look like a VISA number and pass a LUHN check) • Token consistency enables the same token to be used for every instances of the original data • When tokenized data is displayed in its original form, it should be masked based on the privilege of the user Pros • Tokens cannot be reversed with a key as there is no algorithmic relationship to the original data • Tokenization maintains database relationships • Removing data from the production server reduces risk of exposure from a breach • Tokenizing a server’s data can remove it from the scope of compliance • Specifically referenced for PCI DSS and supports compliance other regulations Tips • Available thru credit card payment networks for tokenizing credit card numbers • Good for BI and queries since tokenization maintains database relationships • Useful when sending data to outside services for processing when sensitive data is not required – or for development and test systems 5 Cons • Tokenization is not recognized as widely as encryption by standards bodies • Tokenization has a performance impact to register tokens and retrieve them
- 6. Anonymization What Is Anonymization? • A form of tokenization that permanently replaces sensitive data with substitute values (or “tokens”) • Substitute values are not stored so a secured token vault is not required • Can replace every instances of a piece of original data with the same token • Format-preserving : Retain the characteristics of the original data • A variety of anonymization methods can be used (masking, scrambling, etc.) • NOT a solution for use on a production server since tokens are unrecoverable Pros • Cannot be reversed with a key as there is no algorithmic relationship to the original data • Supports compliance with GDPR and other regulations • Keeps non-production servers out of the scope of compliance Tips • Not a solution for data on your production server • Ideally used for anonymizing sensitive data on a development or test system • Good for sending data to outside services for processing • When coupled with a high availability solution for replication to non-HA node, it can feed dev/test system with anonymized data 6 Cons • Anonymization is not recognized as widely as encryption by standards bodies
- 7. Secure File Transfer What Is Secure File Transfer • Securing data in motion across internal or external networks • Data is secured by encrypting it on the IBM i before transferring and decrypting it on the receiving end • Required by regulations such as PCI, HIPAA, GDPR, GLBA and others • Common protocol options include • Secure Shell (SSH sFTP) • Secure FTP (SSL FTPS) • Desirable for solutions to negotiate firewalls and creating an audit trail of file transfer activities • Solutions can automate the transfer process Pros • Protects data from being seen in clear text when transferred on the network • Meets requirements of regulations such as PCI, HIPAA and others that require encrypted transfer and logging of transfer activity • Mature discipline with standards and certifications available Tips • Look for solutions that meet standards • Ensure any solution you consider can navigate the complexities of your firewall configurations • Set up a hub-and-spoke configuration that manages all your file transfer activities 7 Cons • Technical-Know-How
- 8. Tradeoffs Do-It-Yourself In-House • Resources may be stretched and pulled off project • May need to bring in consultants or hire new employee because of lack of knowledge • Need to stay on top of new PTFs or updates to the OS • Knowledgeable resource may leave or retire Third-Party Solutions • Frees up your resources for business critical projects • Leverages experts in the field • Vendor is in the business of releasing updated software • Vendors ensure solutions stay current to the latest threats and OS capabilities • Ensures optimal performance • Vendors also offer services to help you get started and succeed with your implementation long term 8
- 10. Data Privacy Protect the privacy of data at-rest or in-motion to prevent data breaches Access Control Ensure comprehensive control of unauthorized access and the ability to trace any activity, suspicious or otherwise Compliance Monitoring Gain visibility into all security activity on your IBM i and optionally feed it to an enterprise console Security Risk Assessment Assess your security threats and vulnerabilities 10 Assure Security addresses the issues on the radar screen of every security officer and IBM i admin
- 11. Secure File Transfer Securely transfer files across internal or external networks using encryption Tokenization Remove sensitive data from a server by replacing it with substitute values that can be used to retrieve the original data Encryption Transform human-readable database fields into unreadable cypher text using industry- certified encryption & key management solutions Assure Data Privacy 11
- 12. Expert services are available for • Security risk assessment • Quick start services • Quick check services • Security update services (hot fixes, PTFs, new releases, etc.) • System update services (ensuring security solution is properly configured after system changes to IP addresses, OS versions, etc.) • Auditor assist (supporting internal or external auditors) • Managed security services • A la carte consulting Leverage the seasoned security experts in Syncsort Global Services! The Syncsort Services Team Is Here for You 12