Securing Your IBM i:
The Critical Role of Encryption
Bill Hammond | Director, Product
Marketing
Today’s Topics
• Understanding the changing regulatory
landscape
• Effective encryption strategies
• Data privacy decisions for your
organization
• Q & A
A changing
regulatory landscape
Cybersecurity mesh
• A new approach to security, which will involve connecting different security tools and technologies to create a more comprehensive security solution.
Comprehensive audit reporting
• Enables organizations to monitor compliance status effectively while providing detailed insights into security practices.
Data Protection
• Customers will be tasked with deploying strong cryptography for data encryption and enhanced access control.
Zero-trust security
• Organizations move away from perimeter-based security models. Zero-trust assumes that no one can be trusted and requires continuous verification of users and devices.
Regulatory Uncertainty
• This will be pervasive across all areas of technology and data risks, consumer/investor protections, and risk management and governance.
AI and machine learning
• These will be used more extensively to detect and respond to threats, leading to more sophisticated security solutions that can adapt to new threats.
Effective encryption
strategies
Why Encryption is Critical
• Data Breaches:
• Minimizes the impact of data breaches. Even if attackers gain access to your
systems, encrypted data remains useless.
• Reduces the risk of sensitive information (customer data, financial records,
intellectual property) falling into the wrong hands.
• Compliance:
• Meets regulatory requirements like GDPR and HIPAA, which mandate the use of
encryption for sensitive data.
• Demonstrates a commitment to data privacy and builds trust with customers and
partners.
• Competitive Advantage
• Protects your valuable assets, giving you a competitive edge in the market.
• Enhances customer trust and loyalty by demonstrating a strong commitment to
data security.
• Remote Work
• Secures data transmitted over unsecured networks when employees work
remotely.
• Protects company information from interception during transit.
Malware and Ransomware are Rampant
Increasing sophistication and complexity
• Advanced technology that is very difficult to detect
• “Remediation” can be impossible
Unprecedented threat to businesses of all sizes
• Not limited to larger or more advanced businesses
• Not just “disruption”: Can mean permanent end of the business
• Yet legal liabilities remain, even after the business is destroyed
Rapid proliferation
• Cyber-criminals are organizing and sharing
• Malware-as-a-Service is already a reality
Data Encryption: The last line of Defense
Encryption transforms readable information into an
unreadable, unusable format (or “ciphertext”)
• No matter how or why it is obtained, encrypted data is useless
• A shield against extortion, even if data is otherwise destroyed
• Helps to minimize or eliminate legal liabilities
Encryption is based on proven, well-known algorithms
• AES, RSA, Triple DES, and more
• Independent certifications are available to validate compliance
with national and global standards, such as those issued by the
National Institute of Standards and Technology (NIST)
Protect your stored data
with AES Encryption
• The US government and agencies have
accepted the Advanced Encryption
Standard (AES) as a format standard (FIPS
-203, 204 & 205) for encrypting data
• For PCI-DSS, HIPAA, and specific
government privacy rules, AES-256 is the
preferred encryption method.
• The encryption methods recognized by
the National Institute of Standards and
Technology (NIST) ensure that your data is
protected to the highest standards.
Encryption at Rest and in Motion
• Why Encrypt Data at Rest?
• Safeguards Stored Information: Encryption
transforms data into an unreadable format,
protecting it from unauthorized access even if
storage is compromised (e.g., lost device,
stolen hard drive, or breached server).
• Compliance Requirements: Many
regulations (HIPAA, GDPR, etc.) mandate
encryption for sensitive data at rest to ensure
privacy and security.
• Reduces Risk of Data Breaches: Encryption
minimizes the impact of a potential breach by
rendering stolen data useless without the
decryption key.
• Why Encrypt Data in Motion?
• Secures Data in Transit: Encryption protects
data as it travels across networks, preventing
eavesdropping, tampering, or interception
during transmission.
• Maintains Confidentiality: Ensures that
sensitive information remains private and
confidential while being transmitted between
systems or individuals.
• Prevents Man-in-the-Middle Attacks:
Encryption thwarts attackers from
intercepting and altering data during
communication, preserving data integrity.
Data in Motion Challenges
• Manual transfer processes are unwieldy and time-consuming
• Tracking transfers and resubmitting failed transfers is tedious
• Capturing files from FTP servers for processing into an ERP system or
other application is a cumbersome manual process or requires
programming
• Securely sending ACH and Positive Pay records to a financial services
company’s FTP server is another burdensome transfer to manage
• Manual management leaves too much margin for human error
The Importance of a
Comprehensive Approach
End-to-End Protection
Encrypting both at rest and in
motion provides a robust
defense against various security
threats, ensuring data
protection throughout its
lifecycle.
Multi-layered Approach
• Encryption complements
other security measures
(firewalls, access controls) to
create a comprehensive
security posture.
Peace of Mind
• Knowing that your data is
encrypted both at rest and in
motion provides assurance
and confidence in your
security practices.
Decisions for
your
organization
IBM i Encryption Tips
• Beware of home-grown or non-standard encryption
and key management
• Look for independent assessments and certifications
(FIPS-197; FIPS 140-2) of the implementation of a
secure algorithm
• Best option for applications requiring higher
performance
• Can be easily implemented for Db2 databases in IBM i
7.1 or greater using FieldProc solutions with few (if
any) application or database changes
• 3rd party solutions provide APIs and CL commands to
encrypt IFS files, backups, etc.
• Open Access for RPG (OAR) handlers simplify your
project if you have legacy RPG applications and need
to encrypt indexes
• FIELDPROC exits expose security challenges. Make
sure you also implement access logging, automatic
masking, access control for common utilities (like
DBU, Display Physical File Member, and FTP), access
control for encryption keys
Disk Level vs. File Level Encryption
What is disk level
encryption?
• On the IBM i, full disk encryption allows you to
encrypt data that is stored in basic disk pools
and independent disk pools
• Full disk encryption protects data from several
different threats:
• Protects data transmission to and from the disk
drive (important in a SAN environment)
• Protects data transmission in the cross-site
mirroring environment (only when the data being
mirrored is on an encrypted independent disk pool)
• Protects data in the case of theft of the disk drive
What is field level
encryption?
• Field procedures can provide field level (or column level)
encryption on DB2 for IBM i
• A field procedure is a user-written exit routine to
transform values in a single column
• When values in the column are changed, or new values inserted, the field
procedure is invoked for each value
• The field procedure can transform values (encode them) in any way.
• The encoded value is then stored
• When values are retrieved from the column, the field procedure is
invoked for each encoded value.
• The field procedure decodes each value back to the original value.
• Any indexes defined on a column that uses a field procedure are built with
encoded values.
• The fields are encrypted at rest and will be decrypted
when a database operation is performed against the file
that has the field in it.
• Fields can be “masked” based on specific users or groups.
So why is field level encryption better than
disk level encryption?
• Disk level encryption utilizes the same key for everything. If the key gets compromised, all the data on the system can be decrypted with one key.
• Field level encryption can utilize a different key for every field, or every file depending on how you want to implement it. If one key gets compromised, the rest of your data is still protected.
• Disk level encryption does not allow for masking individual fields, whereas field level encryption allows for masking to hide sensitive data from those that may have access to the file but shouldn’t be able to see the sensitive field data.
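A small model of the two slides above (how a field procedure is invoked, and why per-field keys and masking matter), added here as an illustration and not taken from the presentation or from any IBM or Precisely product. The class and function names, keys, users, sample rows and the last-four masking rule are assumptions, and the keyed transform is an HMAC-SHA256 keystream standing in for a certified AES implementation so that the block runs on the Python standard library alone.

```python
import hashlib
import hmac


def keyed_transform(key: bytes, data: bytes) -> bytes:
    """Stand-in for the cipher: XOR with an HMAC-SHA256 keystream.
    Reversible and deterministic, but NOT AES and not for production use."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


class FieldProc:
    """Hypothetical model of a field procedure attached to one column."""

    def __init__(self, key: bytes, authorized: set):
        self.key = key                # one key per column
        self.authorized = authorized  # users allowed to see the clear value

    def encode(self, value: str) -> bytes:
        # Invoked for each value on insert/update; the result is what is stored.
        return keyed_transform(self.key, value.encode("utf-8"))

    def decode(self, stored: bytes, user: str) -> str:
        # Invoked for each encoded value on read.
        clear = keyed_transform(self.key, stored).decode("utf-8")
        if user in self.authorized:
            return clear
        # Masking rule (an assumption): keep only the last 4 characters.
        return "*" * max(len(clear) - 4, 0) + clear[-4:]


class Table:
    def __init__(self, fieldprocs: dict):
        self.fieldprocs = fieldprocs  # column name -> FieldProc
        self.stored = []              # rows exactly as they sit at rest

    def insert(self, row: dict) -> None:
        self.stored.append({
            col: self.fieldprocs[col].encode(val) if col in self.fieldprocs else val
            for col, val in row.items()
        })

    def select(self, user: str) -> list:
        return [{
            col: self.fieldprocs[col].decode(val, user) if col in self.fieldprocs else val
            for col, val in row.items()
        } for row in self.stored]

    def build_index(self, column: str) -> dict:
        # Index keys are the stored (encoded) values, never the clear text.
        return {row[column]: pos for pos, row in enumerate(self.stored)}

    def lookup(self, column: str, value: str, user: str):
        # Equality search: encode the search value, then probe the index.
        pos = self.build_index(column).get(self.fieldprocs[column].encode(value))
        return None if pos is None else self.select(user)[pos]


def columns_recovered(table: Table, stolen_key: bytes) -> set:
    """Columns whose at-rest values turn into plausible data under one stolen key."""
    plausible = set("0123456789-")
    recovered = set()
    for col in table.fieldprocs:
        attempts = [keyed_transform(stolen_key, row[col]) for row in table.stored]
        if all(a.isascii() and set(a.decode("ascii")) <= plausible for a in attempts):
            recovered.add(col)
    return recovered


def build_demo_table() -> Table:
    # Constructed sample rows, keys and user names.
    table = Table({
        "card_no": FieldProc(b"K1" * 16, authorized={"billing"}),
        "ssn": FieldProc(b"K2" * 16, authorized={"hr"}),
    })
    table.insert({"id": 1, "card_no": "4111111111111111", "ssn": "078-05-1120"})
    table.insert({"id": 2, "card_no": "5500000000000004", "ssn": "219-09-9999"})
    return table


if __name__ == "__main__":
    demo = build_demo_table()
    print("at rest :", demo.stored[0])
    print("billing :", demo.select("billing")[0])
    print("hr      :", demo.select("hr")[0])
    print("stolen card key exposes:", columns_recovered(demo, b"K1" * 16))
```

The index lookup only works because the encoding is deterministic: the same clear value under the same key always yields the same stored value.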
Implementing Encryption
Implementing
encryption has
its challenges
EXCLUSIVE LOCKS
• IBM i Field Procedures (FieldProc) need an Exclusive Lock on file data to add/remove an encryption program and encrypt/decrypt a column
SMALL WINDOW
• Your maintenance window may be too small to encrypt/decrypt all files during the allotted time
APPLICATION RISK
• Encryption processing changes every record within a file – increasing risk to applications
The Encrypt While Active option
Combines market-leading Assure technology to:
• Create a pre-production copy of your encrypted data
• Promote that file to production with only minutes of downtime
• Optionally compress the file being encrypted by removing deleted records
Based on Assure MIMIX and Assure Security products
• Assure MIMIX Enterprise for replication
• Assure MIMIX Promoter, a feature of MIMIX High Availability, for file promotion
• Assure Encryption, a component of Assure Security, for encryption
Combination of Software and Services
• Software to facilitate encryption without downtime and remove encryption risks
• Expert services to manage the process and ensure a successful outcome
Benefits of Encrypt
While Active
• Minimizes downtime for encryption
operations
• Mitigates the risk of application
failure after encryption
• Ensures HA/DR-readiness throughout
the encryption process
As an added benefit, deleted records can
be removed from the file during the
encryption – a Compress While Active
service
Data Privacy Is Essential
Protecting data is fundamental to your business
• Customers, partners and employees trust you to prevent
breaches
• Your business suffers negative publicity if breached
Data could be compromised from the inside or outside
• Users should see only the data they need as part of their jobs
• Data must be protected from internal staff, contractors and
business partners – as well as criminal intruders
Regulations require that personally identifiable information (PII),
payment card information (PCI) and personal health information
(PHI) be encrypted
• HIPAA
• GDPR
• PCI DSS
• CCPA
• DORA
• …and more
Assure Security: Strategic Focus Areas
Access Control
Protecting Systems and Data against Unauthorized Users and Malicious Attackers
• Prevent unauthorized logon
• Manage users’ system privileges
• Control and restrict access to data, system settings, and command line options
Compliance Monitoring
Meeting Stringent Regulatory Requirements with Complete Visibility into Security Issues
• Automate security and compliance alerts and reports
• Monitor and block views of sensitive data
• Integrate IBM i security data into SIEM solutions
Data Privacy
Fully Implementing Powerful IBM i and Best-of-Class Data Protection Capabilities
• Encrypt IBM i data
• Secure encryption key management
• Tokenization and Anonymization
• File transfer security for Data in Motion
Malware Defense
Establishing Multi-layered, Comprehensive Protection Against Advanced Threats
• Harden all systems and data against attacks
• Automate and integrate security technologies and management
• Design for depth and resilience if one or more defenses fail
Q & A
Editor's Notes

  • #25: Is the Optimize IMS product a service engagement or software? It is both. What is the expected implementation timeline for configuring this solution?