
"SAFER" Information Protection Capabilities from IBM

Article Date: 01 Jun 2010

By Mark Simmonds
Senior Product Marketing Manager IM System z






By Ernest Mancill
Executive IT Specialist DB2 Tools for z/OS






Information protection is one of the common entry points for organizations getting started with information governance. Protecting sensitive data serves a clear business need, and protecting data is the goal of many current regulations. Over the next couple of months, we will be looking at the protection of data, starting today by looking at the security of IBM® Data Servers on z/OS® systems. This article will be followed by another article looking at audit and compliance.

IBM provides a comprehensive set of information protection capabilities for IBM hardware platforms that help organizations discover which data needs to be protected, secure access to it, provide encryption of the data, and ensure that privacy controls are in place throughout the information lifecycle. In addition, IBM provides organizations with powerful and flexible analysis, real-time auditing, and reporting tools.

Safer: Security, Auditing, Flexible reporting, Encryption, Reliable privacy
Figure 1: IBM provides organizations with a comprehensive set of information protection capabilities.

Information protection for IBM System z

It’s estimated that 95 percent of Fortune 1000 companies store business data on IBM System z®.¹ Its business-focused capabilities, such as advanced business continuity features, security, transaction integrity, scalability, dynamic workload balancing capabilities, and powerful tools for access control and protection, make the System z platform an excellent choice for storing and processing business-critical information.

However, organizations must demonstrate accountability by complying with industry, financial and regulatory guidelines and be able to answer the who, what, when, where and how questions when it comes to data access. Regulations exist at the worldwide level, in addition to the local specific laws and regulations that must be followed.
For example, in the US the Sarbanes-Oxley Act (SOX), Payment Card Industry Data Security Standard (PCI DSS), Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), Basel II and U.S. Senate Bill 1396 are just a few regulations with which organizations must comply. Other countries adopt the same or similar regulations.

Research shows that the perceived quality of a company's corporate governance can influence its share price, as well as the cost of raising capital.²

Let’s take a closer look at information protection on the System z platform, starting today with security of your data on System z and z/OS.

Security on IBM data servers on z/OS

Authentication is the first security capability a user encounters when attempting to use services provided by IBM data servers on the IBM z/OS® operating system. The user must be identified and authenticated before being allowed to use any of these services.

The primary job of identification and authentication in IBM data servers on z/OS is assigned to the security subsystem. On z/OS, the z/OS security server, which is the IBM Remote Access Control Facility (RACF®) or its equivalent, provides authentication and authorization services to control access to the database subsystem. This technique means that access for many resources can be consistent, whether the resource is a file, a printer, or communications or database access.

For the purposes of this discussion, RACF and its primary competitors, CA-TopSecret and CA-ACF2, are security products that provide access control and security functionality for z/OS and the IBM z/VM® operating system for virtualized environments.

RACF and DB2 databases

In an IBM DB2® database on z/OS configuration, the z/OS security server (IBM RACF® or equivalent) is used for the following purposes:

In addition to database server-provided security, RACF can be used to control access to database objects, authorities, commands and utilities by using the RACF access control module of the database server.

RACF and IMS

The IBM Information Management System (IMS®) has been enhanced to make use of RACF for controlling access to IMS resources. You can use the original IMS security features, the new RACF features, and combinations of these. RACF provides more flexibility than the older security features. The normal features of RACF can be used to protect both system and database IMS data sets.

Using IBM Tivoli products to enhance RACF

By putting a user-friendly layer on top of RACF, IBM Tivoli® zSecure Admin provides a comprehensive, easy-to-use Interactive System Productivity Facility (ISPF) interface for low-level RACF administrators. The product generates the required syntax for RACF commands (based on the input from the window). Generating RACF commands automatically reduces errors that can lead to security exposures or system downtime. The zSecure Administrator can help automate recurring work during RACF administration, freeing advanced administrators to focus on higher-value tasks.

IBM Tivoli zSecure Visual, a Microsoft® Windows®-based graphical user interface (GUI) for RACF administration, allows RACF administration tasks to be delegated to junior security administrators. You use the zSecure Visual GUI to communicate with a server running under z/OS UNIX® to perform the native RACF commands. This capability insulates the zSecure Visual administrator from the complexities of native RACF and TSO/ISPF.

Encryption and data obfuscation

The requirement to encrypt data at rest is fundamental to many regulatory compliance initiatives. Encryption is the process whereby clear text data is transformed into ciphertext data. This transformation uses a mathematical formula, known as an encryption algorithm, in conjunction with a data encrypting key to create the ciphertext data. Two basic encryption algorithms are generally accepted as secure today: Triple Data Encryption Standard (TDES) and Advanced Encryption Standard (AES). Keys are hexadecimal strings of randomly generated characters, varying in length from 128 to 512 bits. In general, the longer the key, the more secure the encryption implementation.

In contrast to encryption, data obfuscation is the process whereby sensitive data is transformed to generate a new data value that has the same general characteristics as the original value but represents a fictional data value. In general, the obfuscation is performed in such a manner that the original value cannot be derived through casual reverse engineering.

IBM data servers and z/OS Communications Server-based network encryption

While data at rest is the primary concern here, there should be no disagreement that a robust encryption implementation must include techniques to encrypt critical information throughout its lifecycle. This includes the requirement to encrypt data that flows into and out of the enterprise through network connections, including data that is shared with external business partners.

Capabilities inherent in the z/OS operating system, such as the z/OS Communications Server, can help protect network resources. The z/OS Communications Server works with DB2 and IMS for z/OS and uses well-designed implementations that allow organizations to take advantage of different types of network-based encryption such as:

IBM data servers and encryption of data at rest

There are many ways to encrypt data in DB2 and IMS. The questions "What do you want to protect, and from whom?" and "How much effort can be used?" are asked to determine which technique to use and where to encrypt and decrypt.

The choice of encryption technique does mean some trade-offs in function, usability and performance. Organizations using DB2 for z/OS V8 and later can elect to implement encryption by using the DB2 built-in function. It does, however, have some problematic characteristics that can impact the flexibility required for a robust enterprise solution.

For IMS, there is no DBMS implementation of encryption, so there is a need to consider other mechanisms for encrypting data.

Key management using ICSF services

Integrated Cryptographic Service Facility (ICSF) is a component of z/OS that is designed to transparently use the available cryptographic functions, whether CP Assist for Cryptographic Function (CPACF) or Crypto Express2, to address the data encryption requirements of z/OS applications and subsystems.

ICSF supports the AES and TDES algorithms for data privacy. TDES (Triple Data Encryption Standard) was originally published in 1999 and is still a well-adopted industry standard. AES (Advanced Encryption Standard) was announced by the National Institute of Standards and Technology in 2001 and became effective as a Federal government standard in 2002. AES is the first publicly accessible and open cipher approved by the NSA for top-secret information. This updated algorithm provides stronger encryption and is the recommended algorithm for "data-at-rest" requirements. Key lengths of 128, 192 and 256 bits are supported, depending on the class of System z processor used. Keys generated with ICSF services are used by the IBM Data Encryption for IMS and DB2 Databases tool.

The cryptographic hardware (also known as the coprocessor) available to IBM Data Encryption for IMS and DB2 Databases depends on processor or server model. z/OS ICSF supports the Crypto Express3 Feature that is available on IBM System z10® Enterprise Class and IBM System z10 Business Class processors. For IBM System z9® and z10® processors, the Crypto Express2 feature is also available.

ICSF provides a secure environment for key generation, storage and use, and is preferred over application-based key management as implemented in encryption approaches such as the DB2 V8 built-in function.

IBM Data Encryption for IMS and DB2 Databases

IBM Data Encryption for IMS and DB2 Databases provides a data encryption function for both IMS and DB2 for z/OS databases in a single product. It enables protection of sensitive data for IMS at the segment level and for DB2 at the table level.

IBM Data Encryption for IMS and DB2 Databases is implemented using standard IMS exits and DB2 EDITPROCs. The exit or EDITPROC code invokes the System z Crypto hardware to encrypt data for storage and decrypt data for application use, thereby protecting sensitive data located on various storage media. System z hardware has provided improving support for the encryption instructions and features, thereby decreasing the performance overhead of encryption.³

For both IMS and DB2 programs, the routines that are generated by IBM Data Encryption for IMS and DB2 Databases are transparent to the application programs that access the databases, thus requiring no application changes to implement. This tool can save the time and effort required to write and maintain encryption software for use with such exits or within applications.

Implementing the generated exit is simple. When implemented based on the type of SQL or IMS statement, the exit is driven by the DBMS at the appropriate point, and encryption or decryption occurs as needed.
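The difference between the DB2 built-in function (application-based key management) and the EDITPROC approach described above can be seen in the SQL an application has to issue. The following DB2 for z/OS sketch is an added example, not taken from the original article or from IBM's product; the schema, table and exit names and the sample value are constructed for illustration.

```sql
-- Added example: PAYROLL, EMP_BIF, EMP_EXIT and ENCEXIT1 are hypothetical names;
-- '123-45-6789' is a constructed sample value.

-- (1) DB2 built-in function: the application handles the password.
CREATE TABLE PAYROLL.EMP_BIF
      (EMPNO  CHAR(6)      NOT NULL,
       SSN    VARCHAR(64)  FOR BIT DATA);  -- ciphertext is binary and longer than the clear text

-- Each connection that reads or writes SSN must first supply the password.
-- A host variable keeps it out of the statement text, but the application
-- still has to store and protect it somewhere.
SET ENCRYPTION PASSWORD = :hv_password;

INSERT INTO PAYROLL.EMP_BIF (EMPNO, SSN)
       VALUES ('000010', ENCRYPT_TDES('123-45-6789'));

-- Reads must call the decrypt function explicitly; a plain SELECT of SSN
-- returns the binary ciphertext.
SELECT EMPNO, DECRYPT_CHAR(SSN) AS SSN
  FROM PAYROLL.EMP_BIF;

-- (2) EDITPROC: the exit is named once in the DDL and driven by DB2.
CREATE TABLE PAYROLL.EMP_EXIT
      (EMPNO  CHAR(6)   NOT NULL,
       SSN    CHAR(11)  NOT NULL)
  EDITPROC ENCEXIT1;                       -- hypothetical name of the generated exit

-- Application SQL is unchanged: no password handling and no function calls.
INSERT INTO PAYROLL.EMP_EXIT (EMPNO, SSN)
       VALUES ('000010', '123-45-6789');

SELECT EMPNO, SSN
  FROM PAYROLL.EMP_EXIT;
```

In the second case, access to clear text is governed by table privileges and by who can use the key through ICSF, not by knowledge of a password embedded in application logic.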

With encrypted tables, standard recovery assets including the DB2 recovery log and DB2 image copy data sets are also encrypted. The recovery log record is encrypted because the log image reflects the row after the EDITPROC is driven. The DB2 image copy data set is encrypted because the image copy utility is a page-level operation. With an IMS implementation, the image copy data sets are also encrypted. This is important for organizations that deliver recovery assets to offsite storage facilities; in the event that data in transit is lost or stolen, there is no exposure because the encrypted data is protected from unauthorized use.

Conclusion

The cost of implementing security measures is far cheaper than fixing a breach after it occurs, not to mention the bad publicity and potential negative effect on an organization’s stock price and reputation. The financial penalties and losses surrounding data breaches are never truly realized until many years after the event. Frankly, there is no longer any excuse for security-related failures. IBM Information Management information protection solutions for z/OS offer comprehensive end-to-end capabilities to help manage business risk and reduce the threat of data breaches and security exposures, wherever your data is, whoever is using it, and whenever it is being used. IBM can help you find ways to take back control and be S.A.F.E.R.

Join us soon for the next article in this series focused on Auditing and Compliance.

Learn more

To learn how IBM Information Management information protection solutions for z/OS can help you reduce the threat of data breaches and security exposures, contact your IBM representative or visit http://www.ibm.com/software/data/db2imstools/solutions/data-governance.html.

Legend

¹ Moutsos, Kim. IMS at 40: Stronger than Ever, IBM Database, October 2008. http://www.dbmag.intelligententerprise.com/story/showArticle.jhtml?articleID=211300235

² O’Donovan, Gabrielle. A Board Culture of Corporate Governance. Corporate Governance International Journal, Vol 6, Issue 3, July 2003. http://findarticles.com/p/articles/mi_go1494/is_200307/ai_n9035264

³ The IBM System z cryptographic functions are described at the following Web page: http://www.ibm.com/servers/eserver/zseries/security/cryptography.html

Disclaimer:

The information provided by the author of this document represents the views and experiences of the author. IBM has provided access to this document on the basis that it may provide useful information to the recipients. However, as IBM has not in any respect validated nor necessarily agrees with the information provided, IBM does not accept any liability whatsoever in the use to which this information may be put.
