AUDIO WILL COMMENCE WHEN THE MEETING BEGINS · 2020-04-13 · replication of data can be used via...

You must use Computer Audio
• This session is being conducted using Audio Broadcast – it is not possible to join by phone
• Attendees do not have microphone capability

Use the Q&A panel to ask questions
• Click the arrow
• Type your question in the box – hit “Send”
• If you do not see Q&A, click the icon with 3 dots, and select Q&A

The call will be recorded and replay posted on the TechU Talks web page. https://www.ibm.com/services/learning/events/techutalks

Audio quality is highly dependent on an individual’s internet bandwidth. If you experience audio issues, we recommend you:
1) Turn off your company VPN connection
2) Check if you have applications running in the background – anti-virus can completely cut audio
3) If your computer is connected to a virtual environment, it can affect quality – connect from a PC without a virtual environment if possible

IBM Systems TechU (c) Copyright IBM Corporation 2020


Introducing IBM z15 Data Privacy Passports

Michael Jordan
IBM Distinguished Engineer
IBM Z Security

2020 IBM Systems TechU
April 9, 2020

Topics


—Current landscape

—Data Privacy Passports Introduction

—Use Cases

—Recap


The Data Dilemma

Data

— Data Breaches
— Data privacy regulations
— Journey to Cloud
— 5G and IOT
— Business Data Exchange
— Data Analytics

Data Security

—Keeping data safe

Data Privacy

—Appropriate use of data

The Emergence of Data Centric Protection

Siloed - point-to-point

Encryption and decryption occur at each point as data traverses the network. Any data stored at endpoints and intermediate points must be explicitly encrypted.

Data Centric - end-to-end

Data itself is encrypted at the starting point and remains encrypted until it reaches the end point. Data stored at endpoints and intermediate points is implicitly encrypted and managed through centralized policy.

Protection that remains in place when the data moves and allows the data to play an active role in its own protection.

Achieving Data Centric Protection

[Figure: layers of encryption; axis and callout labels: Coverage, Complexity, Security Control, Typical Data Centric Solutions]

• Full disk, tape & SAN: At-rest data with zero host CPU cost
• File and data sets: Sensitive data tied to access control for in-flight and at-rest data
• Databases: Sensitive in-use, in-flight and at-rest data
• Applications: Hyper-sensitive data

• Typical application level protection can be extremely costly and only protects a small number of fields
• Can you have security control with broader coverage and less complexity?

Protect individuals’ identity in a digitized world with IBM Data Privacy Passports


Current State

Data protected through siloed products

Desired State

Data protected for the life of the data with 1 product

Desired State: Trusted Data Objects

End-to-end protection via “Trusted Data Objects”

Desired State: Enforced Data

Controlling the usage of data and auditability of data

• Protection – Encryption and Revocation

• Privacy – Controls and Consent

• Proof – Audit and Record Keeping for Compliance

Starting from IBM Z® or any system of record

[Diagram labels: 3rd Parties; Public Cloud; Private Cloud]

* Trusted Data Object is provided back to the Passport Controller and has been transformed from protected data into enforced data.


IBM Data Privacy Passports leveraging IBM Hyper Protect Virtual Servers


Point-to-point protection of sensitive mission critical data with granular privacy control across the enterprise and broader hybrid cloud ecosystem

IBM Data Privacy Passports

Extends data access controls beyond the system of record through policies which enforce data control throughout the data lifecycle.

IBM Hyper Protect Virtual Servers

Offers a virtual server for highly secure compute resources to meet data privacy regulations.

Components of Data Privacy Passports

Passport Controller

• Passport Controller provides an intercept point to transform “raw” data into “trusted data objects” or enforce data protection
• The policy that governs the protection and usage of the data is maintained in the Passport Controller
• Needs to be deployed on IBM Z for protection and/or enforcement of data

Trusted Data Object

• Contains data that is protected and portable between multiple environments.
• A Trusted Data Object is the encrypted data element plus metadata. The data element is encrypted using a specific key and all required instructions on how to open and identify the Trusted Data Object are included in the metadata.

Data Protection States

— Enforced Data (irreversible)

• Data elements are transformed (masked) at the time of consumption

• Transformations based on a user’s need to know

• Can be performed on Protected Data or raw data

— Protected Data (reversible)

• Data elements are encrypted into Trusted Data Objects (TDO) before leaving the platform

• Data can be shown in different views based on the user’s need to know using a Passport Controller


Where is the protected or enforced data stored?

Enforced Data

• Can be stored in a table with the same schema as the source table
• Data can be enforced in a way where it remains compatible with the original source schema
• Provides application transparent consumption of transformed data

Protected Data

• Data elements can be packaged into Trusted Data Objects (TDO) using the Passport Controller
• The TDOs are NOT the same size as the source data; each is an encrypted package with additional metadata
• Metadata is cryptographically bound to the ciphertext in the TDO
• The target table needs to be able to store data with a different schema than the source table
• This structured data source with a JDBC connection can be on any system and does not need to be stored by the same database as the original source table

What are the flows for enforcement on data?

Raw data can be enforced

• Eligible source data remains in the clear and clients connect to a proxy which will enforce data based on policy
• No changes needed to the original SQL database that is accessed through a JDBC connection

Data can be protected then enforced

• Eligible source data is encrypted into Trusted Data Objects (TDO) and then inserted into a new protected table
• New protected table elements are stored as Trusted Data Objects
• Clients connect to the new protected table and based on policy are presented an enforced view of the data

Use case – Protecting data as it moves in the enterprise (ETL)

• The data is protected at the point of extraction and is enforced at the point of consumption
• Move data from IBM Z to distributed as Trusted Data Objects – Supports SQL data sources accessed via JDBC
• Passport Controller* is deployed into Hyper Protect Virtual Servers
• Dynamically update the policy to revoke user access to data through the passport controller
• Create a single protected table to provide multiple views of data according to defined policy

[Diagram labels: z/OS® LPAR; Protected with Pervasive Encryption; Clear Text Table (Db2®); VSAM or Sequential Data; IBM DVM; Passport Controller* (Keys, Policy, Logic); Administrator; Administrative Commands; External Identity Management; x86 / Power® / Linux on Z; Postgres; Db2 for z/OS; Data Lake; JDBC; sftp]

* IBM Hyper Protect Virtual Servers V1.2 (5737-I09) is required.
** Current version only supports SQL structured data sources accessed via JDBC

Use case – Consuming IBM Z data in the enterprise


• Enforce with client defined policies when TDOs are consumed using Passport Controller

• Dynamically update the policy to revoke user access to the data through the Passport Controller

• Identity can be managed on IBM Z (i.e. z/OS)

• Connection to Passport Controller is through industry standard Apache Hive drivers

[Diagram labels: Passport Controller (Keys, Policy, Logic); External Identity Management; Protected Table; Data Copy; Virtual Table; SQL Queries; Data Scientist; Data Owner; Regulator]

POLL


Which DPP capability interests you the most (check all that apply)?

a) Protection using Trusted Data Objects

b) Ability to create a single protected table to provide multiple enforced views of data according to defined policy

c) Ability to dynamically update the policy to revoke user access to data through the passport controller


Use case: Single Data Source for Multiple Views


Business problem

— An insurance company needs to share details about their customers to a Data Scientist, the customer themselves via a web portal, and a Regulator.

Solution

— IBM Data Privacy Passports can create a single protected table of data from policies that allow multiple views of data varying by needs.

[Diagram labels: SoR Data Sources; IIDR; SQL; TDOs; Passport Controller; Protected Databases; JDBC; Enforced Data or Adhoc Queries; TDO is not opened]

• Eligible source data is encrypted into Trusted Data Objects (TDO) protecting it at the point of extraction prior to the data moving from IBM Z.
• Personas connect to the new protected tables, the policies are enforced by a user’s identity
• Data can be masked, encrypted or returned in the clear for individual fields, depending on policy

Use case: Data Revocation by Policy


Business problem

— A business unit has shared information with the analytics division of their company to complete a 6-month market research assignment. After the project is complete the analytics division should no longer have access to the eligible data.

Solution

— IBM Data Privacy Passports provides data revocation by policy of data shared to the analytics division and requires a trip to the Passport Controller to be viewed.

• Eligible source data is encrypted into Trusted Data Objects (TDO) protecting it at the point of extraction prior to the data moving from IBM Z.
• Clients connect to the new protected tables and based on policy are presented an enforced view of the data. Opening the data requires a return trip to the Passport Controller. Requests to open data are audited.
• Policy for enforcement can be changed dynamically to revoke or entitle users to data access through the Passport Controller.
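A minimal model of the flow these slides describe (metadata bound to ciphertext, per-persona views from one protected row, revocation by policy change, audited opens), added here as an illustration and not IBM's code or the Data Privacy Passports object format. `ToyController`, the policy dictionary, the object layout and the sample row are assumptions, and the HMAC-based keystream is a standard-library stand-in for a real authenticated cipher.

```python
import hashlib
import hmac
import json
import secrets


class ToyController:
    """Hypothetical policy point; all names and layouts here are assumptions."""

    def __init__(self, policy):
        self.policy = policy   # persona -> {field: "clear" | "mask" | "encrypted"}
        self.audit = []        # one (persona, field, decision) entry per open request
        self._enc = secrets.token_bytes(32)
        self._mac = secrets.token_bytes(32)

    def _stream(self, nonce, n):
        # HMAC-SHA256 in counter mode: stand-in for a vetted cipher, demo only.
        blocks = (hmac.new(self._enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((n + 31) // 32))
        return b"".join(blocks)[:n]

    def _tag(self, meta, nonce, ct):
        # Length-prefix the metadata so the MAC input can be parsed one way only.
        m = json.dumps(meta, sort_keys=True).encode()
        msg = len(m).to_bytes(4, "big") + m + nonce + ct
        return hmac.new(self._mac, msg, hashlib.sha256).hexdigest()

    def protect(self, field, value):
        """Wrap one field value as ciphertext plus cryptographically bound metadata."""
        meta = {"field": field, "key_id": "demo-key-1", "format": 1}
        nonce = secrets.token_bytes(16)
        pt = value.encode()
        ct = bytes(a ^ b for a, b in zip(pt, self._stream(nonce, len(pt))))
        return {"meta": meta, "nonce": nonce.hex(), "ct": ct.hex(),
                "tag": self._tag(meta, nonce, ct)}

    def open(self, persona, tdo):
        """Return the view of one object that current policy grants this persona."""
        nonce, ct = bytes.fromhex(tdo["nonce"]), bytes.fromhex(tdo["ct"])
        field = tdo["meta"].get("field")
        if not hmac.compare_digest(self._tag(tdo["meta"], nonce, ct), tdo["tag"]):
            self.audit.append((persona, field, "rejected"))
            raise ValueError("metadata or ciphertext was modified")
        # Default deny: an unknown persona or unlisted field stays encrypted.
        rule = self.policy.get(persona, {}).get(field, "encrypted")
        self.audit.append((persona, field, rule))
        if rule == "encrypted":
            return tdo["ct"]
        clear = bytes(a ^ b for a, b in zip(ct, self._stream(nonce, len(ct)))).decode()
        if rule == "mask":
            return "*" * len(clear) if len(clear) <= 4 else "*" * (len(clear) - 4) + clear[-4:]
        return clear


def demo():
    policy = {
        "regulator": {"region": "clear", "account": "clear"},
        "data_scientist": {"region": "clear", "account": "mask"},
    }
    pc = ToyController(policy)
    source = {"region": "EMEA", "account": "000123456789"}   # constructed sample row
    row = {f: pc.protect(f, v) for f, v in source.items()}   # the single protected row
    views = {p: {f: pc.open(p, t) for f, t in row.items()} for p in policy}
    # Relabel the account object as "region": the bound metadata makes this fail.
    forged = dict(row["account"], meta=dict(row["account"]["meta"], field="region"))
    try:
        pc.open("data_scientist", forged)
        tamper = "accepted"
    except ValueError:
        tamper = "rejected"
    # Revocation: only the central policy changes, the stored row is untouched.
    del pc.policy["data_scientist"]
    after = {f: pc.open("data_scientist", t) for f, t in row.items()}
    return views, after, tamper, row, pc.audit


if __name__ == "__main__":
    for entry in demo()[4]:
        print(entry)
```

Each stored object is larger than its source value because it carries the nonce, tag and metadata, which is why a protected table needs a different schema than the source table.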


Use case: Data Access Control for Data Privacy


Business problem

— A corporation operating a data warehouse SaaS service has established monitoring and defensive controls to keep data operations by applications and users restricted. Some of the information in their data warehouse is sensitive data.

— To date they have set up stringent environmental regulations for which the data can be viewed, but they need to embrace a more open network.

Solution

— IBM Data Privacy Passports provides documentation and logging as data is accessed. Data access and use of eligible data is controlled by centrally managed policy. Protection and enforcement requests made through Passport Controller are audited.

— Batched base replication of data can be used via JDBC to push whole tables, or IBM InfoSphere Data Replication (IIDR) can provide a way to replicate data based on changes.

— Providing replicated copies from a System of Record is an existing model for many clients who do not wish to impact performance.

[Diagram labels: SoR Data Sources; IIDR; SQL; TDOs; Passport Controller; Protected Databases; JDBC; Enforce; Audit; Enforced Data or Adhoc Queries]

• Eligible source data is encrypted into Trusted Data Objects (TDO) protecting it at the point of extraction prior to the data moving from IBM Z.
• Clients connect to the new protected tables and based on policy are presented an enforced view of the data. Opening the data requires a return trip to the Passport Controller. Requests to open data are audited.
• Policy for enforcement can be changed dynamically to revoke or entitle users to protected data. Changes are audited.

Use case: Data Segmentation and Brokering

Business problem

— A large multi-national corporation has disjoint human resource systems in each of its geographic locations and wishes to allow for new analytics on employee retention, motivation, and job satisfaction across the entire global workforce.

Solution

— IBM Data Privacy Passports allows the organization to segment which users have access to view data in the unencrypted form.

• IBM Data Privacy Passports can control which parties can use and combine which data.
• No one persona has access to all of the data within the enterprise.
• Opening the data requires a return trip to the on-premise Passport Controller, where policy enforces the permitted view of the data by persona.

[Diagram labels: SoR Data Sources; IIDR; SQL; TDOs; Passport Controller; Protected Databases; JDBC; Enforce; Data Scientist]

Product Deployment V1.0


Passport Controller is deployed in a Hyper Protect Virtual Server

Manual policy management

All data accessed through Passport Controller is audited

Announce date: March 10, 2020
General availability: March 20, 2020

Data Privacy Passports - Protected, Private, Provable


• Create a single protected table with multiple policy defined views of data

• The eligible data is protected at the point of extraction and is enforced at the point of consumption

• Move eligible data from IBM Z to distributed as Trusted Data Objects or enforced data

• Data requests that are made through the Passport Controller are audited

• Policy access can be changed dynamically to revoke a user’s access and is applied to a data copy passed through the Passport Controller

[Diagram labels: z14; z15; IBM Z; Cross Enterprise / Hybrid Cloud; Protection + Privacy + Proof]

Replay availability!

Michael Jordan

IBM Distinguished Engineer IBM Z Security

ibm.com

• Please feel free to send Questions you were unable to ask in the live call to my email: [email protected]

• The replay, pdf of presentation and Q&A transcript will be available on the TechU Talks page. https://www.ibm.com/services/learning/events/techutalks
