PUG IMS Encryption - IMS UG March 2013 Phoenix
-
date post
19-Oct-2014 -
Category
Technology
-
view
563 -
download
1
description
Transcript of PUG IMS Encryption - IMS UG March 2013 Phoenix
1 © 2011 IBM Corporation
Dennis EichelbergerIT Specialist IMS Advanced Technical [email protected]
Guardium Encryption for IMS data
2Copyrite IBM 2013
Topics
• What are the business needs driving data protection
• Intro to data protection terminology
• An encryption solution from IBM for IMS databases
Copyrite IBM 2013
The Primary Source of Breached Data are Database Servers
Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Source of Records Breached (2012)
0 20 40 60 80 100
% of Records Breached
All other sources <1%
Desktop/Workstation 34%
Mail server 2%
Reg employee/end-user 1%
Database server 96%
Web/app server 80%
POS server 1%
Copyrite IBM 2013
LensCrafters -- Mainframe Breach Luxottica Group S.p.A. owns LensCrafters chain and world's
largest supplier of high-end eyewear
Personally Identifiable Information (PII) for 59,419 employees stolen, with victims in all 50 states
"Generally, mainframes are not accessible to the Internet, so the hacker most likely had to compromise other systems internally before getting to the mainframe," said Chris Petersen, a former IT auditor with Price Waterhouse and Ernst & Young.
Sources: http://www.internetnews.com/security/article.php/3787431/Mainframe+Breach+at+LensCrafters+Parent+Hits+59K.htm http://privacy.wi.gov/databreaches/2008/nov08.jsp
Polo Ralph LaurenPradaVersace brands
Ray-BanDolce & GabbanaDonna Karan
Copyrite IBM 2013
LensCrafters -- Mainframe Breach “As mainframes become a major component in service-oriented
architectures, they are increasingly exposed to malware. Web services on the mainframe have had a significant impact on security.” -SearchCompliance.com
Copyrite IBM 2013
TJX Companies -- Security Breach
Parent company of T.J. Maxx, HomeGoods, Marshalls, etc. A security breach originally reported to have occurred in May of 2006
was not discovered until December of the same year A forensic investigation by IBM and General Dynamics
showed the breach may have occurred in July of 2005 How much did the breach cost TJX Companies?
• Initial estimate: $4.5B ($100 per stolen record)• Later estimate: Up to $300 per stolen record
Sources: http://www.computerworld.com/s/article/9014782/TJX_data_breach_At_45.6M_card_numbers_it_s_the_biggest_ever https://www.braintreepayments.com/blog/pci-compliance-and-the-cost-of-a-credit-card-breach
http://www.informationweek.com/news/199203277SearchCompliance.com
Copyrite IBM 2013
Certegy -- an Insider Tale Certegy is a subsidiary of Fidelity National Information Services
that provides check authorization & check cashing services, partly for the gaming industry
Senior DBA sold 8.5 million customer records containing the following for $580K to data broker
Data theft came to light after retailer reported correlation between transactions and receipt of marketing offers by its customers
• Certegy engaged the U.S. Secret Service, which found data had come from separate company owned by the Certegy DBA
• “Why did it take Certegy more than five years to find out that confidential consumer information was being sucked out of its database?” (St. Petersburg Times)
NamesAddresses Birth dates
Bank account info Credit card info
Sources: http://www.sptimes.com/2007/11/15/news_pf/Northpinellas/Largo_man_stole_data_.shtmlhttp://www.prnewswire.com
Copyrite IBM 2013
Settled class-action suit for $4 million, plus:• $975,000 in fines from Attorney General• Mandatory security audit every year• 2 years of credit monitoring services ($180 per customer)
Rogue DBA sentenced to nearly 5 years in prison
Certegy -- an Insider Tale
Sources: http://www.sptimes.com/2007/11/15/news_pf/Northpinellas/Largo_man_stole_data_.shtmlhttp://www.prnewswire.com
Copyrite IBM 2013
Other Real-World Examples of Insider Threats
Unauthorized changes to financial data• DBA accidentally deleted critical financial table during production
hours (was doing a favor for application developer, bypassing change process)
• Outsourcer erased logs showing he made changes during the day (because it was more convenient than during the night)
Theft of sensitive data• Departing employees stealing design information & other intellectual
property• DBAs and outsourcers selling customer information to competitors and
crime syndicates
Copyrite IBM 2013
Other Real-World Examples of Insider Threats
Internal fraud• Mortgage processor -- insider changed credit scores to make loans
look better• Mobile telecom -- insider created & sold pre-paid phone cards• Electric utility -- insider gave free service to friends and family as part
of low-income assistance program• Health provider -- insider sold medical identities for insurance fraud
Copyrite IBM 2013
The Smarter (& More Secure) Mainframe
71% of the Global 500 run on mainframes• 100% of the world’s top 50 banks• 22 of the top 25 retailers
Unique IT value proposition• Efficiency, utilization & server consolidation• Proven reliability, availability & quality-of-service
• z/OS with IMS, SAP, WebSphere, InfoSphere Warehouse, Cognos 8 BI, …
• z/VM & Linux with Oracle, MySQL, Cognos, …• Virtualization
Robust Security Model
• Built-in encryption with hardware acceleration• z LPAR hosting is the only server with Common Criteria EAL5
certification• z/OS, RACF & Tivoli zSecure Audit protect access to system
resources (CICS, DB2, IMS…)
12Copyrite IBM 2013
Data Protection Drivers
Industry Compliance
Regulatory Compliance
Information Governance
13Copyrite IBM 2013
Industry Compliance Driving Data Protection
PCI “Payment Card Industry” compliance…• World-wide accepted standards that protect against credit
card fraud- Requires adaptation of business controls to protect against
compromising sensitive data• Examples of standards- Protect stored cardholder data- Restrict access to cardholder data by business on a
“need-to-know” basis- Restrict physical access to cardholder data
14Copyrite IBM 2013
PCI “Payment Card Industry” compliance (cont’d)• PCI standards require sensitive personal information of
credit card holders to be encrypted, including:- Account number- Expiration date- Name and address- Social Security number
• Compressed data is not acceptable as data encryption
Industry Compliance Driving Data Protection
15Copyrite IBM 2013
Regulatory Compliance Driving Data Protection Governmental Regulations
• Basel III (2010-2011)− Measurement of total banking risk based on capital adequacy,
stress tests and market liquidity risks• Sarbanes-Oxley Act (2002)
• Strengthen financial reporting and internal controls by fixing responsibility within a companies’ management
• HIPAA (1996)− Provide national standards for electronic health care records
and secure those medical records, prove how they have been used and who has used them
16Copyrite IBM 2013
Regulatory Compliance Driving Data Protection Governmental Regulations
• Patriot Act (2001)- Prevent usage of the financial system to support illegal
activities, particularly terrorism• Various anti-money laundering (AML)- Prevent the laundering of money derived from illegal activities
• Gramm-Leach-Bliley Act (1999)- Protection of personally identifiable financial information (PII)
17Copyrite IBM 2013
Data Protection - Not Just an Activity for One Group
Initial concerns and questions
- What is the right database encryption solution?- Would the application need to be modified?- Would application performance be impacted?- Which group will own key management?- What is the security team’s role?- What is the audit team’s role?- What is IMS systems programmer role?- What is the DBA’s role?
18Copyrite IBM 2013
Focal Areas for a Strong Security Strategy Encrypting the data
• Reduce the liability even if data is accessed, using encryption reduces the usability of that data
Monitoring access to the data• Have visibility to data access -- identify who accessed data,
when it was accessed or updated
19Copyrite IBM 2013
What is Encryption? Data that is not encrypted is referred to as “clear text” Clear text is encrypted by processing with a “key” and an
encryption algorithm• Several standard algorithms exist including DES, TDES and
AES Keys are bit streams that vary in length
• For example AES supports 128, 192 and 256 bit key lengths
20Copyrite IBM 2013
What is Encryption?
Encryption is a process where clear-text is converted using a known ALGORITHM
• AES• DES• TDES
A key is used in the encryption process to produce CYPHERTEXT and can be either a:
• Clear key• Secure key
21Copyrite IBM 2013
Encryption is a technique used to help protect data from unauthorized access
Data that is not encrypted is referred to as “clear text” Clear text is encrypted by processing with a “key” and an encryption algorithm
– Several standard algorithms exist, include DES, TDES and AES (next slide) Keys are bit streams that vary in length
– For example AES supports 128, 192 and 256 bit key lengths
Encryption Process
Encryption algorithm(e.g. AES)
Clear TextCiphertext
(Encrypted Data)
Decryption Process
Encryption algorithmCiphertext
Clear TextKey
Key
22Copyrite IBM 2013
Encryption Algorithms – Which Ones Are Best?
DES (Data Encryption Standard)− 56-bit, viewed as weak and generally unacceptable today by the
NIST TDES (Triple Data Encryption Standard)
− 128-bit, universally accepted algorithm AES (Advanced Encryption Standard)
− 128- or 256- bit, newest commercially used algorithm What is acceptable?
– DES is viewed as unacceptable– TDES is viewed as acceptable and compliant with NIST (National
Institute of Standards and Technology)– AES 128 or 256 is also viewed as acceptable and strategic
23Copyrite IBM 2013
Encryption Algorithms – Which Ones Are Best?
For more information:– TDES NIST Special Publication 800-67 V1 entitled
"Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher" and can be found at
http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf
– TDES NIST FIPS Publication 197 entitled "Announcing the Advanced Encryption Standard (AES)" and can be found at
http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
24Copyrite IBM 2013
Integrated Cryptographic Service Facility (ICSF) Provides: z/OS integrated software support for data encryption Operating System S/W API Interface to Cryptographic
Hardware − CEX2/3C hardware feature
Enhanced Key Management for key creation and distribution− Public and private keys− Secure and clear keys− Master keys
Created keys are stored/accessed in the Cryptographic Key Data Set (CKDS) with unique key label− CKDS itself is secured via Security Access Facility
See Reference Section of this presentation for more details
25Copyrite IBM 2013
What are Encryption Keys?
Master Keys– Used to generate, encrypt, and store user keys into the
CKDS (Cryptographic Key Data Set)– Loaded into the CEX2/3C hardware, and stored
NO WHERE else
User Keys (Data Encrypting Keys)– Generated via ICSF services – Stored inside the CKDS– Public or Private– Clear or Secure– Used by the IBM InfoSphere Guardium Encryption Tool
along with encryption algorithm to convert user data to Ciphertext
26Copyrite IBM 2013
Cryptography on z/OS
Clear Key– Key is exposed in the storage
of processor– Can be viewed in dump of
storage– If correctly interpreted can
expose data– Sometimes acceptable for
short-lived keys with other constraints
– Used in software-based cryptography
– Used by CPACF
Secure Key– Key is only ever exposed in
bounds of a secure processor– Can never be seen in storage– Dump will not reveal key– Key is held encrypted under
Master key– Crypto Express 2/3 (Configured
as CEX2/3C) provides this function for System z Fee based option
– APIs available via Integrated Cryptographic Support Facility (ICSF)
– Can be used from Java on z/OS platform
27Copyrite IBM 2013
How can you as an IMS Support person achieve this ?
Encryption in a Nutshell
28Copyrite IBM 2013
InfoSphere Guardium Data Encryption for DB2 and IMS Databases
InfoSphere Guardium Data Encryption protects Sensitive and Private information minimizing the liability risks associated with Information Governance.
High Performance and Low overhead by using the available cryptographic hardware
Uses the major encryption algorithms
Conforms to the existing z/OS security model
Complies with Security and Privacy regulations
Implementation at the IMS segment level
No changes to application programs
29Copyrite IBM 2013
To create an exit that encrypts and decrypts IMS data, the Tool can be implemented in one of two ways:
1) Through JCL. The product provides sample jobs where the JCL can be modified to meet your needs for encrypted IMS databases. These jobs can be found in the distribution libraries:
DECIMSSK – IMS Secure Key DECIMSCK – Clear Key DES DECIMSCB – Clear and Secure Key AES DECIMSDV – Driver exit for compressed and encrypted IMS segmentDECIMSJB – IMS Clear Key
2) Using the ISPF interface. ISPF panels are presented to you to create customized jobs for encrypting non-compressed and compressed IMS database segments.
InfoSphere Guardium Data Encryption for DB2 and IMS Databases
30Copyrite IBM 2013
Implementation steps
− Create an encryption key
− Create an encryption exit
− Unload database to be encrypted
− Generate and install DBD with encryption exit
− Reload database using the new DBD
InfoSphere Guardium Data Encryption for DB2 and IMS Databases
31Copyrite IBM 2013
Selections:1 = use to create an encryption exit that will be used standalone; that is without co-existence with a compression routine2 = use to create both an encryption exit and a driver module to call an existing compression routine then the encryption exit
InfoSphere Guardium Data Encryption – ISPF Main Menu
32Copyrite IBM 2013
CSF lib = Installation Encryption datasetZAP lib = Dataset containing AMASPZAP programSMP lib = Guardium load datasetEXIT lib = Load dataset for Encryption exitExit Name = Load module name for Encryption exit
IMS Clear key selected
Usual Jobcard
Encryption routine is called DSECRYPT
The label (name) of the Encryption key that has been previously created by a security administrator
InfoSphere Guardium Data Encryption – ISPF Definition for Creating Encryption Exit
33Copyrite IBM 2013
ISPF created linkjob for encryption exit creation (step 1)
Encryption routine is called DSECRYPT
InfoSphere Guardium Data Encryption – ISPF Definition for Creating Encryption Exit
34Copyrite IBM 2013
Encryption routine is called DSECRYPT
Encryption key label used by DSECRYPT exit
InfoSphere Guardium Data Encryption – ISPF Creating Zap Job for Encryption Exit Key
35Copyrite IBM 2013
Encryption routine is called DSECRYPT
The COMPRTN is added to the DBD source to invoke encryption Note, that only DATA is being encrypted here
InfoSphere Guardium Data Encryption – DBD Definition with Encryption Exit
36Copyrite IBM 2013
InfoSphere Guardium Data Encryption – Browse of IMS HDAM Database with Clear Data
Clear data
37Copyrite IBM 2013
Implementation steps
− Unload database
− Generate and install DBD with encryption exit
− Reload database using the new DBD
InfoSphere Guardium Data Encryption for DB2 and IMS Databases
38Copyrite IBM 2013
Encrypted data
InfoSphere Guardium Data Encryption – Browse of IMS HDAM Database with Encrypted Data
39Copyrite IBM 2013
Protects sensitive and private data
Reduces liability risks
Uses the available cryptographic hardware
Conforms to the existing z/OS security model
Complies with Security and Privacy regulations
Implementation at the IMS segment level
Implemented using standard IMS procedures and exits
InfoSphere Guardium Data Encryption
40Copyrite IBM 2013
Protects sensitive and private data
Reduces liability risks
Uses the available cryptographic hardware
Conforms to the existing z/OS security model
Complies with Security and Privacy regulations
Implementation at the IMS segment level
Implemented using standard IMS procedures and exits
InfoSphere Guardium Data Encryption
Copyrite IBM 2013
Reference Section
42Copyrite IBM 2013
Cryptography on z/OS
Clear Key– Key is exposed in the storage
of processor– Can be viewed in dump of
storage– If correctly interpreted can
expose data– Sometimes acceptable for
short-lived keys with other constraints
– Used in software-based cryptography
– Used by CPACF
Secure Key– Key is only ever exposed in
bounds of a secure processor– Can never be seen in storage– Dump will not reveal key– Key is held encrypted under
Master key– Crypto Express 2/3 (Configured
as CEX2/3C) provides this function for System z Fee based option
– APIs available via Integrated Cryptographic Support Facility (ICSF)
– Can be used from Java on z/OS platform
43Copyrite IBM 2013
CKDS – Cryptographic Key Dataset Key element of the IBM encryption solution on z/OS VSAM Key Sequenced Dataset Contents are ICSF generated data encrypted keys Accessed by ICSF API and Services
− Key Label (known by application requestor) used to find key record in the CKDS
Copy of CKDS cached in operating system storage at first ICSF invocation for performance− Refreshable
CKDS administration performed using ICSF services and ISPF interfaces.
Use of specific individual keys can be controlled via RACF profiles and permissions
CEX2/3C hardware feature required for use− Unless with a combination of HCR7751 or greater and clear key only,
then CEX2/3C is optional
44Copyrite IBM 2013
IMS Data Encryption for IMS and DB2 Databases The following restrictions apply:
An IMS segment can be associated with only one Segment Edit/Compression exit. If your IMS segment is already associated with a non-IBM Segment Edit/Compression exit and you want to implement Data Encryption for IMS and DB2 Databases, you must code an alternative solution for your existing exit.
HIDAM index databases cannot be encrypted (the IMS DBD COMPRTN) parameter does not allow index databases to be specified on the Segment Edit/Compression exit).
Administrators of data governance should consider the following points: When you install and initialize ICSF, consider setting the CHECKAUTH installation option to
NO. Setting CHECKAUTH to YES adds considerable CPU path length. Setting KEYAUTH to YES also adds CPU path length.
Depending on your security requirements, you can define different encryption key labels for as many segments as you need to. (Encryption key labels are set up by your security analyst.) A separate exit must be built for each encryption key label that you define. Note that you need
to balance your security requirements against the increased maintenance of multiple exits.
The first time that you use Segment Edit/Compression exits at your installation, your system programmer needs to provide APF authorization for the Segment Edit/Compression EXITLIB. If you are already using Segment Edit/Compression exits, you need to ensure that the Segment
Edit/Compression exits reside in an APF-authorized EXITLIB.
45Copyrite IBM 2013
Details About Clear Key Versus Secure Key Performance
Clear key elapsed time performance is MUCH superior than secure key.
Secure key (performed inside the CEX2C) is generally viewed as more secure from a cryptographic perspective.
Clear key uses special instructions that run on the z9 – z10 general purpose processors, so performance is measured in milliseconds.
Secure key encryption is dispatched to run on the cryptographic coprocessors on the CEX2C crypto feature. This tends to be measured in microseconds as this is essentially an I/O operation.
Secure key elapsed time measurements (depending on workload and type) can be from 10x to 40x more than clear key.
Secure key is probably NOT appropriate for most (to date all) OLTP workloads, but each customer needs to make this encryption decision based on their security requirements and performance expectations