1

Using FDRCRYPT and FDRERASE to Protect

Sensitive DataSHARE SEATTLE 2006

Session 3029An updated discussion of the Privacy Compliance, Data Protection

and Data Security concepts introduced at SHARE BOSTON 2005

Presented by Thomas J Meehan

INNOVATION Data Processing

tmeehan@fdrinnovation.com

SHARE SEATTLE 2006

Session 3029

A discussion of Privacy Compliance, Data Protection and Data Security

Presented by Thomas J Meehan

INNOVATION Data Processingtmeehan@fdrinnovation.com

INNOVATION Data Processing

2

2

Objectives

Recognize

• Personal Identity Protection (PIP) and Security Breach Notification (SBN) legislation impact on data protection and data security plans.

• Appropriate use of data protection technologye.g. incremental levels of encryption and secure erasure.

• INNOVATION solutions employing this technology are available to help meet PIP/SBN requirements.

INTRODUCTION

The objective of this discussion is that at its conclusion you will be able to:1. Recognize how your enterprise’s perception of recent corporate

governance, compliance, privacy, Personal Identity Protection (PIP) and Security Breach Notification (SBN) legislative requirements will impact existing data protection and data security plans.

2. Be more familiar with certain types of data protection technology such as different levels of encryption and secure erasure.

3. Identify areas where INNOVATION solutions employing these technologies can help you meet new requirements.

Trademarks and statements IBM, System Z, System z9, z990 and z/OS are trademarks or registered trademarks of International Business Machines Corporation. FDR, FDRABR, FDRERASE and FDRCRYPT are service marks, trademarks or registered trademarks of Innovation Data Processing Corporation. All other service marks, trademarks or registered trademarks are the property of their respective owners.

Copyright 2006, INNOVATION Data Processing

3

3

What are we talking about?Sensitive Data, Protection, PIP/SBN !!

• Sensitive Data• Unencrypted information that can identify an individual with a social security

number, financial account, medical health, education progress or any other “Private” data.

• Sensitive Data Protection• Administrative, technical, and/or physical measures to safeguard sensitive data

against unauthorized access.

• Personal Identity Protection (PIP) and Security Breach Notification (SBN) Legislation

• Requires companies notify individuals when there is a possibility that security of their sensitive data may have been compromised.

What are we talking about?

• Sensitive Data— Laws, regulations, corporate standards and guidelines from higher authority

define “Private and Sensitive” data as unencrypted computerized information that can identify an individual, combined with a social security number, drivers license or financial account access code, i.e. credit card PIN. And “unencrypted” as meaning when either the identifying information or data element is not encrypted or is encrypted with a key that has also been compromised.

• Sensitive Data Protection— The US Government defines sensitive data protection as administrative,

technical, or physical measures to guard against unauthorized access. Sensitive data, privacy and identity theft protection obligations, in HIPAA, Sarbanes-Oxley and the Payment Card Industry Data Security Standard (PCIDSS) for example, impose an obligation to erase disk storage and to encrypt data on tape media leaving a site's physical control.

• Personal Identity Protection (PIP) and Security Breach Notification (SBN) legislative

— Twenty-three states have legislation that require companies notify customers any time “unencrypted” personal information is lost.

4

4

Executive Summary

Recent Federal and State Legislation:• Requires the same level of protection for sensitive data leaving

your physical control as within the data center.• Impose an obligation to encrypt data leaving a site and erase

data from disk storage and tape media prior to disposal.• Failure to comply, violates the law and will be met with high

monetary penalties, even stricter requirements, more oversight…and possibly jail.

Executive Summary

Responding to heightening concern over identity theft recent legislation requires you ensure the same level of protection for sensitive data leaving your physical control on disk and tape as for sensitive data within the data center.

Federal and state definitions of sensitive data protection imposes an obligation to encrypt data leaving a site's physical control as well as to erase disk storage and tape media prior to disposal.

Failure to comply will violate the law and be met with high monetary penalties, even stricter requirements, more oversight and…possibly staying out of jail.

5

5

Media Hysteria! or a call to action!…Media Hysteria! or a call to action!…

• Current Tsunami Of Embarrassing Headlines.• It could it happen to you, don't be a victim of circumstance.

• Data Loss• 6 million people compromised by loss of unencrypted computer tapes.

• Improper Disposal• Disk/tape containing sensitive data released to the public.

• Stricter Requirements, More Oversight, Higher Penalties… • Federal Trade Commission recently imposed penalties totaling $15 million on

one firm for failure to meet data protection obligations.

Hysteria or Headlines• A wave of stories concerning, stolen or lost backup tapes and improper

disposal of disks/tapes containing sensitive data are now receiving the lion’s share of media coverage and regulatory scrutiny.

Data Loss• Backups containing the details of 3.9 million consumer-loan accounts lost

by a common carrier in transit to a credit bureau. • Tapes containing information on some 1.2 million U.S. government charge-

card accounts never reaching their appointed destination. • Privacy Rights Clearinghouse (www.privacyrights.org), documents private

data of 6 million people compromised by the loss of unencrypted computer tapes in first half of 2005.

Improper Disposal• Disk and tape storage containing sensitive data is released to the public

every day when leases on large disk-storage systems run out and are returned to the lease holders. No one records how much corporate and personal data is exposed when this equipment is put out into the pre-owned market.

Stricter Requirement, Oversight and Penalties • The continuing compromise of personal identity information has fueled

regulatory agencies aggressiveness, just recently the Federal Trade Commission imposed penalties totalling $15 million on one victim of a security breach for its alleged failure to meet its data protection obligations.

6

6

Preserve and Protect… It’s the law!

• 21 CFR Part 11 – FDA Compliance

• California SB 1386/1950 – Security Breach

• Check 21 Banking Industry Checking in the 21st Century

• GLBA – Gramm-Leach-Bliley Act

• HIPAA – Health Insurance Portability & Accountability Act

• IRS RP 97-22 – Internal Revenue Service

• NASD 324 – National Association of Security Dealers

• NYSE 17a-4 – New York Stock Exchange

• SOX 802 – Sarbanes-Oxley Act

• PCIDSS – Payment card industry data security standard

• ASD C3I Memo June 4, 2001 DoD Disposition of Computer Disks

• DoD NISPOM – DoD National Industrial Security Program Operating Manual

• FERPA PPRA – Family Educational Rights and Privacy Act and Protection of Pupil Rights Amendment (PPRA), Buckley-Pell Amendment

• FISMA – Federal Information Security Management Act of 2002

• GAO FISCAM - Federal Information Systems Controls Audit Manual

• GPEA – Government Paperwork Elimination Act

• NIST SP – National Institute of Standards and Technology Special Publications

• EUPA - European Union Data Protection Directive

• ISO 17799 – International IT Security Standard

• UK PPA – Data Protection Act

• Canadian PIPEDA – Personal Information Protection and Electronic Documents Act (2000)

• German BSI ITBPM – Federal Office for Information Security

• Irish PPAA – Data Protection Amendment Act 2003

• Japanese JPIPA – Personal information Protection Act of 2003

• Australia – The Privacy Act

• New Zealand – SBSIT 207

• Hong Kong – Infosec

The law says you have the same responsibility to prevent unauthorized access to data when it leaves your control, as you have to protect that data while it’s in your possession…

You know corporate data is a valuable resource. Undoubtedly there is information which you do not want to share with anyone outside your company, and sometimes not even with others in your company. Every organization has “sensitive data” which federal and state government regulations require you to preserve, protect and keep secure.

You already have security and backup procedures in place which limit access to, preserve protect sensitive data when it is in your data center. Under state, national and international government regulation you have the same responsibility to prevent unauthorized access to that data when it leaves your control.

The question is “How can you continue to control who has access to sensitive data after it leaves your control?”

7

7

Don’t get caught on…the wrong side of the law!

Despite well publicized Federal data security legislation like SOX, HIPAA and GLB headlines that tell of personal data security breaches due to stolen or missing backup tapes continue.

Concern this rash of incidents might mean corporations are not serious about reforming their data security practices or are willing to gamble on lax auditors, twenty-three states now have Personal Identity Protection (PIP) and Security Breach Notification (SBN) legislation. Twenty-two states, in 2005, joining California to require companies notify customers any time “unencrypted” personal information is lost. Seven showing even more concern went further requiring secure erasure of all electronic disk and tape storage prior to its disposal.

Don't be caught unaware or become a victim of circumstance. It’s no excuse. Make sure you’re on the right side of the law!

How can you continue to control access to that data when it leaves your control? Be proactive, meet data security, PIP and SBN obligations with FDRCRYPT and FDRERASE.

8

8

What’s Common in PIP and SBN Legislation

What is…and Why look at regulatory commonality?• You will be subject to more than one regulation…

Common procedures will address multiple regulations

• Commonalities:• Protect electronic records (Restrict Access)• Implement backup procedures (Business Continuance Plan)• Prevent the release of current or legacy client data (Data Security)

• Business Continuance plans must now have an additional element• Notify individuals when “unencrypted” personal information is lost.

==> Protect records from loss and keep them confidential <==

• Common Solutions• Encrypt backups and files leaving a site• Securely erase disk and tape prior to disposal

You must now protect records against loss and keep them confidential, even when not in your physical control.

Why look at regulatory commonality?Undoubtedly any enterprise employing large storage systems will be subject to more than just one regulation and with an understanding of the commonalities in these regulations you can plan for common procedures that will address the requirements of multiple regulations.

What are the recognizable commonalities?• Protection of electronic records (Restrict Access)• Implement backup procedures (Business Continuance)• Prevent the release of current or legacy client data (Security)• Encrypt Backups. That way you will not lose backups of

“unencrypted” sensitive personal identity information.

9

9

Practical Value Considerations

Security

…Balanced against…

Cost and Capacity

No or Low Value

Some Value

High Value

Highest Value

This presentation discusses encrypting to prevent unauthorized access toback up tapes and data exchange files, as well as securely erasing data from disk and tape volumes prior to their disposal.

However there are practical considerations for what is an appropriate way to go about “encrypting” a backup tape or securely “erasing” data.

Consider what level of encryption or erasure is secure enough in the light of the cost (i.e. what is the CPU resource requirement is to accomplish this)?

How much data, or how many volumes, do you have in light of how much time you have to accomplish the task?

All data is not of equal value so; you have to ask yourself the question; Is the solution secure enough, cost efficient enough and do you have the capacity for it to be fast enough?

10

10

How can you protect data when it leaves your control?

• Encrypt data that is on backup and data exchange tapes with…FDRCRYPT

• Erase data on tape volumes with…FATS

• Erase data on disk systems with…FDRERASE

FDRERASE disk erase, FATS tape erase and FDRCRYPT encryption solutions are the most efficient means available today for "z9 and zSeries" mainframe customers to fulfill their data security, PIP and SBN obligations.

11

11

…The Key to Securing Your Data

• FDRCRYPT protects backup tapes and data exchange files against inappropriate access.

• FDRCRYPT denies unauthorized individuals access, to data on backup tapes and in sequential files leaving your control, by encrypting the data.

The INNOVATION FDRCRYPT solution is the most efficient means available today for "z9 and zSeries" mainframe customers to fulfill their obligation to protect the data residing on backups and in sequential files being transported to remote locations from unauthorized access.

FDRCRYPT enhances FDR, FDRDSF, FDRABR and FDRAPPL, backup and restore with encryption and decryption facilities as well as allowing FDRTCOPY/FDRTSEL backup copy utilities to make duplicate copies of encrypted backup tapes, and encrypt or decrypt while making a copy of a backup.

FDRCRYPT also includes FDRCAMS, a utility which allows sequential copies of VSAM files and sequential data sets to be encrypted for data exchange with other companies and government agencies. FDRCAMS encrypted datasets can be on tape or disk for delivery via email or FTP.

12

12

Secure and Fast Data Encryption

FDRCRYPT is an additional FDR cost option

• Secure: FDRCRYPT offers multiple levels of secure encryption including AES the U.S. Government standard algorithm for encryption of classified data...

• Fast: Advancing levels of security allow you to strike a balance between the strength of encryption, the resources necessary to encrypt and the sensitivity or value of the underlying information

FDRCRYPT is an optional additional cost encryption facility • Secure:

FDRCRYPT offers users multiple levels of encryption foremost being the Advanced Encryption Standard algorithm (AES), adopted by the National Institute of Standards and Technology (NIST) as US FIPS PUB 197, the current US Government standard for providing extremely secure encryption of unclassified as well as classified data up to the levels of Secret and Top Secret.

• Fast and Efficient: Incrementally more sophisticated encryption algorithms offer advancing levels of security making it more and more unlikely that data can be reconstructed (decrypted), even in the face of sophisticated cryptanalysis attacks. Granularly advancing the levels of security allows a balance to be struck between resource consumption and the value of the underlying information.

13

13

• Obscuring information to make it unreadable without special knowledge

• Encryption, to keep information secret, has been around for thousands of years

• Julius Caesar invented a simple shift cipher• Sherlock Holmes deciphered a message written using stick figures in

“The Dancing Men”• In WWII, the Axis powers used ciphers generated by the “Enigma”

machine…which the Allies were able to break.

What is Encryption?

Encryption, or the science of cryptography which has been around throughout history, is a means of converting information from its normal comprehensible form into an incomprehensible format, rendering it unreadable without secret knowledge.

Encryption is a practical means of ensuring the secrecy of sensitive communications, such as those of spies, military leaders, diplomats and later bankers. Julius Caesar is credited with inventing a simple shift cipher (substitution).

Various devices have been used over the years as aids for encryption. Early in the 20th century, mechanical devices capable of performing very strong encryption were invented. Ciphers implemented by machine, most famously the Enigma Rotor Machines used by Germany in World War II and broken by the Allies, brought about a significant increase in the complexity of encryption.

14

14

Modern Encryption Algorithms

• Modern encryption algorithms mathematically apply keys (values) against the data to make it unrecognizable.

• The longer the key, the more secure the encryption• 56-bit vs. 128-bit vs. 256-bit vs. 2048-bit

• Asymmetric algorithms use a pair of keys, a public key to encrypt, a private (secret) key to decrypt and are very resource intensive.

• Symmetric key algorithms encrypt and decrypt using a single shared secret key and are less resource intensive.

Today’s ciphers must withstand sophisticated computer attacks. Human-based codes being too easy for a computer to crack most forms of cryptography now rely on computers to mathematically apply key values to make the data unrecognizable. Typically the longer the key the more secure the encryption. Current research in cryptography, analyzing computing power improvement predictions recommends that if you want your data to be secure through 2010, you must employ 128-bit symmetric keys and 2,048-bit asymmetric key. Selecting Cryptographic Key Sizes - Lenstra, Verheul (2001)

PKI (Public Key Infrastructure) is a synonym for asymmetric key encryption a form of cryptography which allows users to communicate securely without having to a share a secret key. Using a pair of key values, one distributed as a public encryption key and a second retained as a private decryption key. Asymmetric key cryptography which depends on resource intensive complex mathematical computations is unsuited for encrypting large amounts of data, like a backup.

Symmetric key algorithms use the same single key for both the encryption and the decryption process. This single “symmetric” key, represents a shared secret between two or more parties that allows them to maintain a private information link. Symmetric key algorithms are much less resource intensive making them much more suitable for encrypting backups and large data exchange files.

15

15

AES – US Government Symmetric Key Standard

• DES (Data Encryption Standard)• 56-bit key bit-shifting algorithm• US standard from 1976 – De-certified May 2005

• DES3 (triple DES)• 168-bits (using three 56-bit DES keys in three rounds E-D-E) • US standard from 1999 – Use officially discouraged May 2005

• AES (Advanced Encryption Standard)• US standard as of 2001

– Became the preferred US Government standard in 2002

DES (Data Encryption Standard), a 56 bit key driven substitution and transposition algorithm was invented by IBM during the mid-1970’s. DES became the US government standard in 1976 and after nearly thirty years of use was only recently de-certified in May 2005.

Reports of successful attacks on DES led the US Government to open a competition for a new cipher standard in 1997. A DES breaker machine “Deep Crack” and a parallel computing effort “distributed.net” both succeeded in breaking a DES key in under twenty-four hours in 1999. The US government in response announced Triple DES (T-DES), an encrypt, decrypt and encrypt process using a 168-bit key (three 56-bit DES keys), as a replacement preferred standard. More secure T-DES also had the benefit of allowing continued use of the old DES hardware.

A symmetric key algorithm the Advanced Encryption Standard (AES) won the government competition to become a standard in 2001. An extremely sophisticated block-cipher encryption algorithm AES became the preferred US Government standard for encryption in 2002, when the National Institute of Standards and Technology (NIST) of the US Commerce Department published an official description of AES in the US Government Federal Information Processing Standards Publication (FIPS) 197.

16

16

Symmetric Key Cryptography

Symmetric key algorithms;• SUBSTITUTION• Transposition (CIPHER)• AES (ADVANCED ENCRYPTION STANDARD)

• No hardware dependency• z9 hardware and compatible software implementation• No special hardware required at disaster sites

• No system software dependency• No dependency on ICSF

FDRCRYPT offers multiple symmetric key block-cipher encryption algorithms of incrementally increasing strength. All FDRCRYPT encryption algorithms make data unreadable to users without the appropriate key. Offering incrementally increasing levels of encryption strength with succeeding higher degrees of security; SUBSTITUTION, CIPHER and ADVANCED ENCRYPTION STANDARD (AES) allow users to strike a balance between resource consumption and information value.

FDRCRYPT allows all zSeries customers to employ software encryption/decryption and z9 customers to leverage the benefits of hardware encryption without concern for the type of mainframe in their disaster recovery sites. All FDRCRYPT cryptographic software algorithms are implemented in FDR modules and do not depend on any encryption hardware or the z/OS Integrated Cryptographic Service Facility (ICSF).

Transparently employing z9 AES hardware when it is available or its own software facilities, FDRCRYPT gives customers the flexibility to take advantage of z9 cryptographic hardware efficiencies to protect FDR tapes they use to exchange privileged and confidential data with other sites, regardless of what processor the other site may have, as well as for the protection of backup data.

17

17

!Factorial Strength

“!Factorial” is a measure of defense against brute force attacks

• Expressed as !(x) when x is the number of permutations• 3! Factorial = 6

i.e. possible permutations of 123 are 123,132, 213, 231, 312 and 321.

• 10! permutations is the number of possible reordering of numbers 0 to 9i.e. 3.6 103 (or 3,628,800 permutations)

• 26! permutations is the number of possible reordering of letters A to Zi.e. 4.033 × 1026 permutations

• 27! permutations results from adding BLANK to the 26 letter A to Zi.e. 1.089 × 1028 permutations

• 37! permutations of letters, numbers & BLANKi.e. 1.38 × 1043 permutations

• 256! (factorial) = approaches infinity

!Factorial Strength: • A measure of defense against brute force attacks (i.e. sophisticated

guessing).

• Increasing the number of different byte values in the data, increases the “factorial” value, i.e. the number of ways in which objects can be permuted (reordered). For example, 3! Factorial = 6, since the six possible permutations of 1,2,3 are 123,132, 213, 231, 312, 321.

• A higher “factorial” value represents an increase in the number of possible permutations and a consequently higher level of defense against brute force attacks.

• 256! (factorial) = approaches infinity.

18

18

SUBSTITUTION

• A 256 byte substitution (i.e. translation) table results in completely unrecognizable data

Translation

C1F317 is translated to D842FE

SUBSTITUTION is a translation that makes data unrecognizable.• Employing a 128-bit encryption key to generate a 256 byte substitution (i.e.

translation) table, which is then used in a single round to translate each individual byte in a compressed backup data block into a totally different byte value.

• For example, the substitution table may specify that every character A (hex C1) is translated to character Q (hex D8), every character 3 (hex F3) is translated to hex 42, and every byte containing hex 17 is translated to hex FE. So if data in the compressed backup block contains the hex string F3C117, it is translated to 42D8FE.

• Substitution table generation works best when the encryption key contains relatively random values, consequently the strength of the algorithm is higher when you allow FDRCRYPT to generate random encryption keys.

(Random key generation and unique keys are discussed a bit further on in this presentation).

19

19

Transposition

Transposition

• Applying a 256 byte transposition table each translated byte is relocated to a different position in the backup block, increasing the number of permutations to between 256! and 512!

• Transposition relocates each translated byte, i.e. it is repositioned to a different location in the backup block. Applying a 256 byte transposition table each translated byte is relocated to a different position in the backup block, increasing the number of permutations to between 256! and 512!

• 256! (factorial) = approaches infinity

20

20

Transposition

• Transposition moves data bytes around within the backup block in a random fashion based on the key

Transposition moves the data bytes around within the backup block in a random fashion based on a random key.

21

21

Transposition

FDRCRYPT CipherHigh Security at Reasonable Cost

• Employs both substitution and transposition.

• Offers a very secure level of protection.

• Recommended for use on all data not subject to an AES compliance requirement.

FDRCRYPT CIPHER employs both substitution and transposition• …to produce a block-cipher encryption that is fast, efficient and offers a

very high “factorial” defense against a brute force attack.

• Strength: Cipher is a strong encryption, because after compression and substitution, transposition moves adjacent bytes away from one another, increasing the factorial number of permutations (i.e. ordered combinations) making it very difficult to comprehend the original data pattern.

• A brute force cryptanalysis attack, would require unrealistic amounts of known or well chosen plaintext to discover the original information.

• CIPHER is recommended for use on all data not subject to an AES compliance requirement.

• The relatively low overhead of Cipher also makes it appropriate to discourage “dumpster diving” and disguise otherwise low value data.

• Cipher works best when the encryption key contains relatively random values, consequently the strength of the algorithm is higher when you allow FDRCRYPT to generate random encryption keys.

22

22

AES (ADVANCED ENCRYPTION STANDARD)

• US Government preferred standard for encryption• FIPS-197 prescribes key lengths of 128, 192 or 256 bits

• AES employs repetitive “rounds” of processing: • Substitution • Transposition (shift rows)• Mathematical transformation (mix columns)

• There is no record of a practical attack on AES

AES is the US Government preferred encryption standard for classified information…

• AES performs substitution, translating each individual byte, then follows with row transposition and column mixing.

• AES performs these operations for a number of successive “rounds” on successive sub-blocks of data within a backup data block.

• Strength: A very strong form of encryption the nature of AES provides that any key value is as secure as any other, just a 1 bit change in the key will produce a significantly different encrypted result.

AES, marks the first time the public has access to a cipher approved by NSA for TOP SECRET information. The CNSS Policy Fact Sheet “National Policy on the use of AES to Protect National Security Systems and National Security” Jun 03, states AES may be used for classifiedinformation saying “The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to SECRET. TOP SECRET information will require use of either 192 or 256 key lengths…”.

23

23

Substitution Transposition

MixColumns AddRoundKey

One AES Round

An extremely secure, mathematically-based, algorithm AES performs repetitive transformations to produce an encrypted version of the data which is next to impossible to decipher without the key.

• Operating for a number of rounds on successive sub-blocks of data within a backup data block, AES, employing standard tables, performs substitution translating each individual byte, then follows with row transposition, column mixing and finally using the AES transposition tables FDRCRYPT cyclically shifts the rows of data and multiplies each byte of data in a column with an AES round key it derives from the encryption key.

Each round of AES encryption, (except the last round) consists of four stages:

• Substitute Bytes — a non-linear substitution step where each byte is replaced with another according to a lookup table.

• Shift Rows — a transposition step where each row of the block is shifted cyclically a certain number of steps.

• Mix Columns — a mixing operation which operates on the columns of the block, combining the four bytes in each column using a linear transformation. The final round omits the Mix Columns stage.

• AddRoundKey — each byte of the state is combined with the round key; each round key is derived from the cipher key using a key schedule.

24

24

Multiple AES Rounds

Substitution Transposition

MixColumns AddRoundKey

Increasing “rounds” can strengthen AES AES-128 bit key hardware and software is 10 rounds

AES-192 bit key software is 12 roundsAES-256 bit key software is 14 rounds

With a substantial increase in CPU consumption

Increasing “rounds” can strengthen AES AES-128 bit key hardware and software is 10 rounds

AES-192 bit key software is 12 roundsAES-256 bit key software is 14 rounds

With a substantial increase in CPU consumption

The US Government AES algorithm defines a specific number of rounds in association with each key length (i.e. an AES 128-bit key is 10 rounds, an AES 192-bit key is 12 rounds and an AES 256-bit key 14 rounds.)

The z9-109 processor (and its successors) has a co-processor to provide hardware support for AES-128. If the co-processor is enabled, FDRCRYPT will use it when AES128 is specified or is the default. Encryption employing a hardware co-processor will take less CPU time than a software encryption.

The z9-109 co-processor does not provide support for AES-192 or AES-256, which are implemented by FDRCRYPT in software. This has an effect on the CPU time of the process; 12 rounds for a 192-bit key is an increase in CPU time while 14 rounds for a 256-bit key is a substantial increase in CPU time especially over AES-128 hardware encryption.

25

25

FDRCRYPT – AES

• FDRCRYPT transparently employs AES-128 hardware encryption on the new z9-109.

• Compatible AES-128 FDRCRYPT hdw/sfw implementations allow z9 and earlier processors to exchange encrypted data.

• Extremely secure AES encryption is recommended for data subject to AES compliance. AES software encryption is appropriate only for the most critically sensitive (highly valuable) information.

FDRCRYPT AES is an extremely secure block-cipher encryption.• FDRCRYPT transparently employs the new CP Assist for Cryptographic

Function (CPACF) Advanced Encryption Standard (AES) hardware feature for both data encryption and decryption on all z9-109 models.

• FDRCRYPT allows all zSeries customers to employ software encryption/decryption and z9 customers to leverage the benefits of hardware encryption without concern for the type of mainframe in their disaster recovery sites.

• The AES-128 results produced by FDRCRYPT software encryption and by FDRCRYPT using the z9 hardware co-processor are identical, allowing encryption with the hardware co-processor and restores on a system without the co-processor, and vice versa.

• Resource intensive software AES protection is appropriate for only the most critically sensitive (highly valuable) information and data subject to AES compliance.

26

26

FDRCRYPT Encryption Enhancements

• Compatible AES-128 FDRCRYPT hdw/sfw implementations

• Data Compression

• Cipher Block Chaining

• Sophisticated key management capability• Random key generation• Unique Individual Backup Key• Key file (key data base)• Master Key encryption

• Decrypt Validation

FDRCRYPT enhances the encryption algorithms by:

• Transparently compatible AES-128 FDRCRYPT hardware and software implementations allows all zSeries customers to employ AES-128 encryption/decryption and z9 customers to leverage the benefits of hardware encryption without concern for the type of mainframe intheir disaster recovery sites.

• Data Compression

• Cipher Block Chaining

• Unique Individual Backup Key

• Random Key Generation

• Sophisticated multi-level key management facilities

— Key File (key data base) for Automated Recovery

— Master Key Encryption for Keys

— RACF protection of Key File and Master Keys

• Decryption Validation.

27

27

Data Compression and Encryption

• Encryption defeats tape hardware compression

• FDRCRYPT employs software compression• reduces amount of data to be stored and encrypted

• Typically a 30% to 70% data reduction

• limits media requirement increases• reduces encryption CPU time • strengthens encryption by eliminating duplicates

• Compression CPU time is equal for all algorithms

Encryption defeats tape hardware compression because encrypted data is usually not compressible. Encrypting backup tapes can increase tape requirements two to three times over unencrypted backups. FDRCRYPT compresses data, before it is encrypted, using a proprietary algorithm; which does not save any dictionary of known data strings which might help an attacker decrypt the data. Compression, before encryption, means less backup data which helps save tape.

Compressing data before encryption also helps in other ways. It speeds up encryption/decryption and lowers the encryption/decryption CPU overhead by reducing the amount of data FDRCRYPT must process. Additionally, by disguising commonly occurring and easily recognizable patterns, as well as by increasing the variety of byte values in the data, it strengthens what ever algorithm is chosen.

The CPU overhead compression adds is the same for all encryption algorithms and can be bypassed. However bypassing compression will cause an increase in encryption CPU overhead, as there will be more data to encrypt. Compression CPU overhead ultimately is dependant on how well the data compresses, as uncompressible data consumes more CPU time. Skipping compression is recommended only for data which is known to be uncompressible.

28

28

Cipher Block Chaining

• FDRCRYPT uses cipher block chaining to strengthen all of its encryption algorithms.

• Cipher block chaining (CBC) applies the content of the previous encrypted sub-block to the content of the current sub-block prior to its encryption.

• CBC makes it more difficult to decrypt individual sub-blocks without first decrypting previous pieces.

CIPHER BLOCK CHAINING• All FDRCRYPT encryption algorithms employ a variation of “cipher block

chaining”, a technique where during the encryption of the individual sub-blocks of data within a block, the content of the previous sub-block is applied by the algorithm during encryption to the current sub-block. In cipher-block chaining (CBC) mode, each block of plaintext is XORed withthe previous encrypted block before being encrypted making each encrypted sub-block dependent on all the prior plaintext blocks up to that point in the block chain. Cipher block chaining increases the strength of all the algorithms against brute force parallel attacks, as an attacker must find the beginning of a cipher block chain before attempting the brute force attack, and reduces the likelihood of recognizable plaintext existing in any of the encrypted sub-blocks.

29

29

FDRCRYPT – Key Management

“the key to secure encryption is key security”

FDRCRYPT Key Management includes:• Unique Individual Backup Key• Random Key Generation• Key File (Key Data Base) • RACF Key File Protection• Master Key Encryption• RACF Master Key Storage Protection• Decryption Validation.

“the key to secure encryption is key security”•…as the key to maintaining secure encryption is key security, it is essential that unauthorized persons who might gain access to your backups be denied access to the keys that can decrypt them.

FDRCRYPT, follows the recommendations for secure key management in the FFIEC Information Technology Handbook(Federal Financial Institutions Examination Council):

These Key Management facilities optionally include :•Unique Individual Backup Key

•Random Key Generation

•Key File (Key Data Base)

•RACF Key File Protection

•Master Key Encryption

•RACF Master Key Storage Protection

•Decryption Validation

30

30

Individual Backup Keys

Strengthening the overall level of protection

• Employing a single key for all backups greatly weakens the security for all backups.

• Employing a unique key for each volume back up affords more protection, as gaining unauthorized access to one backup does not provide access to any other backup.

Individual Backup Keys

FDRCRYPT can strengthen the level of protection for your overall enterprise by employing a unique key for each and every disk volume that it backs up, even when they are all in the same FDR step and even on the same tape.

Although it may seem easier to manage if you use just a single encryption key for all disk backups or even for all disk backups on a single tape volume, it greatly weakens the security of all your backup data. If an unauthorized person can manage to get a key for one backup, they have in practice access to all your backup data.

FDRCRYPT can employ a unique, user supplied or random generated key for every individual volume it backs up. The value of individual keys is that if by any means someone manages to compromise the encryption key for one backup, all your other backups remain secure as the compromised key will not decrypt any other backup.

31

31

Random Key Generation

Strengths the overall level of protection

• Randomly-generating different keys, for each disk back up, enhances the security of the encryption.

• FDRCRYPT uses multiple sources to produce truly random keys.

• Best Practice: Let FDRCRYPT generate a random key for every volume backup

Random Key Generation

FDRCRYPT randomly-generating keys, i.e. a different for each disk back up, enhances the overall security of the encryption.

Although it may seem easier to manage if you specify an encryption key you are familiar with for all backups, this makes you responsible for determining and securing those key values. Remember predictable keys can greatly reduce the security of your backup data.

FDRCRYPT does not use pseudo-random generation code because the number of randomly generated values may be limited. Rather it will randomly generate keys starting with a seed value from the hardware system clock and multiple other variable sources in a system.

INNOVATION recommends, that rather than you supplying the encryption keys, you allow FDRCRYPT to generate random encryption keys.

32

32

Key Data Base File (Key File)

Employing a Key File simplifies the use of random keys

• Recording encryption keys in a Key File eliminates the need for restore JCL changes.

• Restore automatically selects the decryption key

• Protect a Key File the same way as you would the system security(e.g. RACF) data base.

• Users need no additional authorization to employ a Key File• Any FDRCRYPT backup/restore can access the Key File.• Only users with a need to create, display or delete the Key File need have

access to the key file.

FDRCRYPT use of randomly-generated keys, i.e. different for each FDR/ABR back up, enhances the security of the encryption. This greatly improves your level of protection but managing a large number of keys can become impractical. FDRCRYPT resolves the key management issue by employing a key file or data base i.e. the “Key File” to store encryption keys it employs.

FDRCRYPT identifies the key it stores in the Key File for an individual backup by disk volser and time of backup. This allows FDRCRYPT to retrieve the appropriate key to decrypt backups automatically. Business continuance plans must include provisions to securely transport the Key File to the recovery site separately from the backups.

You should protect the Key File the same way as you would protect the system security (e.g. RACF) data base. FDRCRYPT does not require any additional access authority to allocate, read, and write a key data base file. Any user who can create or restore a backup will be able to access and enjoy the benefit of the Key File, but only under FDRCRYPT. Authority to create, display or delete a Key File should be limited to the few users who are responsible for maintaining the Key File.

33

33

Master Key (a key to the key)

• If an FDRCRYPT “Backup Encryption Key” is lost, or otherwise not available, a Master Key is the only way to restore an encrypted backup.

• Specifying a Master Key is a backup time option.• When employing a Master Key FDRCRYPT records the “Backup

Encryption Key” on the backup protecting it with the additional AES-128 Master Key.

• Using FDRCRYPT randomly-generated keys, you should always use a master key.

Master Key

Warning: if the FDRCRYPT “Backup Encryption Key” is lost or otherwise not available, a Master Key is the only way to restore an encrypted backup. If both the Backup Encryption Key and the Master Key are not available there is no way to restore an encrypted backup.

Master keys are an optional backup time FDRCRYPT facility that provides a means to restore an encrypted backup when the Backup Encryption Key (and the Key File) is not available or not current.

Employing a 128-bit AES master key FDRCRYPT can reconstruct the actual encryption key used for any associated backup. You may choose to use a single master key for all your FDR backups, or employ unique master keys for different sets of backups. Restore of an encrypted backup using a master key is only possible if a master key is specified at backup time.

INNOVATION recommends that if you use randomly-generated AES keys, you also use a master key.

34

34

Master Key Security

Master Keys:

• Must be kept extremely secure – limit distribution • Avoid easily remembered keys, repetitive characters and

recognizable strings.

• Securely stored in a security system (e.g. RACF) profile• Backup retrieves the master key itself using the profile name

• Often physically stored in safe deposit boxes to limit access

• Never displayed by FDRCRYPT

Master Key Security• …avoid using easily remembered key values as well as repetitive

characters and recognizable strings as a master key or for that matter for any secure key.

FDRCRYPT never displays a Master Key.• A secure way to employ master keys is to store them in a specially named

FACILITY class profile in your security system (e.g., RACF profile name FDRCRYPT.keyname). Running an FDRCRYPT backup job, you need only specify the profile keyname suffix and FDRCRYPT will retrieve the actual master key. During restore master key values are provided on a control statement.

• Limiting knowledge of the Master Key values to a few select individuals and storing a copy of the Master Keys in a secure facility, like a safe deposit box, that is physically distant from the primary processing site are well know best practices. Changing master keys on a regular schedule (e.g., quarterly) and especially after their use at a disaster recovery site are also best practices that enhance the security of the encrypted data.

35

35

Decryption Validation

• A token checksum value stored with the FDRCRYPT backup validates the encryption key prior to restore.

• Key validation prior to restore prevents corruption of target volumes with invalidly decrypted data.

• It is impossible using the AES encrypted token to derive the encryption key from the checksum.

Decryption Validation

An encrypted backup restored with an incorrect key will result in meaningless data values being written to the target disk. The FDRCRYPT Decryption Validation function is meant to minimize the chance of a restore attempt with the wrong key overlaying a target disk with improperly decrypted data. FDRCRYPT stores a token checksum value derived from the encryption key in the backup itself. This checksum token is encrypted with AES-128 or, an equivalent level of AES to match the data encryption. During any restore, FDRCRYPT initially tries to decrypt the checksum using the encryption key and will fail the restore if the token does not decrypt as anticipated, ensuring a restore attempt with the wrong key will not overlay a target disk with improperly decrypted data.

36

36

Preparing for Disaster Recovery

• Keep Backup Output Listings as hardcopy backup of key values.

• Only transmit Backup Output Listings and Master Key values via secure means.

• Always take a separate AES-encrypted backup of the Key File, after all other backups complete.

• Always transport Key File backups to the disaster recovery site separately from all other backup tapes.

• Never transport Master Key values with anything else.

Preparing for Disaster/Recovery

FDRCRYPT displays the backup encryption key it uses in the output listing, unless you specify an operand to suppress that display. This allows the output listings to serve as a backup source for the encryption keys, but printed and electronic copies of these listings must be securely stored and always shipped separately from the backup tapes. FDRCRYPT never displays a master key value. Only transmit Backup Output listings (containing the encryption key) and Master Key values via secure means.

The best practice at a disaster recovery site is to automate restores using a copy of the Key File. Consequently after all other backups are complete, using a unique encryption key, take a separate AES-encrypted backup of the Key File and transport the Key File backup separately from all the other backup tapes to the disaster recovery site. Always restore the Key File before beginning any other restores.

Always transport printed/electronic copies of listing containing keys and encrypted backups of key files separately from backups they are managing.

Never transport master key values with anything else.

37

37

FDRCRYPT Supports!

• FDR full-volume backup and restore• FDRDSF data set backup and restore• FDRABR backup, restore, archive and auto-recall• FDRDRP full-volume restores• FDRAPPL application backup and restore• FDRTCOPY and FDRTSEL backup copy utilities• FDRCAMS seq copies of VSAM and seq files • FDR/UPSTREAM*, SOS* and RESERVOIR*

*Future delivery as additional cost options

FDRCRYPT supports:• FDR full-volume backup and restore• FDRDSF data set backup and restore• FDRABR backup, restore and archive, full, incremental and data set restore including auto-recall

• FDRDRP full-volume restores• FDRAPPL application backup and restore• FDRTCOPY and FDRTSEL (components of FDR and ABR), allow you to

create encrypted copies of backups, create unencrypted copies of encryptedbackups, and run functions such as ARCEDIT on encrypted backups.

• and includes FDRCAMS…a no charge component which employingan IBM IDCAMS REPRO command will encrypt the output sequential data set and when reading decrypt an encrypted data set.— This allows sequential copies of VSAM and other z/OS data sets to be

encrypted for shipment to government agencies or other companies. The encrypted data set can be on tape, or on disk for delivery via email or FTP. A no charge copy of FDRCAMS can be downloaded and installed at receiving sites to decrypt the files they receive.

—Future delivery as additional cost options include:FDR/UPSTREAM FDRSOSFDR/UPSTREAM/SOSRESERVOIR

38

38

Employing FDRCRYPT Cryptographic Functions

• FDRCRYPT z9 hardware or software encryption is simple.Just add a few new parameters to an existing DUMP statement.

• Normally create two backup copies? Encrypt either or both, with no extra overhead to do both.

• RESTORE needs no additional operands, when a current Key File is available backups are automatically decrypted.

• Optional FDRCRYPT DD statements can supply DUMP, RESTORE and COPY with additional KEYFILE, ENCRYPT and DECRYPT parameters.

Encryption Operation

FDRCRYPT z9 hardware or software encryption uses normal FDR backup (DUMP) JCL and is optionally invoked by simply adding a few new operands to the DUMP statement.

Creating two backup copies, you can encrypt either or both, there is no extra overhead to do both.

FDRCRYPT uses existing FDR restore JCL; there are no special operands required on the RESTORE statement as FDRCRYPT recognizes encrypted backups and when a current Key File is available decrypts them automatically.

An optional FDRCRYPT DD statement is available to provide DUMP, RESTORE and COPY steps additional KEYFILE, ENCRYPT and DECRYPT control statements to specify key values and additional encryption options.

39

39

Encrypt an FDRABR Volume Backup

//DUMP EXEC PGM=FDRABR,REGION=0M

//SYSPRINT DD SYSOUT=*

//TAPE1 DD UNIT=CART,DSN=ABR1,DISP=(,KEEP),EXPDT=99000

//TAPE11 DD UNIT=CART,DSN=ABR11,DISP=(,KEEP),EXPDT=99000

//SYSIN DD *

DUMP TYPE=FDR,ENCRYPT=COPY2,ENCRYPTTYPE=AESMOUNT VOLG=DB2

MOUNT VOLG=SYS//FDRCRYPT DD * ENCRYPT VOL=SYS*,ENCRYPTTYPE=BYPASSENCRYPT MASTERKEYID=ABRBKUP

Two new FDRCRYPT operands is all it takes

This example is encrypting the second copy of a set of ABR full-volume backups of a number of disk volumes.

The COPY2 backups (TAPE11) in this case are encrypted using the AES algorithm, except that the system volumes are not going to be encrypted.

INNOVATION recommends that you do not encrypt system volume backups. The content of system volumes is often very predictable and consequently offers a great deal of “known cleartext” to anyone planning a cryptographic attack. Consider placing “system security” and other files that might need encryption on volumes that do not contain standard system files.

INNOVATION recommends you let FDRCRYPT randomly generate the encryption keys by default, and since there is no KEYFILE statement FDRCRYPT will dynamically allocate the Key File identified in the FDR Global Option Table, to record the encryption keys it creates for each backup.

Remember INNOVATION recommends not only that you let FDRCRYPT randomly generate AES key values but also that when you employ random keys you also use an FDRCRYPT master key. The master key for all the backups in this example is obtained from the RACF security profile FACILITY/FDRCRYPT.ABRBKUP, as shown in MASTERKEYID parameter.

40

40

Restore Encrypted FDRABR Volume Backup

//RESTORE EXEC PGM=FDRABR,REGION=0M

//SYSPRINT DD SYSOUT=*

//SYSUDUMP DD SYSOUT=*

//SYSIN DD *

RESTORE TYPE=FDR,CPYVOLID=YES,CONFMESS=NO,DYNTAPE,ONLINE

SELECT VOL=DB1SAL,NVOL=DR0001

SELECT VOL=DB2MAR,NVOL=DR0002

SELECT VOL=PROD01,NVOL=DR0003

With the current Key File available…there are no additional parameters for restore.

This example does ABR full-volume restores of volumes from encrypted backups. This could be a restore at your home site, or at a disaster site after first restoring the current key file. Using the current Key File there are no additional parameters.

41

41

Restore Encrypted FDRABR Volume Backup using a Master Key

//RESTORE EXEC PGM=FDRABR,REGION=0M

//SYSPRINT DD SYSOUT=*

//SYSUDUMP DD SYSOUT=*

//SYSIN DD *

RESTORE TYPE=FDR,CPYVOLID=YES,CONFMESS=NO,DYNTAPE,ONLINE

SELECT VOL=DB1SAL,NVOL=DR0001 SELECT VOL=DB2MAR,NVOL=DR0002

SELECT VOL=PROD01,NVOL=DR0003 //FDRCRYPT DD * DECRYPT MASTERKEY=A342CC0012947FE71442344773F6DEA8

You provide the key(s), when a Key File is not available

This example does ABR full-volume restores of volumes from encrypted backups, when the current FDRCRYPT key file is not available.

It will apply the master key value provided on the DECRYPT control statement for those specified backups.

The master key allows FDRCRYPT to retrieve an encrypted version of the backup key from each backup, and decrypt the data. It does not matter what encryption type was used. This type of restore should be used ONLY if the key file or the individual encryption keys cannot be provided. The master key must be kept extremely secure and used only by authorized individuals when necessary.

A restore using a master key can be done only if a master key was specified during the backup.

Note: Since this ABR full-volume restore may read incremental backups and a full-volume backup while restoring each disk volume, it is necessary that all of those backups be done using the same master key. Although master keys can be changed at any time, for ABR backups it is recommended they change only when full-volume backups are taken (the beginning of a new generation).

42

42

Strength of Encryptionand CPU Requirements

• Backup can require the encryption of TBs of data daily

• CPU time requirements relate directly to the encryption algorithm chosen and the availability of z9 AES hardware support.

• Individual sites must determine their proper balance • Strength of encryption they desire...• What encryption overhead they can afford...

Backup can require the encryption of TBs of data on a daily basis. CPU time requirements relate directly to the encryption algorithm chosen and the availability of z9 AES hardware support. Individual sites must balance the level of encryption security they desire for their data with what CPU overhead they can afford.

43

43

FDRCRYPT Dump Time CPU sec/GB HW/SW encrypt on, z9, z990, z890 & z800

6.2 7.09.2

19.3

11.4

23.7

36.0

75.1

0.0

10.0

20.0

30.0

40.0

50.0

60.0

70.0

80.0

Seconds/GB to Dump on z9 w/AES CPACF Hdw assist

Seconds on z990No AES Hdw assist

Seconds adj to z890No AES Hdw assist

Seconds adj to z800No AES Hdw assist

FDRCRYPT on z9, z990, z890 and z800 Dump CPU sec/GB

FDRCrypt/ Cipher

FDRCrypt/ AES-128

Sample z9 and z990 CPU time to dump 6.4 GB of data with good compression; adjusted to show comparative z890 and z800 CPU times...

• AES (AES-128) using CPACF hardware assist on the z9 and software processing only on the others….

Innovation has made every effort to ensure AES software encryption processing is as efficient as possible, and we believe faster than other software implementations.

44

44

FDRCRYPT Dump Time CPU sec/GB employing HW/SW encrypt on z9

4.8

7.0

15.9

17.7

0.0

2.0

4.0

6.0

8.0

10.0

12.0

14.0

16.0

18.0

z9 C

PU S

econ

ds

FDRCrypt/ Compression

FDRCrypt/ AES-128 Hardware

FDRCrypt/ AES-192 Software

FDRCrypt/ AES-256 Software

Type Encryption

z9 CPU sec/GB (@ 41% comp)

Sample CPU Dump time per GB of data, at a moderate 41% compression ratio, run on a z9-109 Capacity Model 720.

• The proportional increase in CPU time for the increasing stronger encryption algorithms remains the same as in the previous example.

• New with the z9 the introduction of a CP Assist for Cryptographic Function (CPACF) AES-128 hardware feature on all z9 models lowers the CPU overhead of AES-128 encryption to less than twice that of compression alone.

• FDRCRYPT in addition to providing AES-128 hardware encryption on the z9 also provides the even higher levels of AES-192 and AES-256 encryption as a software process….

45

45

Cryptanalysis (code breaking)“What one man can invent another can discover,” said Holmes.

There is no record of a practical attack on AES

• Incrementally sophisticated features make it more and more unlikely FDRCRYPT data can be decrypted, even in the face of sophisticated cryptanalysis, in any reasonable time.

• Random keys defeat “Related-key attacks”• Multiple random keys, compression, substitution and transformations

defeat “Chosen plaintext attacks”• Automated Key Management defeats “Human engineering attacks”

(e.g., “rubber hose decryption”)

“What one man can invent another can discover,” said Holmes.

Cryptanalysis is the practice of code breaking and to date, there is no record of a practical attack successfully compromising AES.

A “Related-key-attack” is running an algorithm with different keys when some relationship concerning the key is known (e.g. a fixed difference between keys). This is why random key generation is important.

A “Chosen plaintext attack” runs an algorithm with known plaintexts to obtain corresponding ciphertexts and eventually the key. This is why employing multiple random keys, compression, substitution and transformations are important. An April 2005 announcement of an attack on AES employing over 200 million chosen plaintexts, gave experts in the field cause to say such an attack on AES is simply not practical against real-world implementations.

Incrementally more sophisticated, each succeeding higher level of encryption makes it more and more unlikely that backup data can be reconstructed (decrypted), in any reasonable time, even in the face of sophisticated cryptanalysis.

“Human engineering”, e.g. bribery, physical coercion, burglary, inserted spyware key logging, and so forth, are increasingly becoming more effective than traditional cryptanalysis. This is why employing multiple generated keys securely maintained by an automated key management system rather than a human administrator is important.

46

46

Generally Availabile

Future Enhancements:FDRSOS extra-cost option to support encryption.

FDR/UPSTREAM and Reservoir extra-cost option to encrypt vault backups.

Questions?

Future Enhancements:• FDRSOS with an extra-cost option will support encryption.

• FDR/UPSTREAM and Reservoir with an extra-cost option will encrypt vault backups.

Questions…

For additional information on FDRCRYPT go to http://www.innovationdp.com/products/fdrcrypt/index.cfm

47

…denies access to disk data leaving your control

FDRERASE

SECURE ERASUREData Protection Compliance Solution

for Large-Scale Storage Systems Leaving Your Control

INTRODUCTION

Beginning this session, my objective is that at its conclusion you will be able to:

1. Recognize how your enterprise’s perception of recent corporate governance, compliance and privacy legislation requirements will impact existing data protection plans.

2. Be more familiar with certain types of data protection technology such as secure erasure.

3. Identify areas where INNOVATION solutions employing these technologies can help you meet new requirements.

Trademarks and statements IBM and z/OS are trademarks or registered trademarks of International Business Machines Corporation. FDR, FDRABR, FDRERASE and FDRCRYPT are service marks, trademarks or registered trademarks of Innovation Data Processing Corporation. All other service marks, trademarks or registered trademarks are the property of their respective owners.

Copyright 2006, INNOVATION Data Processing

48

48

By removing your data from disks, when …

• Returning or selling disks…• in conjunction with FDRPAS non-disruptive migration

• Reusing disks within your organization• in conjunction with FDRPAS non-disruptive migration

and volume consolidation

• Leaving a disaster site

• …Scrapping or Decommissioning

FDRERASE denies access to disk data leaving your control

FDRERASE is the solution for, denying access to valuable data when it resides on disk storage systems that are leaving your control. Use FDRERASE in conjunction with FDRPAS to remove your data from disks you are selling or returning, reusing within your own organization, when you would otherwise be leaving your data at a disaster site after a D/R test and when you are scrapping or decommissioning disks systems.

49

49

Erasing Data...

• Deleting datasets –Is it secure enough? NO!

VTOC

Deleting a dataset only removes the entry from the VTOC

The actual data remains on disk and can still be accessed

VTOC Entry

Dataset

VTOC

z/OS utilities and programs can still access the data on a volume after a delete. Deleting a data set from disk does not erase the data from the disk tracks, it just deletes the VTOC pointers to the tracks containing the data.

There is a security ERASE option which will actually erase a data set after it is deleted but it is rarely used because of the overhead.

50

50

• ICKDSF Minimal INIT –Is it secure enough? NO!

Erasing Data...

Dataset #1

Minimal INIT with ICKDSF only re-writes the VTOC

The original data remains on disk and can still be accessed Dataset #2

Dataset #3

Dataset #4

VTOC

ICKDSF Minimal INIT deletes or rewrites the VTOC, which deletes the VTOC address pointers to the tracks containing the data. It does not erase the data from the disk tracks.

z/OS utilities and programs can still access the data on a volume after an ICKDSF Minimal Init.

51

51

ICKDSF Medial INIT of a single 3390-3 takes approximately 5-8 mins.

INIT runs as a serial operation- so to “ERASE” multiple volumes, you must run multiple individual steps/ jobs.

Erasing Data...

• ICKDSF Medial INIT –Is it fast enough? NO!

ICKDSFINIT

z/OS utilities and programs can not access the data on a volume after a Medial INIT. ICKDSF Medial INIT overwrites a track’s record zero. And slow as it is, ICKDSF Medial INIT does not meet current government guidelines, as specified by the National Institute Science and Technology (NIST), for erasing classified information from disk.

Modern disk subsystems use off-the-shelf open system FBA (Fixed Block Architecture) (i.e. SCSI, FIBRE, ATA) disks to emulate the CKD (count-key-data) disks used by MVS systems (OS/390 and z/OS).

These open system disks can be removed from the disk subsystem and attached to another system as an FBA disk where it may be possible to simply read the residual data directly.

52

52

FDRERASE…Secure and Fast Data Erasure

• Secure: All FDRERASE erase techniques make data unreadable to conventional ECKD disk access.

• FDRERASE design complies with current US National Institute of Science and Technology (NIST), as well as US Department ofDefense (DOD) guidelines for erasing computer disks prior to disposal.

• Fast: FDRERASE erases data at hardware speed and allows for balance with advancing levels of security.

FDRERASE is a business data protection solution from INNOVATION Data Processing

• Secure:All FDRERASE erase techniques make data unreadable to conventional ECKD disk access. FDRERASE complies with current U.S. Government National Institute of Science and Technology (NIST) guidelines for erasing computer disks prior to disposal... and the Department of Defense concurs that the erasure technique FDRERASE employs for Secure Erase satisfies the US Department of Defense (DOD) requirements for erasure, specified in the Assistant Secretary of Defense (ASD/C3I) memo of June 4 2001, of computer hard disks prior to disposal.

• Fast:FDRERASE erases data as fast as the disk hardware will allow offering incrementally advancing levels of security so you can strike a balance between resource consumption, the value of the underlying information and the potential risk that someone my be able to gain access to that information after the disk systems leave your control.

54

54

FDRERASEAdvancing Levels of Security

• FDRERASE allows you to strike a balance between the sensitivity of your data (need for security) and the cost of security (elapsed time); with three advancing levels of secure data erasure and the ability to confirm an erasure.

• QUICKERASE* • Note: QUICKERASE is not a CC certified erase option

• ERASE• SECUREERASE• VERIFY

• All FDRERASE erase levels make data unreadable to conventional z/OS (MVS and OS/390) ECKD disk access.

Only FDRERASE allows you to strike a balance between the value of your data i.e. the need for security and the cost of securing it e.g. elapsed time it takes; by offering three succeeding higher levels of data erasure security; QUICKERASE*, ERASE and SECUREERASE, and the ability to confirm an erasure; VERIFY.

All FDRERASE erase levels make data unreadable to conventional z/OS (MVS and OS/390) ECKD disk access.

Incrementally more sophisticated each succeeding higher level of intensive overwrite offers a higher level of security making it more and more unlikely that data can be reconstructed, even if the FBA disk drives are removed from disk storage system.

55

55

QUICKERASE*

• The fastest method on most hardware.

• Uses standard ECKD commands to erase data.

• More secure than ICKDSF minimal INIT• data no longer available to any MVS program.

• Recommended for use when re-using disks in-house and upon leaving a trusted D/R site

*Note: QUICKERASE is not a CC certified erase option

QUICKERASE* is the fastest method of erasing disks on most hardware.

• QUICKERASE uses hardware CKD commands to erase all records from all tracks of selected disk devices. There are several commands used, depending on the manufacturer and emulation mode of the disk subsystem. However the result is the same: all records are erased from the tracks and the tracks appear to be empty (contain no records).

• QUICKERASE makes all the data on a volume unavailable when the disks are accessed through the subsystem, as CKD disks. However depending on the subsystem manufacturer, the data may not be completely erased from the FBA disk drives internal to the subsystem. It may still be possible to recover the data if the FBA hard drives are removed from the subsystem and read as open system disks.

• QUICKERASE is most appropriate when a subsystem will be reused, such as when you plan to reuse the disks for another purpose, or when leaving a trusted disaster/recovery site.

*Note: QUICKERASE is not a CC certified erase option

56

56

ERASE

• More secure than QUICKERASE

• Overwrites tracks with binary zeros• Or user specified pattern

• Meets NIST guideline for “clearing” data

• Adequate for all but the most sensitive or highly classified data

• Appropriate when selling off or scrapping disks and leaving an unsecured D/R site

ERASE is a more secure method of erasing disks on most vendor’s hardware.

• ERASE, by default, overwrites each track with a record of binary zeros (or a user specified pattern) then waits to ensure that the data is hardened (written) to the FBA disks before concluding; this may take some seconds. Overwriting data, the default ERASE function, meets the NIST guideline for “clearing” information from computer disks.

• ERASE makes it impossible to recover the original data using normal read commands. Even if the FBA disks are removed from the storage subsystem, ERASE is adequate to prevent most attempts to recover data from the internal “SCSI” disk drives. This is usually adequate for erasing all but the most sensitive or highly classified data.

• ERASE is most appropriate when a subsystem will be sold, scrapped, or returned to the manufacturer and upon leaving an unsecured D/R site.

57

57

SECUREERASE

• The most secure level of data erasure

• Overwrites tracks multiple times• Randomly generates patterns• Minimum of three erase passes• Even passes use complement of previous pass pattern

• Meets NIST guideline for “purging” data

• Appropriate for your most sensitive data

SECUREERASE is the most secure method of erasing CKD data from disks on any vendor’s hardware.

• SECUREERASE is similar to an ERASE operation, except by default a minimum of three passes (ERASEPASS=3) is forced using special data patterns. The first pattern will be a random value (other than 00, 01, FE and FF), the second pass will use the complement of the first pattern, and the third pattern will be a new random value (different from the first two). Up to 8 passes can be requested; the fourth pattern will be a complement of the third, and so on.

• SECUREERASE will be slower than other erase functions, since it always writes a non-zero record, multiple times, to every track. It also waits at the end of each pass to ensure that the data is hardened (written) to the FBA disks before continuing; this may take some seconds.

• The use of an alternating two‘s complement data pattern is a specification in the NIST guideline for “purging” computer disks, making it very unlikely that the data can be recovered even if the FBA hard drives are removed.

• SECUREERASE is most appropriate when a subsystem contains your most sensitive and highly classified data.

58

58

VERIFY

• Many DoD directives require independent confirmation of an erasure by a second user

• VERIFY enables a user to confirm that the physical tracks of a z/OS DASD volume have indeed been overwritten sufficiently that no residual information remains.

• Samples a percentage of a volume by default, but can verify an entire volume if needed.

Many DoD directives require independent confirmation of an erasure by a second user. VERIFY enables a user to verify that the physical tracks of a z/OS DASD volume have indeed been overwritten sufficiently that no residual information remains. VERIFY samples a percentage of a volume by default, but can verify an entire volume if needed.

59

59

RAID Rank RAID Rank

RAID Rank RAID Rank

? ? ? ? ? ? ? ?? ? ? ? ? ?

? ? ? ? ? ? ? ?? ? ? ? ? ?

? ? ? ? ? ? ? ?? ? ? ? ? ?

? ? ? ? ? ? ? ?? ? ? ? ? ?

? ? ? ? ? ? ? ?? ? ? ? ? ?

? ? ? ? ? ? ? ?? ? ? ? ? ?

? ? ? ? ? ? ? ?? ? ? ? ? ?

? ? ? ? ? ? ? ?? ? ? ? ? ?

FDRERASE Performance

• FDRERASE can concurrently erase up to 64 disks

All modern mainframe disk subsystems use large capacity FBA disks to emulate virtual CKD disks. These FBA disks are usually in some sort of RAID configuration for automated recovery from disk failures.

FDRERASE will erase data as quickly as possible, but the actual elapsed times in any environment will depend on the disk vendor and disk subsystem model, as well as the types of channel (ESCON vs. FICON) and other workload in the system and channels running concurrent with FDRERASE.

FDRERASE, by default, can process up to 64 disks concurrently, if you have identified 64 or more eligible disks on a single MOUNT statement. The maximum concurrent disks can be reduced below 64 by the MAXTASKS=nn operand.

Erasing a large number of CKD disks which are physically located on the same underlying FBA disk or in the same RAID rank can cause congestion on the disk adapter data paths, contention in the raid arrays and excessive head movement on the physical disks themselves. The consequence of this is that the total ERASE elapsed time for a given number of CKD disks may be much greater than if the same number of disks were run in smaller groups or are spread across different physical resources.

60

60

RAID Rank RAID Rank

RAID Rank RAID Rank? ? ? ? ? ? ? ?? ? ? ? ? ?

? ? ? ? ? ? ? ?? ? ? ? ? ?

? ? ? ? ? ? ? ?? ? ? ? ? ?

? ? ? ? ? ? ? ?? ? ? ? ? ?

? ? ? ? ? ? ? ?? ? ? ? ? ?

? ? ? ? ? ? ? ?? ? ? ? ? ?

? ? ? ? ? ? ? ?? ? ? ? ? ?

? ? ? ? ? ? ? ?? ? ? ? ? ?

Minimizing Contention for the Best Possible Performance

• FDRERASE automatically selects logical volumes from different physical disk raid ranks to minimize contention and sustain the best possible performance.

You will always achieve the best possible erase performance, by specifying a large number of disk device addresses on the MOUNT statement and letting FDRERASE manage their order of selection.

Employing CKD commands (which vary depending on the vendor and disk type) to identify the underlying physical disk or RAID group associated with each CKD disk it will erase, FDRERASE will concurrently start an ERASE on no more than eight CKD volumes associated with the same underlying disk or RAID group.

You can override this default limit of eight with the MAXEU=nn operand. A larger MAXEU= value, for example, may be appropriate for a very high-performance disk subsystem, although you will need to experiment a bit to find the proper value.

A MAXEU= limit can also prevent FDRERASE from concurrently erasing the number of volumes specified as a MAXTASKS= value, unless the MOUNT statement specifies sufficient CKD disk address on different underlying disks (and RAID groups), or in separate disk subsystems.

61

61

FDRERASE User Experiences

• FDRERASE user experience at a D/R site, using ERASE on 2105-F20 and 2105-800 FICON-attached SHARK storage systems; erased 41TB, from (1,600) 3390-27 volumes…in just over 5 hours

• For more information on FDRERASE go to…• http://www.innovationdp.fdr.com/products/fdrerase/corpemail.cfm• http://www.innovationdp.fdr.com/products/fdrerase/erasereport.pdf

FDRERASE user experience at a disaster recovery site, using ERASE on 2105-F20 and 2105-800 FICON-attached SHARK storage systems; erased 41TB, from (1,600) 3390-27 volumes…in just over 5 hours

For more information on FDRERASE go to…

http://www.innovationdp.fdr.com/products/fdrerase/corpemail.cfm

http://www.innovationdp.fdr.com/products/fdrerase/erasereport.pdf

62

62

FDRINSTANT

FDRSOSABR UPSTREAM

FDRFASTCPK

FDRPAS

FDRERASE V5.4 L50

INNOVATION Software Solutions: Working to Modernize your Data Protection

INNOVATION provides enterprise storage systems users "right-size” and “right time” solutions for Business Data and Personal Identity Protection.

INNOVATION INSTANT technology solutions include:• ABR Instant non-disruptive volume, dataset and incremental backup

• FDRInstant Restore, Instant FastCPK and FastCOPY

• FDRSOS non-disruptive cross platform backup/restore

• FDR/UPSTREAM/SOS for non-disruptive enterprise storage protection

• “RESERVIOR” distributed enterprise data storage protection

• FDRPAS™ non-disruptive disk hardware installation and volume relocation.

• FDRERASE for business data and personal identity information protection when disk storage systems are leaving your physical control.

• FDRCRYPT protection for valuable sequential flies and backup data leaving your physical control for transport another location.