IBM i AES Encryption Data Protection for GDPR PCI NYCRR 500 GLBA FFIEC
IBM i AES encryption and anonymization is a compliance requirement under many personal data protection, federal and state laws and security regulations, such as GDPR, PCI, NYCRR 500, GLBA, FFIEC, HIPAA and HITRUST. IBM i encryption protects private data at rest no matter where the data ends up or how it is accessed, which is why encryption is the most important protection for sensitive data and is required by data protection laws. Only users with a business need, as defined by their job, should have access to personal data, and only the minimum amount of data required to complete the task should be viewable.
Companies with privacy compliance requirements have additional consent requirements for storing personal data that do not directly require encryption; however, the financial penalties for personal data infractions would be significantly lower if the data were encrypted. Personal data must be protected from employees, contractors, business partners and other external threats. External threats include both cyber criminals and externally interconnected trading partners.
IBM i encryption software uses an exit program that the DB2 FIELDPROC API calls to get instructions on how to present sensitive data to users in your applications and through any other means by which the data can be accessed. The personal data presented to your users is based on the permissions you define within our software. Users with full access authority see unencrypted data, others see only masked or partially masked data, and most see only the encrypted data (unreadable ciphertext). Administrators can also control through which applications a user can access personal data. For instance, Human Resources may be permitted to view social security numbers only when accessed through JD Edwards, and cannot access them using Excel or FTP. Our IBM i encryption software does not require any database field types or sizes to be changed, and usually does not require any application changes. Older RPG applications that do not use the native SQL Query Engine (SQE) for database access and that have a database index (key field) needing encryption would need to change a single line of code, using Open Access for RPG (OAR), to make the switch.
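The DDL side of the FIELDPROC mechanism described above, as an added example that is not the vendor's code: the library, table, column and field-procedure program names (HRLIB.EMPLOYEE, SSN, CRYPTLIB.SSNFPROC) are placeholders, and the policy that decides full, masked or ciphertext presentation lives inside the exit program, not in the DDL.

```sql
-- Constructed example; object names are placeholders.
-- 1. Attach the field procedure to the column that holds social security numbers.
--    Db2 for i calls the exit program on every encode (write) and decode (read),
--    so the column keeps its existing type and length and applications keep
--    reading and writing the same column.
ALTER TABLE HRLIB.EMPLOYEE
  ALTER COLUMN SSN SET FIELDPROC CRYPTLIB.SSNFPROC;

-- 2. Verification check: list every column in the library that now has a
--    field procedure attached, so nothing sensitive is missed or left
--    pointing at the wrong exit program.
SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME,
       FIELDPROC_SCHEMA, FIELDPROC_NAME
  FROM QSYS2.SYSFIELDS
 WHERE TABLE_SCHEMA = 'HRLIB';

-- 3. Back-out path: detaching the procedure makes Db2 decode the stored
--    values back to plaintext, so this should only be run under the same
--    change control as the original rollout.
ALTER TABLE HRLIB.EMPLOYEE
  ALTER COLUMN SSN DROP FIELDPROC;
```

Step 2 is the check worth keeping in a compliance runbook, since it shows which columns are actually protected rather than which ones were planned to be.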
Our IBM i AES encryption software uses only algorithms certified by the National Institute of Standards and Technology (NIST), which are publicly known, vetted and scrutinized by other industry security experts. The only secret portions of our IBM i encryption software are the users' secret keys for encrypting and decrypting data. If encryption keys are ever breached or made public, all encrypted data becomes insecure. AES encryption has never been broken, and is not likely to be broken any time soon. However, cyber criminals have gotten hold of encryption keys. As noted by all industry experts, hardened encryption key management processes (e.g. FIPS 140-2) are the most critical part of any encryption solution.
Almost any IBM i object type with personal data can be protected with AES encryption, including fields in IBM i DB2 files, entire database files, save files, spool files, backup tape media and many other common OS400 object types. The combination of PGP encryption and SFTP can be used to protect data in motion, and the data must remain encrypted at its final destination.
Encryption key management solutions protect keys from theft and loss, on a separate system ("location") from the encrypted data, and support routine key rotation. Good key managers also provide separation of duties between data management and key management, allow for dual controls and split knowledge of complete key values, and ensure authenticity of origin. Just like encryption algorithms and software, encryption key managers have certifications you can check against your requirements, such as Federal Information Processing Standards (FIPS 140-2) and KMIP compliance. Key managers are available in the cloud, and can be deployed on a VM or a Hardware Security Module (HSM).
IBM i encryption setup requires only three quick steps to implement: creating the encryption keys, defining user access permissions and executing encryption policies. The most time-consuming tasks in an encryption project involve identifying and locating all the sensitive and personal data that must be protected. There are a few tools available to help with these tasks, as well as using native DDS and SQL CREATE source to search DB2 files and.
Companies that would like to take their production IBM i systems out of scope for compliance requirements should consider using tokenization. IBM i tokenization replaces sensitive data in a production IBM i database with tokens that have the same format and characteristics as the original data, and stores the original data in a separate database called a "token vault", not on production. Unlike encryption, tokenization does not use a key to display or provide access to the data. Just like encryption, tokenized sensitive data can also be displayed and masked according to the user permissions the administrator has defined in our software. Similarly, if the tokens are not stored or are lost, the data becomes anonymized forever.
Key Features of Product
High performance encryption libraries with minimal impact on system resources
Built-in masking of decrypted data based on user or group
Includes key management with a local key store, and integrates with other third-party OASIS KMIP-compliant key managers
Includes extensive data tokenization capabilities
Simple to implement and manage interface
User access control policies with Group Profile and Supplemental Group support
Detailed auditing
Provides encryption commands for Save Files, IFS, and much more
Provides encryption APIs for RPG, COBOL and SQL applications
Encryption should be implemented as a company's first line of defense; however, security access controls will still be required to control how users use sensitive and private data on the system. Any user with read access to sensitive data can also download it and save it to another location (laptop, thumb drive, cloud, email, etc.) without any auditing or controls in place.
IBM i Security Reminders:
Users with *ALLOBJ authority, or who can obtain this All Object authority through an OS400 group profile or supplemental group, can access any sensitive data on the IBM i.
Users with *USE authority can download sensitive data to their workstation
Users with Limited Capability can run CL commands
Applications that use adopted authority or perform a profile swap typically use *SECOFR authority
After your company has completed implementing encryption, be sure to investigate how to monitor and control user access using exit programs for all the OS400 application server exit points, open database protocols, commands that can be run over TCP, and legacy SNA exit points. Archiving and forwarding IBM i audit logs to a SIEM, syslog server or SOC should also be high on the compliance checklist. Please contact us with any questions, or for consulting, implementation, demonstrations, POCs, training or other professional services your company may need. Below are a few of the services we offer that relate to IBM i security, compliance and data protection laws:
- IBM i Encryption Implementation Services
- IBM i Security Consulting Services
- Data and IT Security Assessment, Vulnerability Management, Penetration Testing, Security Incident Forensics, Incident Response Planning or Training
- Data Privacy Assessment, Training, Design and Data Inventory or Mapping
- Compliance Breach Response, GDPR, PCI, HIPAA/HITRUST, NIST, ISO, CCPA, CIS CSC, CSA Star, SOC2 or Privacy Shield
Consulting Services performed by CISSP, CIPP, CIPM, GSLC, CISA, CCSK and PMP