Driven by a continuous stream of news about personal information stolen from major retailers and financial institutions, consumers and regulatory bodies are demanding more in terms of data protection and privacy. Personal data protection is required by government and industry regulations such as PCI, HIPAA, GDPR, FISMA and more. Data encryption provides another layer of protection around IBM i Db2 columns that contain sensitive data, and it’s never been easier since the introduction of FIELDPROC in IBM i 7.1. Other solutions are also available to remove sensitive data from servers entirely and to secure data in motion.
View this 15-minute webcast on-demand and get up to speed on the key concepts you need to know to secure sensitive data on your IBM i servers, including topics such as:
• FIELDPROC encryption and key management
• Tokenization and anonymization
• Tools for securing data in motion
• Tradeoffs between do-it-yourself and third-party solutions
2. Agenda
1 – Encryption
2 – Tokenization
3 – Anonymization
4 – Secure file transfer
5 – Tradeoffs: DIY or 3rd party solutions
6 – How Syncsort can help
3. Why protect sensitive data?
• Prevent data breaches
• Prevent the negative publicity resulting from breaches
• Protect your customers’ trust in your handling of their data
Who should you protect your data from?
• Users should see only the data they need as part of their jobs
• Protect your data from internal staff, contractors and business
partners – as well as criminal intruders
What regulations require sensitive data protection?
• PCI DSS
• HIPAA
• GDPR
• GLBA
• State privacy laws
• And more
4. Encryption
What Is Encryption?
• Use of one or more algorithms to
transform human-readable information
into an unreadable format
• Requires a decryption key to return data
to a human-readable format
• Key management is highly recommended
to keep encryption keys safe and manage
them throughout their lifecycle
• Integrates with IBM i FieldProc exit point
(IBM i 7.1 or greater) to enable field
encryption without application changes
• Encryption and decryption activities can
be logged
• Decrypted data can be masked based on
the user’s privileges
Pros
• Mature technology
• Standards offer independent certification
• Algorithms are continuously scrutinized
• Confidence in meeting requirements of
regulations that mandate sensitive data
protection such as HIPAA/HITECH, PCI-
DSS, state privacy laws and more
Tips
• Specified by certain regulations; verify
the requirements of the regulations your
business must comply with
• Better for applications requiring higher
performance
• Look for a secure implementation of a
secure algorithm
• Check for certifications
Cons
• Depending on the implementation,
encrypting and decrypting field data can
have a performance penalty
• Encryption may not preserve the original
format of fields, which can affect field
validation processes
• Applications may need modification to
prevent using encrypted indexes
5. Tokenization
What Is Tokenization?
• Replaces sensitive data with substitute
values or “tokens”
• Tokens are stored in a database or “token
vault” that maintains the relationship
between the original value and token
• Format-preserving tokens retain the
characteristics of the original data (e.g. a
VISA number would still look like a VISA
number and pass a LUHN check)
• Token consistency enables the same
token to be used for every instance of
the original data
• When tokenized data is displayed in its
original form, it should be masked based
on the privilege of the user
Pros
• Tokens cannot be reversed with a key as
there is no algorithmic relationship to the
original data
• Tokenization maintains database
relationships
• Removing data from the production server
reduces risk of exposure from a breach
• Tokenizing a server’s data can remove it
from the scope of compliance
• Specifically referenced for PCI DSS and
supports compliance with other regulations
Tips
• Available through credit card payment
networks for tokenizing credit card
numbers
• Good for BI and queries since
tokenization maintains database
relationships
• Useful when sending data to outside
services for processing when sensitive
data is not required – or for development
and test systems
Cons
• Tokenization is not recognized as widely
as encryption by standards bodies
• Tokenization has a performance impact to
register tokens and retrieve them
6. Anonymization
What Is Anonymization?
• A form of tokenization that permanently
replaces sensitive data with substitute
values (or “tokens”)
• Substitute values are not stored so a
secured token vault is not required
• Can replace every instance of a piece of
original data with the same token
• Format-preserving: Retains the
characteristics of the original data
• A variety of anonymization methods can
be used (masking, scrambling, etc.)
• NOT a solution for use on a production
server since tokens are unrecoverable
Pros
• Cannot be reversed with a key as there is
no algorithmic relationship to the original
data
• Supports compliance with GDPR and other
regulations
• Keeps non-production servers out of the
scope of compliance
Tips
• Not a solution for data on your
production server
• Ideally used for anonymizing sensitive
data on a development or test system
• Good for sending data to outside services
for processing
• When coupled with a high availability
solution for replication to a non-HA node, it
can feed dev/test systems with
anonymized data
Cons
• Anonymization is not recognized as
widely as encryption by standards bodies
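One way to get consistent, format-preserving substitutes without a vault, as an added Python sketch that is not from the original deck: each value is replaced using a keyed hash whose secret exists only for the duration of one run and is then discarded. The keyed-hash approach, the function names and the sample rows are assumptions of this example; the slide itself only names masking and scrambling as methods.

```python
import hashlib
import hmac
import secrets
import string

def make_anonymizer():
    """Return an anonymize() function bound to a one-time secret.

    The secret lives only in this closure and is never stored, so the
    substitutes cannot be mapped back after the run (assumed design).
    """
    secret = secrets.token_bytes(32)

    def anonymize(value: str) -> str:
        # Same input gives the same substitute within a run (consistency).
        stream = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).digest()
        out = []
        for i, ch in enumerate(value):
            b = stream[i % len(stream)]  # digest bytes repeat past 32 characters
            if ch in string.digits:
                out.append(string.digits[b % 10])
            elif ch in string.ascii_uppercase:
                out.append(string.ascii_uppercase[b % 26])
            elif ch in string.ascii_lowercase:
                out.append(string.ascii_lowercase[b % 26])
            else:
                out.append(ch)  # keep separators so the field format survives
        return "".join(out)

    return anonymize

def anonymize_tables(tables, fields):
    """Anonymize the named fields in every row, using one secret for all tables."""
    anon = make_anonymizer()
    return [[{k: anon(v) if k in fields else v for k, v in row.items()}
             for row in table] for table in tables]

# Constructed sample rows standing in for two related production tables.
CUSTOMERS = [{"ssn": "123-45-6789", "name": "Jane Doe"}]
ORDERS = [{"ssn": "123-45-6789", "item": "widget"}]

if __name__ == "__main__":
    for table in anonymize_tables([CUSTOMERS, ORDERS], {"ssn", "name"}):
        print(table)
```

The same substitute appears in both tables, so joins on the dev/test copy still work, while the production value cannot be looked up from it.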
7. Secure File Transfer
What Is Secure File Transfer?
• Securing data in motion across internal or
external networks
• Data is secured by encrypting it on the
IBM i before transferring and decrypting
it on the receiving end
• Required by regulations such as PCI,
HIPAA, GDPR, GLBA and others
• Common protocol options include
• Secure Shell (SSH sFTP)
• Secure FTP (SSL FTPS)
• Desirable for solutions to negotiate
firewalls and create an audit trail of file
transfer activities
• Solutions can automate the transfer
process
Pros
• Protects data from being seen in clear text
when transferred on the network
• Meets requirements of regulations such as
PCI, HIPAA and others that require
encrypted transfer and logging of transfer
activity
• Mature discipline with standards and
certifications available
Tips
• Look for solutions that meet standards
• Ensure any solution you consider can
navigate the complexities of your firewall
configurations
• Set up a hub-and-spoke configuration
that manages all your file transfer
activities
Cons
• Requires technical know-how
8. Tradeoffs
Do-It-Yourself In-House
• Resources may be stretched and pulled
off project
• May need to bring in consultants or hire
a new employee because of lack of
knowledge
• Need to stay on top of new PTFs or
updates to the OS
• Knowledgeable resource may leave or
retire
Third-Party Solutions
• Frees up your resources for business
critical projects
• Leverages experts in the field
• Vendor is in the business of releasing
updated software
• Vendors ensure solutions stay current to
the latest threats and OS capabilities
• Ensures optimal performance
• Vendors also offer services to help you
get started and succeed with your
implementation long term
10. Data Privacy
Protect the privacy of data at-rest
or in-motion to prevent data
breaches
Access Control
Ensure comprehensive control of
unauthorized access and the
ability to trace any activity,
suspicious or otherwise
Compliance Monitoring
Gain visibility into all security activity
on your IBM i and optionally
feed it to an enterprise console
Security Risk Assessment
Assess your security threats
and vulnerabilities
Assure Security addresses the issues on the radar screen of every security officer and IBM i admin
11. Secure File Transfer
Securely transfer files across
internal or external networks
using encryption
Tokenization
Remove sensitive data from a
server by replacing it with
substitute values that can be used
to retrieve the original data
Encryption
Transform human-readable
database fields into unreadable
ciphertext using industry-certified
encryption & key
management solutions
Assure Data Privacy
12. Expert services are available for
• Security risk assessment
• Quick start services
• Quick check services
• Security update services (hot fixes, PTFs, new releases, etc.)
• System update services (ensuring security solution is properly configured
after system changes to IP addresses, OS versions, etc.)
• Auditor assist (supporting internal or external auditors)
• Managed security services
• A la carte consulting
Leverage the seasoned security experts in Syncsort Global Services!
The Syncsort Services Team
Is Here for You