IMS Database Encryption for IMS


Post on 20-Jul-2015


  • IBM Corporation

    IMS Database Encryption for IMS NY IMS User Group May 19, 2015

    Dennis Eichelberger

    IT Specialist, IMS Support zGrowth Team of the Washington Systems Center


  • Really?

    You can do this online now.

  • Sophisticated attackers break through safeguards every day

    [Figure: security incidents by attack type, 2011 to 2013. Attack types: SQL injection, watering hole, physical access, malware, third-party software, DDoS, spear phishing, XSS, undisclosed.]

    Note: Size of circle estimates relative impact of incident in terms of cost to business. Source: IBM X-Force Threat Intelligence Quarterly 1Q 2014

    2011: Year of the breach

    2012: 40% increase

    2013: 500,000,000+ records breached

    61% of organizations say data theft and cybercrime are their greatest threats (2012 IBM Global Reputational Risk & IT Study)

    $3.5M+ average cost of a data breach (2014 Cost of Data Breach, Ponemon Institute)

  • Compromises Take Weeks and Months to Discover

    http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z038

    Time span of events by percent of breaches

  • Data is the key target for security breaches... and Database Servers Are The Primary Source of Breached Data

    http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

    2012 and 2013 Data Breach Report from Verizon Business RISK Team

    Database servers contain your clients' most valuable information

    - Financial records
    - Customer information
    - Credit card and other account records
    - Personally identifiable information
    - Patient records

    WHY?

    - High volumes of structured data
    - Easy to access

    Web application and database servers form another logical grouping, and once again account for most of the records breached. That makes sense because, well, those assets store a lot of records.

  • Key concerns

    Mainframe customers are more vulnerable to security incidents

    Source: IBM Webinar 2/6/2014, Security Intelligence Solutions for System z and the Enterprise

    As mainframes become a major component in service-oriented architectures, they are increasingly exposed to malware. Web services on the mainframe have significantly impacted security.

    Meenu Gupta, President, Mittal Technologies Inc.

    - 50% concerned with privileged insiders
    - 21% concerned with advanced persistent threats
    - 29% concerned with web-enabled z/OS apps

    The solution

    - 86% of customers agree that deploying multiple layers of defense provides the best mainframe protection

  • But System z is already secure - Why need more?

    Separation of duties

    o Privileged users need to know vs abuse or mistake
    o Trace-based auditing controlled by privileged users
    o SAF plays a vital role in protection of data on z/OS, but is not tamper-resistant and actionable

    Achieving audit readiness is labor-intensive and introduces latency

    o RACF lacks sufficient granularity for reporting
    o IMS logging is real time, but reporting of that information is usually after the fact

    Real time vs. batch processing

    o Batch processing of audit data from external sources prevents real time alerting

  • Data Protection Drivers

    Industry Compliance

    Regulatory Compliance

    Information Governance

  • Industry Compliance Driving Data Protection

    PCI - Payment Card Industry compliance

    World-wide accepted standards that protect against credit card fraud

    - Requires adaptation of business controls to protect against compromising sensitive data

    Examples of standards

    - Protect stored cardholder data
    - Restrict access to cardholder data by business on a need-to-know
    - Restrict physical access to cardholder data

  • Industry Compliance Driving Data Protection

    PCI - Payment Card Industry compliance (cont'd)

    PCI standards require sensitive personal information of credit card holders to be encrypted, including:

    - Account number
    - Expiration date
    - Name and address
    - Social Security number

    Compressed data is not acceptable as data encryption

    Many encryption techniques and algorithms

  • Regulatory Compliance Driving Data Protection

    Governmental Regulations

    - Basel III (2010-2011) - Measurement of total banking risk based on capital adequacy, stress tests and market liquidity risks
    - Sarbanes-Oxley Act (2002) - Strengthen financial reporting and internal controls by fixing responsibility within a company's management
    - HIPAA (1996) - Provide national standards for electronic health care records and secure those medical records, prove how they have been used and who has used them
    - Patriot Act (2001) - Prevent usage of the financial system to support illegal activities, particularly terrorism
    - Various anti-money laundering (AML) - Prevent the laundering of money derived from illegal activities
    - Gramm-Leach-Bliley Act (1999) - Protection of personally identifiable financial information (PII)

  • Cryptographic Standards

    - CCA (Common Cryptographic Architecture)
    - PKCS (Public-Key Cryptography Standards)
    - OCSF (Open Cryptographic Services)
    - ANSI (American National Standards Association)
    - ISO (International Organization for Standardization)
    - FIPS (Federal Information Processing Standards)

  • Cryptographic Functions

    Data Confidentiality
    - Symmetric: DES/TDES, AES
    - Asymmetric: RSA, Diffie-Hellman, ECC

    Data Integrity
    - Modification Detection
    - Message Authentication
    - Non-repudiation

    Financial Functions

    Key Security & Integrity

  • Data Protection - Not Just an Activity for One Group

    Initial concerns and questions

    - What is the right database encryption solution?
    - Would the application need to be modified?
    - Would application performance be impacted?
    - Which group will own key management?
    - What is the security team's role?
    - What is the audit team's role?
    - What is the IMS systems programmer's role?
    - What is the DBA's role?

  • Focal Areas for a Strong Security Strategy

    Encrypting the data

    - Reduce the liability: even if data is accessed, encryption reduces the usability of that data

    Monitoring access to the data

    - Have visibility to data access: identify who accessed data, and when it was accessed or updated

  • Encryption is a technique used to help protect data from unauthorized access

    - Data that is not encrypted is referred to as clear text
    - Clear text is encrypted by processing with a key and an encryption algorithm
    - Several standard algorithms exist, including DES, TDES and AES (next slide)
    - Keys are bit streams that vary in length
    - For example, AES supports 128, 192 and 256 bit key lengths

    [Diagram: Encryption Process: Clear Text + Key -> Encryption algorithm (e.g. AES) -> Ciphertext (Encrypted Data). Decryption Process: Ciphertext + Key -> Encryption algorithm -> Clear Text.]

  • Encryption Algorithms: Which Ones Are Best?

    DES (Data Encryption Standard)
    - 56-bit, viewed as weak and generally unacceptable today by the NIST

    TDES (Triple Data Encryption Standard)
    - 128-bit, universally accepted algorithm

    AES (Advanced Encryption Standard)
    - 128- or 256-bit, newest commercially used algorithm

    What is acceptable?
    - DES is viewed as unacceptable
    - TDES is viewed as acceptable and compliant with NIST (National Institute of Standards and Technology)
    - AES 128 or 256 is also viewed as acceptable and strategic

  • Encryption Algorithms: Which Ones Are Best?

    DES (Data Encryption Standard)
    - 56-bit, viewed as weak and generally unacceptable today

    [Diagram: Plain text -> Encrypt (Key 1) -> Encrypted text. Reverse to decrypt.]

  • Encryption Algorithms: Which Ones Are Best?

    TDES (Triple Data Encryption Standard)
    - 128-bit, universally accepted algorithm

    Note: same key can be used for each step for DES compatibility

    [Diagram: Plain text -> Encrypt (Key 1) -> Cipher text 1 -> Decrypt (Key 2) -> Cipher text 2 -> Encrypt (Key 3) -> Cipher text 3. Reverse process to decrypt.]

  • Encryption Algorithms: Which Ones Are Best?

    AES (Advanced Encryption Standard)
    - 128-, 192- or 256-bit, newest commercially used algorithm

    Rijndael Algorithm
    - Block Cipher (16-byte blocks)
    - 128, 192, 256-bit Key Length
    - Multiple Rounds
    - Four Steps per Round: Byte Substitution, Shift Row, Mix Column, Add Round Key

  • Encryption Algorithms: Which Ones Are Best?

    For more information:

    - TDES NIST Special Publication 800-67 V1 entitled "Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher" and can be found at http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf
    - TDES NIST FIPS Publication 197 entitled "Announcing the Advanced Encryption Standard (AES)" and can be found at http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

  • Why do we care about lengths of keys and hashes?

    - The longer a key, the lower the probability to guess the right key
    - The longer a hash, the lower the probability to guess a matching text for a given hash
    - Key and hash sizes that are considered secure change over time
    - Cryptography is not security, it is only low probability!? - But Low is VERY LOW!
    - NIST 800-131a provides guidance on key sizes, algorithms and time period to move to stronger hashes, longer keys and algorithms

    Examples of sizes:

  • Integrated Cryptographic Service Facility (ICSF)

    Provides: z/OS integrated software support for data encryption

    Operating System S/W API Interface to Cryptographic Hardware
    - CEX2/3C hardware feature for z114, z10 and z196
    - CEX4S hardware feature for z12BC and z12EC
    - CEX5S hardware feature for z13 (2x faster over CEX4S)

    Enhanced Key Management for key creation and distribution
    - Public and private keys
    - Secure and clear keys
    - Master keys

    Created keys are stored/accessed in the Cryptographic Key Data Set (CKDS) with unique key label

    CKDS itself is secured via Security Access Facility

    See Reference Section of this presentation for more details

  • What are Encryption Keys?

    Master Keys
    - Used to generate, encrypt, and store user keys into the CKDS (Cryptographic Key Data Set)
    - Loaded into the CEXnn hardware, and stored NOWHERE else

    User Keys (Data Encrypting Keys)
    - Generated via ICSF services
    - Stored inside the CKDS
    - Public or Private
    - Clear or Secure
    - Used by the IBM InfoSphere Guardium Encryption Tool along with encryption algorithm to convert user data to Ciphertext

  • Encryption in a Nutshell

    How can you as an IMS Support person achieve this?

  • InfoSphere Guardium Data Encryption for DB2 and IMS Databases

    InfoSphere Guardium Data Encryption protects Sensitive and Private information, minimizing the liability risks associated with Information Governance.

    - High Performance and Low overhead by using the available cryptographic hardware
    - Uses the major encryption algorithms
    - Conforms to the existing z/OS security model
    - Complies with Security and Privacy regulations
    - Implementation at the IMS segment level
    - No changes to application programs

  • IMS Encryption Flow

    Encryption

    1. IMS application program passes a segment REPL, ISRT, or LOAD request to the IMS control region. IMS uses the DBD to determine that a Segment Edit/Compression exit is required, so IMS loads the exit.

    2. Exit invokes ICSF services, passing user-defined data encryption key label (provided by exit) and unencrypted segment.

    3. When the segment has been successfully encrypted, the exit passes the segment back to IMS.

    4. IMS then puts the encrypted segment into the database.

  • IMS Decryption Flow

    Decryption

    1. IMS application program passes segment GET request to IMS control region. IMS determines, from DBD, that a Segment Edit/Compression exit is required, so IMS loads the exit.

    2. IMS retrieves encrypted segment from the database.

    3. IMS then calls the exit and passes it the encrypted segment. The exit invokes ICSF services, passing the user-defined data encryption key label (provided by exit) and the encrypted segment.

    4. When the segment has been successfully decrypted, the exit passes the segment back to IMS.

    5. IMS passes the decrypted segment back to the application.

  • InfoSphere Guardium Data Encryption for DB2 and IMS Databases

    There are three routines supplied with Guardium:

    - DECENA01: IMS Clear Key exit routine
    - DECENB01: IMS CPACF Protected Key exit routine
    - DECENC01: IMS Secure Key exit routine

    These routines are found in the installed dataset hlq.SDECLMD0

  • InfoSphere Guardium Data Encryption for DB2 and IMS Databases

    To create an exit that encrypts and decrypts IMS data, the Tool can be implemented in one of two ways:

    1) Through JCL. The product provides sample jobs where the JCL can be modified to meet your needs for encrypted IMS databases.
    2) Using the ISPF interface. An ISPF dialog is available for you to create customized jobs for encrypting IMS database segments.

    Both processes allow:

    - A Standalone Encryption/Decryption routine
    - Encryption/Decryption in combination with database Compression.

  • InfoSphere Guardium Data Encryption for DB2 and IMS Databases

    Through JCL. The product provides sample jobs where the JCL can be modified to meet your needs for encrypting IMS databases. These jobs can be found in the distribution libraries: hlq.SDECSAMP

    Each job link edits the selected exit routine with the required Integrated Cryptographic Service Facility (ICSF) callable services.

    - DECIMSCK: Clear Key, links DECENA01
    - DECIMSCB: Protected Key, links DECENB01
    - DECIMSJB: Secure Key, links DECENC01
    - DECIMSDV: Driver exit for both compressed and encrypted IMS segments

  • InfoSphere Guardium Data Encryption for DB2 and IMS Databases

    Using the ISPF interface. An ISPF dialog is available for you to create customized jobs for encrypting IMS database segments. The ISPF dialog creates customized JCL based on the sample jobs from the previous slide and edited with the information the user supplies.

  • How is crypto Implemented with the Data Encryption Tool for IMS?

    Implementing IMS Encryption with the Data Encryption Tool

    o Generate Key using ICSF KGUP (Key Generation Update Program)

    o Prepare your exit using Data Encryption Tool providing ICSF Keylabel

    o Generate the DBD and ACB(s) to include the COMPRTN value

    o Unload target database

    o Activate the ACB to your IMS systems

    o LOAD the target database

    o /STA db

    o Encryption is now operational

  • How is crypto Implemented with the Data Encryption Tool for IMS?

    ISPF Dialog Walk through

  • InfoSphere Guardium Data Encryption ISPF Main Menu

    Selection 3 for Jobcard creation

  • Standard installation Jobcard information

  • InfoSphere Guardium Data Encryption ISPF Main Menu

    Selection 1 for an IMS Encryption Implementation

  • Selections:

    1 = use to create an encryption exit that will be used standalone; that is

    without co-existence with a compression routine

    2 = use to create both an encryption exit and a driver module to call an

    existing compression routine then the encryption exit

  • The F1 key provides help information for the screen displayed.

  • Encryption routine is called DSECLEAR

    The label (name) of the Encryption key that has been previously created by a security administrator

    IMS Clear key selected

    - CSF lib = Installation Encryption services dataset
    - ZAP lib = Dataset containing AMASPZAP program
    - SMP lib = Installed Guardium load dataset
    - EXIT lib = Load dataset for the new Encryption exit
    - Exit Name = Load module name for the new Encryption exit

  • Encryption program is called DSECLEAR

    Guardium supplied Clear Key exit routine

    Here is the generated JCL to create the Encryption/Decryption routine link edit. The two ICSF CSNBnnn routines are included and the resulting executable module is placed into the dataset DDS0027.ENCRYPT.LOADLIB, member DSECLEAR.

    Remember: DDS0027.ENCRYPT.LOADLIB must be in the IMS region's STEPLIB DD, or the module must be copied to an existing dataset in the STEPLIB DD.

  • Encryption program DSECLEAR to be ZAP'd

    Encryption Key Label being ZAP'd into DSECLEAR

    Here is the generated JCL to create the ZAP onto the Encryption/Decryption routine. Our Key Label is previously defined and resides in our ICSF dataset. This defined label is ZAP'd onto the routine, providing the encryption key to be used.

  • Now let's try a combination Compression and Encryption implementation. The Compression and the Encryption routine must be available.

  • Here is the input to create the Link edit job for the combination module. The Driver module will be called DSEEXIT. It will include a Compression/Decompression routine named DSECOMP. It will include an Encryption/Decryption routine called DSECRYPT. Both of these modules must already exist in the named datasets.

  • The first step of the Link edit job creates the IMS Driver module name in the target load dataset. (SYSLMOD)

  • The second step of the Link edit job includes the named Compression routine and the named Encryption routine to create the composite module named DSEEXIT in the target load dataset.

    Available Compression routine

    Available Encryption routine

    New Driver module to invoke Compression & Encryption


  • InfoSphere Guardium Data Encryption for DB2 and IMS Databases

    IMS DBD update

    - COMPRTN= is added
    - The value of DATA encrypts only the segment data
    - This value may be entered as KEY to encrypt any segment field

    Generate the DBD and the ACB(s)

        DBD    NAME=F2O1P4,ACCESS=(HDAM,OSAM),RMNAME=(DFSHDC40,10,100)
        DSG001 DATASET DD1=F2O1P41,DEVICE=3380,SIZE=(8192),SCAN=1
        *
        SEGM   NAME=ROOT,BYTES=20,PTR=(TB),
               PARENT=0,COMPRTN=(DSEEXIT,DATA,INIT)
        FIELD  NAME=(ROOTKEY,SEQ,U),BYTES=10,START=1,TYPE=C
        FIELD  NAME=ROOTFLD1,BYTES=1,START=4,TYPE=C
        FIELD  NAME=ROOTFLD2,BYTES=1,START=5,TYPE=C
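
    A Python model of the encryption and decryption flow slides and of the COMPRTN=(DSEEXIT,DATA,INIT) setting above. It is an added example, not IBM or Guardium code. Assumptions: the key label, the dictionary standing in for the CKDS, and the HMAC-SHA256 keystream with a random nonce and integrity tag that stands in for the ICSF TDES/AES service are all constructed for this model. The 10-byte clear sequence field follows the ROOTKEY definition in the DBD.

```python
import hashlib
import hmac
import os

SEQ_LEN = 10    # ROOTKEY in the DBD above: START=1, BYTES=10
NONCE_LEN = 16  # model choice, not product behaviour
TAG_LEN = 16    # model choice, not product behaviour

# Constructed stand-in for the CKDS: key label -> data-encrypting key.
CKDS = {"DEMO.IMS.DATAKEY": bytes(range(32))}


class ExitError(Exception):
    """The exit could not process the segment, so the DL/I call fails."""


def _prf(key, purpose, msg):
    return hmac.new(key, purpose + msg, hashlib.sha256).digest()


def _xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 keystream). The real exit calls ICSF for
    # TDES/AES; this substitute only keeps the example stdlib-only.
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(_prf(key, b"enc", nonce + i.to_bytes(4, "big")) for i in blocks)
    return bytes(d ^ s for d, s in zip(data, stream))


class SegmentExit:
    """Model of the exit named on COMPRTN=(DSEEXIT,DATA,INIT)."""

    def __init__(self, key_label):
        self.key_label = key_label  # the exit carries the label, never the key

    def _key(self):
        if self.key_label not in CKDS:
            raise ExitError(f"key label {self.key_label!r} not found in CKDS")
        return CKDS[self.key_label]

    def encrypt(self, segment):
        """ISRT/REPL/LOAD: clear segment from IMS in, stored form out."""
        key = self._key()
        seq, data = segment[:SEQ_LEN], segment[SEQ_LEN:]
        nonce = os.urandom(NONCE_LEN)
        body = nonce + _xor_stream(key, nonce, data)
        tag = _prf(key, b"mac", seq + body)[:TAG_LEN]
        return seq + body + tag  # DATA: the sequence field stays in clear

    def decrypt(self, stored):
        """GET: stored form from the database in, clear segment out."""
        key = self._key()
        seq, rest = stored[:SEQ_LEN], stored[SEQ_LEN:]
        body, tag = rest[:-TAG_LEN], rest[-TAG_LEN:]
        good = hmac.compare_digest(tag, _prf(key, b"mac", seq + body)[:TAG_LEN])
        if len(body) < NONCE_LEN or not good:
            raise ExitError("segment was not written through this exit")
        return seq + _xor_stream(key, body[:NONCE_LEN], body[NONCE_LEN:])


def round_trip(clear, key_label="DEMO.IMS.DATAKEY"):
    # Insert one segment and read it back; returns (stored, returned).
    database = {}  # stands in for the database data set
    exit_routine = SegmentExit(key_label)
    database[clear[:SEQ_LEN]] = exit_routine.encrypt(clear)   # ISRT
    stored = database[clear[:SEQ_LEN]]      # IMS still locates it by key
    return stored, exit_routine.decrypt(stored)               # GET
```

    In this model a segment stored in clear before the exit was in place is rejected on GET, which is the reason the procedure unloads and reloads the database through the exit.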


  • Clear IMS data


  • Encrypted IMS data

  • InfoSphere Guardium Data Encryption for DB2 and IMS Databases

    IMS Database segment level Encryption

    Application Transparent

    Acceptable overhead when accessing the database segment

    No Additional Security

    The Database must be Unloaded and Loaded to implement encryption

    Indexes may be encrypted

  • Defense in Depth of DB2, IMS, and VSAM Data

    First Layer - Encryption (this forces all access to clear text data to be in the form of an SQL or DLI statement)
    - IBM InfoSphere Guardium Encryption Tool for DB2 and IMS Databases

    Second Layer - Database Activity Monitoring (this ensures each DLI statement is inspected, audited, and subject to security policy control)
    - Guardium Database Activity Monitoring

    Third Layer - Audit access to VSAM linear datasets
    - Guardium Datasets Activity Monitoring

    Fourth Layer - Implement business need to know control for critical data (this reduces abuse of privilege access)
    - DB2 10 Row masking and Column filtering; OPTIM On-Demand Masking

    Fifth Layer - Protect the use of unloads and extracts for the purpose of:
    o Test data management and generation: Optim TDM / Data Privacy
    o Unloaded data for batch processes: IBM Encryption Facility for z/OS
    o Extracts for external uses: IBM Encryption Facility for z/OS
    o Replicated data: IBM InfoSphere Guardium Data Encryption
    o Backup and Recovery assets


  • References

    TechDocs - http://www-03.ibm.com/support/techdocs/atsmastr.nsf/Web/TechDocs

    FQ123875 - Where do I find Performance numbers for z/OS Communications Server and for comparisons of network performance with and without security

    TC000087 - System SSL and Crypto on System z

    WP100810 - A Synopsis of System z Crypto Hardware

    PRS4660 - ICSF (HCR7780) and Crypto on zEnterprise Update

    WP101240 - IBM z10 DES Cryptographic Hardware Performance Versus z/OS Software DES

    PRS2680 - DRIVICSF - ICSF Stress Test and Reporting Tool for z/OS zSeries

    WP100647 - A Clear Key / Secure Key / Protected Key Primer

    IBM Redbooks

  • Data Encryption for IMS - Reference Materials

    SC18-9549 IBM Data Encryption Tool for IMS and DB2 Databases User Guide

    o Includes an appendix on activating crypto on your hardware

    ICSF Manuals

    o SA22-7520 ICSF System Programmer's Guide

    o SA22-7521 ICSF Administrator's Guide

    Redbooks

    o DB2 UDB for z/OS Version 8 Performance Topics SG24-6465

    Articles

    o IMS Newsletter article: Encrypt your IMS and DB2 data on z/OS - ftp://ftp.software.ibm.com/software/data/ims/shelf/quarterly/fall2005.pdf

  • Reminder: Next InfoSphere Guardium Tech Talk

    Next tech talk: Checking in on Guardium Recent Enhancements

    Speaker: Luis Casco-Arias, Product Manager

    Date/time: Tuesday, March 24th, 2015 at 8:30 AM PACIFIC

    Register here! https://ibm.biz/BdEkRJ

    Link to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o

    Please submit a comment on this page for ideas for tech talk topics.