© 2015 IBM Corporation
IBM Security
InfoSphere® Guardium® Tech Talk: Data Encryption for DB2® and IMS™ on z/OS®
Ernie Mancill, Executive Technical Specialist - NA IOT - zAnalytics, Information Protection Competency Team Lead
Logistics

This tech talk is being recorded. If you object, please hang up and leave the webcast now.
We’ll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group.
We’ll try to answer questions in the chat or address them at the speaker’s discretion.
– If we cannot answer your question, please do include your email so we can get back to you.
When the speaker pauses for questions:
– We’ll go through existing questions in the chat
Reminder: Next InfoSphere Guardium Tech Talk

A link to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o
Please submit a comment on this page for ideas for tech talk topics.
Next tech talk: Checking in on Guardium Recent Enhancements
Speaker: Luis Casco-Arias, Product Manager
Date/time: Tuesday, March 24th, 2015 at 8:30 AM PACIFIC
Register here! https://ibm.biz/BdEkRJ
Guardium community on developerWorks: bit.ly/guardwiki (link in the right-hand navigation)
Agenda

InfoSphere Guardium Encryption Tool for DB2 and IMS Databases
Product Introduction and Overview
Product Demonstration – Part 1
– Data Encrypting Key Generation using KGUP
– EDITPROC Generation using Encryption Tool for DB2 and IMS Databases
– Simple implementation use case
– Q&A
Overview of Cryptographic Support on IBM System z
– ICSF
– CPACF
– CEXxS
– Key Management
Product Demonstration – Part 2
– CKDS Creation
– Pass Phrase Master Key Generation
– CKDS Initialization
– 3 Part Master Key Rotation
– Q&A
Encryption and “Data at Rest” Protection
Key requirement for most of the “popular” data protection initiatives
The main requirement is to protect “data at rest” so that access is granted only for business need-to-know, and only through mechanisms that can be controlled by the native security mechanisms (such as RACF).
Consider the following scenario:
– DB2 linear VSAM datasets are protected by RACF dataset access rules against direct access from outside DB2
– A DBA or Storage Administrator has RACF authority to read the VSAM datasets in order to perform legitimate storage administration activities.
– Those administration privileges can be abused to read the linear VSAM datasets directly and access clear-text data outside of the DB2/RACF protections.
Now consider the above scenario, but with the underlying linear VSAM datasets encrypted:
– When the DBA or Storage Administrator uses their RACF dataset authorities in a manner which is outside of business need-to-know, the data retrieved is ciphertext and thus remains encrypted and protected.
– The only way to access and obtain clear-text data will be via SQL, which can be protected via the DB2/RACF interface
[Figure] External print of the tablespace container showing an unencrypted table and clear-text exposure of data
[Figure] External print of the tablespace container showing an encrypted table and ciphertext data, without exposure of data
InfoSphere Guardium Data Encryption for DB2 and IMS Databases

Existing implementation uses a DB2 EDITPROC for row-level encryption
• Application transparent
• Acceptable overhead when accessing any column in the table
• No additional security
• Table must be dropped and reloaded to add the EDITPROC
• Indexes not encrypted
User Defined Function (UDF) for column-level encryption
• Requires changes to SQL when accessing an encrypted column
• High overhead when accessing an encrypted column, no overhead on non-encrypted columns
• Can secure the UDF in RACF for additional security
• Index encryption
• Data encrypted in place
• Implementation can be less disruptive than other approaches (SQL based)
New functionality: FIELDPROC
• Same basic characteristics as EDITPROCs
How is crypto invoked with the Data Encryption Tool?

Via an EDITPROC, for every row processed by any SQL or utility for DB2 or IMS
– Encrypted row is the same length as the clear row
– No application changes required
– One key per table or segment, specified in the EDITPROC
– Can use Clear Key, Secure Key or Protected Key
  • Protected key requires HCR7770 or later and CEX3
Implementing encryption with the Data Encryption Tool
– Generate the key using ICSF KGUP (Key Generation Update Program)
– Prepare the EDITPROC using the Data Encryption Tool, providing the ICSF key label
– Unload the target table
– DROP / RECREATE the table specifying the EDITPROC
– LOAD the table
– Encryption is now operational
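An added model (not the product's code) of the mechanism just described: rows are encoded by an EDITPROC-like hook on insert and decoded only on the SQL read path, keyed by a CKDS key label, so a direct print of the container yields ciphertext of the same length as the clear row. The cipher is a stand-in keystream construction keyed by an assumed per-row id; the page does not state the tool's cipher mode, and the CKDS entry and sample row are constructed.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for the ICSF Cryptographic Key Data Set (CKDS):
# key label -> key material. The EDITPROC only ever names the label.
CKDS = {"DB2.PAYROLL.KEY": hashlib.sha256(b"demo key material, not a real key").digest()}

def _keystream(key: bytes, row_id: int, length: int) -> bytes:
    """Per-row keystream (assumed construction): HMAC-SHA256(key, row_id || counter)."""
    out, counter = b"", 0
    while len(out) < length:
        msg = row_id.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def editproc(key_label: str, row_id: int, row: bytes) -> bytes:
    """Encode (INSERT/UPDATE) and decode (SELECT) are the same XOR, so the
    stored row keeps exactly the length of the clear row."""
    key = CKDS[key_label]  # ICSF resolves the label; the key never sits in the application
    return bytes(a ^ b for a, b in zip(row, _keystream(key, row_id, len(row))))

class Table:
    """Table whose linear VSAM container is what a storage admin can print directly."""
    def __init__(self, editproc_label: Optional[str] = None):
        self.label = editproc_label
        self.container = []  # list of stored rows (bytes)

    def insert(self, row: bytes) -> None:
        rid = len(self.container)
        self.container.append(editproc(self.label, rid, row) if self.label else row)

    def select(self, rid: int) -> bytes:
        """The SQL path: the only place the EDITPROC decodes the row."""
        stored = self.container[rid]
        return editproc(self.label, rid, stored) if self.label else stored

def demo() -> dict:
    clear = b"00042 DOE, JANE       123-45-6789"  # constructed sample row
    plain, enc = Table(), Table("DB2.PAYROLL.KEY")
    plain.insert(clear)
    enc.insert(clear)
    return {
        "direct_read_exposes_clear": plain.container[0] == clear,
        "direct_read_is_ciphertext": enc.container[0] != clear,
        "same_length": len(enc.container[0]) == len(clear),
        "sql_path_returns_clear": enc.select(0) == clear,
    }

if __name__ == "__main__":
    print(demo())
```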
DB2 Data Encryption Flow – Insert / Update

[Diagram] Components shown: Application Storage holding the unencrypted row, the SQL Insert/Update request, the Encryption EDITPROC, the Integrated Cryptographic Service Facility (ICSF) with its Cryptographic Key Data Set (key label resolved to the user key), and the DB2 Buffer Pool. The labelled steps run from the SQL Insert/Update (1) through the unencrypted row (3) and the encrypted row (4) to "Put Encrypted Row" (6) into the buffer pool.
Encryption Flow for IMS

[Diagram]
Product Demonstration – Part 1
– Data Encrypting Key Generation using KGUP
– EDITPROC Generation using Encryption Tool for DB2 and IMS Databases
– Simple implementation use case
– Q&A
Overview – HW Crypto support in z Systems

[Diagram] CPC drawer with PU SCMs (each PU is capable of having the CPACF function); PCIe I/O drawers holding Crypto Express4S/5S adapters; a Trusted Key Entry (TKE) workstation with smart cards and smart card readers. TKE is required for management of Crypto Express5S and EP11.
ICSF – Interface to the Crypto Hardware

[Diagram] An application program (or product) calls the CSF API with parameters; the ICSF routines run in the z/OS ICSF address space, with an ICSF data space holding a cache of the CKDS and TKDS. Key storage comprises the CKDS, PKDS and TKDS. Functions shown: APIs, Key Storage, Load Balancing, Security.
Clear Key / Secure Key / Protected Key

Clear Key – key may be in the clear, at least briefly, somewhere in the environment
Secure Key – key value does not exist in the clear outside of the HSM (secure, tamper-resistant boundary of the card)
Protected Key – key value does not exist outside of physical hardware, although the hardware may not be tamper-resistant
CPACF - CP Assist For Cryptographic Functions

Supported Algorithms   Clear Key   Protected Key
DES, T-DES             Y           Y
AES128                 Y           Y
AES192                 Y           Y
AES256                 Y           Y
SHA-1                  Y           N/A
SHA-256                Y           N/A
SHA-384                Y           N/A
SHA-512                Y           N/A
PRNG                   Y           N/A
DRNG                   Y           N/A

Provides a set of symmetric cryptographic functions and hashing functions for:
− Data privacy and confidentiality
− Data integrity
− Random number generation
− Message authentication
Enhances the encryption/decryption performance of clear-key operations for
− SSL
− VPN
− Data storing applications
Available on every Processor Unit defined as a CP, IFL, and zIIP
Supported by z/OS, z/VM, z/VSE, z/TPF and Linux on z Systems
Must be explicitly enabled, using a no-charge enablement feature (#3863)
− SHA algorithms enabled with each server
Protected key support for additional security of cryptographic keys
− Crypto Express4S or Crypto Express5S required in CCA mode
Crypto Express5S

Three configuration options for the PCIe adapter
Only one configuration option can be chosen at any given time
Switching between configuration modes will erase all card secrets
– Exception: Switching from CCA to accelerator or vice versa
One PCIe adapter per feature
− Initial order – two features
Designed to be FIPS 140-2 Level 4
Installed in the PCIe I/O drawer
Up to 16 features per server
Prerequisite: CPACF (#3863)
Designed for 2X performance increase over Crypto Express4S

Mode       Accelerator                                     CCA Coprocessor                EP11 Coprocessor
Function   Clear Key RSA operations and SSL acceleration   Secure Key crypto operations   Secure Key crypto operations
TKE        N/A                                             OPTIONAL                       REQUIRED
CPACF      NO                                              REQUIRED                       REQUIRED
UDX        N/A                                             YES                            NO
CDU        N/A                                             YES (SEG3)                     NO

Business Value
High speed advanced cryptography; intelligent encryption of sensitive data that executes off processor, saving costs
PIN transactions, EMV transactions for integrated circuit based credit cards (chip and PIN), and general-purpose cryptographic applications using symmetric key, hashing, and public key algorithms, VISA format preserving encryption (VFPE), and simplification of cryptographic key management.
Designed for FIPS 140-2 Level 4 certification to meet regulations and compliance for PCI standards
Product Demonstration – Part 2
– CKDS Creation
– Pass Phrase Master Key Generation
– CKDS Initialization
– Q&A
Defense in Depth of DB2, IMS, and VSAM Data

First layer - Encryption (this forces all access to clear-text data to take the form of an SQL statement) – IBM InfoSphere Guardium Encryption Tool for DB2 and IMS Databases
Second layer - Database Activity Monitoring (this ensures each SQL statement is inspected, audited, and subject to security policy control) – Guardium Database Activity Monitoring
Third layer - Audit access to VSAM linear datasets – Guardium Datasets Activity Monitoring
Fourth layer - Implement business need-to-know control for critical data (this reduces abuse of privileged access) – DB2 10 row masking and column filtering; OPTIM On-Demand Masking
Fifth layer - Protect the use of unloads and extracts for the purpose of:
– Test data management and generation – Optim TDM / Data Privacy
– Unloaded data for batch processes – IBM Encryption Facility for z/OS
– Extracts for external uses – IBM Encryption Facility for z/OS
– Replicated data – IBM InfoSphere Guardium Data Encryption
– Backup and Recovery assets