Essential Layers of IBM i Security: File and Field Security
Download as PPTX, PDF0 likes140 views
Numerous regulations require that sensitive data is protected and cannot be seen by unauthorized individuals, whether internal or external. Learn the keys to protecting files and data on the IBM i.
Ad
More Related Content
What's hot (20)
Similar to Essential Layers of IBM i Security: File and Field Security (20)
Ad
More from Precisely (20)
Ad
Recently uploaded (20)
Essential Layers of IBM i Security: File and Field Security
- 1. Layers of Security File and Field Security Patrick Townsend – Founder and CEO, Townsend Security Bill Hammond – Sr, Product Marketing Manager
- 2. Housekeeping Webinar Audio • Today’s webinar audio is streamed through your computer speakers • If you need technical assistance with the web interface or audio, please reach out to us using the Q&A box Questions Welcome • Submit your questions at any time during the presentation using the Q&A box Recording and slides • This webinar is being recorded. You will receive an email following the webinar with a link to the recording and slides 2
- 3. Today’s Agenda • Layers of Security Overview • IBM i File and Field Security • Object-level authority management • Row and Column Access Control (RCAC) • File-access protection • Encryption • Tokenization of field data • Anonymization • Q & A 3
- 4. Townsend Security ENCRYPTION KEY MANAGEMENT 4 Townsend Security creates data privacy solutions that help organizations meet evolving compliance requirements and mitigate the risk of data breaches and cyber-attacks. The company’s solutions easily integrate with Precisely’s Assure Security products. Companies worldwide trust Townsend Security’s NIST and FIPS 140-2 compliant solutions to meet encryption and key management requirements in PCI DSS, GDPR, CCPA, HIPAA/HITECH, FISMA, and other regulatory compliance requirements. Technology Partners Include
- 6. IBM i File and Field Security Protect personally identifiable information (PII), personal health information (PHI), personal credit card information, and other sensitive data from being exposed should a breach occur. 6
- 7. IBM i File and Field Security 1 Object-level authority management 2 Row and Column Access Control (RCAC) 3 File-access protection 5 Encryption7 4 6 Tokenization of field data Anonymization
- 9. Object-level authority management 9 • For any file (*FILE or *STMF) containing sensitive data, it is critical that the authority designation is set to PUBLIC (*EXCLUDE). • Designated users can be given specific authority to: • Access these files through private authority • Group profiles can help with administration • Access via application techniques that inherit additional authority • Program adopted authority • Profile swapping
- 10. Row and Column Access Control (RCAC)
- 11. Row and Column Access Control (RCAC) • Included with Db2 beginning with 7.2 of the IBM i OS, RCAC provides the ability to prevent selected users from viewing specified rows in a file and/or data in particular columns. • For example, accounting staff should only be able to see rows in a file where the Department field equals “Accounting,” or only select managers should be able to see the Salary column within a file. • Note that RCAC cannot be used for IFS stream files • Compatible with FieldProc encryption – use both! 11
- 13. File-access protection 13 • Building upon object-level authority management, various exit points can be used with rules-based exit programs to further control access to files in very specific ways; • A particular file may only be accessed or a particular command may only be used during specific days or hours. • Third-party solutions streamline the creation and management of these kinds of exit programs HINT: Remember to enable system logging and collect authority failures.
- 14. Encryption
- 15. Encryption 15 • By combining one or more publicly available algorithms with a proprietary encryption key, human-readable data is transformed into unreadable “ciphertext.” • When the encrypted data needs to be decrypted for permitted users, the same encryption key is used. • Encryption requires the careful management of encryption keys to ensure they don’t fall into the wrong hands. CAUTION: Newer regulations like CCPA requirement proper key management! Storing keys on the same server may expose you to litigation (see California AB 1130 – Data Breach Notification)
- 16. Encryption Data at Rest • Precisely encryption solutions can encrypt sensitive data on the IBM i—such as credit card numbers—at the field level within databases. • Technologies are also available that encrypt backup media and disk drives Data in Motion • Encrypt application data sent across networks. • When entire files containing sensitive information need to be sent between systems or entities via FTP, they should always be encrypted, both during transit and when transfer files reside within send/receive staging areas. • Secure file transfer processes are typically done with third-party solutions as they provide strong algorithms, sound encryption-key management processes, and a variety of features that streamline and automate file transfer processes. 16
- 18. Tokenization 18 • Replace sensitive data with non-sensitive substitute values called tokens • Third-party tokenization solutions • utilize a database called a token vault • stores both the sensitive data and information about the relationship between it and its replacement token • permanently replaces sensitive data with a substitute value • Tokenization is often used to replace credit card numbers, social security numbers, and other personally identifiable information.
- 19. Anonymization
- 20. Anonymization 20 • Differences from Tokenization • Eliminates use of a token vault • Permanently replaces sensitive data with a substitute value • Makes the original data unrecoverable • Top use case for anonymization • Production data needed for development • Production data being used in a test environments.
- 21. Top Takeaways • Know where your sensitive data is • Know where your sensitive data goes • Know who should have access to the data • Apply encryption and access controls • Do periodic reviews! Data tends to leak into unexpected places. No one regretted protecting their sensitive data AFTER they had a data breach. 21
- 23. Download the White Paper The six layers of IBM i security and how Precisely can help 23 https://www.precisely.com/resource-center/whitepapers/the-essential- layers-of-ibm-i-security
- 24. Layers of Security Webinar Series 24 Topic 1 Topic 2 Topic 3 access on Resource Center Topic 5 Topic 6Topic 4 register now!today
- 25. Q & A
Editor's Notes
- #2: BH
- #4: Bill
- #5: Patrick I will speak to drivers for encryption including compliance regulations (CCPA, etc.), protection of IP and business secrets, etc.
- #6: Bill The increased frequency of high-profile breaches and the corresponding rise of new and expanded regulatory compliance requirements is putting enormous pressure on IT departments to assure their corporate executives that business-critical systems and data are secure. One particular statistic from a recently conducted Precisely survey of IT professionals is revealing in that 69% of respondents said they were only “somewhat confident” (or worse) in the effectiveness of their company’s IT security program. Given today’s rapidly evolving security threats, even being “somewhat confident” doesn’t cut it. Improving confidence in one’s IT security posture requires a solid understanding of all potential vulnerabilities as well as the most effective best practices and technologies in order to minimize the possibility of a breach. To help, Precisely has created this white paper as a roadmap, grouping together important security best practices and technologies into six primary categories or “layers.” These layers cover physical devices, networks, configuration of the IBM i OS, access to systems, protection of data at the file and field level, and monitoring and auditing of systems. The reason it’s particularly helpful to view these security categories as “layers” is that, to some extent, each category overlaps with the others to provide multiple lines of defense. In other words, should one security layer be somehow compromised, there’s a good chance that another layer will thwart a would-be intruder. The six layers of IBM i security are summarized in the following diagram and are detailed in the remainder of this white paper
- #7: Bill Numerous regulations require companies in various industries to protect personally identifiable information (PII), personal health information (PHI), personal credit card information, and other sensitive data from being exposed should a breach occur. The following strategies and technologies are key to protecting files and data on the IBM i:
- #8: Bill
- #9: Bill
- #10: Patrick Note: Added the bullet point about group profiles
- #11: Bill
- #12: Patrick In instances where users need to access IBM i environments containing especially sensitive data, third-party technologies can be implemented that require two or more identifying factors from users before access is granted. Most people are implementing MFA today. Some regulations require MFA per system not just once when sign into the network. Everyday examples. This is a way to take a step further to resource access. In addition to being used to control access to systems, multi-factor authentication solutions can typically be implemented via API calls to control access to specific databases, individual files, or even commands.. Bill: I added the note about RCAC is compatible with encryption. That was always confusing to IBM I customers.
- #13: Bill
- #14: Patrick I added the last bullet point about system logging. Good tie in to Precisely monitoring solutions.
- #15: Bill
- #16: Patrick I added the last note about proper key management.
- #17: Patrick I think I would change “Third-party encryption solutions” to “Precisely encryption solutions”. I don’t think that is too salesy, but of course up to you. I will talk about the Precisely managed FTP solution, too.
- #18: Bill
- #19: Patick I just added the bit “or when sending to outside service providers”.
- #20: BH
- #21: Patrick
- #22: Patrick Bill: Just some suggestions as we wrap up the conversation. Thoughts?
- #23: Bill The increased frequency of high-profile breaches and the corresponding rise of new and expanded regulatory compliance requirements is putting enormous pressure on IT departments to assure their corporate executives that business-critical systems and data are secure. One particular statistic from a recently conducted Precisely survey of IT professionals is revealing in that 69% of respondents said they were only “somewhat confident” (or worse) in the effectiveness of their company’s IT security program. Given today’s rapidly evolving security threats, even being “somewhat confident” doesn’t cut it. Improving confidence in one’s IT security posture requires a solid understanding of all potential vulnerabilities as well as the most effective best practices and technologies in order to minimize the possibility of a breach. To help, Precisely has created this white paper as a roadmap, grouping together important security best practices and technologies into six primary categories or “layers.” These layers cover physical devices, networks, configuration of the IBM i OS, access to systems, protection of data at the file and field level, and monitoring and auditing of systems. The reason it’s particularly helpful to view these security categories as “layers” is that, to some extent, each category overlaps with the others to provide multiple lines of defense. In other words, should one security layer be somehow compromised, there’s a good chance that another layer will thwart a would-be intruder. The six layers of IBM i security are summarized in the following diagram and are detailed in the remainder of this white paper
- #24: Bill
- #25: Bill
- #26: Bill and Patrick – Bill will moderate the Q&A
- #27: BH