5 Ways To Protect Your Sensitive Data on IBM i

Laurie LeBlanc, iTech Solutions

Regulations (FISMA, HIPPA, SOX, and more) are forcing companies to evaluate how they protect their sensitive data. Industries such as finance, insurance, and healthcare have the most pressure to comply with these regulations which are geared towards protecting consumer’s private information.  The issue is that companies may not understand how to properly secure their data to protect their consumers.

Any good security plan takes a layered approach to protect data.  You have to consider where the data resides and how someone could gain access to it.  Then you have to put controls in place to ensure that you put as many roadblocks in place as possible to prevent unauthorized access.

There are many approaches you can take to ensure you are complying with regulations and protecting your companies information.

Below are five ways to protect your sensitive data.

TLS Encryption

TLS encryption provides communications level encryption between a client and a server.  This should be your first layer of defense when it comes to encryption as it’s by far the easiest to implement. Having TLS encryption enabled helps ensure that only those users who should have access to your system gain access as any communications are encrypted over the wire. This means someone can’t intercept and read sensitive data such as passwords or financial information while in transit.

We often see companies who don’t keep their digital certificates current or worse; they don’t encrypt their communications at all. The result is that all communications to and from their IBM i partitions are sent over the network in plain text. This is asking for trouble.

Encrypting Backups

Companies understand the importance of encrypting their backup media because this exposure has been discussed for a long time.  Since it’s important to keep copies of your physical media offsite for recovery purposes, it makes sense that you wouldn’t want that data to fall into the wrong hands.  When it comes to tape encryption, there are two options: hardware encryption and software encryption.  Each has their advantages.

Hardware encryption would be something like implementing an encryption enabled tape drive which is capable of encrypting while it is being written to media.  Simplifying the encryption process and taking the workload off the system onto the drive.  You are required to implement IBM Security Key Lifestyle Manager (SKLM) to manage the encryption keys, which needs to run on a separate server.

Software encryption would be done using BRMS.  In BRMS you can set up your backups to be encrypted.  You do not need encryption-enabled hardware to support this option.  Instead, you need to install the BRMS Advanced Feature and Encrypted Backup Enablement features.  You need to create a master key, create a keystore file, generate a keystore file entry, and then create a media policy for the environment.  You can’t encrypt the system information, only the user portion of the backup.  When doing a full system restore, the system needs to restore the LIC, OS, and LPPs, and then setup encryption, before it could read the software encrypted data from tape.

Row and Column Access Control

Starting with IBM i 7.2, you can natively implement row and column access controls over your sensitive DB2 files.  Without any additional software, you can restrict users from being able to access specific rows and columns of data.  For example, you can restrict access to the payroll master file to everyone except people in the Payroll Department and then you can hide the salary field of all the executives in the file from all Payroll users except for the Payroll Manager.  This allows you to give users access to the information they need to perform their job while protecting sensitive data from being accessed.  The best part is this is part of the OS, so there’s nothing to buy!

Encryption at Rest

Companies also have to worry about what happens to their sensitive data when they are discarding their media, or if a disk is removed from their machine. It’s important to ensure that the data on discarded disk drives is also not accessible.  Encrypting data at rest on the disk is the best way to ensure that your sensitive data is truly protected.  On IBM i, this requires that you use external SAN Storage, as native IBM i storage can’t encrypt data at rest.  It is an easy implementation with IBM Storwize SAN Storage.

Encryption at rest is something that a lot of IBM i companies haven’t done yet.  However, due to regulations, they are going to have to address sooner rather than later.

Monitoring sensitive data files

You can add an additional layer of monitoring around your sensitive files. There are software solutions that monitor changes or even reads to sensitive data files and can alert you immediately when someone attempts unauthorized access providing additional protection. You can also get reports of the before and after images of the data, which is extremely helpful when its audit time.  You can never have too many layers of security around your data.

If you’re looking to improve the security of your sensitive data, we can help you determine the most cost-effective way to ensure that your data is protected.  We can start with a high-level security assessment of your environment and help you implement a security plan that will truly protect your companies sensitive data.

Click here to sign up for a high-level security assessment of your environment.

Leave a Comment

Your email address will not be published. Required fields are marked *