02
Sat, Nov
2 New Articles

Technology Focus: If Your Data Eggs Are in One Basket, You Should at Least Scramble Them

General
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

It's never too late to protect your data and apps with software encryption…until it is too late.

 

It may be only a slight exaggeration to say that it seems like hardly a week goes by without news of yet another organization suffering a data breach. With world commerce coming to rely so heavily on moving large amounts of data rapidly between computers, the benefits of stealing that data has become irresistible to some.

 

Encrypting data, both in transit and in storage, is rapidly becoming a commonsense approach to living in a world that's become dangerous for data. But while there are some legal mandates, such as the federal Health Insurance Portability and Accountability Act (HIPAA), and industry requirements such as the Payment Card Industry Data Security Standard (PCI DSS), which force some enterprises to pay attention to this data problem, they aren't universal. That means some enterprises, their business partners, and their customers are operating at some risk.

 

We're Too Small to Worry about That

"Most of the larger companies are implementing encryption for sensitive data," observes Bob Luebbe, chief architect at Linoma Software, "but some of the smaller companies think they are 'under the radar' and are putting off encryption projects."

 

"Due to compliance requirements, we find that customers processing healthcare, pharma, and/or cardholder data are fully on board with encryption and/or tokenization, while other customers are more hesitant to join the bandwagon due to hits in performance," notes Theresa Robison, director of information security at Liaison Software.

 

"Most IT professionals we talk to today seem to understand the importance of encryption," reports Bryan Schaap, director of client solutions at Applied Logic Corporation. "We've definitely heard that 'no one would be interested in our data' or that 'there's such a small chance that anything would happen,' but for the most part people…realize the importance. Over the last few years, enough data breaches have made the news to ensure that this issue shows up on the radar of the average CIO or CEO, and more often than not the directive to address security issues comes down the chain of command rather than it starting in the trenches with the IT professional."

 

Is Software Better Than Hardware for Encryption?

For the sake of brevity, this article covers only software-based approaches to encryption for IBM i servers. It's worth noting that hardware-based encryptionfor example, using full-disk encryption on hard drives, or virtual tape librariesis an option. However, hardware solutions have their drawbacks.

 

"Hardware-based encryption is the fastest approach, but [it] can be more expensive since you will have to replace your current disk drives," summarizes Linoma's Luebbe. "The main problem with hardware-based encryption for data at rest is that you cannot control precisely who has access to the sensitive data. With software-based encryption, you can set up authorization lists of users and groups at a granular level so you can specifically control access."

 

"Price does typically favor the software-based encryption methodologies," Schaap points out, "but, besides that, I would suggest that software methods offer more flexibility and can be more easily tailored to meet specific needs. In addition, software-based encryption is more easily upgraded and is generally more scalable."

 

Liaison's Robison cites scalability as software encryption's biggest advantage. "Software-based methods lend themselves well to solutions that scale with load." In addition, she offers, "as the Internet of Things and Big Data become more and more prevalent, [these trends] may stress the limits of some existing hardware-based solutions."

 

How Many Bits Are Enough for an Encryption Key?

If you should decide that software encryption is the best path for your organization, one of the first issues you'll face is whether 256-bit encryption keys, such as offered by the Advanced Encryption Standard (AES-256), is sufficient. Surprisingly, the three vendors interviewed for this article disagree on this issue.

 

"AES-256 is the industry standard algorithm for encryption. There is no reason to use any other encryption algorithms because AES-256 has been available for many years and most commercial products support it. Since AES-256 is a very fast encryption algorithm, there is no need to use an algorithm with fewer bits," Linoma's Luebbe declares.

 

Liaison's Robison is even more succinct. "If you're going to encrypt your sensitive data, then you should use an encryption algorithm of at least 256 bits. Period. There is no point in encrypting your data if you're not going to encrypt it appropriately."

 

However, Applied Logic's Schaap disagrees. "You'll be secure with lesser encryption as well. It really comes down to which size of key you'd like to usein general, the longer the key, the stronger the protection, so a bigger key gives you a better chance of staying secure. But if a brute force attack would require 500 years to break a 128-bit key vs. needing 500,000,000 years to crack a 256-bit key, you're covered pretty well with either option, right? And, depending on volume, a possible consideration is that AES-256 encryption requires a bit more time than AES-128. Bottom line: AES 128-bit encryption will be more than adequate."

 

Finding a Software Solution for Encryption

Below are software products that provide encryption options for IBM i servers and their data. One feature offered by some vendors is Format Preserving Tokenization (FPT), which is not strictly encryption. FPT software generates tokens for sensitive data, such as Social Security or account numbers. The tokens maintain the length and format of the original data to simplify handling by applications but don't offer actual numbers in the clear.

 

Each product includes a brief description of major features and a link to the appropriate vendor product page. Please be aware that the descriptions offered here are only summaries, and fuller information on each product is available from the offering vendor.

 

Software Encryption Options for IBM i Servers

 

Applied Logic Corporation

Pro/Encrypt

Pro/Encrypt uses encryption algorithms to protect data for secure backup and storage, file transfer, or physical transport. The function can run interactively or in batch, can use up to 256-bit encryption, can encrypt single files or whole libraries, and uses a symmetric key or pass phrase for decryption. It requires no special hardware and offers AES-128, AES-192, and AES-256 encryption options.

 

Arpeggio Software

ARP-ZIP

ARP-ZIP is freeware that supports file compression as well as offering AES- and password-based optional encryption. ARP-Zip is compatible with WinZIP and PKZIP.

 

HiT Software, Inc.

SafeConduct

SafeConduct uses SSL, 256-bit data encryption, and digital-certificate authentication to protect access to any point-to-point application data traffic. It establishes a secure communications channel between two TCP/IP nodes, requires no changes to application code, and provides a Windows-based audit log. SafeConduct requires a Java runtime environment on IBM i and also runs under AIX.

 

IBM Corporation

IBM Symantec PGP Encryption

IBM Symantec PGP Encryption helps protect sensitive data across endpoints, removable storage media, and email, against loss or unauthorized access. The solution secures e-mail communications with policy based message encryption, and supports regulatory compliance requirements with integrated encryption applications for a variety of environments and applications.

 

Liaison Technologies

Liaison Protect

Liaison Protect is an all-in-one encryption, tokenization, and key management solution. It supports FTP, encrypted data transfers and tokenization systems, and user choice between two data-protection methods, complete event logging, and AIX compatibility.

 

Liaison Protect TaaS

Liaison Protect TaaS is a cloud-based tokenization service for enterprises routing sensitive data transmissions through the cloud. The service meets PCI DSS standards, reduces administrative requirements for users, maps tokens to credit-card numbers rather than individual transactions, and handles all tokenization implementation, operational, and monitoring functions. The service supports both IBM i5/OS and AIX.

 

Linoma Software

Crypto Complete

Crypto Complete encrypts database fields, backups, and IFS files to protect sensitive information at the source. It provides encryption-key management, auditing, and reporting features, as well as support for tokenization systems. It can tokenize, encrypt, and store data from diverse platforms (e.g., IBM i, Linux, UNIX, Windows) and also supports the AIX OS.

 

PKWARE

SecureZIP Server

SecureZIP Server is a data-compression and encryption utility for exchanging data between Windows desktops, AIX/Linux/UNIX and Windows servers, i5/OS midrange, and z/OS mainframe operating systems, as well as automatically converting the data to the format of the target machine. The product supports encryption using passphrases and X.509 digital certificates and can process encrypted data without staging it to disk first.

 

Prime Factors

EncryptRIGHT

EncryptRIGHT is a cryptographic API that separates programming from the implementation of cryptography and tokenization. Developers can use the API to add these services to custom applications. The API runs under the IBM i5/OS, AIX, and many other operating systems. The product includes PCI compliance, key management, audit trails and reporting, and the ability to encrypt fields, files, whole applications, and databases.

 

Townsend Security

AES Encryption for the IBM i

AES Encryption for the IBM i (also called Alliance AES/400) is a system of strong encryption for databases, unstructured data, reports, and offline storage. It requires no coding changes to applications using the data, supports the V7R1 FIELDPROC exit point, automatically masks designated numbers after decryption, is NIST-compliant, and includes security key administration features.

 

Alliance Token Manager

Alliance Token Manager is a tokenization system designed specifically for IBM i that features masked tokens, eliminates the need to store data in an encrypted format, and meets Visa tokenization best-practices standards.

 

PGP File Encryption

PGP File Encryption uses the PGP language as a basis for file encryption of IBM i and z systems. The product includes key management features, encryption and decryption automation via library and IFS file-system scans, and encryption activity scheduling.

 

Encryption and Tokenization Products for AIX and Linux

 

SafeNet

Luna SA

Luna SA is an Ethernet-attached hardware module that provides cryptographic security for sensitive data originating on platforms using AIX and other operating systems. Scalable for cloud environments, Luna SA is capable of up to 6,000 RSA and 400 ECC transactions per second, enables remote administration, and supports certificate signing, code or document signing, and bulk key generation.

 

Software Diversified Services

SDS E-Business Server

SDS E-Business Server provides encryption and authentication functions on Linux, UNIX, Windows, and z/OS platforms. In addition to OpenPGP encryption and decryption, SDS E-Business Server provides data compression, generation of key pairs and split keys, creation and authentication of digital signatures, a browser-based control panel, and APIs for outside applications.

 

Voltage Security

Voltage SecureData

Voltage SecureData offers end-to-end encryption, tokenization, and data masking to protect PCI cardholder data and all other sensitive information in a C- and Java-based API. It supports centralized encryption-key management, PCI DSS and HIPAA standards, and a policy-driven approach to protecting data. SecureData operates on platforms running AIX, Windows, and other operating systems.

John Ghrist

John Ghrist has been a journalist, programmer, and systems manager in the computer industry since 1982. He has covered the market for IBM i servers and their predecessor platforms for more than a quarter century and has attended more than 25 COMMON conferences. A former editor-in-chief with Defense Computing and a senior editor with SystemiNEWS, John has written and edited hundreds of articles and blogs for more than a dozen print and electronic publications. You can reach him at This email address is being protected from spambots. You need JavaScript enabled to view it..

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: