It's never too late to protect your data and apps with software encryption…until it is too late.
It may be only a slight exaggeration to say that hardly a week goes by without news of yet another organization suffering a data breach. With world commerce relying so heavily on moving large amounts of data rapidly between computers, the benefits of stealing that data have become irresistible to some.
Encrypting data, both in transit and in storage, is rapidly becoming a commonsense approach to living in a world that's become dangerous for data. But while there are some legal mandates, such as the federal Health Insurance Portability and Accountability Act (HIPAA), and industry requirements such as the Payment Card Industry Data Security Standard (PCI DSS), which force some enterprises to pay attention to this data problem, they aren't universal. That means some enterprises, their business partners, and their customers are operating at some risk.
We're Too Small to Worry about That
"Most of the larger companies are implementing encryption for sensitive data," observes Bob Luebbe, chief architect at Linoma Software, "but some of the smaller companies think they are 'under the radar' and are putting off encryption projects."
"Due to compliance requirements, we find that customers processing healthcare, pharma, and/or cardholder data are fully on board with encryption and/or tokenization, while other customers are more hesitant to join the bandwagon due to hits in performance," notes Theresa Robison, director of information security at Liaison Software.
"Most IT professionals we talk to today seem to understand the importance of encryption," reports Bryan Schaap, director of client solutions at Applied Logic Corporation. "We've definitely heard that 'no one would be interested in our data' or that 'there's such a small chance that anything would happen,' but for the most part people…realize the importance. Over the last few years, enough data breaches have made the news to ensure that this issue shows up on the radar of the average CIO or CEO, and more often than not the directive to address security issues comes down the chain of command rather than it starting in the trenches with the IT professional."
Is Software Better Than Hardware for Encryption?
For the sake of brevity, this article covers only software-based approaches to encryption for IBM i servers. It's worth noting that hardware-based encryption—for example, using full-disk encryption on hard drives, or virtual tape libraries—is an option. However, hardware solutions have their drawbacks.
"Hardware-based encryption is the fastest approach, but [it] can be more expensive since you will have to replace your current disk drives," summarizes Linoma's Luebbe. "The main problem with hardware-based encryption for data at rest is that you cannot control precisely who has access to the sensitive data. With software-based encryption, you can set up authorization lists of users and groups at a granular level so you can specifically control access."
"Price does typically favor the software-based encryption methodologies," Schaap points out, "but, besides that, I would suggest that software methods offer more flexibility and can be more easily tailored to meet specific needs. In addition, software-based encryption is more easily upgraded and is generally more scalable."
Liaison's Robison cites scalability as software encryption's biggest advantage. "Software-based methods lend themselves well to solutions that scale with load." In addition, she offers, "as the Internet of Things and Big Data become more and more prevalent, [these trends] may stress the limits of some existing hardware-based solutions."
How Many Bits Are Enough for an Encryption Key?
If you decide that software encryption is the best path for your organization, one of the first issues you'll face is whether 256-bit encryption keys, such as those offered by the Advanced Encryption Standard (AES-256), are sufficient. Surprisingly, the three vendors interviewed for this article disagree on this issue.
"AES-256 is the industry standard algorithm for encryption. There is no reason to use any other encryption algorithms because AES-256 has been available for many years and most commercial products support it. Since AES-256 is a very fast encryption algorithm, there is no need to use an algorithm with fewer bits," Linoma's Luebbe declares.
Liaison's Robison is even more succinct. "If you're going to encrypt your sensitive data, then you should use an encryption algorithm of at least 256 bits. Period. There is no point in encrypting your data if you're not going to encrypt it appropriately."
However, Applied Logic's Schaap disagrees. "You'll be secure with lesser encryption as well. It really comes down to which size of key you'd like to use—in general, the longer the key, the stronger the protection, so a bigger key gives you a better chance of staying secure. But if a brute force attack would require 500 years to break a 128-bit key vs. needing 500,000,000 years to crack a 256-bit key, you're covered pretty well with either option, right? And, depending on volume, a possible consideration is that AES-256 encryption requires a bit more time than AES-128. Bottom line: AES 128-bit encryption will be more than adequate."
Finding a Software Solution for Encryption
Below are software products that provide encryption options for IBM i servers and their data. One feature offered by some vendors is Format Preserving Tokenization (FPT), which is not strictly encryption. FPT software replaces sensitive data, such as Social Security or account numbers, with tokens. The tokens keep the length and format of the original data, so applications can handle them without modification, but they do not reveal the actual numbers in the clear.
Each product includes a brief description of major features and a link to the appropriate vendor product page. Please be aware that the descriptions offered here are only summaries, and fuller information on each product is available from the offering vendor.
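To make concrete what "keeps the length and format" means, here is an added illustration, not code from any vendor listed below: a minimal vault-based tokenizer that preserves each position's character class (digit, letter, separator) and returns the real value only through the vault. The in-memory vault, the 1000-attempt limit and the helper names are constructed assumptions for the example.

```python
import secrets
import string

class TokenVault:
    """Toy format-preserving tokenization vault (constructed for illustration).
    A token keeps the original's length and per-position character class
    (digit -> digit, letter -> letter of the same case, separators copied),
    so application format checks still pass while the real value lives only
    in the vault, which is therefore the asset to access-control and audit.
    """

    def __init__(self):
        self._value_to_token = {}
        self._token_to_value = {}

    @staticmethod
    def _random_like(ch):
        # Replacement drawn from the same character class with a CSPRNG.
        if ch.isdigit():
            return secrets.choice(string.digits)
        if ch.isalpha():
            return secrets.choice(string.ascii_uppercase if ch.isupper()
                                  else string.ascii_lowercase)
        return ch  # separators such as '-' are kept, so the format is unchanged

    def tokenize(self, value):
        if not any(c.isalnum() for c in value):
            raise ValueError("value has no position that can be randomized")
        if value in self._value_to_token:
            return self._value_to_token[value]  # stable: one token per value
        for _ in range(1000):
            token = "".join(self._random_like(c) for c in value)
            # Never issue a token equal to the real value or to an existing token.
            if token != value and token not in self._token_to_value:
                self._value_to_token[value] = token
                self._token_to_value[token] = value
                return token
        raise RuntimeError("token space exhausted for this format")

    def detokenize(self, token):
        # Only callers authorized to see the clear value should reach this path.
        return self._token_to_value[token]


def same_format(original, token):
    """True when token has original's length and character class at every position."""
    return len(original) == len(token) and all(
        a.isdigit() == b.isdigit() and a.isalpha() == b.isalpha()
        and (not a.isalpha() or a.isupper() == b.isupper())
        and (a.isalnum() or a == b)
        for a, b in zip(original, token))
```

A production vault would persist the mapping in an access-controlled, audited store rather than a dictionary; the format-preserving property itself is the part the toy demonstrates.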
Software Encryption Options for IBM i Servers
Applied Logic Corporation
Pro/Encrypt uses encryption algorithms to protect data for secure backup and storage, file transfer, or physical transport. The function can run interactively or in batch, can use up to 256-bit encryption, can encrypt single files or whole libraries, and uses a symmetric key or pass phrase for decryption. It requires no special hardware and offers AES-128, AES-192, and AES-256 encryption options.
Arpeggio Software
ARP-ZIP is freeware that supports file compression as well as optional AES- and password-based encryption. ARP-ZIP is compatible with WinZIP and PKZIP.
HiT Software, Inc.
SafeConduct uses SSL, 256-bit data encryption, and digital-certificate authentication to protect access to any point-to-point application data traffic. It establishes a secure communications channel between two TCP/IP nodes, requires no changes to application code, and provides a Windows-based audit log. SafeConduct requires a Java runtime environment on IBM i and also runs under AIX.
IBM Corporation
IBM Symantec PGP Encryption helps protect sensitive data across endpoints, removable storage media, and e-mail against loss or unauthorized access. The solution secures e-mail communications with policy-based message encryption and supports regulatory compliance requirements with integrated encryption applications for a variety of environments and applications.
Liaison Technologies
Liaison Protect is an all-in-one encryption, tokenization, and key management solution. It supports FTP, encrypted data transfers, and tokenization systems; lets users choose between two data-protection methods; provides complete event logging; and is AIX-compatible.
Liaison Protect TaaS is a cloud-based tokenization service for enterprises routing sensitive data transmissions through the cloud. The service meets PCI DSS standards, reduces administrative requirements for users, maps tokens to credit-card numbers rather than individual transactions, and handles all tokenization implementation, operational, and monitoring functions. The service supports both IBM i5/OS and AIX.
Linoma Software
Crypto Complete encrypts database fields, backups, and IFS files to protect sensitive information at the source. It provides encryption-key management, auditing, and reporting features, as well as support for tokenization systems. It can tokenize, encrypt, and store data from diverse platforms (e.g., IBM i, Linux, UNIX, Windows) and also supports the AIX OS.
PKWARE
SecureZIP Server is a data-compression and encryption utility for exchanging data between Windows desktops, AIX/Linux/UNIX and Windows servers, i5/OS midrange, and z/OS mainframe operating systems, as well as automatically converting the data to the format of the target machine. The product supports encryption using passphrases and X.509 digital certificates and can process encrypted data without staging it to disk first.
Prime Factors
EncryptRIGHT is a cryptographic API that separates programming from the implementation of cryptography and tokenization. Developers can use the API to add these services to custom applications. The API runs under the IBM i5/OS, AIX, and many other operating systems. The product includes PCI compliance, key management, audit trails and reporting, and the ability to encrypt fields, files, whole applications, and databases.
Townsend Security
AES Encryption for the IBM i (also called Alliance AES/400) is a system of strong encryption for databases, unstructured data, reports, and offline storage. It requires no coding changes to applications using the data, supports the V7R1 FIELDPROC exit point, automatically masks designated numbers after decryption, is NIST-compliant, and includes security key administration features.
Alliance Token Manager is a tokenization system designed specifically for IBM i that features masked tokens, eliminates the need to store data in an encrypted format, and meets Visa tokenization best-practices standards.
PGP File Encryption uses PGP as the basis for file encryption on IBM i and z systems. The product includes key-management features, automation of encryption and decryption via library and IFS file-system scans, and scheduling of encryption activity.
Encryption and Tokenization Products for AIX and Linux
SafeNet
Luna SA is an Ethernet-attached hardware module that provides cryptographic security for sensitive data originating on platforms using AIX and other operating systems. Scalable for cloud environments, Luna SA is capable of up to 6,000 RSA and 400 ECC transactions per second, enables remote administration, and supports certificate signing, code or document signing, and bulk key generation.
Software Diversified Services
SDS E-Business Server provides encryption and authentication functions on Linux, UNIX, Windows, and z/OS platforms. In addition to OpenPGP encryption and decryption, SDS E-Business Server provides data compression, generation of key pairs and split keys, creation and authentication of digital signatures, a browser-based control panel, and APIs for outside applications.
Voltage Security
Voltage SecureData offers end-to-end encryption, tokenization, and data masking to protect PCI cardholder data and all other sensitive information in a C- and Java-based API. It supports centralized encryption-key management, PCI DSS and HIPAA standards, and a policy-driven approach to protecting data. SecureData operates on platforms running AIX, Windows, and other operating systems.
MC Press Online