
Strengthen your security posture! Getting started with IBM Z Pervasive Encryption


This session covers Pervasive Encryption on the IBM Z mainframe platform, Crypto features and concepts, and how to get started with Data Set level encryption. Presented at IBM TechU in Johannesburg, South Africa September 2019 as part of the z/OS Fast Start for Rookies track.


  1. Strengthen your security posture! Getting started with IBM Z Pervasive Encryption. Tony Pearson, IBM Master Inventor, Senior IT Management Consultant, TechU Content Manager. 2019 IBM Systems Technical University, 10-12 Sep 2019, Johannesburg, SA
  2. Agenda: What is Pervasive Encryption? Understanding IBM Z Crypto. How to Get Started with z/OS Data Set Encryption. (IBM Systems Technical University © Copyright IBM Corporation 2019)
  3. Data protection and compliance are business imperatives
     • 28%: likelihood of an organization having a data breach in the next 24 months (1)
     • $3.6M: average cost of a data breach in 2017 (2)
     • 13 billion records breached since 2013, of which only 4% were encrypted (3)
     "It's no longer a matter of if, but when …"
     Compliance mandates: Health Insurance Portability and Accountability Act (HIPAA), European Union General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI-DSS)
     Sources: (1, 2) 2017 Ponemon Cost of Data Breach Study: Global Overview, http://www.ibm.com/security/data-breach/ ; (3) Breach Level Index, http://breachlevelindex.com/
     Extensive use of encryption is one of the most impactful ways to help reduce the risks and financial losses of a data breach and help meet complex compliance mandates.
  4. Implementing Encryption can be complex — Michael Jordan, IBM Distinguished Engineer, IBM Z Security
  5. Pervasive encryption: A paradigm shift in data protection
     Focus on eliminating barriers:
     • Decouple encryption from classification
     • Extensive application changes
     • Encryption of database indexes and/or key fields
     • High cost associated with processor overhead
     Protecting only enough data to achieve compliance should be the bare minimum, not a best practice.
  6. Unrivaled Data Protection: No Application Changes, No Impact to SLAs. IBM Z and LinuxONE are the world's most secure servers. Protect your data with encryption in-flight and at-rest with new capabilities in hardware, OS, and middleware.
  7. How does encryption and decryption work?
     • Encryption: supply a cryptographic key value and clear text to a cryptography algorithm to produce cipher text (Clear Text → Encrypt → Cipher Text)
     • Decryption: supply a cryptographic key value and cipher text to a cryptography algorithm to produce clear text (Cipher Text → Decrypt → Clear Text)
     But what are cryptographic keys?
  8. Security Strength is based on Algorithm and Number of Bits in Key
     Comparable key lengths in bits, and the "Years" column as shown on the chart:
       AES    RSA     ECC    Years
       -      1024    160    10^6
       -      2048    224    10^9
       128    3072    256    10^15
       192    7680    384    10^33
       256    15360   512    10^51
     Symmetric Key (AES 256):
     • Same key is used to encrypt/decrypt
     • Fast, ideal for large amounts of data
     • Must keep the key secret
     Asymmetric Key (RSA 2048):
     • Pairs of different keys are used to encrypt & decrypt data
     • Encrypt with "Public" key; it may be distributed widely without fear of compromise
     • Decrypt with "Private" key; must keep this key secret
     AES – Advanced Encryption Standard; RSA – Rivest Shamir Adleman; ECC – Elliptic Curve Cryptography
  9. Two-Tier Encryption Scheme
     Problem: Realtors, Landlords, and Apartment managers must carry hundreds of keys, one unique to each dwelling unit.
     Solution: All units have their unique key kept inside a locked box hanging on the door knob. Realtors, Landlords, and Apartment managers carry a single master key that opens every lockbox.
     Encryption: Each flash, disk, or tape is assigned a unique symmetric "Operational Data Key". The data key itself is encrypted or "wrapped" with the Master "encrypting key".
     Decryption: The Operational Data Key is decrypted with the Master "decrypting key". The unique Operational Data Key is then used as needed.
  10. Pervasive Encryption with IBM Z: Enabled through tight platform integration. z14 unrivaled data protection: protect IBM Z data with encryption in-flight and at-rest with capabilities in hardware, OS, and middleware.
     • Integrated Crypto Hardware: Hardware accelerated encryption on every core, CPACF performance improvements of 7x. Crypto Express6S – PCIe Hardware Security Module (HSM) & Cryptographic Coprocessor
     • Data at Rest: Broadly protect Linux file systems and z/OS data sets using policy controlled encryption that is transparent to applications and databases
     • Clustering: Protect z/OS Coupling Facility data end-to-end, using encryption that's transparent to applications
     • Network: Protect network traffic using standards based encryption from end to end, including encryption readiness technology to ensure that z/OS systems meet approved encryption criteria
     • Secure Service Container: Secure deployment of software appliances including tamper protection during installation and runtime, restricted administrator access, and encryption of data and code in-flight and at-rest
     • Key Management: The IBM Enterprise Key Management Foundation (EKMF) provides real-time, centralized secure management of keys and certificates with a variety of cryptographic devices and key stores
  11. Pervasive Encryption with IBM z Systems: Technical Foundation
     z14 -- Designed for Pervasive Encryption
     • CPACF – Dramatic advance in bulk symmetric encryption performance
     • Crypto Express6s – Doubling of asymmetric encryption performance for TLS handshakes
     • CFCC – Designed for CF data encryption (wrapped encryption key stored for recovery scenarios)
     z/OS -- New approach to encryption of in-flight and at-rest data
     • z/OS data set encryption – Transparent encryption of data at-rest
     • z/OS CF encryption – Transparent end-to-end encryption of CF data
     • z/OS Communication Server – Intelligent Network Security discovery & reporting
     Linux on z/LinuxONE -- Full Power of Linux Ecosystem combined with z14 Capabilities
     • LUKS dm-crypt – Transparent file and volume encryption using industry unique CPACF protected-keys
     • Network Security – Enterprise scale encryption and handshakes using z14 CPACF and SIMD
     • Secure Service Container – Automatic protection of data and code for virtual appliance
     Software-only elements are expected on the previous generation of z Systems, with differentiated value for z14.
  12. Agenda: What is Pervasive Encryption? Understanding IBM Z Crypto. How to Get Started with z/OS Data Set Encryption.
  13. z14 Integrated Cryptographic Hardware
     CP Assist for Cryptographic Functions (CPACF):
     • Hardware accelerated encryption on every microprocessor core
     • Performance improvements of up to 7x for selective encryption modes
     • Suited for high speed bulk symmetric encryption
     Crypto Express6S:
     • Next generation PCIe Hardware Security Module (HSM)
     • Performance improvements up to 2x
     • Industry leading FIPS 140-2 Level 4 Certification Design
     • Suited for high value transactions, key protection and asymmetric acceleration
     Why is it valuable:
     • More performance = lower latency + less CPU overhead for encryption operations
     • Highest level of protection available for encryption keys
     • Industry exclusive "protected key" encryption
  14. Protecting Operational Keys: Using Secure & Protected Keys
     Operational keys should not be stored in the clear in the host environment. Secure keys are strongly recommended for persistent key storage (e.g. key data sets). Protected keys are recommended for storing keys in address space memory (e.g. Db2, DFSMS). Only protected keys created from secure keys should be used for Pervasive Encryption.
     • Clear Key: Key values are not encrypted. Crypto operations may be performed in CPACF or on a Crypto Express adapter
     • Secure Key: Key values are encrypted under a Master Key. Crypto operations are performed only on a Crypto Express adapter
     • Protected Key: Key values are encrypted under a CPACF wrapping key. Crypto operations are performed only using CPACF
     Note: With z/OS data set encryption, protected keys are implicitly created from secure keys.
  15. What IBM tools are available to manage keys?
     • Enterprise Key Management Foundation (EKMF): EKMF securely manages keys and certificates for cryptographic coprocessors, hardware security modules (HSM), cryptographic software, ATMs, and point of sale terminals. Supports Operational Keys
     • Trusted Key Entry (TKE) Workstation: TKE securely manages multiple Cryptographic Coprocessors and keys on various generations of IBM Z from a single point of control. Supports Master Keys and Operational Keys
     • Security Key Lifecycle Manager (SKLM): SKLM v2.7 provides key storage, key serving and key lifecycle management for IBM and non-IBM storage solutions using the OASIS Key Management Interoperability Protocol (KMIP) and IBM Proprietary Protocol (IPP). Supports Operational Keys for Self Encrypting Devices (SEDs)
     • Integrated Cryptographic Services Facility (ICSF): ICSF provides callable services and utilities that generate, store, and manage keys, and also perform cryptographic operations. Supports Master Keys and Operational Keys
  16. Enterprise Key Management Considerations
     Encryption of data at enterprise scale requires robust key management. The current key management landscape can be characterized by clients who have …
     • … already deployed an enterprise key management solution
     • … developed a self-built key management solution
     • … not deployed an enterprise key management solution
     Key management for pervasive encryption must provide …
     • Policy based key generation
     • Policy based key rotation
     • Key usage tracking
     • Key backup & recovery
     EKMF: The IBM Enterprise Key Management Foundation (EKMF) provides real-time, centralized secure management of keys and certificates in an enterprise with a variety of cryptographic devices and key stores.
  17. Agenda: What is Pervasive Encryption? Understanding IBM Z Crypto. How to Get Started with z/OS Data Set Encryption.
  18. The Encryption Pyramid: Multiple layers of encryption for data at rest provide robust data protection
  19. z/OS Data Set Encryption – Encryption keys
     • Key label: 64-byte label of a key in the ICSF Cryptographic Key Data Set (CKDS); required to access an encrypted data set
     • Encryption data key: requires an AES 256-bit key; must be set up in CSFKEYS as a protected key; secure keys (protected by the Crypto Express AES Master Key) are recommended
     • Encryption mode: DFSMS uses XTS mode
  20. z/OS Data Set Encryption – Client Value
     Clients who are required to protect customer data can leverage the IBM Z hardware encryption for data at rest through existing policy management … without application changes.
     A. No application changes required
     B. Data set level granularity
     C. Supports separation of access control for data set and encryption key label
     D. Enabled through RACF and / or SMS policy
     E. Audit readiness
     Designed to take advantage of the processing power of the z14
  21. A. Application transparency via access methods
     Supported access methods/data set types:
     • BSAM and QSAM: Sequential extended format data sets
     • VSAM and VSAM/RLS: VSAM (KSDS, ESDS, RRDS, VRRDS, LDS) extended format data sets
     Supported access methods/data set types new for z/OS 2.4:
     • BPAM, BSAM and QSAM: PDSEs (data members)
     Transparent! No application changes or awareness that sequential or VSAM data is encrypted when accessed using the standard access method APIs. Covers DB2, IMS, zFS, CICS/VSAM, Middleware, Logs, Batch, & ISV Solutions*. Refer to product documentation for information regarding support.
     (*) Note: For those applications that use the licensed Media Manager services, changes to the Media Manager interfaces are required to access encrypted data sets.
  22. B. Naming Conventions & Granular Access Control
     Diagram: under environment PROD (master key MKPROD), each application instance App1/Data1 … AppN/DataN has its own key label PROD.App1.Data1.VerX … PROD.AppN.DataN.VerX, held in the PROD CKDS.
     Leveraging naming conventions & z Security to enforce separation across application instances:
     • Naming conventions can be used to segment applications, data, and keys, e.g. Environment: PROD, QA, TEST, DEV; Application: App1, App2, …, AppN; Data-Type: Account, Payroll, Log; Version: Ver1, Ver2, …, VerX
     • Application resources (data sets, encryption keys) can be assigned names based on naming conventions, e.g. PROD.APP2.LOG.VER10, PROD.APP1.PAYROLL.KEY.VER7
     • Security rules can be used to enforce separation with granular access control for application resources and encryption keys
     Flexible! Data set encryption is designed to be flexible in allowing as much granularity as desired when identifying key labels for data sets. There is no limit as to how many key labels and encryption keys are used across the data sets … however, planning for key management is critical. Life of the data set is life of the key!
  23. C. Access Control – Segregation of Duties
     • Data owner (manages the content): data owners that must access content will need access authority to the data set as well as access to the encryption key label
     • System administrator (manages the data set): storage administrators who only manage the data sets need access to the data set but not access to the key label (thus protecting access to the content)
     • Different keys can be used to protect different data sets – ideal for multiple tenants or data set specific policies
     • Prevent administrators from accessing the content: many utilities can process data while preserving its encrypted form, e.g. COPY, DUMP and RESTORE; Migrate/Recall, Backup/Recover, Dump/Data Set Restore; PPRC, XRC, FlashCopy®, Concurrent Copy, etc.
     Limit access to data in the clear! Remove certain roles from compliance scope … by controlling access to the data through SAF permissions.
  24. D. Creating encrypted data sets via policy
     A data set is defined as 'an encrypted data set' when a key label is supplied on allocation of a new data set of a supported data set type for data set encryption:
     • Sequential extended format. Note: allocated as extended format version 2, regardless of the user's specification for the version number on DSNTYPE or the PS_EXT_VERSION keyword in the IGDSMSxx member in PARMLIB.
     • VSAM extended format
     A key label can be supplied in any of the following sources (in order of precedence):
     • Security policy: RACF data set profile DFP segment
     • Explicitly: JCL, Dynamic Allocation, TSO Allocate, IDCAMS DEFINE
     • SMS policy: Data class (to allocate via ISPF 3.2, specify a data class with a key label)
     Ease of use! Easy to create an encrypted data set just by specifying a key label. Even easier when enabled via RACF or SMS policy.
  25. E. Audit readiness
     • Auditors can rely on system interfaces, not individuals, for compliance
     • Data set encryption attributes are displayed in various system interfaces: SMF records, DCOLLECT records, LISTCAT, IEHLIST LISTVTOC
     Simplifies compliance! Allows enhanced tooling to help simplify the audit process.
  26. Data set encryption – High Level Steps
     1. Generate an encryption key and key label, store it in the CKDS (ICSF Admin)
     2. Set up RACF for use of the key label (Security Admin): allow the secure key to be used as a protected key via the ICSF segment (SYMCPACFWRAP, SYMCPACFRET) AND grant access to the key label; in RACF, permit access to the new resource in the FACILITY class
     3. Associate the key label with the desired data set(s): in RACF, alter the DFP segment in the data set profile (DATAKEY()) (Security Admin), OR in DFSMS, assign it to a data class (Storage Admin)
     4. Migrate to encrypted data (User / DBA / Storage Admin): DB2: Online Reorg (non-disruptive); IMS HA Database: Online Reorg (non-disruptive); zFS container: zfsadmin encrypt (non-disruptive); VSAM or Seq data set: 1. stop application, 2. copy data, 3. restart application (consider zDMF); OR create new data (User)
     Defining a robust key management strategy is critical!
  27. 1. Prepare ICSF CKDS for use (ICSF Admin)
     • ICSF Admin must ensure encryption keys exist: secure AES256 data encryption keys/key labels defined in the CKDS; use Crypto Express to protect keys in the CKDS as secure keys
     • Various methods are available to create keys, for example: IBM Enterprise Key Management Foundation (EKMF); ICSF CKDS Keys Panel (HCR77C1); ICSF APIs (CSNBKGN, CSNBKRC2); ICSF KGUP
     Data keys must be accessible EVERYWHERE that the encrypted data sets must be accessed.
  29. 2. Prepare system to allow data set encryption (Security Admin)
     Security Admin must consider whether migration action should prevent creation of encrypted data sets via the resource STGADMIN.SMS.ALLOW.DATASET.ENCRYPT in the FACILITY class.
     • Ensure all systems that may need to access the data have the CKDS with the key material required to decrypt the data sets AND are at the correct HW/SW levels.
       RDEFINE FACILITY STGADMIN.SMS.ALLOW.DATASET.ENCRYPT UACC(NONE)
     • To allow the system to create encrypted data sets when the key label is specified via a method outside of the DFP segment in the RACF data set profile, the user must have at least READ authority to the resource in the FACILITY class.
       PERMIT STGADMIN.SMS.ALLOW.DATASET.ENCRYPT CLASS(FACILITY) ID(*) ACCESS(READ)
     Allows the security admin to control who can create encrypted data sets.
  30. 2. Prepare system to allow data set encryption (Security Admin), continued
     Security Admin must consider whether allocation of non-extended format data sets with a key label should result in allocation failure via the resource STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC in the FACILITY class.
     • The default allows successful allocation of non-encrypted non-extended format data sets; an informational message is issued in this case.
       RDEFINE FACILITY STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC UACC(NONE)
     • To fail the allocation, the user must have at least READ authority to the resource in the FACILITY class.
       RALTER FACILITY STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC UACC(READ)
     Allows the security admin to control whether a key label should be ignored for unsupported data set types.
  31. 2. Set up access to key labels via CSFKEYS class (Security Admin)
     Security Admin sets up profiles in the CSFKEYS class based on installation requirements. Any user that must access data in the clear must have access to the key label.
     • Must update the ICSF segment of the covering profile to allow ICSF to return a protected key: SYMCPACFWRAP(YES) SYMCPACFRET(YES)
     Examples:
     • Define the profile such that no one has access to the key label
       RDEFINE CSFKEYS DATASET.keylabel.v1 UACC(NONE) ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
     • Allow the key label to be used by JOHN when accessed by any application
       PERMIT DATASET.keylabel.v1 CLASS(CSFKEYS) ID(JOHN) ACCESS(READ)
     • Allow the key label to be used by MIKE only when accessed by DFSMS
       PERMIT DATASET.keylabel.v1 CLASS(CSFKEYS) ID(MIKE) ACCESS(READ) WHEN(CRITERIA(SMS(DSENCRYPTION)))
     Allows the security admin to control who can access data in the clear.
  33. 3. Creating encrypted data sets – supplying key labels (Security Admin / Storage Admin / User)
     A data set is defined as 'encrypted' when a key label is supplied on creation of a sequential or VSAM extended format data set. Options for assigning the key label (in order of precedence):
     • Security policy: RACF data set profile DFP segment. The Security Admin can update the RACF DS profile to request encryption by adding the key label: DATAKEY. Note: a key label specified in the DFP segment is used regardless of the ACSDEFAULTS(xx) setting specified in SYS1.PARMLIB(IGDSMSxx)
     • JCL, Dynamic Allocation, TSO Allocate, IDCAMS DEFINE: the User can modify the JCL or program to request encryption by adding the key label: JCL DSKEYLBL, Dynalloc DALDKYL, DEFINE KEYLABEL
     • SMS policy: Data Class. The Storage Admin can update specific data class(es) via ISMF to request encryption by adding: Data Set Key Label. The Storage Admin can update ACS routines to select data classes enabled for data set encryption.
  34. 3. Optionally, prepare for compressed format (Storage Admin)
     A data set is defined as compressed format via the COMPACTION option in the data class. Assigning COMPACTION:
     • SMS policy: Data Class. The Storage Admin can update specific data class(es) via ISMF to request compressed format via the COMPACTION option: sequential extended format data sets support generic, tailored, or zEDC compression; VSAM extended format KSDS supports generic compression (only KSDS can be compressed format). The Storage Admin can update ACS routines to select data classes enabled for compression.
  36. 4. How can Auditors be sure the data is encrypted?
     • Encryption attributes are displayed in various system interfaces: SMF records, DCOLLECT records, LISTCAT, IEHLIST LISTVTOC, Catalog Search Interface (CSI), ISITMGT
     • To view encrypted data, DFSMSdss PRINT TRACKS can be used
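Steps 2 through 4 of the procedure above, worked through as one added example (not a chart from the deck): a Security Admin batch job that gates encrypted allocation with the two FACILITY profiles, defines CSFKEYS profiles with the ICSF segment, binds a key label to a data set family through the DFP segment, then a user job that allocates one data set with an explicit DSKEYLBL and lists its catalog entry for audit. Assumed names: key labels DATASET.PROD.APP1.PAYROLL.V1 and DATASET.PROD.APP2.LOG.V1 (already stored in the CKDS as secure AES-256 keys by the ICSF Admin), user IDs JOHN, APPSRV and STGADM, group PAYROLL (JOHN is connected to it), and the job cards.

```jcl
//DSENCSET JOB (ACCT),'DS ENCRYPT SETUP',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the deck. Assumed: key labels
//* DATASET.PROD.APP1.PAYROLL.V1 and DATASET.PROD.APP2.LOG.V1 already
//* exist in the CKDS as secure AES-256 keys; users JOHN (data owner),
//* APPSRV (application user), STGADM (storage admin); group PAYROLL.
//*
//* Step 2: RACF policy. SYSTSIN comment lines are indented so that
//* "/*" never sits in column 1, where JCL would read it as end-of-data.
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 /* Gate who may create encrypted data sets when the key label comes  */
 /* from JCL, dynamic allocation, IDCAMS or a data class (any source   */
 /* other than the DFP segment). Nobody by default, then the group.    */
 RDEFINE FACILITY STGADMIN.SMS.ALLOW.DATASET.ENCRYPT UACC(NONE)
 PERMIT  STGADMIN.SMS.ALLOW.DATASET.ENCRYPT CLASS(FACILITY) -
         ID(PAYROLL) ACCESS(READ)
 /* Fail, rather than silently ignore, a key label supplied for a      */
 /* non-extended-format data set: READ access turns the failure on.    */
 RDEFINE FACILITY STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC UACC(READ)
 /* Key label profiles: no default access; the ICSF segment lets ICSF  */
 /* derive a CPACF protected key from the secure key for DFSMS.        */
 RDEFINE CSFKEYS DATASET.PROD.APP1.PAYROLL.V1 UACC(NONE) -
         ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
 RDEFINE CSFKEYS DATASET.PROD.APP2.LOG.V1 UACC(NONE) -
         ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
 /* Data owner may use both keys from any application.                 */
 PERMIT  DATASET.PROD.APP1.PAYROLL.V1 CLASS(CSFKEYS) ID(JOHN) ACCESS(READ)
 PERMIT  DATASET.PROD.APP2.LOG.V1 CLASS(CSFKEYS) ID(JOHN) ACCESS(READ)
 /* The application user gets the payroll key only through DFSMS data  */
 /* set encryption, never through ICSF callable services.              */
 PERMIT  DATASET.PROD.APP1.PAYROLL.V1 CLASS(CSFKEYS) ID(APPSRV) -
         ACCESS(READ) WHEN(CRITERIA(SMS(DSENCRYPTION)))
 /* STGADM is deliberately NOT permitted to either key label: DFSMSdss */
 /* COPY, DUMP and RESTORE still work, on ciphertext only.             */
 /* Step 3 (security policy path): bind the label to the data set      */
 /* family through the DFP segment; this source has highest precedence.*/
 ADDSD   'PROD.APP1.PAYROLL.**' UACC(NONE)
 PERMIT  'PROD.APP1.PAYROLL.**' ID(JOHN STGADM APPSRV) ACCESS(ALTER)
 ALTDSD  'PROD.APP1.PAYROLL.**' -
         DFP(DATAKEY(DATASET.PROD.APP1.PAYROLL.V1))
 SETROPTS RACLIST(FACILITY CSFKEYS) REFRESH
 SETROPTS GENERIC(DATASET) REFRESH
/*
//*
//* Second job, submitted by JOHN (needs READ on the FACILITY resource
//* and on the CSFKEYS profile, granted above).
//*
//APP2LOG  JOB (ACCT),'NEW ENCRYPTED DS',CLASS=A,MSGCLASS=X
//*
//* Step 3 (explicit path): a new SMS-managed extended-format data set
//* with the key label given on the DD. Assumes the ACS routines make
//* PROD.** SMS-managed; DSNTYPE=EXTREQ demands extended format.
//*
//ALLOC    EXEC PGM=IEFBR14
//NEWDS    DD DSN=PROD.APP2.LOG.VER10,DISP=(NEW,CATLG),
//            DSNTYPE=EXTREQ,SPACE=(CYL,(10,5)),
//            RECFM=VB,LRECL=4092,
//            DSKEYLBL='DATASET.PROD.APP2.LOG.V1'
//*
//* Step 4 (audit): LISTCAT shows the encryption attributes and the key
//* label recorded in the catalog for the data set just created.
//*
//LISTC    EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  LISTCAT ENTRIES('PROD.APP2.LOG.VER10') ALL
/*
```

If PROD.APP1.PAYROLL.** data sets are allocated with no key label of their own, the DATAKEY in the DFP segment applies anyway, which is the "security policy" precedence the chart describes.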
  37. zSecure Pervasive encryption support
     • Command Verifier: Command Verifier policy for DATAKEY
     • Admin: Easy administration of DATAKEY on the DFP segment
     • Audit: Report on non-VSAM and VSAM data set key labels; extends existing report types DSN / SENSDSN
     • Audit: Report key protection in CSFKEYS; new report types ICSF_SYMKEY, ICSF_PUBKEY
     • Audit: Report which systems sharing DASD can decrypt a data set
     • Audit: Extended report type SMF: Type 14/15 non-VSAM and Type 62 VSAM key label use; ICSF; zERT records to show encryption strengths
     zSecure also collects, formats and enriches data set encryption information that is sent to SIEMs including IBM QRadar® for enhanced enterprise-wide security intelligence.
  38. z/OS Data Set Encryption – Evaluate impact: Estimating CPU Cost of Data Protection with the z Batch Network Analyzer (zBNA 1.8.1)
     zBNA background:
     • A no charge, "as is" tool originally designed to analyze batch windows
     • PC based, and provides graphical and text reports
     • Available on techdocs for customers, business partners, and IBMers: http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5132
     • Previously enhanced for zEDC to identify & evaluate compression candidates
     zBNA encryption enhancements:
     • Enhanced to help clients estimate encryption CPU overhead based on actual client workload SMF data
     • Ability to select z13 or z14 as target machine
     • Support provided for z/OS data set encryption and Coupling Facility encryption
     Use zBNA to evaluate candidates for encryption, and for the estimated CPU overhead if data sets are converted to data set encryption.
     Note: the z/OS Capacity Planning tool zCP3000 has also been updated to provide encryption estimates: http://w3-03.ibm.com/support/americas/wsc/cpsproducts.html
  39. Final Thoughts: Pervasive Encryption reduces the manual effort of deciding which data is encrypted. IBM Z has hardware features to minimize performance overheads. z/OS Data Set Level Encryption is a simple way to get started.
  40. Thank you! Tony Pearson, tpearson@us.ibm.com, +1-520-799-4309. Please complete the Session Evaluation!
  41. Resources
     • Getting Started with z/OS Data Set Encryption Redbook: http://www.redbooks.ibm.com/redpieces/abstracts/sg248410.html?Open
     • IBM Z pervasive encryption landing page: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.3.0/com.ibm.zos.v2r3.izs/pervasiveEncryption.html
     • IBM Z pervasive encryption solution guide (Knowledge Center): https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.izs/izs.htm
     • IBM Z pervasive encryption FAQ: https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=ZSQ03116USEN
     • IBM Crypto Education page: https://ibm.biz/BdiAah
     • zPET Test Reports: https://www.ibm.com/developerworks/community/groups/service/html/communitystart?communityUuid=43ea8e78-acbe-49f5-9290-379e4f4569cb
     • MOP demo white paper: http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP102734
     • YouTube videos: Data Set Encryption: https://www.youtube.com/watch?v=zdSXRUSmkb4 ; CF Encryption: https://www.youtube.com/watch?v=lTmsFWuJwJU ; zERT: https://www.youtube.com/watch?v=1CgEcCTX_o8 ; MOP MPL Bank: https://www.youtube.com/watch?v=EP488nLdGts
  42. Special Thanks: I would like to thank the following colleagues who contributed charts, insights, and review comments for these presentation materials: Cecilia Carranza Lewis, Barbara McDonald, Eysha Powers, Theresa Tai
  43. About the Speaker: Tony Pearson, Master Inventor, Senior Management Consultant, IBM Systems Lab Services, IBM Storage. 9000 S. Rita Road, Bldg 9032 Floor 1, Tucson, AZ 85744; +1 520-799-4309 (Office); tpearson@us.ibm.com
     Tony Pearson is a Master Inventor, Senior IT Management Consultant, and Content Manager for the IBM Systems Technical University events. Tony joined IBM Corporation in 1986 in Tucson, Arizona, USA, and has lived there ever since. Tony presents briefings on storage topics covering the entire IBM Storage product line, IBM Spectrum Storage software products, and topics related to Cloud Computing, Analytics and Cognitive Solutions. He interacts with clients, speaks at conferences and events, and leads client workshops to help clients with strategic planning for IBM's integrated set of storage management software, hardware, and virtualization solutions. Tony writes the "Inside System Storage" blog, which is read by thousands of clients, IBM sales reps and IBM Business Partners every week. This blog was rated one of the top 10 blogs for the IT storage industry by "Networking World" magazine, and #1 most read IBM blog on IBM's developerWorks. The blog has been published in a series of books, Inside System Storage: Volume I through V. Over the past years, Tony has worked in development, marketing and consulting for various IBM Systems hardware and software products. Tony has a Bachelor of Science degree in Software Engineering, and a Master of Science degree in Electrical Engineering, both from the University of Arizona. Tony is an inventor or co-inventor of 19 patents in the field of IBM Systems and electronic data storage.
  44. My Social Media Presence: Blog*: ibm.co/Pearson; LinkedIn: https://www.linkedin.com/in/az990tony; Books: www.lulu.com/spotlight/990_tony; IBM Expert Network on Slideshare: www.slideshare.net/az990tony; Twitter: twitter.com/az990tony; Facebook: www.facebook.com/tony.pearson.16121; Instagram: www.instagram.com/az990tony/; Email: tpearson@us.ibm.com
     * Not a typo. This is the short URL for https://www.ibm.com/developerworks/mydeveloperworks/blogs/InsideSystemStorage/
45. 45. Notices and disclaimers — © 2019 International Business Machines Corporation. No part of this document may be reproduced or transmitted in any form without written permission from IBM. — U.S. Government Users Restricted Rights — use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. — Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. This document is distributed “as is” without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted per the terms and conditions of the agreements under which they are provided. — IBM products are manufactured from new parts or new and used parts. In some cases, a product may not be new and may have been previously installed. Regardless, our warranty terms apply. — Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. — Performance data contained herein was generally obtained in a controlled, isolated environment. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. — References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
— Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. — It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer follows any law.
46. 46. Notices and disclaimers continued — Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM expressly disclaims all warranties, expressed or implied, including but not limited to, the implied warranties of merchantability and fitness for a purpose. — The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. — IBM, the IBM logo, ibm.com and [names of other referenced IBM products and services used in the presentation] are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml
47. 47. This presentation uses the IBM Plex™ font IBM Plex™ is our new typeface. It’s global, it’s versatile and it’s distinctly IBM. IBM Plex Sans The IBM company is freeing itself from the cold, modernist cliché and replacing Helvetica with a new corporate typeface. Also replaces Arial, Calibri, Lucida Grande, Trebuchet, etc. IBM Plex Mono A little something for developers. Replaces Courier New, Letter Gothic, Lucida Console, etc. IBM Plex Serif A hybrid of the third kind (combining the best of Plex, Bodoni, and Janson into a contemporary serif). Replaces Cambria, Garamond, Lucida Bright, Times New Roman, etc. IBM Plex is freely available as TrueType and OpenType at: https://github.com/IBM/plex/releases and looks consistently good across Windows, Linux and Mac