The document discusses IBM's Key Lifecycle Manager (SKLM) software solution for centralized encryption key management. SKLM can manage encryption keys for various devices including tape drives, disk storage arrays, databases, and cloud storage. The document provides an overview of SKLM's capabilities and deployment options for both distributed and z/OS environments.

1. Gestire l’encryption dei dati
IBM Security Key Lifecycle Manager
IBM SECURITY INTELLIGENCE & ANALYTICS
Luigi Perrone
IBM SWG – Security Systems
Security & Audit for zSystem & enterprise
Security Intelligence solution
luigi_perrone@it.ibm.com
Gennaio, 2017

2. 2 IBM Security
Qual è il vero patrimonio del nostro sistema IT ?
Innovation
Data
Sommersi da molteplici tecnologie che moltiplicano la diffusione di….

3. 3 IBM Security
Un mondo digitale… in continua trasformazione
Più velocità, più interconnessione, più condivisione, più dispositivi e più dati ….
Le varie organizzazioni sviluppano ed
implementano nuove piattaforme di
gestione dei dati (cloud, virtualization,
mobile, social business, ecc.)
EVERYTHING
IS EVERYWHERE
Con il social business si sono persi i
confini tra il tempo personale e quello
lavorativo, tra l’utilizzo confinato dei
dispositivi e l’utilizzo mobile, tra la
separazione fisica del dato personale con
quello aziendale.
NO BORDERS
NO LIMITS
NO DIVISION
La necessità di accedere ai velocemente
ai dati da qualsiasi dispositivo in uso ha
determinate un esplosione di quantità di
dati generata dalle numerose interazioni
digitali
DATA
EXPLOSION
La maggior esposizione del dato ha
permesso una velocità di crescita di
attacchi informatici che a loro volta hanno
incrementato la qualità e la complessità
dell’attacco stesso
EXPOSITION TO
SOPHISTICATED
ATTACKS

4. 4 IBM Security
Cloud
MobileInternet
Social Big Data
Business
Innovation
Are you security ready…?
Le moderne tecnologie hanno eliminato la “mainframe isolation”
%
of all active code
runs on the mainframe
74%
of enterprise data is
housed on the mainframe
85
La protezione e salvaguardia del dato non può più essere
“superficiale”
Il mainframe è al passo con questa trasformazione ?

5. 5 IBM Security
Ma se parliamo di sicurezza sul mainframe…
 Il Mainframe è riconosciuto come la piattaforma HW+SW più sicura in ogni tipo di
scenario e contesto IT presente nel mondo
 Unica piattaforma in continua evoluzione che è sempre riuscita a rinnovarsi ed
aggiornarsi con le nuove tecnologie HW+SW emergenti
 Unica piattaforma capace di fornire continuità e compatibilità tra vecchi sistemi e
software sviluppati di ultima generazione
 Nessuna piattaforma IT è ancora riuscita ad eguagliare il mainframe in termini di solidità,
affidabilità e sicurezza.
Security
Intelligence
capability

6. 6 IBM Security
IBM ha una soluzione globale di sicurezza
Consulting Services | Managed Services
QRadar Risk Manager
QRadar Incident Forensics
SiteProtector
Network Protection XGS
Key Lifecycle Manager
Guardium
zSecure
BigFix
Trusteer Apex
MaaS360
Trusteer Mobile
Trusteer Rapport
Trusteer Pinpoint
Resilient
Systems Incident
Response
Identity Manager
Access Manager
Identity Governance and Intelligence
Privileged Identity Manager
DataPower
Web Security
Gateway
AppScan
Security
Intelligence
Cloud
Cloud Security Enforcer
QRadar SIEM
QRadar Vulnerability Manager
QRadar Log Manager
Global Threat Intelligence
X-Force Exchange
App Exchange
IBM Security
6200+ Security Experts - 11 SOCs - 10 Research Centers
15 Development Labs - 12K+ Clients in 133 countries - 3700+ Patents
SECURITY OPERATION
AND RESPONSE
INFORMATION RISK
AND PROTECTION

7. 7 IBM Security
Advanced Fraud Protection
Trusteer
Rapport
Trusteer Pinpoint
Malware Detection
Trusteer Pinpoint
ATO Detection
Trusteer Mobile
Risk Engine
Trusteer Apex
IBM MobileFirst
Protect (MaaS360)
Endpoint Manager
zSecure
Security Intelligence and Analytics
QRadar
Log Manager
QRadar
Security Intelligence
QRadar
Risk Manager
QRadar
Vulnerability Manager
QRadar Incident
Forensics
IBM X-Force Research
People
Identity Governance
Identity Manager
Access Manager
Family
Privileged Identity
Manager
Federated Identity
Management
Directory Integrator /
Directory Server
Data
Guardium Database
Activity Monitoring
Guardium Data
Encryption
Optim Data Privacy
Key Lifecycle
Manager
Applications
AppScan
Source
AppScan
Enterprise / Standard
DataPower Web
Security Gateway
Security Policy
Manager
Network Infrastructure Endpoint
Network Intrusion
Prevention (GX)
Next Generation
Network Protection
(XGS)
SiteProtector
Threat Management
Proteggere il dato… si, ma come ?

8. 8 IBM Security
SSL/TLS
Link
encryption
Tape encryption
Database
encryption
Application level
encryption
PIN
processing
File
encryption
SAN Switch
encryption
Protecting Data
at Rest Protecting Data
in Motion
Digital rights
management
Tokenization
Protecting Data in Use
IPsec
Disk encryption
Email encryption
Analisi dell’area di protezione del dato

9. 9 IBM Security
• Key exchange: chiavi utilizzate per la sessione di comunicazione
• Data in Motion: utilizzo di una singola chiave di encryption
• Data at rest: le chiavi di encryption hanno lunga durata
Assicurare la Privacy di
Data in Motion &
Data at Rest
• Necessaria per verificare la proprietà o possesso delle chiavi di
encryption/decryption
• I digital-certificate forniscono ulteriori prove d’identità
Stabilire l’identità
• Integrità del dato realizzata tramite keyed-hashes
• Hashes: fornisce integrity-checking per Data-in-Transit
Proteggere dalle modifiche
non autorizzate o da
possibili violazioni
• La Digital Signature determina il proprietario o autore del dato
senza alcun possibilità di repudio
Assegnare la proprietà
(ownership) del dato o del
messaggio
E’ fondamentale abilitare la crittografia del dato

10. 10 IBM Security
Security challengesLower Higher
KeyManagementchallenges
Higher
SSL
Link
encryption
Laptop disk
encryption
Digital rights
management
Tape encryption
Database
encryption
Application
level
encryption
Server file
encryption
Email
encryption
Vai di Encryption… ma come gestirla ?
Sposare l’encryption significa gestire il ciclo di vita delle encryption-keys

11. 11 IBM Security
Le principali esigenze nella gestione delle chiavi
I need a simple key management solution:
• Ease of admin / operations / backup / scalability
• Automated, enterprise solution should mean no more key
expiration problems, high confidentiality, etc.
Support all of my encrypting targets:
• First focus: Tape, disk
• Include my new big data, data warehouse, cloud storage,
smart metering … initiatives
I need a flexible, low-cost solution:
• Software better than numerous hardware appliances
• The cost of encryption key management should be negligible
as compared to my storage investment
The solution needs to be cloud friendly:
• Solution should be able to be deployed both on physical
servers and on virtual machines

12. 12 IBM Security
Unica soluzione centralizzata per gestire le chiavi relative a tutti i tipi di encryption
Disk Storage Tape Storage Flash Storage Database Servers
IoTApplications
SKLM
La soluzione SKLM

13. 13 IBM Security
SKLM soddisfa le diverse esigenze di encryption
CISO:
“My key management is under
control”
Auditor:
“Clear trails of access and use
make audit easy”
Solution Architect:
“We are following industry
standards for interoperability and
protection – no more proprietary ”
Storage / Applications Admin:
“Easy to integrate and use,
flexible, scalable, redundant, and
can be deployed as a VM or on
hardware”

14. 14 IBM Security
Self-Encrypting Devices
SKLMBackground
• SKLM is a Key Distribution and
Management software solution
• Uses standard protocols
(i.e. KMIP: Key Management
Interoperability Protocol)
• Provides centralized key mgmt for
self-encrypting drives (tape, disk)
• Light-weight & highly-scalable
• SKLM helps customers keep data
private, compliant, and encryption
keys well-managed
• Expanding support for flash
storage, cloud storage, network
devices, etc.
KMIP/IPP
Cloud file systems,
Big Data / Data
Warehouse
(IBM Spectrum Scale
(formerly GPFS),
Netezza, etc.)
Databases
Smart Meter
Infrastructures
Network storage
servers (NetApp)
Disk Storage Arrays
e.g. DS8000, DS5xxx, IBM Spectrum
Accelerate (XIV), …
Enterprise Tape Libraries
e.g. TS11xx, TS2xxx, TS3xxx,
SKLM
La soluzione SKLM…nel dettaglio

15. 15 IBM Security
29,000+ Installations across these enterprises
100+ Countries where SKLM is deployed
870+ Installations in Healthcare Enterprises (Globally)
6,000+ Installations in Banking Enterprises (Globally)
11,000+ Installations in Insurance Enterprises (Globally)
4,200+ Enterprises have deployed SKLM
SKLM: ma chi lo usa ?

16. 16 IBM Security
SKLM for Distributed Operating Systems SKLM for z/OS
Current version: v2.7 Current version: v1.1
SKLM SKLM
SKLM: quale versione ?
SKLM V2.7 distributed & SKLM for z/OS V1.1

17. 17 IBM Security
Le principali 5 differenze tra i due prodotti :
1. Server Platform:
• SKLM (distributed) servers can run on Windows, RHEL, Linux on z, and AIX
• SKLM for z/OS’s server is hosted on z/OS
2. Supported devices:
• SKLM (distributed) – Greater device support
3. KMIP Support:
• SKLM (distributed) – KMIP & IPP Support
• SKLM for z/OS – IPP Only
4. Hardware Key Storage/Protection:
• SKLM (distributed) optionally integrates with external HSMs (PKCS#11)
• SKLM for z/OS can leverage Z-HW (ICSF, RACF)
5. User Interface:
• SKLM (distributed) provides a graphical user interface.
• SKLM for z/OS is operator console command line based.
SKLM V2.7 for distributed
platforms
SKLM for z/OS V1.1
SKLM distributed vs z/OS: quali differenze ?

18. 18 IBM Security
Schema logico di funzionamento del Key Serving
Self-Encrypting Storage
(encrypts & stores data)
SKLM Server
Applications
Key Response
(IPP or KMIP)
Key Request
(IPP or KMIP)

19. 19 IBM Security
IBM Self-Encrypting Storage: disk & tape
DS8870
DS3500
XIV
N series
TS3500
library
TS1140
drive
LTO6 drive
TS3310
library
Spectrum Scale
Advanced
Netezza
Self-encrypting
solutions that protect
Data-at-Rest
*New as of SKLM V2.7
KMIP-
conforming
databases
(e.g. IBM
DB2 V11.1*)
Software
(e.g.
VMware VM
encryption*)

20. 20 IBM Security
Tape Encryption: quale metodo utilizzare ?
Application-managed encryption (AME)
• Use when application already supports encryption
• Auditing not required
• Key management not required
System-managed encryption (SME)
• Only choice for zSeries and stand-alone drives
• Requires small change on the server OS
Library-managed encryption (LME)
• Requires a media library that supports encryption
• Transparent to the application and server OS
• Recommended for Linux/UNIX

21. 21 IBM Security
• Application responsible for encryption
• Application can decide to encrypt only information that needs it
• Supported by Tivoli Storage Manager
• Does not require ISKLM
• Requires changes in
the application(s)
• Difficult to audit
21
AME: Application Managed Encryption

22. 22 IBM Security
• Server OS responsible for encryption
• No modification to the application
• Server OS can request keys from SKLM
• Required for
stand-alone drives
• Only option with
zSeries
• Supported with
Linux/UNIX
22
SME: System Managed Encryption

23. 23 IBM Security
• Media (tape or disk) library responsible for encryption
• No modifications to the application or server OS
• The library
requests keys
from SKLM
23
LME: Library Managed Encryption

24. 24 IBM Security
Schema logico di funzionamento: Tape-Encryption
• Encryption implemented in the tape drive encrypts the data before it is written to the cartridge. If the
tape compression is enabled, the tape drive first compresses the data then encrypts it. This means
that there is no loss of capacity with IBM Tape Encryption
• To encrypt the data, the tape drive needs a key. This key is provided by SKLM in an encrypted form to
make the Tape Encryption solution secure

25. 25 IBM Security
Un esempio architetturale di deployment
Tape Libraries
Disk Storage
Elastic Storage
Apps and DBs
SKLM VMsCloneMaster
Primary
Data Center
Secondary
Data Center
LAN/WANSynchronized
Servers
… …
SKLM VMs
CloneClone
Cloud Storage
SKLMEncryptionKeyManagement
Self-EncryptingDevices

26. 26 IBM Security
Simple GUI for
managing up to
8M keys
DR
SKLM: da considerare bene il DR o HA !

27. 27 IBM Security
SKLM: quale repository utilizzare ?
• JCEKS  File based key store
• JCECCAKS (only z/OS)  Used for keys that are stored directly in ICSF
• JCECCARACFKS (only z/OS)  Certificates in RACF, keys in either ICSF or RACF
• JCERACFKS (only z/OS)  Certificates and keys managed and stored by RACF

28. 28 IBM Security28
SKLM in ambiente z/OS: l’ installazione
• Creazione dello Started tasks e setup ambiente RACF se utilizzato
• SKLM è una Java Application (Java 1.6 o superiore) che gira in ambiente OMVS
• Creazione del file di configurazione

29. 29 IBM Security29
SKLM in ambiente z/OS: i comandi operativi
• Linea comandi per la gestione del servizio SKLM
S ISKLM
F ISKLM,APPL=‘isklm-command’
P ISKLM

30. 30 IBM Security30
SKLM in ambiente distribuito
• Sui sistemi Windows, Linux o AIX, l’installazione di SKLM fornisce il sw di base e
tutti i component necessary (embedded components)

31. 31 IBM Security
SKLM distributed: login GUI

32. 32 IBM Security
SKLM distributed: key & device management

33. 33 IBM Security
SKLM distributed: creazione delle chiavi

34. 34 IBM Security
SKLM distributed: identificazione dei drives

35. 35 IBM Security
Tape Drives:
Product name Machine type Model
TS1120 Tape Drive 3592 E05
TS1130 Tape Drive 3592 E06/EU6
TS1140 Tape Drive 3592 E07
TS1150 Tape Drive 3592 E08
TS2340 Tape Drive 3580 S43/S4X
TS2240 Tape Drive 3580 H4S/S4E
TS2350 Tape Drive 3580 S53/S5X
TS2250 Tape Drive 3580 H5S/S5
TS2260 Tape Drive 3580 H6S/S6E
TS1040 Ultrium Tape Drive 3588 F4A
TS1050 Ultrium Tape Drive 3588 F5A
TS1060 Ultrium Tape Drive 3588 F6A
PRODUCTS
Tape Libraries:
Product name Machine type Model
TS2900 Tape Autoloader 3572 S4H, S4E,
S4R, S3H, S3R
3592 C20 Frame 3592 C20
TS1120 Tape Control 3592 C06, J70
TS3100 Tape Library 3573 L2U, L4U,LT04,
LT05, LT06,
TS3200 Tape Library LTO-4-specific models:
S42, S44, E42,
E44,F4S, S4S,
F4H, S4H
TS3310 Tape Library 3576 L5B, E9U
TS3500 Tape Library 3584 L22, L23, L32,
L52, L53
TS3400 Tape Library 3577 L5U
3494 Tape Library 3494 L10, L12, L14,
L22
TS3400 Tape Library 3577 L5U
3953 Library Manager 3953 F05
TS4500 Tape Library 3584 S25, S55, D25,
D55, L25, L55
TS7740 Virtualization Engine
TS7700 Virtualization Engine
SKLM: quali devices sono supportati ? (1/3)

36. 36 IBM Security
Disk Storage:
Product name Machine type Model
DS8000 Storage Controller 2107 921, 922, 9A2, 931, 932, 9B2
DS8000 Storage Controller 2421 931, 932, 9B2, 941
DS8000 Storage Controller 2422 931, 932, 9B2, 941
DS8000 Storage Controller 2423 931, 932, 9B2, 941
DS8000 Storage Controller 2424 931, 932, 9B2, 941
DS8800 Storage Controller 2421 951, 95E
DS8800 Storage Controller 2422 951, 95E
DS8800 Storage Controller 2423 951, 95E
DS8800 Storage Controller 2424 951, 95E
DS8870 storage Controller 242x 961, 96E
DS5020 Storage Controller 1814 20A
DS5100 Storage Controller 1818 51A
DS5300 Storage Controller 1818 53A
DS5300 Storage Controller 1746 C2A, C4A, C4T, A2S, A2D, A4S, AD, T4D
DS3700 Storage Controller 1818 80C
System Storage SAN32B-E4 2498-E32
IBM Spectrum Accelerate (XIV) for cloud block storage
IBM Spectrum Scale (GPFS) - data/file management system (big data solution)
IBM Netezza V7.2.1 data warehouse appliances
Also these cloud/big data/data warehouse solutions :
PRODUCTS
SKLM: quali devices sono supportati ? (2/3)

37. 37 IBM Security
SKLM: quali devices sono supportati ? (3/3)
• Quantum i500, i2000 and i6000 tape libraries
• Spectra Logic T120 & T50 tape drives
• Dell ML6000, TL1000, TL2000, TL4000 tape Libraries
• Network Appliance FAS2040, machine type FAS, Model 2040
• Network Appliance FAS2240, machine type FAS, Model 22xx
• Network Appliance FAS2552, 2554 & 2520, machine type FAS, Model 25xx
• Network Appliance FAS3200, machine type FAS, Model 32xx
• Network Appliance FAS6200, machine type FAS, Model 62xx
• Network Appliance FAS8000, machine type FAS, Model 8xxx
• Emulex OneCommand Guardian (part number 2Port-02-100) with OneSecure HBAs
using a prefix that starts with LPSe12002
• Lenovo System x Servers with self-encrypting disk drives
• Sensus smart meters
PRODUCTSNON -

38. 38 IBM Security
www.ibm.com/software/products/key-lifecycle-manager
”Devices
supported”
tab
La lista aggiornata dei devices supportati è disponibile al URL:
SKLM distributed: devices supportati

39. THANK YOU
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
FOLLOW US ON:
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

40. 40 IBM Security
ISKLM
SKLM: gli step di encryption