Security 101: Protecting Data with Encryption, Tokenization & Anonymization
Jeff Uehling
Product Management Director, Security
Agenda
1 – Encryption
2 – Tokenization
3 – Anonymization
4 – How Syncsort can help
Sensitive Data Protection
Why protect sensitive data?
• Prevent data breaches
• Prevent the negative publicity resulting from breaches
• Protect your customers’ trust in your handling of their data
Who should you protect your data from?
• Users should see only the data they need as part of their jobs
• Protect your data from internal staff, contractors and business partners – as well as criminal intruders
What regulations require sensitive data protection?
• PCI DSS
• HIPAA
• GDPR
• GLBA
• State privacy laws
• And more
Cryptography - Terminology
A data encryption key should be well protected or data is exposed
• A key is used to encrypt data (SSNs, credit card numbers, etc.) via the encryption algorithm, such as AES (Advanced Encryption Standard)
It is recommended to encrypt the data key with a key encrypting key (KEK)
• Used to encrypt data encryption keys
A Master Key can then be used to encrypt all KEKs
• A master key is used to encrypt KEKs or Data Encryption Keys
• Top level key, in the clear! If the master key is compromised, data is compromised.
• How do you securely store this master key?
[Diagram: key hierarchy; labels: Master, KEK1, KEK2, 1 2 3, Clear Text]
NOTE: Encryption algorithms, such as AES, 3DES, etc. are public knowledge. Encryption keys must be kept secret and protected to provide value for security.
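The key hierarchy described above, as an added Go example that is not part of the original slides or of any Syncsort product: the data key encrypts the value, a KEK wraps the data key, and the master key wraps the KEK, so only wrapped keys are ever stored. The names `Protect`, `Reveal`, `randBytes` and `demoMaster`, the choice of AES-256-GCM for every layer, and the sample value are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // never continue with a weak key or nonce
	}
	return b
}

// Protect returns what is stored: KEK under master, data key under KEK, value under data key.
func Protect(master []byte, value string) (stored [3][]byte) {
	chain := [][]byte{master, randBytes(32), randBytes(32), []byte(value)}
	for i := range stored {
		block, err := aes.NewCipher(chain[i])
		if err != nil {
			panic(err) // master key is not a valid AES key length
		}
		aead, _ := cipher.NewGCM(block) // cannot fail for AES
		nonce := randBytes(aead.NonceSize())
		stored[i] = aead.Seal(nonce, nonce, chain[i+1], nil) // nonce || ciphertext || tag
	}
	return stored
}

// Reveal unwraps top down; a wrong master key or an altered blob fails the GCM tag check.
func Reveal(master []byte, stored [3][]byte) (string, error) {
	key := master
	for _, blob := range stored {
		block, err := aes.NewCipher(key)
		if err != nil || len(blob) < 12 {
			return "", fmt.Errorf("bad key or blob length")
		}
		aead, _ := cipher.NewGCM(block)
		if key, err = aead.Open(nil, blob[:12], blob[12:], nil); err != nil {
			return "", err
		}
	}
	return string(key), nil // the last layer yields the field value, not a key
}

var demoMaster = randBytes(32) // assumption: a real master key sits in a key manager or HSM
func main() { fmt.Println(Reveal(demoMaster, Protect(demoMaster, "078-05-1120"))) } // constructed value
```

`Reveal` needs nothing but the master key, so whoever obtains that one key can unwrap every stored value; that is the reason the slide asks where the master key is kept.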
Encryption
What Is Encryption?
• Use of one or more algorithms to transform human-readable information into an unreadable format
• Requires a strong encryption key in addition to the encryption algorithm
• Requires the algorithm & encryption key to return data to a human-readable format
• A Professional Key Management solution is highly recommended to keep encryption keys safe and manage them throughout their lifecycle
• Integrates with IBM i FieldProc exit point (IBM i 7.1 or greater) to enable field encryption without application changes
• Encryption and decryption activities can be logged
• Decrypted data can be masked based on the user’s privileges
Pros
• Mature technology
• Standards offer independent certification
• Algorithms are continuously scrutinized
• Confidence in meeting requirements of regulations that mandate sensitive data protection such as HIPAA/HITECH, PCI-DSS, state privacy laws and more
Tips
• Specified by certain regulations; verify the requirements of the regulations your business must comply with
• Better for applications requiring higher performance
• Look for a secure implementation of a secure algorithm
• Check for certifications
Cons
• Depending on the implementation, encrypting and decrypting field data can have a performance penalty
• Encryption may not preserve the original format of fields, which can affect field validation processes
• Applications may need modification to prevent using encrypted indexes
Tokenization
What Is Tokenization?
• Replaces sensitive data with substitute values or “tokens”
• Tokens are stored in a database or “token vault” that maintains the relationship between the original value and token
• Format-preserving tokens retain the characteristics of the original data (e.g. a VISA number would still look like a VISA number and pass a Luhn check)
• Token consistency enables the same token to be used for every instance of the original data
• When tokenized data is displayed in its original form, it should be masked based on the privilege of the user
Pros
• Tokens cannot be reversed with a key as there is no algorithmic relationship to the original data
• Tokenization maintains database relationships
• Removing data from the production server reduces risk of exposure from a breach
• Tokenizing a server’s data can remove it from the scope of compliance
• Specifically referenced for PCI DSS and supports compliance with other regulations
Tips
• Available through credit card payment networks for tokenizing credit card numbers
• Good for BI and queries since tokenization maintains database relationships
• Useful when sending data to outside services for processing when sensitive data is not required – or for development and test systems
Cons
• Tokenization is not recognized as widely as encryption by standards bodies
• Tokenization has a performance impact to register tokens and retrieve them
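A token vault with consistent, format-preserving tokens, as an added Go example that is not part of the original slides or of any Syncsort product. `Vault`, `Tokenize`, `Detokenize`, `luhnDigit`, the in-memory maps standing in for the vault database, and the test card number are assumptions; the input is assumed to be an already validated digit string.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// luhnDigit returns the check digit that makes body+digit pass the Luhn check.
func luhnDigit(body string) byte {
	sum := 0
	for i := range body {
		d := int(body[len(body)-1-i]-'0') * (2 - i%2) // double every second digit from the right
		sum += d%10 + d/10                             // a doubled value above 9 counts as its digit sum
	}
	return byte('0' + (10-sum%10)%10)
}

// Vault is the token vault: the only place where a token and its original value are linked.
type Vault struct{ toToken, toPAN map[string]string }

func NewVault() *Vault { return &Vault{map[string]string{}, map[string]string{}} }

// Tokenize returns the existing token for pan (token consistency) or registers a new random
// one that keeps the length and first digit and still passes the Luhn check.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 {
		return "", fmt.Errorf("value too short to be a card number")
	}
	for v.toToken[pan] == "" {
		body := []byte(pan[:len(pan)-1])
		for i := 1; i < len(body); i++ {
			n, err := rand.Int(rand.Reader, big.NewInt(10))
			if err != nil {
				return "", err
			}
			body[i] = '0' + byte(n.Int64())
		}
		t := string(body) + string(luhnDigit(string(body)))
		if _, taken := v.toPAN[t]; !taken && t != pan {
			v.toToken[pan], v.toPAN[t] = t, pan
		}
	}
	return v.toToken[pan], nil
}

// Detokenize is a vault lookup, not a computation; an unknown token returns "".
func (v *Vault) Detokenize(token string) string { return v.toPAN[token] }

func main() { fmt.Println(NewVault().Tokenize("4111111111111111")) } // constructed test PAN
```

The token is drawn at random rather than derived from the card number, so the vault contents are the only route back to the original value and need the same protection as the data they replace.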
Anonymization
What Is Anonymization?
• A form of tokenization that permanently replaces sensitive data with substitute values (or “tokens”)
• Substitute values are not stored so a secured token vault is not required
• Can replace every instance of a piece of original data with the same token
• Format-preserving: retains the characteristics of the original data
• A variety of anonymization methods can be used (masking, scrambling, etc.)
• NOT a solution for use on a production server since tokens are unrecoverable and original data is required in production mode
Pros
• Cannot be reversed with a key as there is no algorithmic relationship to the original data
• Supports compliance with GDPR and other regulations
• Keeps non-production servers out of the scope of compliance
Tips
• Not a solution for data on your production server
• Ideally used for anonymizing sensitive data on a development or test system
• Good for sending data to outside services for processing
• When coupled with a high availability solution for replication to a non-HA node, it can feed a dev/test system with anonymized data
Cons
• Anonymization is not recognized as widely as encryption by standards bodies
How Syncsort Can Help
Sensitive Data Protection
Protecting the privacy of sensitive data by ensuring that it cannot be read by unauthorized persons using encryption, tokenization and secure file transfer
Intrusion Detection/Prevention
Ensuring comprehensive control of unauthorized access and the ability to trace any activity, suspicious or otherwise
Security & Compliance Assessments
Assessing your security risks or regulatory compliance
Auditing and Monitoring
Gaining visibility into all security activity on your IBM i and optionally feeding it to an enterprise console
Syncsort Security addresses the issues on every CISO and system admin’s radar screen
Learn more at www.syncsort.com/en/assure
Syncsort Can Help You Protect Your Sensitive Data
Encryption
• Alliance AES/400
• Alliance Key Manager by Townsend Security
• Enforcive Field Encryption
Tokenization
• Alliance Token Manager
• Quick-Anonymizer
Secure File Transfer
• Alliance FTP Manager
• Alliance PGP Encryption
The Syncsort Services Team Has Your Back
Expert services are available for
• Security risk assessment
• Quick start services
• Quick check services
• Security update services (for hot fixes, PTFs, new releases, etc.)
• System update services (ensuring security solution is properly configured after system changes to IP addresses, OS versions, etc.)
• Auditor assist (supporting internal or external auditors)
• Managed security services
• A la carte consulting
Leverage Syncsort’s team of seasoned security experts!