Do you know encryption fact from fiction? With data breaches frequently making the headlines, businesses are losing more business and personally identifiable information than ever. Every industry and company is at risk – public and private. Encryption is one of the best ways to protect this information, but misperceptions related to cost, performance, and ease of use run rampant. View this webcast on-demand where we talk with Patrick Townsend, Founder & CEO of Townsend Security, to set the record straight on the top 5 encryption myths for IBM i users.

1. Top 5 Encryption Myths
for IBM i Users
July 17, 2018

2. Patrick Townsend
Founder and CEO, Townsend Security
Today’s Presenters
Becky Hjellming
Product Marketing Director, Syncsort
2

3. Agenda
▪Encryption myths
▪FIELDPROC encryption for IBM i
▪Security concerns
▪Introduction to Alliance AES/400
TOP 5
ENCRYPTION
MYTHS
3

4. MYTH #1
Private companies do not have to encrypt
sensitive data for PCI, GDPR, etc.
TOP 5
ENCRYPTION
MYTHS
4

5. MYTH #2
Encryption on the IBM i is complicated
and requires too many technical
resources.
TOP 5
ENCRYPTION
MYTHS
5

6. MYTH #3
Database and application performance
will be terrible.
TOP 5
ENCRYPTION
MYTHS
6

7. MYTH #4
Data is secure if it is encrypted.
TOP 5
ENCRYPTION
MYTHS
7

8. MYTH #5
Key management is expensive,
dangerous and not scalable.
TOP 5
ENCRYPTION
MYTHS
8

9. What is FIELDPROC and How Does it Work?
Field Procedures
▪ New in V7R1, and continues in V7R2, V7R3 and future
▪ Column level exit point technology
▪ Implemented on IBM System z in DB2 v9
▪ Programmed by customers or vendors
9

10. Encryption Before V7R1
It’s an Application Software Project
▪ Identify all of the fields you want to encrypt
▪ Decide if triggers can work for you (partial solution)
▪ Identify all RPG or COBOL applications that must be changed
▪ Modify the applications
▪ Test, test, and test again
10

11. Encryption with FIELDPROC
It’s a database change, not an application change
▪ Identify all of the fields you want to encrypt
▪ Install FIELDPROC exit point software
▪ Activate FIELDPROC protection
11

12. Your Encryption Project Just Got a Whole Lot Easier!
▪ No database changes required
- No field type or size changes
- No problems with Zoned and Packed data
▪ Few (if any!) application changes required
- Most applications can will run without changes
- There are a few caveats (covered later) that may require minor
application modifications
12

13. How Does It Work?
Like most exit points you must register your exit point program (uses SQL)
A SQL statement used to do this:
ALTER TABLE ordmaster
ALTER COLUMN cardno
SET FIELDPROC prodlib/exitpgm
CONSTANT ‘Unique-Value’
Now the DB will call your API program on every I/O operation
YOUR
FIELDPROC
ORDMASTER
cardno
prodlib/exitpgm
13

14. FIELDPROC Programs
What Can You Do with FIELDPROC?
Developers have freedom to implement virtually any column
encoding & decoding scheme
▪ Encryption (From 3rd party providers like Townsend Security)
▪ Change control / Audit logging
▪ Data Compression
FIELDPROC Program Requirements:
▪ FIELDPROC program must be an ILE program object & contain no SQL
▪ Handle 3 different events:
- FIELDPROC registration to define encoded attributes
- Write operations encode data
- Read operations decode data
14

15. FIELDPROC Programs
How Do They Get Installed?
FIELDPROC Registration Interface (SQL only!)
CREATE TABLE orders (
custid CHAR (5),
cardnumCHAR(16) FIELDPROC mylib/mypgm)
ALTER TABLE orders ALTER COLUMN cardnum
SET FIELDPROC mylib/mypgm
FIELDPROC Removal
ALTER TABLE orders ALTER COLUMN cardnum
DROP FIELDPROC
15

16. FIELDPROC Programs
When Are They Invoked by DB2/400?
FIELDPROC Add/Update Events
▪ SQL Insert, Update, & Merge statements
▪ Native RPG record-level writes and updates
▪ Query searches: WHERE card number=‘1111222233334444’
▪ “Writing” CL Commands: CPYF, RGZPFM, STRDFU, ….
▪ Trigger Processing
- FIELDPROC processing occurs after BEFORE triggers
- FIELDPROC processing occurs before AFTER triggers
FIELDPROC Read Events
▪ SQL Select & Fetch
▪ Native RPG record-level reads
▪ “Reading” CL commands: CPYF, RGZPFM, DSPPFM, FTP …
▪ Trigger processing
16

17. FIELDPROC Programs
Do I Have To Change My Database To SQL?
NO!
FIELDPROC works with files created with DDS. You don’t need to convert them to SQL
tables. There are some benefits to SQL conversion, but it is not required.
17

18. FIELDPROC Programs
Do I Have To Change or Recompile My Programs?
NO!
Programs do not need to be re-compiled. The data interface will be the same after
FieldProc implementation.
18

19. FIELDPROC: What It Is and Isn’t
What it does:
▪ Provides a column level exit for insert/read/update operations on a database
What it does not do:
▪ Does not provide encryption, audit, or key management software
▪ You have to provide software for the Exit (an executable program) to handle encrypt/decrypt
▪ FIELDPROC does not provide security controls – that’s up to you!
▪ Does not log actions for compliance
FIELDPROC
FIELDPROC
PROGRAM
- Encryption
- AuditDatabase Table
19

20. Security Concerns
The FIELDPROC Exits expose new security challenges!
Once an exit point program is installed, it will be called regardless of the user application. Common
utilities such as DBU, Display Physical File Member, Query, and FTP can trigger automatic
decryption of data.
You will need:
▪ User access controls
▪ Encryption key access controls
▪ Automatic masking of data by policy
▪ Provide QAUDJRN logging of access
20

21. Alliance AES/400 and FIELDPROC
Everything you need to get FIELDPROC right
▪ Easy-to-use management interface
▪ Exit point software for encryption
▪ Key management (more later)
▪ User access controls by policy with Group Profile support
▪ Data masking
▪ Audit
▪ NIST-certified AES encryption
21

22. Why Choose Alliance AES/400
▪ Only NIST-validated AES encryption for the IBM i
▪ High performance encryption libraries – Does not use slow
IBM libraries like other competitors.
▪ Better performance than Power8 on-chip encryption
▪ Encryption key management options
▪ Local key store
▪ FIPS 140-2 compliant key manager
22

23. Why Choose Alliance AES/400
▪ Best encryption performance
▪ Built-in Data Masking based on user, group
▪ Built-in data access audit
▪ Extensive encryption APIs for RPG and COBOL
▪ Encryption commands for Save Files, IFS, and much more
▪ Integration with Alliance LogAgent for SIEM monitoring
▪ Integration with Alliance Two Factor Authentication
23

24. Alliance AES Encryption for IBM iSeries
Validation #568
Implementation: IBM Power with IBM i5/OS on 64-bit Power
Alliance AES Library (IBM i V5R4)
Validation #1338
Implementation: IBM Power6 w/ IBM i V5R4
Alliance AES Library (IBM i V6R1)
Validation #1339
Implementation: IBM Power6 w/ IBM i V6R1
Alliance AES Library (IBM i V7R1)
Validation #1340
Implementation: IBM Power6 w/ IBM i V7R1
Certified on All Major Releases
of IBM i
24

25. Key Management for Compliance
▪ Dual Control
▪ Separation of Duties
▪ Split Knowledge
▪ Key rotation
▪ Separate keys from the data they protect
25

26. FIELDPROC and Key Management?
Key management is critically important to encryption
▪ Hackers don’t break encryption, they find the keys
▪ A good key management system will…
1) Control access to keys
2) Manage keys through the life cycle
3) Log access to keys
4) Back up keys
5) Roll keys
6) Expire keys, etc.
26

27. Two Choices for Key Management
The keys are the secret - they must be protected and managed
▪ Local key store (based on ANSI X9.24)
▪ External encryption key management
▪ Alliance Key Manager
▪ FIPS 140-2 compliant
▪ Available As: HSM, Cloud HSM, VMware, Cloud
27

28. Practical Issues – Encrypted Indexes
Sort sequence of encrypted indexes
▪ IBM indexes based on encrypted value, not decrypted value
▪ Index lookups based on encrypted value, not plaintext value
▪ Range bound reads, some RPG operation impacts
- SETLL followed by READE, etc.
28

29. Practical Issues – Join logical files (DDS)
Incompatible with DDS-based join files on encrypted values
▪ Joined fields are a different type (Input only)
▪ Errors when re-creating join logical file after FIELDPROC active
▪ NOT a problem with native SQL joins
29

30. Wouldn’t it be Nice if RPG Could Use SQL without
Re-engineering the Code? We’ve Got You Covered!
▪ Open Access for RPG (OAR) hooks the file interface
▪ Often used to create web interfaces for display files
▪ Works great with DB2 externally described files
▪ OAR handlers are quite flexible
30

31. Software Evaluations
Making it easy
▪ Fully functional software – Internet download
▪ Local key management included
▪ Alliance Key Manager as VMware or Internet instance
▪ Free training, Quick Start guides, on-line help
31

32. Solutions for IBM i
Compliance and Security

33. SIEM Integration
Ensure IBM i security activity can
be fed into an enterprise security
monitoring console
Fraud
Detection/Prevention
Ensure comprehensive control of
unauthorized access and the
ability to trace any activity,
suspicious or otherwise
Compliance
Prove to auditors that access is
controlled and the system is in
complianceSyncsort
can help with
all compliance,
security or SIEM
integration needs
33

34. Syncsort’s Security Portfolio
Security
Cilasoft
Cilasoft Compliance
and Security Suite
QJRN/400
QJRN Database & QJRN System
CONTROLER
EAM
RAMi
CENTRAL
Alliance
Alliance
AES/400
Townsend’s Alliance
Key Manager
Alliance Token
Manager
Alliance
FTP Manager
Alliance
XML/400
Alliance
LogAgent Suite
Alliance Two Factor
Authentication
Enforcive
Enterprise Security
Suite
Security Risk
Assessment
Cross-Platform Audit
Cross-Platform
Compliance
Password Self-Service
AIX Security
Quick
Quick-CSi
Quick-Anonymizer
34

35. Security Risk Assessment
Security Risk
Assessment Tool
Security Risk
Assessment Service
Syncsort
Security
Solutions
35
Security Risk
Assessment

36. Compliance Acceleration
Cilasoft
QJRN/400
Enforcive
Policy Compliance,
Compliance Accelerator,
Cross-Platform
Compliance
Syncsort
Security
Solutions
36
Security Risk
Assessment
Compliance
Acceleration

37. Sensitive Data Protection Syncsort
Security
Solutions
Alliance AES/400,
Townsend Alliance Key Manager,
Alliance Token Manager
Enforcive
Field Encryption
Quick-Anonymizer
37
Security Risk
Assessment
Sensitive
Data
Protection
Compliance
Acceleration

38. Secure Data Transfer
Alliance FTP Manager,
Alliance XML/400
Syncsort
Security
Solutions
38
Secure Data
Transfer
Security Risk
Assessment
Sensitive
Data
Protection
Compliance
Acceleration

39. Multi-Factor Authentication
Cilasoft Reinforced
Authentication
Manager for i (RAMi)
Alliance Two Factor
Authentication
Syncsort
Security
Solutions
39
Secure Data
Transfer
Enhanced
Password
Management
Security Risk
Assessment
Sensitive
Data
Protection
Compliance
Acceleration

40. Elevated Authority Management
Cilasoft Elevated
Authority Manager
(EAM)
Syncsort
Security
Solutions
40
Elevated
Authority
Management
Secure Data
Transfer
Enhanced
Password
Management
Security Risk
Assessment
Sensitive
Data
Protection
Compliance
Acceleration

41. Comprehensive Access Control
Cilasoft CONTROLER
Enforcive Enterprise
Security Suite
(for IBM i and for AIX)
Syncsort
Security
Solutions
41
Elevated
Authority
Management
Secure Data
Transfer
Enhanced
Password
Management
Access
Control
Security Risk
Assessment
Sensitive
Data
Protection
Compliance
Acceleration

42. System and Database Auditing
Cilasoft
QJRN/400
Enforcive
Enterprise Security Suite
(for IBM i and AIX),
Cross-Platform Audit
Quick-CSi
Syncsort
Security
Solutions
42
Elevated
Authority
Management
Secure Data
Transfer
Enhanced
Password
Management
System &
Database
Auditing
Access
Control
Security Risk
Assessment
Sensitive
Data
Protection
Compliance
Acceleration

43. Reporting, Alerting, Log
Forwarding & SIEM Integration
Cilasoft
Security Suite
Alliance LogAgent Suite
Enforcive Security Suite
with Data Provider
Ironstream for i
Syncsort
Security
Solutions
43
Elevated
Authority
Management
Secure Data
Transfer
Enhanced
Password
Management
System &
Database
Auditing
Access
Control
Security Risk
Assessment
SIEM
Integration
Alerts and
Reports
Sensitive
Data
Protection
Compliance
Acceleration
Log
Forwarding

44. Additional Security Tools
Cilasoft
Reinforced Authentication
Manager for i (RAMi)
Cilasoft
CENTRAL
Cilasoft
Job Log Explorer
Enforcive
Firewall Manager
Enforcive
Password Self-Service
Syncsort
Security
Solutions
44
Elevated
Authority
Management
Secure Data
Transfer
Enhanced
Password
Management
System &
Database
Auditing
Access
Control
Security Risk
Assessment
SIEM
Integration
Alerts and
Reports
Sensitive
Data
Protection
Compliance
Acceleration
Log
Forwarding
Network
Security
Password
Self-Service
Supervised
4-Eyes
Operations
Job Log
Analysis
Secure Data
Consolidation
&
Distribution

45. Syncsort Global Security Services
Flexible Services Offerings for Security
• Security risk assessment
• Quick start services
• Quick check services
• Security update services (installing hot fixes, PTFs, new releases, etc.)
• System update services (ensuring security solution is properly configured
after system changes to IP addresses, OS versions, etc.)
• Auditor assist (supporting internal or external auditors)
• Managed security services
• A la carte consulting
Syncsort’s team of seasoned experts is here for you!
45

46. Syncsort can help
with all your
compliance,
security or SIEM
integration needs!
46
Elevated
Authority
Management
Secure Data
Transfer
Enhanced
Password
Management
System &
Database
Auditing
Access
Control
Security Risk
Assessment
SIEM
Integration
Alerts and
Reports
Sensitive
Data
Protection
Compliance
Acceleration
Log
Forwarding
Network
Security
Password
Self-Service
Supervised
4-Eyes
Operations
Job Log
Analysis
Secure Data
Consolidation
&
Distribution
Learn more at
www.syncsort.com/en/assure

47. Q&A