Townsend Security Data Privacy Blog

It was a great time of year to be in Anaheim, California last week for the IBM System z Mainframe SHARE user conference. The rains had just passed through and the weather was balmy. The Anaheim convention center is right next door to Disneyland, a place that was paradise to me growing up in Southern California.  The juxtaposition was not lost on anyone – Mainframes being the really serious computing platform, and Disneyland being the silliest and most fun place on planet Earth. But there was fun at the SHARE conference, too.

The death of the Mainframe has been predicted for years, but it keeps chugging along as one of the workhorses of large organizations. IBM has invested a lot in the hardware technology to keep it up to date, and you get a lot of bang for the buck with one of these systems. You can now even run Linux under z/VM and there are some really big installations of Linux on this platform.  All in all, it’s an impressive system.

I was at SHARE to support our partner, Software Diversified Services as they are now our distributor for PGP on the Mainframe z/OS platform. They are doing a great job of bringing this important encryption technology to IBM’s largest server system. People are often amazed at what you can do with PGP on the Mainframe. Create an Apple Mac self-decrypting archive on z/OS??? You have to be kidding, right? Nope, the PGP solution on the Mainframe creates self-decrypting archives for Windows, Mac, Linux, and flavors of UNIX. Also, it integrates with PGP Universal key server for key management. Another feature is that it compresses data up to 98 percent for encrypted data files. Additionally, it supports Mainframe file systems like PDS, Sequential, and VSAM. So PGP is an impressive offering for Mainframe customers who need to encrypt data for compliance. It was great to talk to the Mainframe customers who were approaching PGP with some trepidation. They were a lot more comfortable knowing that they could run PGP using normal JCL scripts.

With the customer base holding steady at between 6,000 and 7,000 customers worldwide, and with IBM continuing to improve the platform and make it more affordable, I believe it will be an important computing platform for years to come.  We’ll be seeing a lot more of Mainframes and Mickey Mouse for years to come.

Click here for a free evaluation version of PGP for the Mainframe.

Patrick

Earlier this month we released a comprehensive upgrade to our secure managed file transfer solution – Alliance FTP Manager. This latest release incorporates a number of existing Townsend Security products that were previously priced separately and features new capabilities. FTP Manager 5.2 brings together the existing products Alliance FTP Security, Alliance Cross Data, and Alliance All-Ways secure into a single product.

This is a really a big win for our existing customers as well as IBM i customers. Our existing Alliance FTP Manager customers automatically receive the upgrade to FTP Manager 5.2 and so do all of our existing Cross Data and All-Ways Secure customers. We know there are a variety of security challenges facing IBM i customers who send data over networks and FTP Manager 5.2 provides those customers with the most comprehensive and flexible Secure Managed File Transfer offering available.

Highlights of FTP Manager 5.2 include encrypted PDF and encrypted Zip functionality. The new encrypted PDF functionality allows customers to generate encrypted and un-encrypted PDF documents using a familiar interface. And now that FTP Manager 5.2 fully supports zip encryption to the WinZip standard it will provides IBM i customers with a new tool to meet compliance regulations. Users can create Zip files on the IBM i platform and then use a variety of delivery methods to send the Zip files to customers, vendors, and employees.

There are a lot of exciting things on the horizon for Townsend Security and our customers. This release of FTP Manager 5.2 is just the start…..October promises to be a month full of major accomplishments and milestones.

IBM i (AS/400, iSeries) users send a lot of sensitive information to their customers, vendors, and employees which needs to be protected with strong encryption. Our customers today are using our PGP encryption solution to protect files. But there has been a big need to generate and protect information in common PC formats. With our upcoming release of Alliance FTP Manager for IBM i, we are stepping up our support with encrypted Zip files and encrypted PDF files.

Zip compression is very commonly used to send files via email. Not only does zip compression make our email attachments smaller, but the most popular zip compression programs now support 256-bit AES encryption of the contents. The ability to encrypt Zip files with AES provides a much better level of security than older zip protection methods. In the new release of Alliance FTP File Manager for IBM i we fully support Zip encryption to the WinZip standard. This means that you can create and protect Zip files on your IBM i platform, and then use a variety of delivery methods to get the Zip files in the hands of your customers, vendors, and employees. This will immediately give IBM i customers a new tool to meet compliance regulations.

The new Zip support provides rich capabilities to IBM i users. You can create encrypted or un-encrypted zip archives, include sub-directories, and use wild cards to select files. When uncompressing and decrypting you can specify any directory as the target for the files. This capability integrates with our automation facilities for processing received files. Lastly, we provide a Windows command line Zip application to help our customers who don’t already have a Zip application. I’m confident that this new capability will help our customers achieve a better level of security.

The other new security technology in FTP Manager for IBM i is our encrypted PDF support. In this first implementation, our customers will be able to create encrypted PDFs with their own content, and then use the automation facilities to distribute the PDFs via email, FTP, and other distribution methods. Encrypted PDF support includes the ability to set fonts and colors, embed watermark and graphic images, set headers and footers, and create tables and lists. The resulting encrypted PDF file is compatible with any PDF reader that supports the AES encryption standard for PDF. We’ve tested with a wide variety of PDF readers on PCs, Apple Macs, Blackberry, Linux desktops, and so forth. This will give our customers an additional tool to secure their sensitive data.

These new technologies for the IBM i customer will increase their abilities to meet compliance regulations and secure sensitive data. I hope you get the idea that we are dedicated to helping you protect your sensitive data and corporate assets. You are going to see a lot more of these types of new capabilities as we go forward.

Patrick

Many of us have been watching the on-going drama between RIM (makers of the ubiquitous Blackberry) and various governments around the world. Governments have been successfully pressuring RIM to provide access to their internal messaging servers in order to get access to encrypted messages sent and received by Blackberry users. I think RIM has been trying to fight this access as best they can. After all, one of their key product messages is around the security of their systems. In spite of that I suspect some governments have been successful in getting at least limited access to the Blackberry servers that process secure messages.

At first I was puzzled by this story when it started to emerge. I mistakenly thought that the private key needed to decrypt a message was stored on the receiver’s Blackberry and that the intermediate message servers would not have the key necessary to decrypt a message. I was apparently wrong about this architecture and it turns out that the Blackberry message servers do have the ability to decrypt messages in transit. That ability puts RIM in the uncomfortable headlights of law enforcement and security agencies around the world.

People have been asking me if a similar situation exists with other common encryption technologies. For example, when I encrypt a file with PGP can it be decrypted by someone (A government? A credit card thief?) before it reaches the intended recipient. Before the drama with RIM I was not hearing this question, but now I think many people are wondering about it.

The short answer is to the question is No: When you encrypt a file with PGP it is not possible to decrypt it before it gets to the intended recipient. PGP is based on the widely used public/private key encryption technology deployed in many secure systems such as VPNs, web browsers, and secure FTP. When I encrypt some information with a public key, only the person holding the private key can decrypt the information. As long as I protect my private key an intermediary can’t decrypt a message intended only for me. Almost all of our assumptions about security depend on this fact.

Is this system perfect? No. As a recipient of secure messages I may inadvertently disclose my private key or lose it by failing to protect it properly. Also, I may be legally compelled by a government agency to relinquish it. Many governments are now requiring people to disclose their private keys and passwords when ordered by a court to do so. You might think that you can’t be compelled to give up a password or private key, but I think that resolve might fade after a few days of sitting in a jail cell. The bottom line is this: public/private key technology is the best method we have of protecting sensitive information. When done well it prevents anyone but an intended recipient from reading the sensitive information. But it also means that you have to pay attention to how you manage and protect encryption keys. Proper encryption key management is essential to any data protection method you use. We’ll be talking more about this in the days ahead.

Patrick