Townsend Security Data Privacy Blog

Upgrade to V7R1 for New Security Features

Posted by Luke Probasco on May 4, 2012 8:19:00 AM

v7r1 fieldproc encryptionIBM announced recently the end of support date for V5R4. This has prompted many IBM i shops running this older OS to upgrade to a newer release - either V6R1 or V7R1. Traditionally, we have seen that most IBM i administrators upgrade just one release forward. In this particular case, we recommend going to V7R1. Not only is upgrading to V7R1 a fully supported path by IBM, there are security reasons. I recently sat down with Patrick Townsend, Founder & CEO, to discuss IBM i V7R1 and how Townsend Security can help organizations take advantage of FIELDPROC, a new feature that allows companies to encrypt their sensitive data without changing their applications.

You said recently that upgrading your IBM i to V6R1 is a bad idea. Can you explain why?

Security today is more important than it was even two or three years ago. We live in an evolving world around security and organizations of every size - from small companies to global companies - really have been under severe attack. The bad guys are getting much better at what they do and we are faced with highly sophisticated attacks. Even mid-sized companies are now under pressure to protect their data. So we live in a world that is far more sensitive and insecure, and we really have to put more attention on protecting sensitive data.

IBM gave us FIELDPROC in the latest release of the operating system (V7R1), which allows encryption with no application changes. FIELDPROC is really attractive for mid-sized and large customers. It makes the usually very difficult task of encrypting data in our systems much easier. I think that customers who are on older versions of the operating system (V5R4, for example) and who might in the past have just moved up one level, should really move up to V7R1. From a security perspective, it is time to jump a level from V5R3 or V5R4, past V6R1, which would be the next release, to V7R1 and get the benefits of FIELDPROC encryption.

What would an organization need to do to take advantage of FIELDPROC once they upgrade? They still need third-party encryption, right?

Yes, FIELDPROC is the ability to do encryption, but IBM relies on third-party vendors like us to actually provide the encryption libraries and appropriate encryption key management. When customers deploy our FIELDPROC encryption solution on V7R1, they are getting our NIST-certified encryption libraries, as well as seamless integration with Alliance Key Manager, our encryption key manager. Alliance Key Manager is FIPS140-2 certified, and when used with our encryption, lines up perfectly with best practices for encryption across all compliance regulations. Whether it is PCI/DSS with Credit Cards, HIPAA/HITECH in the Healthcare industry, FFIEC in the financial industry, DICAP if you are a civilian company working with the federal government, or if you are a federal agency where it is a mandate that you must have a FIPS140-2 solution.

Our FIELDPROC solution installs into an IBM i customer’s environment, provides both our optimized and certified AES encryption libraries, and the key management you need to be compliant. IBM has done the hard work of making this capability available and we do the work of snapping in proper encryption and key management.

Download a free 30-day evaluation of our Alliance AES/400 encryption, built specifically for IBM i V7R1. Alliance AES/400 is the only NIST-certified FIELDPROC encryption available.

Click me

Topics: IBM i, V7R1, AES Encryption

New Secure Shell sFTP in IBM i 7.1 (V7R1)

Posted by Luke Probasco on Apr 27, 2012 12:55:00 PM

Download Podcast

Podcast

Download podcast "IBM i Security: Skip V6R1 and Upgrade to V7R1"

Click Here to Download Now

We have been talking a lot recently about the benefits of FIELDPROC as being the main reason to upgrade to IBM i 7.1 (V7R1). Since IBM recently announced the end of support date for IBM i 5.4 (V5R4), we are seeing many shops planning upgrade projects and discussing whether to move their systems to V6R1 or V7R1. Without a doubt, V7R1 is the correct choice – it is even a fully supported V5R4 upgrade  path from IBM.  So, aside from FIELDPROC, what other security reason is there to skip V6R1?  Simply, the updates to Secure Shell sFTP.  I recently sat down with Patrick Townsend, Founder & CEO, to discuss how these updates can help further secure your data.

Another key security feature in V7R1 is a new version of the Secure Shell sFTP application. How is it different and better?

IBM has been making Open SSH available on the IBM i for quite some time. We had the ability to install it back on V5R3. It has become a very popular secure file transfer mechanism, especially for financial institutions. We are seeing large commercial banks across the board moving to Secure Shell sFTP for encrypted file transfers. IBM brings the latest version of SSH to each new release and V7R1 is no exception. The latest version has picked up new security features since the V5R4 release, some of which are quite important. I think moving to V7R1 and getting the latest version of Secure File Transfer (sFTP) is really important. We are learning from security professionals at the NSA, NIST, and SANS just how important it is to make sure the patches to our systems are up-to-date. So again, having the latest version of any security technology is imperative, which re-emphasizes skipping V6R1 when upgrading from V5R4.

Download our podcast “IBM i Security: Skip V6R1 and Upgrade to V7R1” for more information on the security reasons that you should go straight to V7R1. Additionally, we will discuss how Townsend Security can help you take advantage of FIELDPROC, a new addition to V7R1, which allows companies to encrypt their sensitive data without changing their applications.

Click me  

Topics: IBM i, V7R1, SFTP

Should I Upgrade My IBM i to V6R1 or V7R1?

Posted by Luke Probasco on Mar 27, 2012 9:52:00 AM

Download Podcast

Podcast

Download podcast "IBM i Security: Skip V6R1 and Upgrade to V7R1"

Click Here to Download Now

Today, data security is more important than ever. We live in world now where organizations of every size - from small companies to large global companies – need to make sure their sensitive data is safe. The bad guys are getting much better with more sophisticated attacks. Even mid-sized companies are now targets. So, with the most up-to-date security features included in IBM i 7.1 (V7R1), why would you still be using or consider using the V6R1 release?  I recently sat down with Patrick Townsend, Founder & CEO, to discuss the latest IBM i OS and the security reasons a company who is on an upgrade path from V5R4 should bypass V6R1 and install V7R1.

What do you have to say to the company who traditionally moves up just one release? For example the company that would just upgrade to V6R1 because they feel that it has all the kinks worked out.

Well, I understand that motivation and I have been in that seat before. OS upgrades are always something you want to be very cautious about - whether you are talking about your IBM i or even your Linux, UNIX, and Windows servers. You know that a certain number of bugs will get worked out after a new release has come into the market and you tend to be a little cautious about applying the latest release upgrade. Having been released for over a year, V7R1 is now pretty mature and I haven’t heard of any significant upgrade problems.

IBM i users that are on V5R4 know that IBM recently announced the end of support date for that release (which means maintenance and support will stop in about a year) and people will need to upgrade. There are two reasons it is a good idea to jump past V6R1 straight and to V7R1. First, it is a fully supported path by IBM. Second, there are security benefits to making that jump. You are getting significant new security features in V7R1 that you won’t see in V6R1. I know that there are external factors that sometimes influence moving forward on releases. Some software vendors may not be ready for V7R1 and this can represent a significant barrier in terms of getting to the latest release of the operating system. If you have not yet begun a discussion with your software vendors on whether they have certified their software on V7R1, now is the time to do that. IBM makes it very easy for a software vendor to test their software on a pre-release version of the operating system. We do that, and your other software vendors should be doing that too, well before IBM releases a new version of the operating system. This is one time that you should balance the security benefits of V7R1 against the cautionary approach of going only to V6R1, which will be just one step for many people.

Download our podcast “IBM i Security: Skip V6R1 and Upgrade to V7R1” for more information on the security reasons that you should go straight to V7R1. Additionally, we will discuss how Townsend Security can help you take advantage of FIELDPROC, a new addition to V7R1, which allows companies to encrypt their sensitive data without changing their applications.

Click me

Topics: system security, IBM i, V7R1

Skip V6R1 on IBM i and Upgrade to V7R1 - A Security Note

Posted by Patrick Townsend on Mar 1, 2012 9:17:00 AM

IBM i FIELDPROCEveryone in the IBM i (AS/400, iSeries) world with responsibility for these large servers knows that IBM will soon announce the next release of the IBM i operating system, and that version V5R4 will go off of support a short time after that. While the date of the next release and the sunset date for V5R4 have not been announced, IBM has a fairly predictable pattern of new OS releases and support schedule. You can read Timothy Pickett Morgan’s thoughts in an article he wrote titled "The Carrot: i5/OS V5R4 Gets Execution Stay Until May."

So right now IBM shops running V5R4 are busy planning their upgrades. Many are planning to move just one version ahead to V6R1.

News Update! IBM just announce the support end date for V5R4. It’s September 30, 2013. You can read it here.

Upgrading your IBM i (AS/400) to V6R1 instead of V7R1 is a bad idea. Here’s why:

In V7R1 IBM provided a new automatic encryption facility in DB2/400 called FIELDPROC (That’s short for “Field Procedure”). This new facility gives IBM i customers their first shot at making encryption of sensitive data really easy to do. With the right software support you can implement column level encryption without any programming. The earlier trigger and SQL View options were very unsatisfactory, and the new FIELDPROC is strategically important for customers who need to protect sensitive data.

Another key feature in V7R1 is a new version of the Secure Shell sFTP application. This is rapidly becoming the file transfer method of choice. And IBM provides version 4.7 in V7R1. If you are doing a substantial amount of file transfers with sFTP, or you plan to do so, you will want all of the latest security patches in OpenSSH.

I know that an operating system upgrade is a lot of work, and that’s why IBM i shops are reluctant to do it very often. And when they do an upgrade, there stay there as long as possible. But FIELDPROC is only available in V7R1, it is not patched back to V6R1. And the latest version of OpenSSH is provided in the V7R1 distribution.

So I think you should skip V6R1 and go directly to V7R1. You won’t want to be locked in to a version of the OS without important security features. And the jump from V5R4 directly to V7R1 is a fully supported path by IBM. I hope I’ve convinced you to consider this important security option as you look at your OS upgrades this year. 

Download our podcast on "The Benefits of FIELDPROC Encryption" to learn more about FIELDPROC capabilities and the benefits of transparent encryption.  Additionally, we have a podcast titled "FIELDPROC Performance - Speed Matters" for those who are wondering how it will impact their systems.

Patrick

Are you going to COMMON in Anaheim? I will be doing four sessions on security on the IBM i. Be sure to stop by the booth and say Hello!

Click me

Topics: IBM i, V7R1, FIELDPROC

FIELDPROC Questions: Tape Backup and Data Masking

Posted by Luke Probasco on Dec 22, 2011 10:01:00 AM

automatic encryptionWhile FIELDPROC was introduced nearly two years ago with IBM i V7R1, it is becoming new to administrators who are finally upgrading to the latest IBM i OS.  Lucky for you newbies, we have plenty of experience with this release and can share a wealth of knowledge for your encryption project.  FIELDPROC allows us to bring you automatic encryption – encryption with no application changes!  We recently hosted a webinar titled “Automatic Encryption on the IBM i” and received some great questions.  Patrick Townsend, Founder & CTO, recently took some time to answer a few questions that we received during the webinar.  If you have any further questions on FIELDPROC and how your organization can implement automatic encryption with no application changes, send them our way.

When you back up encrypted data to tape, does it back it up un-encrypted?

No.  Data that is encrypted by FIELDPROC, when you do a backup, is going to be encrypted on the backup tape.  If you a put a file under FIELDPROC control and you back it up, you can then just dump that tape and see that the data is encrypted on the tape.  Backup operations do not trigger FIELDPROC decryption and you can securely back up a file on to tape for it to be protected.  That is a part of the built-in capabilities within FIELDPROC.  However, if you copy a file with the “copy” command, the database WILL trigger FIELDPROC and decrypt that data.

Can masking be done by group profile or only by a specific user?

Good question.  Yes, you can use group profiles for user access controls and masking.  We understand that a lot of our customers have a large number of users and have leveraged using group profiles.  We fully support group profiles around both access controls and masking. It is important to note that we do not use native object authority for our user access controls and masking. Instead we use a white-list approach that allows you to control and monitor QSECOFR and any user with All Object (*ALLOBJ) authority.

Are there any performance impacts of using encrypted data as indexes, as far as reads or chains, or other I/O functions? 

IBM has done a great job of implementing FIELDPROC in terms of how it gets called and when it gets called.  There is no particular performance impact for reads, as opposed to writes.  We have done tests with encryption and decryption and they are both very efficient and very effective.  There is a tiny measureable difference between encryption and decryption, and that has to do with key scheduling, but believe me, it is extremely insignificant.  I think you will find about equivalent performance with both encryption and decryption.

View our webinar “Automatic Encryption on the IBM i” for more information about FIELDPROC and how your organization can easily meet compliance regulations that require encryption – with no application changes!

Click me

Topics: IBM i, V7R1, FIELDPROC

FIELDPROC Questions: Performance Problems & Working With BI Tools

Posted by Luke Probasco on Dec 20, 2011 9:59:00 AM

automatic encryptionLast week we hosted a webinar titled “Automatic Encryption on the IBM i” and got some great questions!  Now that IBM i 7.1 (V7R1) has been out for almost two years, we are starting to see more and more companies upgrade their IBM i’s to this latest release of the OS.  As a result, questions and concerns about FIELDPROC have been rolling in.  This feature allows organizations to automatically encrypt their data with no application changes, making it easier than ever to meet compliance regulations with encryption (PCI DSS, HIPAA/HITECH, etc.). 

Previously, encryption was a big project that often brought fear into the eyes of the IBM i administrator.  Not only do we have a FIELDPROC encryption solution that avoids the need for development, but we feel it is the best available encryption for your organization.  Performance is a key differentiator among encryption providers, and we challenge you to find a faster solution.

Additionally, we have been getting questions on how FIELDPROC affects Business Intelligence (BI) tools.  Patrick Townsend, Founder and CTO, has taken a few minutes to address some of these questions from our recent webinar. 

I have heard bad things about FIELDPROC performance.  You seem to think it performs ok.  Can you talk about that?

I think some of the less than stellar things you have heard about FIELDPROC performance comes from people who have implemented poor FIELDPROC encryption solutions.  Different encryption libraries can have very different performance results.  We have tested our optimized encryption libraries, and when compared to others, have found a 100 times difference in the speed of our libraries – even when you are doing something like 256-bit AES encryption.  I think some people have had a bad experience with encryption and FIELDPROC, and I am sure you will have a different experience with our solution. 

We make it really easy to evaluate AES/400, our FIELDPROC encryption solution.  If you have had a bad experience around FIELDPROC, you should take a look at our solution.  I think we will convince you that we have the best FIELDPROC encryption solution available.

How does FIELDPROC encryption affect OLAP reporting tools like ShowCase and Cognos?

The implementation of FIELDPROC is going to work as long as you have a standard DB2/400 database on the IBM i platform and you are running V7R1.  If you have a Business Intelligence tool that runs on top of DB2/400, then FIELDPROC will work for you.  FIELDPROC is a facility that is implemented at the database level and not on the application level.  Personally, I think that if you have sensitive data in any Business Intelligence database, the user controls and masking controls that we have implemented in our FIELDPROC encryption solution should look very good to you because it gives you the ability to maintain the power of those Business Intelligence tools without accidentally exposing sensitive data and creating additional risk.  FIELDPROC, by itself, will not do masking or user controls for you, but our implementation of FIELDPROC in our Alliance AES/400 product will do that for you and will help you protect that data.

View our webinar “Automatic Encryption on the IBM i” for more information about FIELDPROC and how your organization can easily meet compliance regulations that require encryption – with no application changes!

Click me

Topics: automatic encryption, V7R1, Performance, FIELDPROC

IBM i FIELDPROC Surprises

Posted by Patrick Townsend on Nov 1, 2011 8:12:00 AM

IBM i automatic encryptionIn V7R1 of the IBM i (iSeries, AS/400) operating system, IBM introduced support for automatic, column-level encryption in the DB2 database call FIELDPROC (short for “Field Procedure”). For customers who are familiar with other automatic database encryption implementations such as Microsoft SQL Server Extensible Key Management (EKM) and Oracle Transparent Data Encryption (TDE), the new DB2 database implementation can be confusing. The encryption implementation in DB2 is quite different from other vendor implementations. Here are a few highlights of those differences:

FIELDPROC is not encryption, it is an exit point. What IBM is providing with FIELDPROC is the opportunity for you, the customer, to implement encryption at the column level. You have to enable the option, provide the IBM i AES encryption software, and do the implementation yourself. This is different from SQL Server and Oracle TDE where the database does the encryption for you.

Operations are on encrypted data. In SQL Server and in Oracle, the database is decrypted and then the SQL operations take place on the plaintext values. Not so in DB2 FIELDPROC. The necessary information is first encrypted, and the operation takes place using the encrypted value. This can lead to some surprises if you are not careful about your approach to AES encryption and Initialization Vectors.

Decryption might not be called on a read operation.  Some IBM i customers are surprised that FIELDPROC may not be called when doing a “read equal” type of operation. In SQL this can happen in a SELECT clause with a WHERE statement. In the RPG language this can be a CHAIN operation with a key value. The DB2 database will call the FIELDPROC application to encrypt the search value, but not call the FIELDPROC application if the search is satisfied. That will defeat your attempt to do data masking on decryption!

Database joins need special care. Database joins take place on the encrypted values, not the decrypted values. This means that identical values in different tables need to have the same encrypted value. This runs counter to normal encryption thinking in database tables.

FIELDPROC applications are dynamic calls.  The FIELDPROC applications that you or your vendor creates are going to be called dynamically from the database engine. This means that when you develop the FIELDPROC application you have to take special care that they perform exceptionally well, and that your encryption library is optimized (see next item).

Not all AES encryption libraries are equal. There are big performance differences between AES encryption libraries and it can mean a really big difference to your FIELDPROC application performance. We’ve noted before that AES encryption library performance can vary by a factor of 116. That difference can mean a batch job that takes 10 hours or 10 minutes. Be careful!

For further information view our webinar "Automatic Encryption on IBM i V7R1" and learn how Automatic Encryption is now possible on IBM V7R1 with AES/400.

Patrick

Click me

Topics: IBM i, automatic encryption, V7R1, AES Encryption

Enable Transparent Encryption on the IBM i

Posted by Chris Sylvester on Mar 17, 2011 8:48:00 AM
Transparent encryption for IBM iYour Encryption Project Just Get Easier!!

Automatic database encryption is possible with IBM i V7R1 and AES/400

No one wakes up in the morning and says they want to encrypt their data, other than those of us at The Encryption Company.   We   love to help companies get started with encryption and we love to talk about it.  Those facts aside, much of the IT world views encryption as an onerous project and one they will avoid until an auditor says they have to meet a compliance requirement for PCI, HIPAA,  etc.

The good news for IBM i shops is that the latest release of the O/S, V7R1, just made it easier for them to embrace an encryption project, instead of avoiding it.  The most significant update in V7R1 is the introduction of the FIELDPROC exit point, which provides for an exit point at the column level of the database.  We were so excited about what FIELDPROC does for IBM i customers that we updated our AES encryption solution, AES/400 to support FIELDPROC. This enhancement enables future and current AES/400 customers to implement automatic database encryption on the IBM i.

AES/400 version 6.0 allows administrators to apply instant field (or column level) encryption routines without impacting applications.  Administrators can also enforce what users and what applications are allowed access to the protected data.  Rather than rely on native IBM object level security, which is often not implemented correctly, simply specify which user and which program has access and exclude all others.  That’s it!   Around the office we are calling it push button encryption because it really is that simple to implement encryption at the database level.

To paraphrase Staples (a long-standing Townsend Security customer), Automatic encryption – that was easy! 

Request a demonstration today and let us show you how your company can be encrypting and decrypting data in a matter of hours rather than weeks.

Topics: IBM i, automatic encryption, V7R1, AES Encryption