Marilyn Allmond
Trademarks
The following are trademarks of the International Business Machines Corporation in the United States and/or other countries:
AIX*, AIX/ESA*, C/MVS, C/370, CICS*, CICS/ESA*, CICS/MVS*, COBOL/370, Database 2, DB2*, DB2 Connect, developerWorks*, DFSMS/MVS*, DFSMSdfp, DFSMSdss, DFSMShsm, e-business logo*, e(logo)server*, ESCON, FICON*, ibm.com*, IBMLink, MQSeries*, Multiprise*, MVS, MVS/DFP, MVS/ESA, OS/2*, OS/2 WARP*, OS/390*, Parallel Sysplex*, PR/SM, Processor Resource/Systems Manager, RACF*, Resource Link, RMF, S/390*, S/390 Parallel Enterprise Server, WebSphere*, z/Architecture, z/OS*, z/VM*, zSeries*
* Registered trademarks of IBM Corporation
All other products may be trademarks or registered trademarks of their respective companies.
Notes:
Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here.
IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.
All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions.
This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area.
All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.
04/04/06 1-2 of 15
zSeries Sales and Technical Education
Discussion Topics
Sarbanes-Oxley (SOX)
Requires internal controls on information to ensure completeness, correctness and quick access
Addresses the deliberate alteration or destruction of a record or document with the intent to obstruct an investigation
Requires that strict records retention policies and procedures exist
Dictates that publicly traded companies must have policies and controls in place to secure, document and process material information dealing with their financial results
Health Insurance Portability and Accountability Act (HIPAA)
Must guard the "confidentiality, integrity and availability" of individual health data. To accomplish this, each provider is required to meet three conditions:
Must "assess potential risks and vulnerabilities to the individual health data in its possession" …
Must … "develop, implement, and maintain appropriate security measures" (covering integrity, availability and confidentiality)
Must ensure these measures are "documented and kept current"
z9XX Crypto | Marilyn Allmond | Washington Systems Center © 2006 IBM Corporation
DB2 Version 8
Offers data encryption through built-in SQL functions
Allows column encryption rather than row encryption (the EDITPROC exit, by contrast, encrypts whole rows)
Requires a change to the column definitions of the targeted data (the encrypted column is VARCHAR FOR BIT DATA, long enough to hold the ciphertext)
May encrypt data using two methods:
Defining encryption at the column level
Defining encryption at the value level
The encryption key is referred to as the PASSWORD in the DB2 Administration Guide; it is supplied by the application or user on each connection or statement, not stored in the ICSF CKDS
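The two methods side by side, as an added example that is not code from the original presentation or from IBM. The table, column names, passwords and hints are assumptions; the function and statement names (ENCRYPT_TDES, DECRYPT_CHAR, GETHINT, SET ENCRYPTION PASSWORD) are the DB2 V8 built-ins the slide refers to.

```sql
-- Added example (assumed table, column and password values).
-- The password string IS the key: anyone who knows it can decrypt, so it
-- must be handled like key material, not like a login password.

-- The encrypted column must be VARCHAR FOR BIT DATA, sized for the
-- ciphertext: plaintext length + 8, rounded up to a multiple of 8,
-- plus 32 more bytes when a password hint is stored with the value.
-- For a 30-byte account number: 30 + 8 = 38 -> 40, + 32 = 72.
CREATE TABLE CUSTOMER
  (CUST_ID    INTEGER      NOT NULL PRIMARY KEY,
   CUST_NAME  VARCHAR(40),
   ACCT_NO    VARCHAR(72)  FOR BIT DATA);

-- Column-level encryption: one password for the whole column, set once
-- per connection in the ENCRYPTION PASSWORD special register (6 to 127
-- bytes). The functions then take no password argument, so the password
-- never appears in the INSERT/SELECT text that ends up in traces.
SET ENCRYPTION PASSWORD = 'k9!Lm2#pQ7vX' WITH HINT 'ACCT-2006Q1';

INSERT INTO CUSTOMER (CUST_ID, CUST_NAME, ACCT_NO)
  VALUES (1001, 'J DOE', ENCRYPT_TDES('100200300'));

SELECT CUST_ID, DECRYPT_CHAR(ACCT_NO) AS ACCT_NO
  FROM CUSTOMER
 WHERE CUST_ID = 1001;

-- Value-level encryption: the password is passed with each value, so
-- different rows can use different passwords (for example one per
-- business unit). This puts the password into the statement text; in
-- static SQL pass it in a host variable rather than as a literal.
INSERT INTO CUSTOMER (CUST_ID, CUST_NAME, ACCT_NO)
  VALUES (1002, 'A ROE',
          ENCRYPT_TDES('400500600', 'Rt8$zH4%vB1w', 'ACCT-UNIT-B'));

SELECT CUST_ID, DECRYPT_CHAR(ACCT_NO, 'Rt8$zH4%vB1w') AS ACCT_NO
  FROM CUSTOMER
 WHERE CUST_ID = 1002;

-- The hint (up to 32 bytes) is stored in the clear next to the
-- ciphertext. Anyone who can read the column can read it, so it must
-- not give away the password.
SELECT CUST_ID, GETHINT(ACCT_NO) AS PW_HINT
  FROM CUSTOMER;

-- A predicate on the clear value decrypts every row, so no index on
-- ACCT_NO can be used. It also fails with an SQL error (not garbage)
-- on any row encrypted under a different password, which is what
-- happens to row 1002 here: do not mix column-level and value-level
-- passwords in one column.
SELECT CUST_ID
  FROM CUSTOMER
 WHERE DECRYPT_CHAR(ACCT_NO) = '100200300';
```

On z/OS, DB2 V8 satisfies these functions through ICSF, so ICSF must be started for the statements above to run; the ciphertext is always at least 8 bytes longer than the plaintext, which is why the column definition has to change.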
DB2 Databases
Implemented via an EDITPROC exit:
DECENC00: secure key implementation
DECENA00: clear key implementation
Specified in the EDITPROC clause of the SQL CREATE TABLE statement
IMS Databases
Implemented via a Segment Edit/Compression exit:
DECENC01: secure key implementation
DECENA01: clear key implementation
Specified in the DBD COMPRTN parameter
The DECENC0n routines use secure key crypto through the ICSF services CSNBENC and CSNBDEC; the key value exists in the clear only inside the coprocessor
The DECENA0n routines use clear key crypto (CPACF):
DB2 uses the problem state instruction (KMC) directly
IMS uses the ICSF APIs CSNBSYE and CSNBSYD
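How the DB2 exit is attached, as an added example that is not code from the original presentation or from the tool itself. DECENA00 is the clear-key routine named above (assumed here to have been link-edited under that name); the table, tablespace and column names are assumptions. The same DDL applies to the secure-key DECENC00, only the module name changes.

```sql
-- Added example (assumed table, tablespace and column names).
-- The exit receives the whole row, so column definitions and the
-- application SQL do not change; what changes is the table's DDL and
-- the load path.

-- EDITPROC can only be named on CREATE TABLE; it cannot be added with
-- ALTER TABLE, and a table that has one cannot have columns added
-- with ALTER TABLE ADD either. An existing table is therefore
-- unloaded, dropped, recreated with the exit, and reloaded. Shown here
-- with INSERT ... SELECT; the UNLOAD/LOAD utilities are the usual path
-- for large tables. The DECENA00 load module (assembled from the
-- sample with the key label inserted) must be in a library DB2 can
-- load from (STEPLIB or the link list).
CREATE TABLE PATIENT_ENC
  (PATIENT_ID  INTEGER      NOT NULL,
   LAST_NAME   VARCHAR(40),
   DIAGNOSIS   VARCHAR(200))
  IN MEDDB.MEDTS
  EDITPROC DECENA00;

-- Every row passes through the exit on the way in and is stored
-- encrypted under the key label assembled into DECENA00.
INSERT INTO PATIENT_ENC (PATIENT_ID, LAST_NAME, DIAGNOSIS)
  SELECT PATIENT_ID, LAST_NAME, DIAGNOSIS FROM PATIENT;

-- Unchanged application SQL: the exit decrypts on every fetch, at the
-- cost of one CPACF operation per row touched.
SELECT PATIENT_ID, DIAGNOSIS
  FROM PATIENT_ENC
 WHERE PATIENT_ID = 42;

-- Caveat: index key values are taken from the clear row and stored in
-- the index unencrypted. An index on DIAGNOSIS would leave the
-- protected values readable in the index pages, so index only the
-- columns you are not trying to hide.
CREATE INDEX PATIENT_ENC_IX ON PATIENT_ENC (PATIENT_ID);

-- Retire the clear-text table. Image copies, log data sets and unload
-- data sets taken from it still hold clear text and need the same
-- retention and destruction controls as the new table's key.
DROP TABLE PATIENT;
```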
Key labels in the CKDS:
Secure key: label DB2KEY....., key type DATA, hardware CCF, PCIXCC or CEX2
Clear key: label DB2KEY....., key type CLRDES, hardware CPACF
The key field in the exit is 64 bytes of label, padded with blanks, followed by 8 bytes of key type
Each key must have a unique key label
Figure: supported environments. IMS V6 or later and DB2 UDB Server for OS/390 V6 or later call the DECENC01 and DECENC00 exits, which use ICSF to drive the CCF, on S/390 and on zSeries (z900/z800).
Address disaster recovery (DR) implications
Machine type impact (CPACF for clear key, or secure key hardware)
Key availability (CKDS key storage and CKDS accessibility)
Naming convention for key labels
Storage and archiving requirements
Accountability issues
Performance
Documentation
IBM Data Encryption for IMS and DB2 Databases User's Guide V1R1, SC18-7336-02
For enciphered data to be processed elsewhere, the other machine must have crypto capability and access to the same key value as was used to encrypt that data
Tested in DB2 and IMS environments to ensure compatibility with all interfaces
IMS Encryption
Program passes a segment REPL, ISRT, or LOAD request to the IMS control region
IMS determines, using the DBD, that a Segment Edit/Compression exit is required
IMS loads and calls the exit, passing it the unencrypted segment
Exit invokes ICSF services
IMS puts the encrypted segment into the database
IMS Decryption
IMS application program passes a segment GET request to the IMS control region
IMS determines, from the DBD, that a Segment Edit/Compression exit is required
IMS loads and calls the exit, passing it the encrypted segment
Exit invokes ICSF services
IMS passes the decrypted segment back to the application
DB2 Encryption
DB2 application program passes a row to DB2
DB2 determines, by the presence of an EDITPROC on the table, that the exit is required
DB2 loads and calls the exit, passing it the unencrypted row
Exit invokes ICSF services
DB2 puts the encrypted row into the table
DB2 Decryption
DB2 application program requests data from DB2
DB2 determines, by the presence of an EDITPROC on the table, that the exit is required
DB2 loads and calls the exit, passing it the encrypted row
Exit invokes ICSF services
DB2 passes the decrypted row back to the application
IMS
Provides sample job DECIMSJB in PDS smphlq.SDECSAMP
DB2
Provides sample job DECDB2JB in PDS smphlq.SDECSAMP
Generic to either database
Replace the yyyyyyyyyy (at the end of the job) with the encryption key label built by the security analyst
Also provides an alternative in the form of a panel interface to create the user exit:
EX 'smphlq.SDECCEXE(DECENC04)' 'smphlq'
For a more user-friendly key entry process that allows key knowledge separation (the key is entered in parts by different people, so no one person knows the whole key), use PRS189, ICSF Key Part Entry Sample Application for ISPF Panels, from www.ibm.com/support/techdocs
Summary
Not an integrated solution, but well tested and the best option available
Replaces the earlier EDITPROC encryption code that may have been obtained 'AS IS'
Requires no application changes
Database changes may need to occur:
To ensure the targeted data is protected, data may need to be rearranged (the exits encrypt whole rows or segments, so sensitive fields must live in the tables or segments that carry the exit)
Adjustments for database product restrictions or considerations
Understanding IBM Crypto will be crucial to adhering to the regulations/requirements driving this solution
Weigh the options available: not every segment or table needs to be encrypted
Evaluate the need for encryption/decryption in cross-platform and/or sysplex environments, and for disaster recovery