Meeting the mainframe encryption and compliance challenge.

Protegrity: 31 January 2008 (Technical Article)
Ulf Mattsson, Protegrity's CTO, explains the best practice for securing data and meeting compliance requirements on mainframe computers.
Data wasn't always sexy, dangerous and madly desired by millions.

Not too long ago, the only people who were regularly mucking around with databases were the number crunchers, those nice folks who processed payroll and handled accounting chores. While we appreciated their efforts on our behalf, most of us also thought that database work must be kind of dreary. Those days are gone and now virtually everyone interacts effortlessly with databases during their daily rounds.

Our devotion to manipulating, monetising and mining data has had some interesting consequences. Data has quickly become a most precious business asset and, logically, an object of intense desire for thieves. Suddenly everyone isn't fretting as much about emailed malware; our attention has shifted to protecting data from outside and inside threats.

Just to make things more interesting, many databases were launched in some company systems with little centralised planning or oversight. We're far more aware now of the need to consolidate the planning, deployment and management of data repositories, but enterprises still harbour hidden islands of information in isolated databases. And as data flows from and to the mainframe through ever more complex infrastructures, applications and data collection devices, it is exposed to more eyes - authorised and unauthorised - than ever before.

Encryption across the enterprise is essential if a company wants to protect the value and integrity of its electronic records and comply with government and industry privacy regulations. It's important to remember that potential threats lurk both outside and inside the perimeter firewall. The best way to defend data is via a holistic security solution that comprehensively protects against threats no matter where they originate.

Obviously, the key part of any data protection solution is encryption, but all security applications work best when teamed with other layers of defence such as intrusion monitoring, application firewalls, role-based access, auditing and a carefully crafted and enforced security policy. But should all of these protections fail, encryption will be the last line of defence in a breached system - so it's important to get it right.

Best practices dictate that we must protect sensitive data at the point of capture, as it's transferred over the network (including internal networks) and when it is at rest. Protecting data only sometimes - such as sending sensitive information as clear text over wireless devices, over the internet or within your corporate network - defeats the point of encrypting information in the database. It's far too easy for information to be intercepted in its travels, so the sooner the encryption of data occurs, the more secure the environment.

Comprehensive encryption doesn't complicate authorised access to the protected information - decryption of the data can occur at any point throughout the data flow wherever there is a need for access. Decryption can usually be done in an application-transparent way with minimum impact to the operational environment.

Due to distributed business logic in application and database environments, organisations must be able to encrypt and decrypt data at different points in the network and at different system layers, including the database layer.

Encryption performed by the database management system can protect data at rest, but smart corporations will also require protection for data while it's moving between the applications and the database and between different applications and data stores.

One option for accomplishing this protection is to selectively parse data after the secure communication is terminated and encrypt sensitive data elements at a very granular level (usernames, passwords, and so on). Application-layer encryption and mature database-layer encryption solutions allow enterprises to encrypt granular data selectively into a format that can easily be passed between applications and databases without changing the data.

Some people try to pit encryption against more traditional methods of protecting data, such as DB2 teamed with Resource Access Control Facility (RACF) in z/OS environments. But the best defence comes from a layered approach to security; in our example that would be a combination of encryption and RACF.

DB2 and RACF work well together to ensure that only authorised users can access DB2 data. However, those security measures are ineffective against a person who can circumvent the operating system. One single security solution just doesn't offer the protection enterprises need in today's world, where demands for enhanced security have been growing as mainframe usage expands and as audit and compliance requirements become more stringent.

Security software, including encryption solutions, must also permit database administrators to do their work without impediment and shouldn't impose significant overhead on processing resources. It should allow managers to encrypt selected information by categorising it as sensitive, thus conserving system resources. One good approach is to build a protective layer of encryption around individual data items or objects to protect sensitive data wherever it's stored or processed.

Security solutions must also support various methods for authentication, including passwords, security diskettes, tokens, smart cards, biometrics and digital certificates. Such solutions should also allow technicians to implement and maintain the security environment from a single point of control. Security software should obviously also be highly scalable, with controls stored and executed locally at each target server.

We can't rely on applications to do all the work for us. Strong database security policies and procedures must be in place to accommodate the regulatory compliance environment. To comply with most privacy regulations you must protect, audit and segregate duties for sensitive data in databases. A mature encryption solution will offer automatic and enforced segregation of duties between DBAs and security officers. This enables centralised management of security parameters, as well as a system of integrity checks and self-protection of individual modules, user accounts and database extensions in distributed environments and across the leading relational databases, including web and internet-enabled database applications.

Businesses will want to look for solutions that offer centralised database security management to reduce cost, increase efficiency, reduce implementation complexity and comply with privacy regulations. 'Point' or manual solutions can't provide the proper levels of protection as the mainframe environment continues to grow and become more complex. Yet a recent study by the Ponemon Institute found that nearly 60% of U.S. businesses and government agencies still can't adequately deal with insider threats to their network, and 58% rely on manual controls to audit and manage user access to critical systems and databases.

Database auditing is another essential requirement for truly comprehensive security and privacy implementations. An integrated security programme that's continually audited and monitored provides the layers needed to maximise protection. Logs that track activities performed by security officers, records of user reads and updates, and unauthorised access attempts are critical. Managers can use this information to track trends, analyse potential threats, support future security planning, and assess the effectiveness of the solutions, policies and procedures already in place.

Auditing shouldn't be a huge data dump of every possible bit of information; to be useful it should be selective. Selective and granular auditing saves time and reduces performance concerns by focusing on sensitive data only. Ideally, the logs should focus on the most useful information for security managers; that is, activity around protected information. Limiting the accumulation of audit logs in this way means more critical security events are highlighted and reviewed. Effective audit trails are crucial to understanding what actions must be taken to protect sets of sensitive data. Logging events directly associated with the sensitive data in the database is essential.

Additionally, any mature mainframe security programme must provide secure automated encryption management - including secure encryption key protection, aging and replacement - across all platforms hosting critical information. The best solutions will minimise performance impact by monitoring only the information that's critical from a security point of view instead of entire databases. Privacy and security mandates and other business requirements will define which information requires this higher level of protection and audit. Focusing only on sensitive information optimises performance and maximises the usefulness of the protected security audit log. Companies should define their auditing strategies based on their knowledge of the application or database activity around sensitive data. The log should contain all relevant operations on critical data elements.
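The following is an added example, not code from the original article or from Protegrity, that ties together the granular item-level encryption, the key aging and replacement, and the selective auditing described above: sensitive columns are wrapped into a text token that passes through applications and databases unchanged, each token carries a key version so keys can be rotated without rewriting every row at once, and only operations on sensitive columns reach the audit log. The KeyStore, the SENSITIVE column set and the user names are assumptions, and an HMAC-based standard-library construction stands in for a real AEAD.

```python
import hashlib
import hmac
import os

# Constructed example, not Protegrity's product code: field-level encryption with
# versioned keys (so a key can be aged and replaced without rewriting every row at
# once) plus a selective audit log of operations on protected columns. Stdlib stand-in
# for an AEAD such as AES-GCM: HMAC-SHA256 keystream in CTR mode with an
# encrypt-then-MAC tag bound to the column name; use a real AEAD in production.
SENSITIVE = {"ssn", "card_number"}  # columns the privacy policy classes as sensitive
AUDIT_LOG = []                      # only events touching SENSITIVE columns land here

class KeyStore:  # held by the security officer; DBAs and apps never see raw keys
    def __init__(self):
        self.keys, self.current = {}, 0
        self.rotate()
    def rotate(self):  # key replacement: new writes use the new version, old ones stay readable
        self.current += 1
        self.keys[self.current] = os.urandom(32)
        AUDIT_LOG.append(("key_rotate", "security_officer", "*", f"v{self.current}"))

def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def protect(ks, user, field, value):
    if field not in SENSITIVE:
        return value  # selective: non-sensitive columns pass through in the clear
    ver, key = ks.current, ks.keys[ks.current]
    nonce, pt = os.urandom(16), value.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    tag = hmac.new(key, field.encode() + b":" + nonce + ct, hashlib.sha256).digest()[:16]
    AUDIT_LOG.append(("write", user, field, f"v{ver}"))
    return f"v{ver}:" + (nonce + ct + tag).hex()  # text token fits an existing VARCHAR column

def unprotect(ks, user, field, token):
    if field not in SENSITIVE:
        return token
    ver, blob = token.split(":", 1)
    key, raw = ks.keys[int(ver[1:])], bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-16], raw[-16:]
    expect = hmac.new(key, field.encode() + b":" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        AUDIT_LOG.append(("tamper", user, field, ver))
        raise ValueError("integrity check failed on " + field)
    AUDIT_LOG.append(("read", user, field, ver))
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))).decode()

def reprotect(ks, user, field, token):  # key aging: move a stored token to the current key
    return protect(ks, user, field, unprotect(ks, user, field, token))
```

Because the tag is bound to the column name, a token copied from one sensitive column into another fails its integrity check and is logged as a tamper event rather than silently decrypting.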

As we all know, companies, government agencies and health care providers - in fact, anyone who handles information about other people - must follow industry-specific rules regarding data privacy and systems security, and guidelines regarding proper use and access to customer data. Privacy requirements for protecting personal information typically include selective encryption of stored data, separation of duties, and centralised independent audit functions.

Auditing your network is one of the first steps towards achieving compliance with whatever regulations impact your industry. But after you perform that assessment it may become alarmingly apparent that complete compliance does not dovetail neatly with existing business procedures. In many cases changes in practices and policies are required in addition to technological solutions to achieve full compliance.

It's easy to feel overwhelmed by compliance requirements, but these regulations aren't something you can afford to ignore. Apart from businesses' implicit responsibility to protect consumer data, fines for non-compliance are steep - and costs for publicly reportable data breaches are punishing. All it takes is one successful attack to wipe out years of 'savings' on not implementing security. With security experts agreeing that online crime has become more sophisticated, more frequent and better organised over the past several years, do you really want to risk your bottom line, as well as customer and investor confidence, on the hopeful idea that it just won't happen to you?

Last but not least, remember the importance of creating a culture of security within the corporate environment, a culture where every employee - from the newest sales person to the MD or CEO - understands the importance of data privacy and protection. When a company has an embedded culture, everything that people in that company do naturally reflects that culture.

Simply following compliance guidelines to the letter ensures that your organisation may technically be in compliance, but that's not enough. Security measures that aren't understood and fully embraced across the enterprise can and will be circumvented. We can't count on software to protect our systems completely. Smart policies, procedures and people are just as important as choosing the right security solution.

Ulf Mattsson is chief technology officer at Protegrity and creator of the company's database security technology. His extensive IT and security industry experience includes 20 years with IBM as a manager of software development and a consulting resource to IBM's research and development organisation in IT architecture and IT security.