IBM i Solutions
IBM I data privacy solutions
Protecting the privacy of IBM i (AS/400) data is crucial to meeting compliance regulations and avoiding the negative impacts of data breaches on your organization’s reputation and revenue
Key technology for assuring data privacy
For more than 30 years, the IBM i (still often referred to as the AS/400) has been used by organizations in every industry. Known as a transaction processing powerhouse, IBM i systems are relied upon by organizations focused on retail, entertainment, manufacturing, financial services, and more.
Everywhere they are used, IBM i servers are trusted to run businesses’ most critical workloads and hold their most sensitive data. Effective data privacy technology for IBM i should keep sensitive data obscured even if a hacker or unauthorized internal user is able to break through all other lines of defense. Keeping data private, even if it falls into the wrong hands, relies on four critical elements: encryption, tokenization, anonymization, and secure file transfer.
In cryptography, encryption is the process of obscuring information so that it is unreadable without a special key to decode it. Encrypting data on IBM i systems is an essential security measure as it adds a layer of protection against data breaches if an unauthorized user should gain access to the system.
Data encryption is required by most regulations related to consumer data privacy and for industries that store or process sensitive data. Encryption combines the implementation of one or more publicly available algorithms with a secret piece of data called an encryption key. Together, the algorithm and the encryption key turn plain text into unreadable text or ciphers. Data is then returned it to its original form for users with the proper key.
Encryption can be used to protect IBM i data at rest in Db2 database fields, IFS files, spooled files or on backup tapes. Beginning with IBM i 7.1, a Field Procedure (FieldProc) was added to Db2 for IBM i to significantly simplify encryption and enable encryption of data at rest without application changes.
Assure Encryption from Precisely automates encrypting and decrypting your data with NIST-certified AES encryption that is optimized for performance. In addition, Assure Encryption provides additional security features such as built-in masking, an audit trail, and integration with OASIS KMIP-compliant encryption key managers.
Learn more about Assure Encryption and how it can help you ensure the privacy of your data.
An encryption key must be used by an encryption algorithm to transform the data into ciphertext. A key can be a number, a word or a string of random characters. Keys can also be of different lengths (e.g. 128, 192 or 256 bits). As long as both the person protecting and reading data know the key, they can each use it to encrypt and decrypt data.
Encryption isn’t new, and older algorithms are vulnerable to hackers, which is why it’s important to protect your IBM i systems with algorithms that meet the latest standards. Because encryption algorithms are publicly available, and only encryption keys are private, it’s also important to implement a reliable system for creating, distributing, and storing those keys. Encryption keys should have a managed lifecycle that includes creation, activation, use, rotation, expiration, retirement, and destruction after a set period.
Some regulations, such as PCI DSS, require encryption key management practices such as separation of duties and dual-control processes in which two or more people are involved with managing encryption keys.
Learn more about IBM i encryption and the importance of key management in Precisely’s IBM i Encryption 101 eBook.
A different approach to shielding sensitive data is to replace this data with non-sensitive substitute values called “tokens.” Tokenization (also referred to as pseudonymization) substitutes sensitive data such as credit card or bank account numbers with non-sensitive, format-preserving tokens that map back to the sensitive data. When the original data is retrieved from the vault for authorized viewers, it can be additionally protected through measures such as masking.
Both encryption and tokenization address the security of IBM i data at rest. However, unlike encryption, tokenization cannot be algorithmically reversed to find the original value. Because tokens have no relationship to the data they replace, they can’t be “cracked.” Rather, the original data is stored in a database called a token vault that must be isolated, encrypted and secured.
Because tokenization separates sensitive data from production databases via the token vault, it reduces the risk of this data being exposed should the production database be breached. This approach has significant benefits when it comes to meeting compliance regulations because the production server, on which the sensitive data is tokenized, won’t be required to demonstrate compliance to auditors since no sensitive data is kept on that server.
Anonymization (sometimes called de-identification or redaction) is similar to tokenization, except that it permanently replaces sensitive data at rest with token values, eliminating the token vault. Non-recoverable tokens can preserve the format of the original data field, but the original data can never be retrieved.
Required by consumer data privacy regulations such as the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR), anonymization is an effective means of removing personal information from data sets shared with third parties. It is also commonly used for development or test environments. Anonymization is generally not used in production environments.
Some anonymization solutions integrate with high availability or disaster recovery replication solutions so that an anonymized environment (e.g. a business intelligence environment) is fed in real time with new data whose sensitive fields have been replaced by non-recoverable tokens.
Learn more about how anonymization is used to meet data privacy regulations by reading What the California Consumer Privacy Act (CCPA) and Similar Regulations Mean for You.
The trusted method for protecting files as they move over internal and external networks is encryption. Secure file transfer solutions protect data using forms of encryption that encrypt data while “in motion.” However, it’s not always enough to encrypt the file while it’s being transferred. For complete file transfer security, the file should also be encrypted at the source and destination points, so its contents cannot be viewed by unauthorized users at any time before or after the transfer.
Whether executing transfers between business partners, government agencies, reporting bureaus, or intra-company departments, a full-featured secure file transfer solution also automates file transfer management capabilities. These capabilities include process automation, application integration, and a centralized, consistent method of handling every aspect of the file transfer process.
Managed, secure file transfer solutions enable administrators to be assured of data security and free developers to focus their valuable time and attention on strategic priorities.
Learn how Assure Secure File Transfer from Precisely can shield your data from view as it moves across networks, automate the transfer process, and integrate it into existing workflows and applications.
Stay compliant. Stay secure.
Data breaches come with serious costs and consequences. As regulations expand, along with the tangible and intangible costs of violations, an effective data privacy solution is critical to allow your organization to:
- Achieve and maintain compliance with the data security requirements of GDPR, CCPA, PCI DSS, HIPAA, SOX, and other state and industry regulations;
- Protect intellectual property as well as the data entrusted to you by customers, partners, and employees;
- Ensure the privacy of confidential data both at-rest and in-motion;
- Provide real segregation of duties;
- Implement security best practices.
Assure Security offers encryption, tokenization, anonymization, and secure file transfer capabilities for IBM i. These features can be licensed individually or as the Assure Data Privacy feature bundle. In addition, Assure Security offers IBM i access control, elevated authority management, multi-factor authentication, alerting and reporting on system and database activity and more, to prevent security breaches and assure compliance.