1. Strengthen your security posture! Getting started with IBM Z Pervasive Encryption
Tony Pearson
IBM Master Inventor, Senior IT Management Consultant, TechU Content Manager
2019 IBM Systems Technical University
15-17 Oct 2019 | Sydney, Australia
2. Agenda
IBM Systems Technical University © Copyright IBM Corporation 2019 2
• What is Pervasive Encryption?
• Understanding IBM Z Crypto
• How to Get Started with z/OS Data Set Encryption
3. Data protection and compliance are business imperatives
• 28% – Likelihood of an organization having a data breach in the next 24 months (1)
• $3.6M – Average cost of a data breach in 2017 (2)
• Of the 13 Billion records breached since 2013, only 4% were encrypted (3)
“It’s no longer a matter of if, but when …”
Compliance mandates: Health Insurance Portability and Accountability Act (HIPAA); European Union General Data Protection Regulation (GDPR); Payment Card Industry Data Security Standard (PCI-DSS)
1, 2 Source: 2017 Ponemon Cost of Data Breach Study: Global Overview -- http://www.ibm.com/security/data-breach/
3 Source: Breach Level Index -- http://breachlevelindex.com/
Extensive use of encryption is one of the most impactful ways to help reduce the risks and financial losses of a data breach and help meet complex compliance mandates.
4. Implementing Encryption can be complex
— Michael Jordan, IBM Distinguished Engineer, IBM Z Security
5. Pervasive encryption: A paradigm shift in data protection
Focus on eliminating barriers:
• Decouple encryption from classification
• Extensive application changes
• Encryption of database indexes and/or key fields
• High cost associated with processor overhead
Protecting only enough data to achieve compliance should be the bare minimum, not a best practice.
6. Unrivaled Data Protection — No Application Changes — No Impact to SLAs
IBM Z and LinuxONE are the world’s most secure servers
Protect your data with encryption in-flight and at-rest with new capabilities in hardware, OS, and middleware.
7. How does encryption and decryption work?
Encryption: supply a cryptographic key value and clear text to a cryptography algorithm to produce cipher text.
  Clear Text → [Encrypt] → Cipher Text
Decryption: supply a cryptographic key value and cipher text to a cryptography algorithm to produce clear text.
  Cipher Text → [Decrypt] → Clear Text
But what are cryptographic keys?
8. Security Strength is based on Algorithm and Number of Bits in Key
Comparable key lengths (bits) per algorithm, with the strength expressed in years:
  AES    RSA     ECC    Years
  -      1024    160    10^6
  -      2048    224    10^9
  128    3072    256    10^15
  192    7680    384    10^33
  256    15360   512    10^51
AES – Advanced Encryption Standard
RSA – Rivest Shamir Adleman
ECC – Elliptic Curve Cryptography
Symmetric Key (AES 256)
• Same key is used to encrypt/decrypt
• Fast, ideal for large amounts of data
• Must keep the key secret
  Data → [E, key] → Data* → [D, key] → Data
Asymmetric Key (RSA 2048)
• Pairs of different keys are used to encrypt & decrypt data
• Encrypt with “Public” key; it may be distributed widely without fear of compromise
• Decrypt with “Private” key; must keep this key secret
  Data → [E, “Public” key] → Data* → [D, “Private” key] → Data
9. Two-Tier Encryption Scheme
Problem: Realtors, landlords, and apartment managers must carry hundreds of keys, one unique to each dwelling unit.
Solution: All units have their unique key kept inside a locked box hanging on the door knob. Realtors, landlords, and apartment managers carry a single master key that opens every lockbox.
Encryption: Each flash, disk, or tape is assigned a unique symmetric “Operational Data Key” (A). The data key itself is encrypted, or “wrapped”, with the Master “encrypting key” (B).
Decryption: The Operational Data Key is decrypted with the Master “decrypting key”; the unique Operational Data Key is then used as needed.
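The two-tier scheme above, worked through in code. This is an added example and not code from the deck or from IBM: it uses AES-256-GCM from the Go standard library for both tiers (the real platform keeps the master key inside a Crypto Express HSM and uses CPACF wrapping keys and XTS for data, none of which is reproduced here). The names WrapDataKey, UnwrapDataKey, EncryptData, DecryptData and RewrapDataKey are the example's own; the sample record is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// WrappedKey is what is stored with the data: the operational data key
// encrypted ("wrapped") under the master key, plus the nonce used to wrap it.
type WrappedKey struct {
	Nonce []byte
	Blob  []byte
}

// seal encrypts plaintext under a 32-byte key with AES-256-GCM and a fresh nonce.
func seal(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or a tampered blob fails authentication.
func open(key, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// NewKey generates a random 256-bit key (used for master and data keys alike here).
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// WrapDataKey: tier 1, the master "encrypting key" protects the operational data key.
func WrapDataKey(masterKey, dataKey []byte) (WrappedKey, error) {
	nonce, blob, err := seal(masterKey, dataKey)
	return WrappedKey{Nonce: nonce, Blob: blob}, err
}

// UnwrapDataKey: tier 1, only a holder of the master key recovers the data key.
func UnwrapDataKey(masterKey []byte, w WrappedKey) ([]byte, error) {
	return open(masterKey, w.Nonce, w.Blob)
}

// EncryptData / DecryptData: tier 2, the operational data key protects the bulk data.
func EncryptData(dataKey, plaintext []byte) (nonce, ciphertext []byte, err error) {
	return seal(dataKey, plaintext)
}

func DecryptData(dataKey, nonce, ciphertext []byte) ([]byte, error) {
	return open(dataKey, nonce, ciphertext)
}

// RewrapDataKey rotates the master key: only the small wrapped key is
// re-encrypted; the bulk data encrypted under the data key is left untouched.
func RewrapDataKey(oldMaster, newMaster []byte, w WrappedKey) (WrappedKey, error) {
	dk, err := UnwrapDataKey(oldMaster, w)
	if err != nil {
		return WrappedKey{}, fmt.Errorf("rewrap: %w", err)
	}
	return WrapDataKey(newMaster, dk)
}

func main() {
	master, _ := NewKey()
	dk, _ := NewKey()
	w, _ := WrapDataKey(master, dk)
	record := []byte("constructed sample record") // constructed input
	nonce, ct, _ := EncryptData(dk, record)
	recovered, _ := UnwrapDataKey(master, w)
	pt, _ := DecryptData(recovered, nonce, ct)
	fmt.Println("round trip ok:", bytes.Equal(pt, record))
}
```

The point a practitioner should take from this is the rotation path: changing the master key re-wraps a 32-byte blob per data set, while the data itself is never re-encrypted, which is why the lockbox analogy scales to hundreds of units.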
10. Pervasive Encryption with IBM Z – Enabled through tight platform integration
Unrivaled data protection: Protect IBM Z data with encryption in-flight and at-rest with capabilities in hardware, OS, and middleware.
• Integrated Crypto Hardware – Hardware accelerated encryption on every core, CPACF performance improvements of 7x; Crypto Express6S – PCIe Hardware Security Module (HSM) & Cryptographic Coprocessor
• Data at Rest – Broadly protect Linux file systems and z/OS data sets using policy controlled encryption that is transparent to applications and databases
• Clustering – Protect z/OS Coupling Facility data end-to-end, using encryption that’s transparent to applications
• Network – Protect network traffic using standards based encryption from end to end, including encryption readiness technology to ensure that z/OS systems meet approved encryption criteria
• Secure Service Container – Secure deployment of software appliances including tamper protection during installation and runtime, restricted administrator access, and encryption of data and code in-flight and at-rest
• Key Management – The IBM Enterprise Key Management Foundation (EKMF) provides real-time, centralized secure management of keys and certificates with a variety of cryptographic devices and key stores
11. Pervasive Encryption with IBM z Systems – Technical Foundation
z14 -- Designed for Pervasive Encryption
• CPACF – Dramatic advance in bulk symmetric encryption performance
• Crypto Express6s – Doubling of asymmetric encryption performance for TLS handshakes
• CFCC – Designed for CF data encryption (wrapped encryption key stored for recovery scenarios)
z/OS -- New approach to encryption of in-flight and at-rest data
• z/OS data set encryption – Transparent encryption of data at-rest
• z/OS CF encryption – Transparent end-to-end encryption of CF data
• z/OS Communication Server – Intelligent Network Security discovery & reporting
Linux on z/LinuxONE -- Full Power of Linux Ecosystem combined with z14 Capabilities
• LUKS dm-crypt – Transparent file and volume encryption using industry unique CPACF protected-keys
• Network Security – Enterprise scale encryption and handshakes using z14 CPACF and SIMD
• Secure Service Container – Automatic protection of data and code for virtual appliance
Software-only elements expected on previous generation of z Systems with differentiated value for z14
12. Agenda
• What is Pervasive Encryption?
• Understanding IBM Z Crypto
• How to Get Started with z/OS Data Set Encryption
13. z14 Integrated Cryptographic Hardware
CP Assist for Cryptographic Functions (CPACF)
• Hardware accelerated encryption on every microprocessor core
• Performance improvements of up to 7x for selective encryption modes
Suited for high speed bulk symmetric encryption
Crypto Express6S
• Next generation PCIe Hardware Security Module (HSM)
• Performance improvements up to 2x
• Industry leading FIPS 140-2 Level 4 Certification Design
Suited for high value transactions, key protection and asymmetric acceleration
Why is it valuable:
• More performance = lower latency + less CPU overhead for encryption operations
• Highest level of protection available for encryption keys
• Industry exclusive “protected key” encryption
14. Protecting Operational Keys: Using Secure & Protected Keys
Operational keys should not be stored in the clear in the host environment. Secure keys are strongly recommended for persistent key storage (e.g. key data sets). Protected keys are recommended for storing keys in address space memory (e.g. Db2, DFSMS).
Only protected keys created from secure keys should be used for Pervasive Encryption.
Clear Key: Key values are not encrypted. Crypto operations may be performed in CPACF or on a Crypto Express adapter.
Secure Key: Key values are encrypted under a Master Key. Crypto operations are performed only on a Crypto Express adapter.
Protected Key: Key values are encrypted under a CPACF wrapping key. Crypto operations are performed only using CPACF.
Note: With z/OS data set encryption, protected keys are implicitly created from secure keys.
15. What IBM tools are available to manage keys?
Enterprise Key Management Foundation (EKMF)
EKMF securely manages keys and certificates for cryptographic coprocessors, hardware security modules (HSM), cryptographic software, ATMs, and point of sale terminals.
Supports Operational Keys
Trusted Key Entry (TKE) Workstation
TKE securely manages multiple Cryptographic Coprocessors and keys on various generations of IBM Z from a single point of control.
Supports Master Keys and Operational Keys
Security Key Lifecycle Manager (SKLM)
SKLM v2.7 provides key storage, key serving and key lifecycle management for IBM and non-IBM storage solutions using the OASIS Key Management Interoperability Protocol (KMIP) and IBM Proprietary Protocol (IPP).
Supports Operational Keys for Self Encrypting Devices (SEDs)
Integrated Cryptographic Services Facility (ICSF)
ICSF provides callable services and utilities that generate, store, and manage keys, and also perform cryptographic operations.
Supports Master Keys and Operational Keys
16. Enterprise Key Management Considerations
Encryption of data at enterprise scale requires robust key management
The current key management landscape can be characterized by clients who have …
… already deployed an enterprise key management solution
… developed a self-built key management solution
… not deployed an enterprise key management solution
Key management for pervasive encryption must provide …
• Policy based key generation
• Policy based key rotation
• Key usage tracking
• Key backup & recovery
EKMF: The IBM Enterprise Key Management Foundation (EKMF) provides real-time, centralized secure management of keys and certificates in an enterprise with a variety of cryptographic devices and key stores.
17. Agenda
• What is Pervasive Encryption?
• Understanding IBM Z Crypto
• How to Get Started with z/OS Data Set Encryption
18. The Encryption Pyramid
Multiple layers of encryption for data at rest provide robust data protection
19. z/OS Data Set Encryption – Encryption keys
Key label: 64-byte label of a key in the ICSF Cryptographic Key Data Set (CKDS)
• Required to access an encrypted data set
Encryption data key:
• Requires an AES-256 bit key
• Must be set up in CSFKEYS as a protected key
• Recommend secure keys (protected by Crypto Express AES Master Key)
Encryption mode:
• DFSMS uses XTS mode
20. z/OS Data Set Encryption – Client Value
Clients who are required to protect customer data can leverage the IBM Z hardware encryption for data at rest through existing policy management… without application changes.
A. No application changes required
B. Data set level granularity
C. Supports separation of access control for data set and encryption key label
D. Enabled through RACF and / or SMS policy
E. Audit readiness
Designed to take advantage of the processing power of the z14
21. A. Application transparency via access methods
— Supported access methods/data set types
• BSAM and QSAM
o Sequential extended format data sets
• VSAM and VSAM/RLS
o VSAM (KSDS, ESDS, RRDS, VRRDS, LDS) extended format data sets
— Supported access methods/data set types new for z/OS 2.4
• BPAM, BSAM and QSAM
o PDSEs (data members)
Transparent! No application changes or awareness that sequential or VSAM data is encrypted when accessed using the standard access method APIs.
Covers DB2, IMS, zFS, CICS/VSAM, Middleware, Logs, Batch, & ISV Solutions*. Refer to product documentation for information regarding support.
(*) Note: For those applications that use the licensed Media Manager services, changes to Media Manager interfaces are required to access encrypted data sets.
22. B. Naming Conventions & Granular Access Control
Leveraging naming conventions & z Security to enforce separation across application instances
(Diagram: a PROD environment with MKPROD and a PROD CKDS; App1, App2, …, AppN each have their own data (Data1, Data2, …, DataN) and their own key labels PROD.App1.Data1.VerX, PROD.App2.Data2.VerX, …, PROD.AppN.DataN.VerX held in the PROD CKDS.)
Naming conventions can be used to segment applications, data, and keys, e.g.
–Environment: PROD, QA, TEST, DEV
–Application: App1, App2,…, AppN
–Data-Type: Account, Payroll, Log
–Version: Ver1, Ver2,…,Verx
Application resources (data sets, encryption keys) can be assigned names based on naming conventions, e.g.
–PROD.APP2.LOG.VER10
–PROD.APP1.PAYROLL.KEY.VER7
Security rules can be used to enforce separation with granular access control for application resources and encryption keys
Flexible! Data set encryption is designed to be flexible in allowing as much granularity as desired when identifying key labels for data sets. There is no limit as to how many key labels and encryption keys are used across the data sets… however, planning for key management is critical.
Life of the data set is life of the key!
23. C. Access Control - Segregation of Duties
Data owners that must access content will need authority to access the data set as well as access to the encryption key label
Storage administrators who only manage the data sets need access to the data set but not access to the key label (thus protecting access to the content)
Different keys can be used to protect different data sets – ideal for multiple tenants or data set specific policies.
Prevent administrators from accessing the content
Many utilities can process data preserving encrypted form
• COPY, DUMP and RESTORE
• Migrate/Recall, Backup/Recover, Dump/Data Set Restore
• PPRC, XRC, FlashCopy®, Concurrent Copy, etc.
Roles: Data owner – manages the content; System administrator – manages the data set
Limit access to data in clear! Remove certain roles from compliance scope… by controlling access to the data through SAF permissions.
24. D. Creating encrypted data sets via policy
— A data set is defined as ‘an encrypted data set’ when a key label is supplied on allocation of a new data set of a supported data set type for data set encryption
• sequential extended format
o Note: Allocated as extended format version 2, regardless of user's specification for version number on DSNTYPE or the PS_EXT_VERSION keyword in IGDSMSxx member in PARMLIB.
• VSAM extended format
— A key label can be supplied in any of the following sources (in order of precedence as follows):
• Security policy: RACF data set profile DFP segment
• Explicitly: JCL, Dynamic Allocation, TSO Allocate, IDCAMS DEFINE
• SMS policy: Data class
o To allocate via ISPF 3.2, can specify a data class with key label
Ease of use! Easy to create an encrypted data set just by specifying a key label. Even easier when enabled via RACF or SMS policy.
25. E. Audit readiness
Auditors can rely on system interfaces, not individuals, for compliance
Data set encryption attributes displayed in various system interfaces
–SMF records
–DCOLLECT records
–LISTCAT
–IEHLIST LISTVTOC
Simplifies compliance! Allows enhanced tooling to help simplify the audit process.
26. Data set encryption – High Level Steps
1. Generate an encryption key and key label, store it in the CKDS. (ICSF Admin)
2. Setup RACF for use of key label (Security Admin):
   - Allow secure key to be used as protected key via ICSF segment: SYMCPACFWRAP, SYMCPACFRET
   – AND –
   - Grant access to key label
   – AND –
   - In RACF, permit access to new resource in FACILITY class
3. Associate the key label with the desired data set(s):
   - In RACF, alter DFP segment in data set profile - DATAKEY() (Security Admin)
   – OR –
   - In DFSMS, assign to data class (Storage Admin)
4. Create new data (User) OR migrate to encrypted data (User, DBA, Storage Admin):
   - DB2: Online Reorg – Non-disruptive
   - IMS HA Database: Online Reorg – Non-disruptive
   - zFS Container: zfsadmin encrypt – Non-disruptive
   - VSAM or Seq data set: 1. Stop application, 2. Copy data, 3. Restart application (consider zDMF)
Defining a robust key management strategy is critical!
27. 1. Prepare ICSF CKDS for use
Role: ICSF Admin
— ICSF Admin must ensure encryption keys exist
• Secure AES256 data encryption keys/key labels defined in CKDS
o Use Crypto Express to protect keys in the CKDS as secure keys
— Various methods available to create keys, for example
• IBM Enterprise Key Management Foundation (EKMF)
• ICSF CKDS Keys Panel (HCR77C1)
• ICSF APIs (CSNBKGN, CSNBKRC2)
• ICSF KGUP
Data keys must be accessible EVERYWHERE that the encrypted data sets must be accessed.
28. Data set encryption – High Level Steps (step overview repeated; see slide 26)
29. 2. Prepare system to allow data set encryption
Role: Security Admin
Security Admin must consider whether migration action should prevent creation of encrypted data sets via resource in FACILITY class: STGADMIN.SMS.ALLOW.DATASET.ENCRYPT
• Ensure all systems that may need to access the data have the CKDS with key material required to decrypt the data sets AND are at the correct HW/SW levels.
  RDEFINE FACILITY STGADMIN.SMS.ALLOW.DATASET.ENCRYPT UACC(NONE)
• To allow the system to create encrypted data sets when the key label is specified via a method outside of the DFP segment in the RACF data set profile, the user must have at least READ authority to the resource in the FACILITY class.
  PERMIT STGADMIN.SMS.ALLOW.DATASET.ENCRYPT CLASS(FACILITY) ID(*) ACCESS(READ)
Allows security admin to control who can create encrypted data sets.
30. 2. Prepare system to allow data set encryption
Role: Security Admin
Security Admin must consider whether allocation of non-extended format data sets with key label should result in allocation failure via resource in FACILITY class: STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC
• Default allows successful allocation for non-encrypted non-extended format data sets. Info message is issued in this case.
  RDEFINE FACILITY STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC UACC(NONE)
• To fail the allocation, the user must have at least READ authority to the resource in the FACILITY class.
  RALTER FACILITY STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC UACC(READ)
Allows security admin to control whether key label should be ignored for unsupported data set types.
31. 2. Set up access to key labels via CSFKEYS class
Role: Security Admin
Security Admin sets up profiles in the CSFKEYS class based on installation requirements.
Any user that must access data in the clear must have access to the key label
• Must update the ICSF segment of the covering profile to allow ICSF to return a protected key: SYMCPACFWRAP(YES) SYMCPACFRET(YES)
— Examples
• Define profile such that no one has access to the key label
  RDEFINE CSFKEYS DATASET.keylabel.v1 UACC(NONE) ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
• Allow key label to be used by JOHN when accessed by any application
  PERMIT DATASET.keylabel.v1 CLASS(CSFKEYS) ID(JOHN) ACCESS(READ)
• Allow key label to be used by MIKE only when accessed by DFSMS
  PERMIT DATASET.keylabel.v1 CLASS(CSFKEYS) ID(MIKE) ACCESS(READ) WHEN(CRITERIA(SMS(DSENCRYPTION)))
Allows security admin to control who can access data in the clear.
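The segregation of duties from slide 23 and the CSFKEYS examples on this slide, modelled as a small decision function. This is an added example, not code from the deck or an IBM API: it reproduces the two SAF checks in plain Go (READ on the DATASET profile, then READ on the CSFKEYS profile for the key label, with the WHEN(CRITERIA(SMS(DSENCRYPTION))) condition and the ICSF segment requirement), so a reviewer can see who ends up with clear text and who only ever sees ciphertext. The users JOHN and MIKE and the label DATASET.keylabel.v1 come from the slide; STGADM, OUTSIDER and the data set name are constructed.

```go
package main

import "fmt"

// AccessContext distinguishes DFSMS data set encryption from a direct ICSF
// call; WHEN(CRITERIA(SMS(DSENCRYPTION))) conditions a PERMIT on this.
type AccessContext int

const (
	ViaDFSMS   AccessContext = iota // access method decrypting an encrypted data set
	ViaICSFAPI                      // application calling ICSF key services directly
)

// Permit models one PERMIT ... CLASS(CSFKEYS) ID(user) ACCESS(READ) entry.
type Permit struct {
	User         string
	OnlyViaDFSMS bool // granted WHEN(CRITERIA(SMS(DSENCRYPTION)))
}

// KeyLabelProfile models a CSFKEYS profile together with its ICSF segment.
type KeyLabelProfile struct {
	Label        string
	Permits      []Permit
	SymCPACFWrap bool // ICSF(SYMCPACFWRAP(YES))
	SymCPACFRet  bool // ICSF(SYMCPACFRET(YES))
}

// DataSetProfile models the DATASET profile covering the data set; DataKey is
// the key label from its DFP segment ("" when the data set is not encrypted).
type DataSetProfile struct {
	Name    string
	Readers map[string]bool // users with at least READ on the data set
	DataKey string
}

type Decision string

const (
	ClearText  Decision = "content readable in the clear"
	CipherOnly Decision = "data set accessible in encrypted form only"
	Denied     Decision = "no access to the data set"
)

// allowsProtectedKey says whether ICSF would hand this user a protected key.
func (p KeyLabelProfile) allowsProtectedKey(user string, ctx AccessContext) bool {
	if !(p.SymCPACFWrap && p.SymCPACFRet) {
		return false // ICSF segment not set: no protected key is returned to anyone
	}
	for _, pe := range p.Permits {
		if pe.User == user && (!pe.OnlyViaDFSMS || ctx == ViaDFSMS) {
			return true
		}
	}
	return false
}

// Evaluate combines the two SAF checks: data set access and key label access.
func Evaluate(user string, ds DataSetProfile, labels map[string]KeyLabelProfile, ctx AccessContext) Decision {
	if !ds.Readers[user] {
		return Denied
	}
	if ds.DataKey == "" {
		return ClearText // unencrypted data set: data set access is enough
	}
	lp, defined := labels[ds.DataKey]
	if !defined || !lp.allowsProtectedKey(user, ctx) {
		return CipherOnly // COPY/DUMP/RESTORE still work; content stays opaque
	}
	return ClearText
}

// SampleSetup is a constructed environment mirroring the slide's PERMIT examples.
func SampleSetup() (DataSetProfile, map[string]KeyLabelProfile) {
	ds := DataSetProfile{
		Name:    "PROD.APP1.PAYROLL.VER1", // constructed name
		Readers: map[string]bool{"JOHN": true, "MIKE": true, "STGADM": true},
		DataKey: "DATASET.keylabel.v1",
	}
	labels := map[string]KeyLabelProfile{
		"DATASET.keylabel.v1": {
			Label:        "DATASET.keylabel.v1",
			SymCPACFWrap: true,
			SymCPACFRet:  true,
			Permits: []Permit{
				{User: "JOHN"},                     // any application
				{User: "MIKE", OnlyViaDFSMS: true}, // only through DFSMS
			},
		},
	}
	return ds, labels
}

func main() {
	ds, labels := SampleSetup()
	for _, u := range []string{"JOHN", "MIKE", "STGADM", "OUTSIDER"} {
		fmt.Printf("%-8s via DFSMS: %-45s via ICSF API: %s\n",
			u, Evaluate(u, ds, labels, ViaDFSMS), Evaluate(u, ds, labels, ViaICSFAPI))
	}
}
```

The STGADM case is the one worth checking in any real review: a storage administrator with READ on the data set but no CSFKEYS permit can still run COPY, DUMP and RESTORE, yet never obtains the protected key, so the content stays out of that role's compliance scope.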
32. Data set encryption – High Level Steps (step overview repeated; see slide 26)
33. 3. Creating encrypted data sets – supplying key labels
Roles: Security Admin, Storage Admin, User
A data set is defined as ‘encrypted’ when a key label is supplied on create of a sequential or VSAM extended format data set.
Options for assigning key label (with order of precedence):
• Security policy: RACF data set profile DFP segment
o Security Admin can update RACF DS profile to request encryption by adding key label: DATAKEY
Note: Key label specified in the DFP segment is used regardless of the ACSDEFAULTS(xx) setting specified in SYS1.PARMLIB(IGDSMSxx)
• JCL, Dynamic Allocation, TSO Allocate, IDCAMS DEFINE
o User can modify JCL or program to request encryption by adding key label: JCL DSKEYLBL, Dynalloc DALDKYL, DEFINE KEYLABEL
• SMS policy: Data Class
o Storage Admin can update specific data class(es) via ISMF to request encryption by adding: Data Set Key Label.
o Storage Admin can update ACS routines to select data classes enabled for data set encryption.
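The allocation-time decision described on this slide and on the two "Prepare system" slides (29 and 30), worked through as one function. This is an added example, not code from the deck or from z/OS: ResolveKeyLabel applies the precedence DFP segment > explicit (JCL/DYNALLOC/IDCAMS) > SMS data class, and Allocate then applies the two FACILITY-class controls STGADMIN.SMS.ALLOW.DATASET.ENCRYPT and STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC. The Facility map, the field names of AllocRequest and the sample labels are the example's own; how real RACF treats an undefined FACILITY profile is not stated on the slides, so this model treats it as granting nothing (an assumption, noted in the code).

```go
package main

import "fmt"

// LabelSource lists where a key label can come from, in order of precedence.
type LabelSource int

const (
	NoLabel    LabelSource = iota
	DFPSegment             // RACF data set profile DFP segment DATAKEY
	Explicit               // JCL DSKEYLBL, DYNALLOC DALDKYL, IDCAMS DEFINE KEYLABEL
	DataClass              // SMS data class "Data Set Key Label"
)

// AllocRequest carries the allocation inputs that matter for the decision.
type AllocRequest struct {
	User           string
	ExtendedFormat bool   // sequential or VSAM extended format (supported types)
	DFPDataKey     string // DATAKEY from the covering RACF DATASET profile
	ExplicitLabel  string // from JCL, dynamic allocation, TSO ALLOCATE or IDCAMS DEFINE
	DataClassLabel string // from the SMS data class
}

const (
	AllowEncrypt    = "STGADMIN.SMS.ALLOW.DATASET.ENCRYPT"
	FailInvalidType = "STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC"
)

// Facility maps a FACILITY-class profile to the users holding at least READ;
// "*" stands for UACC(READ). A profile missing from the map grants nothing in
// this model (an assumption; the slides do not cover an undefined profile).
type Facility map[string]map[string]bool

func (f Facility) hasRead(profile, user string) bool {
	users := f[profile]
	return users[user] || users["*"]
}

type Outcome struct {
	Allocated bool
	Encrypted bool
	KeyLabel  string
	Source    LabelSource
	Message   string
}

// ResolveKeyLabel applies the precedence DFP segment > explicit > data class.
func ResolveKeyLabel(r AllocRequest) (string, LabelSource) {
	switch {
	case r.DFPDataKey != "":
		return r.DFPDataKey, DFPSegment
	case r.ExplicitLabel != "":
		return r.ExplicitLabel, Explicit
	case r.DataClassLabel != "":
		return r.DataClassLabel, DataClass
	}
	return "", NoLabel
}

// Allocate decides whether the data set is created and whether it is encrypted.
func Allocate(r AllocRequest, f Facility) Outcome {
	label, src := ResolveKeyLabel(r)
	if src == NoLabel {
		return Outcome{Allocated: true, Message: "no key label: allocated non-encrypted"}
	}
	if !r.ExtendedFormat {
		// Unsupported type with a key label: fail only if the installation opted in.
		if f.hasRead(FailInvalidType, r.User) {
			return Outcome{Message: "failed: key label supplied for unsupported data set type"}
		}
		return Outcome{Allocated: true, Message: "info: key label ignored for unsupported data set type"}
	}
	// A label from anywhere but the DFP segment also needs READ on the ALLOW resource.
	if src != DFPSegment && !f.hasRead(AllowEncrypt, r.User) {
		return Outcome{Message: "failed: " + r.User + " lacks READ on " + AllowEncrypt}
	}
	return Outcome{Allocated: true, Encrypted: true, KeyLabel: label, Source: src,
		Message: "allocated as an encrypted data set"}
}

func main() {
	// PERMIT ... ID(*) ACCESS(READ) on ALLOW, FAIL profile defined with UACC(NONE).
	fac := Facility{AllowEncrypt: {"*": true}, FailInvalidType: {}}
	reqs := []AllocRequest{ // constructed requests
		{User: "JOHN", ExtendedFormat: true, ExplicitLabel: "DATASET.keylabel.v1"},
		{User: "JOHN", ExtendedFormat: true, DFPDataKey: "DATASET.dfp.v1", DataClassLabel: "DATASET.dc.v1"},
		{User: "JOHN", ExtendedFormat: false, ExplicitLabel: "DATASET.keylabel.v1"},
	}
	for _, r := range reqs {
		fmt.Printf("%+v -> %s\n", r, Allocate(r, fac).Message)
	}
}
```

Two behaviours are easy to miss when reading the slides separately and show up directly here: a label coming from the DFP segment bypasses the ALLOW check entirely, and an unsupported data set type with a label is silently allocated unencrypted unless the FAIL resource grants READ, which is exactly the case an auditor should be looking for.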
34. 3. Optionally, prepare for compressed format
Role: Storage Admin
A data set is defined as compressed format via COMPACTION option in data class
Assigning COMPACTION
• SMS policy: Data Class
o Storage Admin can update specific data class(es) via ISMF to request compressed format via COMPACTION option:
- Sequential extended format data sets support generic, tailored, or zEDC compression
- VSAM extended format KSDS supports generic compression (Only KSDS can be compressed format)
o Storage Admin can update ACS routines to select data classes enabled for compression
35. Data set encryption – High Level Steps (step overview repeated; see slide 26)
36. 4. How can Auditors be sure the data is encrypted?
— Encryption attributes displayed in various system interfaces
• SMF records
• DCOLLECT records
• LISTCAT
• IEHLIST LISTVTOC
• Catalog Search Interface (CSI)
• ISITMGT
— To view encrypted data, can use DFSMSdss PRINT Tracks
37. zSecure Pervasive encryption support
Command Verifier: Command Verifier policy for DATAKEY
Admin: Easy administration DATAKEY on DFP segment
Audit: Report on non-VSAM and VSAM data sets key labels
• Extend existing report types DSN / SENSDSN
Audit: Report key protection CSFKEYS
• New report types ICSF_SYMKEY, ICSF_PUBKEY
Audit: Report which systems sharing DASD can decrypt ds
Audit: Extend report type SMF
• Type 14/15 non-VSAM and Type 62 VSAM keylabel use
• ICSF
• zERT records to show encryption strengths
zSecure also collects, formats and enriches data set encryption information that is sent
to SIEMs including IBM QRadar® for enhanced enterprise-wide security intelligence.
38. z/OS Data Set Encryption – Evaluate impact
Estimating CPU Cost of Data Protection: z Batch Network Analyzer (zBNA) 1.8.1
zBNA Background:
• A no charge, “as is” tool originally designed to analyze batch windows
• PC based, and provides graphical and text reports
• Available on techdocs for customers, business partners, and IBMers: http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5132
• Previously enhanced for zEDC to identify & evaluate compression candidates
zBNA Encryption Enhancements:
• Enhanced to help clients estimate encryption CPU overhead based on actual client workload SMF data
• Ability to select z13 or z14 as target machine
• Support provided for
  • z/OS data set encryption
  • Coupling Facility encryption
Note: z/OS Capacity Planning tool zCP3000 also updated to provide encryption estimates: http://w3-03.ibm.com/support/americas/wsc/cpsproducts.html
Use zBNA to evaluate candidates for encryption, and for estimated CPU overhead if data sets are converted to data set encryption.
39. Final Thoughts
• Pervasive Encryption reduces the manual effort of deciding which data is encrypted
• IBM Z has hardware features to minimize performance overheads
• z/OS Data Set Level Encryption is a simple way to get started
40. Thank you!
Tony Pearson
tpearson@us.ibm.com
+1-520-799-4309
Please complete the Session Evaluation!
41. Resources
— Getting Started with z/OS Data Set Encryption Redbook
http://www.redbooks.ibm.com/redpieces/abstracts/sg248410.html?Open
— IBM Z pervasive encryption landing page
https://www.ibm.com/support/knowledgecenter/SSLTBW_2.3.0/com.ibm.zos.v2r3.izs/pervasiveEncryption.html
— IBM Z pervasive encryption solution guide (Knowledge Center)
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.izs/izs.htm
— IBM Z pervasive encryption FAQ:
https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=ZSQ03116USEN
— IBM Crypto Education page:
https://ibm.biz/BdiAah
— zPET Test Reports:
https://www.ibm.com/developerworks/community/groups/service/html/communitystart?communityUuid=43ea8e78-acbe-49f5-9290-379e4f4569cb
— MOP demo white paper:
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP102734
— Youtube Videos:
• Data Set Encryption: https://www.youtube.com/watch?v=zdSXRUSmkb4
• CF Encryption: https://www.youtube.com/watch?v=lTmsFWuJwJU
• zERT: https://www.youtube.com/watch?v=1CgEcCTX_o8
• MOP MPL Bank: https://www.youtube.com/watch?v=EP488nLdGts
43. Special Thanks
I would like to thank the following colleagues who contributed charts, insights, and review comments for these presentation materials
— Cecilia Carranza Lewis
— Barbara McDonald
— Eysha Powers
— Theresa Tai
44. About the Speaker
Tony Pearson is a Master Inventor, Senior IT Management Consultant, and Content Manager for the IBM Systems Technical University events. Tony joined IBM Corporation in 1986 in Tucson, Arizona, USA, and has lived there ever since. Tony presents briefings on storage topics covering the entire IBM Storage product line, IBM Spectrum Storage software products, and topics related to Cloud Computing, Analytics and Cognitive Solutions. He interacts with clients, speaks at conferences and events, and leads client workshops to help clients with strategic planning for IBM’s integrated set of storage management software, hardware, and virtualization solutions.
Tony writes the “Inside System Storage” blog, which is read by thousands of clients, IBM sales reps and IBM Business Partners every week. This blog was rated one of the top 10 blogs for the IT storage industry by “Networking World” magazine, and #1 most read IBM blog on IBM’s developerWorks. The blog has been published in a series of books, Inside System Storage: Volume I through V.
Over the past years, Tony has worked in development, marketing and consulting for various IBM Systems hardware and software products. Tony has a Bachelor of Science degree in Software Engineering, and a Master of Science degree in Electrical Engineering, both from the University of Arizona. Tony is an inventor or co-inventor of 19 patents in the field of IBM Systems and electronic data storage.
Tony Pearson
Master Inventor, Senior Management Consultant, IBM Systems Lab Services, IBM Storage
9000 S. Rita Road, Bldg 9032 Floor 1, Tucson, AZ 85744
+1 520-799-4309 (Office)
tpearson@us.ibm.com
45. My Social Media Presence
Blog*:
ibm.co/Pearson
LinkedIn:
https://www.linkedin.com/in/az990tony
Books:
www.lulu.com/spotlight/990_tony
IBM Expert Network on Slideshare:
www.slideshare.net/az990tony
Twitter:
twitter.com/az990tony
Facebook:
www.facebook.com/tony.pearson.16121
Instagram:
www.instagram.com/az990tony/
Email:
tpearson@us.ibm.com
* Not a typo. This is short URL for https://www.ibm.com/developerworks/mydeveloperworks/blogs/InsideSystemStorage/
46. Notices and disclaimers
— © 2019 International Business Machines Corporation. No part of
this document may be reproduced or transmitted in any form
without written permission from IBM.
— U.S. Government Users Restricted Rights — use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM.
— Information in these presentations (including information
relating to products that have not yet been announced by IBM)
has been reviewed for accuracy as of the date of
initial publication and could include unintentional technical or
typographical errors. IBM shall have no responsibility to update
this information. This document is distributed “as is” without
any warranty, either express or implied. In no event, shall IBM
be liable for any damage arising from the use of this
information, including but not limited to, loss of data, business
interruption, loss of profit or loss of opportunity.
IBM products and services are warranted per the terms and
conditions of the agreements under which they are provided.
— IBM products are manufactured from new parts or new and used
parts. In some cases, a product may not be new and may have been
previously installed. Regardless, our warranty terms apply.
— Any statements regarding IBM's future direction, intent or
product plans are subject to change or withdrawal without
notice.
— Performance data contained herein was generally obtained in a
controlled, isolated environment. Customer examples are
presented as illustrations of how those customers have used IBM
products and the results they may have achieved. Actual performance,
cost, savings or other results in other operating environments may vary.
— References in this document to IBM products, programs, or
services do not imply that IBM intends to make such products,
programs or services available in all countries in which
IBM operates or does business.
— Workshops, sessions and associated materials may have been
prepared by independent session speakers, and do not necessarily
reflect the views of IBM. All materials and discussions are provided
for informational purposes only, and are neither intended to, nor
shall constitute legal or other guidance or advice to any individual
participant or their specific situation.
— It is the customer’s responsibility to ensure its own compliance
with legal requirements and to obtain advice of competent legal
counsel as to the identification and interpretation of any
relevant laws and regulatory requirements that may affect the
customer’s business and any actions the customer may need to
take to comply with such laws. IBM does not provide legal advice
or represent or warrant that its services or products will ensure that
the customer follows any law.
47. Notices and disclaimers continued
— Information concerning non-IBM products was obtained from the suppliers
of those products, their published announcements or other publicly
available sources. IBM has not tested those products in connection with this publication
and cannot confirm the accuracy of performance, compatibility or any other
claims related to non-IBM products. Questions on the capabilities of non-
IBM products should be addressed to the suppliers of those products.
IBM does not warrant the quality of any third-party products, or the ability of
any such third-party products to interoperate with IBM’s products. IBM
expressly disclaims all warranties, expressed or implied, including but
not limited to, the implied warranties of merchantability and fitness for a
purpose.
— The provision of the information contained herein is not intended to, and
does not, grant any right or license under any IBM patents, copyrights,
trademarks or other intellectual property right.
— IBM, the IBM logo, ibm.com and [names of other referenced
IBM products and services used in the presentation] are
trademarks of International Business Machines Corporation,
registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other
companies. A current list of IBM trademarks is available on
the Web at "Copyright and trademark information" at:
www.ibm.com/legal/copytrade.shtml
48. This presentation uses the IBM Plex™ font
IBM Plex™ is our new typeface. It’s global, it’s versatile and it’s
distinctly IBM.
IBM Plex Sans: The IBM company is freeing itself from the cold, modernist cliché
and replacing Helvetica with a new corporate typeface. Also
replaces Arial, Calibri, Lucida Grande, Trebuchet, etc.
IBM Plex Mono: A little something for developers. Replaces
Courier New, Letter Gothic, Lucida Console, etc.
IBM Plex Serif: A hybrid of the third kind (combining the best of Plex, Bodoni,
and Janson into a contemporary serif). Replaces Cambria,
Garamond, Lucida Bright, Times New Roman, etc.
IBM Plex is freely available as TrueType and OpenType at: https://github.com/IBM/plex/releases
and looks consistently good across Windows, Linux and Mac.