The IBM® i operating system (formerly IBM i5/OS®) is considered one of the most secure systems in the industry. From the beginning, security was designed as an integral part of the system. The System i® platform provides a rich set of security features and services that pertain to the goals of authentication, authorization, integrity, confidentiality, and auditing. However, if an IBM client does not know that a service, such as a virtual private network (VPN) or hardware cryptographic support, exists on the system, it will not use it.
In addition, there are more and more security auditors and consultants who are in charge of implementing corporate security policies in an organization. In many cases, they are not familiar with the IBM i operating system, but must understand the security services that are available.
Database security: Row and Column Access Control (RCAC)
Data is an asset. Some data is referred to as business critical because the company has an absolute need for the data to exist for the business to operate. Critical business assets merit a robust protection strategy. From a database perspective, clients consider topics like object access or table privileges to control who has the ability to access tables with the intent to read or the intent to change the data within the table. Row and Column Access Control (RCAC) capabilities provide DB2 for i clients additional constructs to limit the amount of data exposed to specific users. RCAC can be used once this operating system option is installed: 5770-SS1 BOSS Option 47, IBM Advanced Data Security for i.
RCAC provides several advantages:
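As an added illustration (not code from the page or from IBM), the following DB2 for i SQL defines a row permission and a column mask on a constructed HR table; the table, group profile HRADMIN, lookup table HR.USER_DEPT and the QIBM_DB_SECADM function usage for the issuing user are all assumptions.

```sql
-- Added example: RCAC on a constructed HR.EMPLOYEE table.
-- Assumes 5770-SS1 option 47 is installed and the issuing user has the
-- QIBM_DB_SECADM function usage needed to create permissions and masks.
CREATE TABLE HR.EMPLOYEE (
  EMPNO   CHAR(6)      NOT NULL PRIMARY KEY,
  NAME    VARCHAR(40)  NOT NULL,
  DEPT    CHAR(3)      NOT NULL,
  SSN     CHAR(11)     NOT NULL,
  SALARY  DECIMAL(9,2)
);

-- Row permission: members of group profile HRADMIN see every row;
-- everyone else sees only rows of their own department, looked up in the
-- assumed table HR.USER_DEPT (USERNAME, DEPT).
CREATE PERMISSION HR.EMP_ROW_ACCESS ON HR.EMPLOYEE
  FOR ROWS WHERE
       QSYS2.VERIFY_GROUP_FOR_USER(SESSION_USER, 'HRADMIN') = 1
    OR DEPT = (SELECT DEPT FROM HR.USER_DEPT WHERE USERNAME = SESSION_USER)
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Column mask: full SSN for HRADMIN, last four digits for everyone else.
CREATE MASK HR.EMP_SSN_MASK ON HR.EMPLOYEE
  FOR COLUMN SSN RETURN
    CASE WHEN QSYS2.VERIFY_GROUP_FOR_USER(SESSION_USER, 'HRADMIN') = 1
         THEN SSN
         ELSE 'XXX-XX-' CONCAT SUBSTR(SSN, 8, 4)
    END
  ENABLE;

-- Nothing is enforced until access control is activated on the table.
ALTER TABLE HR.EMPLOYEE ACTIVATE ROW ACCESS CONTROL;
ALTER TABLE HR.EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;

-- The same statement now returns different rows and a masked SSN depending
-- on who runs it; the application SQL does not change.
SELECT EMPNO, NAME, SSN, SALARY FROM HR.EMPLOYEE;
```

Because the rules live in the database rather than in each application, they also apply to ad hoc query tools and ODBC/JDBC clients that bypass the application layer.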
Secure data at rest
Secure your data at rest with the IBM i operating system option 45, Encrypted ASP Enablement. Data is encrypted when written out to disk and decrypted when read from disk. This function provides protection for your data when you lose physical control of the disk drive such as disk replacement where a drive fails, data flowing to a SAN, and mirroring. With improvements in 7.1, you can now turn ASP encryption on and off and change the data encryption key for an existing user ASP or IASP.
Encrypted Backup Enablement
The IBM i operating system option 44, Encrypted Backup Enablement provides you with the ability to encrypt your data to a tape device. This function requires Backup, Recovery, and Media Services (BRMS). This encryption solution is hardware independent, meaning that you do not need to use an encrypting tape drive or other type of encryption device to encrypt the backup data. Encrypted backup can be used to encrypt data going directly out to tape or to virtual tape and also supports media duplication (unencrypted to encrypted duplication). The media duplication provides the ability to save in an unencrypted way and then duplicate to encrypted which won't impact the save window.
Column Encryption via Field Procedures
To enhance data security, column encryption may be accomplished by using a new database feature called field procedures, available in release 7.1. Field procedures are user-written exit programs that run every time a column is read, changed, or has new values inserted into it. One use of a field procedure is to implement encryption of the column data: the exit program encrypts and decrypts the data stored in the column by implementing the encryption and key management logic itself. The field procedure provides the capability to encrypt data in a column without having to change the application programs that manipulate the data and without having to change the field length and data type of the column itself. Encryption algorithms often produce output of a different length than the cleartext and require the data to be stored in a binary format. Changing the column length and data type can have significant impacts on both applications and related interfaces such as queries. Field procedures eliminate the need to change column lengths and data types of the DB2 table, because these changes are managed internally by DB2 for i. For more information on field procedures, see the SQL Programming Guide.
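As an added example (not from the page or from IBM), the DDL below attaches a field procedure to an existing column and shows that application SQL is unaffected. The table, the column values and the exit program HR.FPENC are assumptions; the exit program itself, which implements the DB2 for i field procedure interface and the encryption and key management logic, is not shown.

```sql
-- Added example: attaching a field procedure to a column.
-- Assumes a compiled exit program HR.FPENC that implements the DB2 for i
-- field procedure interface (encode on write, decode on read).
CREATE TABLE HR.CUSTOMER (
  CUSTNO  CHAR(8)      NOT NULL PRIMARY KEY,
  NAME    VARCHAR(40)  NOT NULL,
  CARDNO  CHAR(16)     NOT NULL   -- stays CHAR(16) to every application
);

-- From now on every read, insert and update of CARDNO passes through
-- HR.FPENC. DB2 stores the encoded form internally with the length and
-- type the procedure declares; externally the column remains CHAR(16),
-- so no application, DDS or query definition needs to change.
ALTER TABLE HR.CUSTOMER
  ALTER COLUMN CARDNO SET FIELDPROC HR.FPENC;

-- Unchanged application SQL: cleartext in, cleartext out.
-- (Constructed sample value, not a real card number.)
INSERT INTO HR.CUSTOMER VALUES ('C0000001', 'Example Corp', '0000111122223333');
SELECT CUSTNO, CARDNO FROM HR.CUSTOMER;

-- Dropping the field procedure decodes the existing rows back to cleartext.
ALTER TABLE HR.CUSTOMER
  ALTER COLUMN CARDNO DROP FIELDPROC;
```

Who is allowed to see decoded values, and how keys are protected, is entirely up to the exit program, so review it with the same care as any other cryptographic code.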
IBM Lab Services and Training
Is your business protected from the threats to IT infrastructure? Has adequate protection been built into new requirements and environments? Are systems and data secure? Secure enough? IBM Systems and Technology Group (STG) Lab Services and Training and its security consultants can help you find the answers to these questions through service offerings that assist in the development of general enterprise security, or simply make sure your system settings maximize the protection you want and need to keep your organization from being tomorrow's headline. We can work with you to implement password elimination and SSO, data encryption, or a system security health check. We can help you address general security aspects, from managing the process of security in your enterprise to finding the most cost-effective way of implementing your security policies.
|IBM i security solutions|Partner security solutions|IBM Systems Lab Services and Training|
|IBM i is positioned to help with the governance and compliance considerations that impact your business|IBM i Business Partners offer a robust security solution portfolio|Let us address the unique aspects and requirements of your security concerns|