IBM z/OS Security Enhancements
IBM z/OS has a broad set of security capabilities built into the base operating system at no extra cost. Many z/OS security functions, such as data encryption, encryption key management, digital certificates, password synchronization, and centralized authentication and auditing, can be deployed as part of enterprise-wide security solutions. IBM z/OS, System z PR/SM and now RACF have all been evaluated under Common Criteria (the ISO/IEC 15408 standard). z/OS V1.12 was evaluated at EAL 4+, PR/SM at EAL 5+, and RACF at EAL 5, meeting some of the industry's toughest security standards. Note that an EAL level rates the rigour of the evaluation of the configuration defined in the product's security target, not the security of an arbitrary deployment, so the security target is the document to read when mapping an evaluation to your own environment. For more details about protection profile testing see www.atsec.com. Security targets are also published on the www.bsi.bund.de (DE) website.
Several security enhancements have been made in the latest releases.
In z/OS V1.13, PKI Services gained support for DB2 9 for z/OS and later as the store for objects and certificates, enabling enterprise-scale, resilient certificate management. In z/OS V1.12, PKI Services was extended with several usability enhancements. New cryptographic capabilities were added, such as support for new smart card formats and for new standards and algorithms. IBM Tivoli Directory Server for z/OS was updated to support new password policy rules. The z/OS Communications Server added support for IKEv2 and for Federal Information Processing Standard (FIPS) 140-2.
RACF now supports hardware-generated Elliptic Curve Cryptography (ECC) secure keys. Secure keys are wrapped under the cryptographic coprocessor's master key and are never exposed in the clear outside the hardware, so this brings the shorter-key-for-equivalent-strength advantage of ECC to keys that stay protected by the coprocessor.
IBM Security zSecure suite
The IBM Security zSecure suite provides cost-effective security administration, improves service by detecting threats, and reduces risk with automated audit and compliance reporting. IBM Resource Access Control Facility (RACF) is the security standard for mainframes running IBM z/OS, and the suite consists of offerings that take advantage of the most recent zEnterprise and RACF enhancements. A variety of product editions help ensure that everyday administrative capabilities are available across a variety of operating environments. The IBM Security zSecure suite can help customers centralize and consolidate security administration and use the mainframe as their enterprise security hub.
IBM Data Encryption Solutions
An important first step in taking control of information and helping to meet regulatory requirements is encrypting sensitive data. IBM now offers a comprehensive range of encryption solutions designed to meet your data protection requirements.
- Storage Systems Tape Data Encryption Solution
IBM introduced the industry’s first self-encrypting enterprise tape drive, the IBM System Storage TS1120, in 2006, followed by the IBM System Storage TS1130. The IBM System Storage DS8000 with Full Disk Encryption extends this market-proven encryption model to enterprise disk systems to support the security requirements of demanding enterprise environments in a practical and cost-effective manner.
Just as each tape drive has an embedded encryption engine, each disk drive also has an embedded encryption engine, and it, too, uses IBM’s encryption key management software to manage the keys associated with the solution.
As with the encrypting tape solution, the encrypting disk solution is designed to be transparent to the operating system, applications, databases, system administrators and users, making deployment much simpler than with specialized encryption appliances.
- Software Based Tape Data Encryption Solution
The Encryption Facility for z/OS is a host-based software solution designed to encrypt sensitive data before it is transferred to tape for business partner exchange. It provides a highly flexible solution because your business partners need not purchase new storage hardware, have a mainframe, or run z/OS. To decrypt the data they can use a no-cost, web-downloadable Java-based client designed to run in any environment that supports Java. With the introduction of Encryption Facility for z/OS V1.2 and its support for the OpenPGP standard (RFC 2440), the capability is more flexible still: the output is standard OpenPGP packets, so business partners can choose from a number of OpenPGP-compatible tools when decrypting and re-encrypting data. The Encryption Facility for z/OS is specifically designed to help you protect your sensitive data during the data exchange process.
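Because the exchange format is standard OpenPGP, a receiving partner can inspect a file before deciding which tool and which key to decrypt it with. The following is an added example, not code from IBM's Encryption Facility or its Java client: a minimal RFC 2440 packet-header walker written in standard-library Python that lists the packets in a binary OpenPGP message and, for a version 3 Public-Key Encrypted Session Key packet, pulls out the key ID and public-key algorithm. The sample message bytes, the key ID and the ciphertext placeholder are constructed for the example and do not come from any real key.

```python
"""Minimal OpenPGP (RFC 2440) packet-header walker.

Added example; not IBM Encryption Facility code. Given the raw bytes of a
binary (non-armored) OpenPGP message it returns the packet sequence and,
for a Public-Key Encrypted Session Key packet, the key ID that identifies
which private key a partner must use to decrypt.
"""
import struct

PACKET_TAGS = {
    1: "Public-Key Encrypted Session Key",
    2: "Signature",
    3: "Symmetric-Key Encrypted Session Key",
    4: "One-Pass Signature",
    5: "Secret Key",
    6: "Public Key",
    7: "Secret Subkey",
    8: "Compressed Data",
    9: "Symmetrically Encrypted Data",
    10: "Marker",
    11: "Literal Data",
    12: "Trust",
    13: "User ID",
    14: "Public Subkey",
    18: "Sym. Encrypted and Integrity Protected Data (added in RFC 4880)",
}

PUBKEY_ALGOS = {1: "RSA (Encrypt or Sign)", 2: "RSA Encrypt-Only",
                16: "Elgamal (Encrypt-Only)", 18: "ECDH (RFC 6637)"}


def parse_packets(data: bytes):
    """Return a list of (tag, name, header_format, body) for each packet.

    Handles old-format headers (tag in bits 5..2, length type in bits 1..0)
    and new-format headers (tag in bits 5..0, one/two/five-octet lengths and
    partial body lengths, whose chunks are concatenated as RFC 2440 4.2.2.4
    requires).  Raises ValueError on a malformed or truncated stream.
    """
    packets, i, n = [], 0, len(data)
    while i < n:
        ptag = data[i]
        if not ptag & 0x80:
            raise ValueError(f"offset {i}: bit 7 of packet tag octet is not set")
        i += 1
        if ptag & 0x40:                      # new-format header
            tag, fmt, body = ptag & 0x3F, "new", b""
            while True:
                if i >= n:
                    raise ValueError("truncated length field")
                first = data[i]; i += 1
                partial = False
                if first < 192:
                    length = first
                elif first < 224:
                    length = ((first - 192) << 8) + data[i] + 192; i += 1
                elif first == 255:
                    length = struct.unpack(">I", data[i:i + 4])[0]; i += 4
                else:                          # 224..254: partial body length
                    length, partial = 1 << (first & 0x1F), True
                if i + length > n:
                    raise ValueError("truncated packet body")
                body += data[i:i + length]; i += length
                if not partial:
                    break
        else:                                # old-format header
            tag, fmt, ltype = (ptag & 0x3C) >> 2, "old", ptag & 0x03
            if ltype == 0:
                length = data[i]; i += 1
            elif ltype == 1:
                length = struct.unpack(">H", data[i:i + 2])[0]; i += 2
            elif ltype == 2:
                length = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else:                            # indeterminate: runs to end of input
                length = n - i
            if i + length > n:
                raise ValueError("truncated packet body")
            body = data[i:i + length]; i += length
        packets.append((tag, PACKET_TAGS.get(tag, f"unknown tag {tag}"), fmt, body))
    return packets


def pkesk_info(body: bytes):
    """Decode the fixed prefix of a version 3 PKESK body: (key ID hex, algorithm)."""
    if len(body) < 10 or body[0] != 3:
        raise ValueError("not a version 3 Public-Key Encrypted Session Key packet")
    return body[1:9].hex().upper(), PUBKEY_ALGOS.get(body[9], f"algorithm {body[9]}")


# Constructed sample message (not real ciphertext): a new-format PKESK packet
# (tag 1, 14-byte body: version 3, made-up key ID, RSA, one toy 16-bit MPI)
# followed by an old-format Symmetrically Encrypted Data packet (tag 9).
SAMPLE_MESSAGE = (
    bytes([0xC1, 0x0E]) + b"\x03" + b"\x0A\x1B\x2C\x3D\x4E\x5F\x60\x71" + b"\x01" + b"\x00\x10\xAB\xCD"
    + bytes([0xA4, 0x06]) + b"\xde\xad\xbe\xef\x00\x01"
)

if __name__ == "__main__":
    for tag, name, fmt, body in parse_packets(SAMPLE_MESSAGE):
        print(f"tag {tag:2d} ({fmt}-format, {len(body)} byte body): {name}")
        if tag == 1:
            print("    encrypted to key ID", *pkesk_info(body))
```

Walking the headers first is also a cheap sanity check on the receiving side: a file that does not parse as a well-formed packet sequence, or whose session key packet names a key ID you do not hold, can be rejected before any decryption tool is pointed at it.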
- Data Encryption for IMS and DB2 Database Solution
IBM Data Encryption for IMS and DB2 Databases provides a data encryption tool for both IMS and DB2 for z/OS databases in a single product. It is designed to let you protect sensitive and private data at the segment level for IMS and at the row level for DB2. It is implemented via standard IMS and DB2 exits, which invoke System z cryptography hardware to encrypt data for storage and decrypt it for application use, so applications need no change.
To provide customers with open solutions that integrate, both the Encryption Facility for z/OS and the System Storage tape drives with encryption enabled (TS1120) are designed to use centralized key management (provided by ICSF in z/OS) for the enterprise and to support a variety of system environments. To see which tape encryption solution best suits your needs, see the comparison chart below.
As you can see from this chart IBM's tape encryption solutions are designed to complement each other by providing capabilities to address a comprehensive range of data protection goals. And by utilizing the same key management (ICSF) in z/OS and hardware cryptography (PCIXCC, Crypto Express2) features, customers may benefit by leveraging mainframe features and function that are both flexible and integrated.
Depends on Customer Requirements
For advanced flexibility in the exchange of encrypted data, z/OS mainframe customers can use the Encryption Facility for z/OS. If performance is paramount, the TS1120 tape encryption solution is well suited to fast creation of encrypted archival and backup tapes. And when you're most concerned with protecting sensitive information in DB2 or IMS databases, try the Data Encryption for IMS and DB2 Databases tool. Or use all three solutions to provide data protection that reaches across your enterprise and beyond.
System z Security Portal
The System z Security Portal is intended to help customers stay current with security fixes, and improve security planning. Customers can subscribe to the System z Security Portal to receive the latest information on System z security.