As we discussed in a previous article, Calculating the Cost of a Data Breach in 2019, data breaches continue to be costlier and resulted in more consumer records being lost or stolen in 2018. Now let's see how pervasive encryption makes a difference.
Extensive use of encryption is one of the most powerful ways to reduce the risk of a data breach and to meet complex compliance mandates. Implementing encryption, however, is not simple. Organizations always struggle with three key questions:
- What data should be encrypted?
- Where should encryption occur?
- Who is responsible for encryption?
IBM Z pervasive encryption marks a paradigm shift for security. Pervasive encryption provides a transparent and consumable approach to enable extensive encryption of data in flight and at rest to simplify and reduce the costs associated with protecting data and achieving compliance mandates.
To make this happen, IBM Z delivered several new capabilities through tight full-stack platform integration across the hardware, the operating system, and the middleware.
(Diagram from the presentation IBM z14 / Pervasive Encryption.)
As highlighted in this diagram, to protect in-flight network data and APIs, IBM z14 can encrypt incoming and outgoing network connections for true end-to-end data protection.
In general, z/OS supports three robust end-to-end security protocols:
- Transport Layer Security (TLS, including SSL) via System SSL and Java Secure Sockets Extension (JSSE)
- IPsec, which is built into z/OS Communications Server
- Secure Shell (SSH) via z/OS OpenSSH
Each protocol has its place and is suited to different types of traffic. Which protocol you select to protect each type of application traffic depends on a number of factors, and in most cases you have a choice of protocols for any given application type. (See the comparison table at the end of this post.)
You also need a way to discover which z/OS network traffic is protected, and how. z/OS Encryption Readiness Technology (zERT), a core capability of pervasive encryption, does exactly that.
zERT provides intelligent network security discovery and reporting capabilities by monitoring TCP and Enterprise Extender traffic for TLS/SSL, IPsec and SSH protection, as well as cleartext. It also writes protection information to new SMF 119 records. Moreover, zERT Network Analyzer, a new web-based interface that is planned to be available in the future, will help you determine which z/OS TCP and Enterprise Extender traffic is or isn’t protected according to specific query criteria.
For more about zERT, see Things you should know about z/OS Encryption Readiness Technology (zERT).
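As an added illustration (not IBM's code, and not zERT's actual record format), the following Python script shows the kind of readiness analysis zERT makes possible once you have protection details per connection. It reads constructed connection observations in a made-up key=value line format, classifies each as protected, weakly protected (TLS older than 1.2, a threshold chosen for this example), or cleartext, and flags listeners that are seen protected for some peers but not others, which is exactly what IPsec's node-to-node scope or a partially rolled-out AT-TLS policy can produce. The field names, sample records, and threshold are assumptions of this example; the real SMF 119 zERT record layout is documented by IBM and differs.

```python
"""Toy encryption-readiness report in the spirit of zERT (example code only)."""
from collections import Counter, defaultdict

# Constructed sample observations, one per observed connection. The key=value
# layout and field names are an assumption for this example, NOT the layout
# of zERT's SMF 119 records. 'traffic=EE' marks Enterprise Extender (UDP)
# traffic, which only IPsec can protect; 'proto=NONE' means no protection seen.
SAMPLE_OBSERVATIONS = """\
job=HTTPD01 lport=443   rip=10.1.1.5 traffic=TCP proto=TLS   ver=1.2 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
job=HTTPD01 lport=443   rip=10.1.1.9 traffic=TCP proto=TLS   ver=1.0 cipher=TLS_RSA_WITH_3DES_EDE_CBC_SHA
job=FTPD    lport=21    rip=10.2.0.7 traffic=TCP proto=NONE
job=SSHD    lport=22    rip=10.3.3.3 traffic=TCP proto=SSH   ver=2   cipher=aes256-ctr
job=CICSA   lport=5000  rip=10.4.4.4 traffic=TCP proto=IPSEC cipher=AES_CBC_256
job=VTAM    lport=12000 rip=10.5.5.5 traffic=EE  proto=NONE
job=CICSA   lport=5000  rip=10.4.4.8 traffic=TCP proto=NONE
"""

# Policy threshold for this example: anything below TLS 1.2 counts as weak.
WEAK_TLS_VERSIONS = {"SSL2", "SSL3", "1.0", "1.1"}


def parse_line(line):
    """Turn one key=value observation line into a dict of strings."""
    return dict(token.split("=", 1) for token in line.split())


def classify(obs):
    """Return 'cleartext', 'weak', or 'protected' for one parsed observation."""
    proto = obs.get("proto", "NONE").upper()
    if proto == "NONE":
        return "cleartext"
    if proto in ("TLS", "SSL") and obs.get("ver") in WEAK_TLS_VERSIONS:
        return "weak"
    return "protected"


def readiness_report(text):
    """Count observations per class and list the non-protected listeners.

    Returns (counts, findings) where findings maps 'cleartext'/'weak' to a
    sorted list of (job, local port, traffic type) tuples.
    """
    counts = Counter()
    findings = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        obs = parse_line(line)
        cls = classify(obs)
        counts[cls] += 1
        if cls != "protected":
            findings[cls].add((obs["job"], obs["lport"], obs["traffic"]))
    return counts, {cls: sorted(items) for cls, items in findings.items()}


def mixed_protection_jobs(text):
    """Listeners seen with more than one protection class.

    A mix means protection depends on the peer rather than the service,
    e.g. IPsec configured to only some remote nodes, or a TLS listener that
    still accepts old protocol versions from some clients.
    """
    seen = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            obs = parse_line(line)
            seen[(obs["job"], obs["lport"])].add(classify(obs))
    return sorted(key for key, classes in seen.items() if len(classes) > 1)


if __name__ == "__main__":
    counts, findings = readiness_report(SAMPLE_OBSERVATIONS)
    print("counts:", dict(counts))
    for cls, items in findings.items():
        print(f"{cls}:")
        for job, port, traffic in items:
            print(f"  {job:<8} port {port:<6} ({traffic})")
    print("mixed protection:", mixed_protection_jobs(SAMPLE_OBSERVATIONS))
```

Run as written, the report shows three protected connections, one weak (the TLS 1.0 client on HTTPD01's port 443), and three cleartext, and it singles out CICSA port 5000 and HTTPD01 port 443 as listeners whose protection varies by peer; those per-listener inconsistencies are usually the first thing worth acting on, because they mean a policy exists but does not cover every path.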
---------------------------------------------------------------------------------------
Comparison of protocols: TLS, IPsec, and SSH using IBM-provided implementations

| Attribute | TLS/SSL | IPsec | SSH-2 |
|---|---|---|---|
| Traffic covered | TCP connections | All IP traffic (TCP, UDP (incl. EE), ICMP, etc.) | TCP connections |
| Provides true end-to-end protection | Yes | Yes | Yes |
| Can protect specific network segments | No | Yes | No |
| Protection scope | Single TCP connection | Flexible (all traffic, by protocol, IP addresses, ports, etc.) | One or more TCP sessions |
| Requires application layer changes | Yes (except basic AT-TLS) | No | No |
| Endpoints and authentication | Application to application | IP node to IP node | Host to host |
| Auth credentials | X.509 certificates | X.509 certificates or pre-shared keys | Public/private key |
| Auth frequency | Configurable | Configurable | Once at session startup |
| Session key refresh | Configurable based on time | Configurable based on data and time | Configurable based on data |
| Configuration | AT-TLS: policy; System SSL direct: per application; JSSE: Java properties | Policy | OpenSSH configuration files as well as command-line invocation |
| Application transparency | AT-TLS: yes (basic AT-TLS only); System SSL direct: no; JSSE: no | Yes | Can be, with port forwarding |
| SAF keyrings | Yes | Yes | Yes (for keys only) |
| Secure keys (CEXn) | Yes | Yes | No |
| Specialty engine (zIIP) support | JSSE only | Yes | No |
| System z hardware crypto | CPACF, CEXn | CPACF, CEXn | CPACF, CEXn (for random number generation) |
-----------------------------------------------------------------------------------------------------------------------------
This blog was originally posted on Sep. 19, 2018 on IBM z/OS Communications Server developerWorks.