IBM Information Management System (IMS) - Group home

Data Privacy for Diagnostics: Securing Diagnostics for IMS

By Sanjay Kaliyur posted Tue December 15, 2020 07:21 PM

No software is perfect! Any well-oiled machine is bound to run into the occasional hiccup. Similarly, even an enterprise software product like IMS occasionally encounters issues or problems that require our clients to submit diagnostic data to IBM. In these instances, our clients know they can depend on our support team to help them resolve these issues. But in this era of privacy and data regulation, many of our clients may not be so comfortable sharing this critical information with us.

"[In the future] more and more enterprises will become selective about what data they give to their vendors, even if that choice makes the product or service they’re using less effective… [we] will see organizations choosing to opt-out of data sharing due to concerns about anonymization, privacy, and accidental disclosure."
 – Forrester Research, Predictions 2020: Cybersecurity

We take these concerns very seriously. Every day, it seems like the severity and frequency of data breaches are increasing. Data breaches can be devastating for every party involved. The need to secure your private information has never been higher.

Sometimes, diagnostic information that is sent to IBM contains sensitive data that our clients would prefer that we didn’t see. This information is often included in transaction message data, database buffers, and log records. The risk of losing control of private information is causing some of our clients to be apprehensive about sending us their diagnostic data. If this personal information is exposed, it can have catastrophic effects such as severe financial penalties and serious reputational harms for us and our clients.

We understand that our clients depend on our support staff to get them out of tricky situations and get their operations back to running smoothly. How can we make sure that IMS clients are comfortable giving us their diagnostic information so that our support team can help diagnose and resolve their issues?

We are excited to announce that IMS has taken part in a new initiative to offer an additional layer of security and privacy for our clients. IBM z/OS Data Privacy for Diagnostics is a z/OS capability that allows our clients to control what data is shared with their business partners and ecosystems. Through the power of the z15, our clients can rest easier knowing that dumps processed by z/OS Data Privacy for Diagnostics have certain large areas of 64-bit storage that could contain sensitive data removed from them.

The IMS team leveraged sensitive data-tagging APIs created by z/OS to classify the areas in 64-bit memory as either likely or not likely to contain data our clients would consider to be sensitive. This memory classification was critical in allowing z/OS Data Privacy for Diagnostics to tag and redact sensitive data from diagnostic dumps while ensuring that areas our support team would need to investigate in order to resolve our clients’ issues would remain unredacted. The areas in the dump tagged as “non-sensitive” are included in a redacted dump that is sent to external vendors like IBM. We will never have access to the private information that the tagging algorithm identified as “sensitive”. The best part is this tagging process does not impact dump times!

Here is a visualization of how z/OS Data Privacy for Diagnostics works. The original dump contains all of the storage areas that would normally be dumped by IMS, including areas tagged as sensitive. You can use the z/OS BLSJDPFD utility to make a redacted copy of the dump that has areas tagged as sensitive removed. The redacted dump containing fewer sensitive data areas can be sent to IBM. Note that you should always keep the original dump until the problem is solved, since there may occasionally be times where the redacted data is needed.

With z/OS Data Privacy in Diagnostics, you can be assured that we will be able to continue to serve your support needs. We will be able to give you aid while also reducing the exposure of personal information to unauthorized viewers.

IBM Z Data Privacy for Diagnostics is supported on IBM z15 running z/OS 2.3 or above with PTFs OA57570 and OA57633. IMS support is included in IMS version 15 or above with APAR PH14059.