-
Your KEY to success for Pervasive Encryption and Multicloud Key Management
Isabel Arnold, IBM Denmark, Crypto Center
November 2020, Session 2AW
-
The safest door in the world becomes useless
If you lose your keys
-
Encryption made easy with IBM Z Pervasive Encryption
– Encrypt data automatically, immediately and efficiently at the time it is written
– Decouple encryption from data classification
• Reduce labor-intensive data classification work
• Reduce risks associated with incorrectly classified or undiscovered sensitive data
– Achieve application transparent encryption
IBM Crypto Competency Center / © 2020 IBM Corporation 3
But where to keep your encryption keys?
-
Do I need a key management system?
Yes, if you want any of these:
More than 10 keys
Periodic, staggered key rotation
Avoid manual distribution
Easy overview of keys
Keystore backup and recovery of individual keys
Strong security and compliance for key management operations (e.g. dual control)
Enforced key naming conventions
Downsides of fewer than 10 keys
Large amount of encrypted data affected if a single key is compromised
Less granular control of how to separate people from data
Difficult to stagger rotation periods for keys
You need good dataset naming conventions!
PROD
  App1: Data1
  App2: Data2
  AppN: DataN
Example labels: PROD.APP1.PAYROLL.VER7, PROD.APP2.LOG.VER10
-
EKMF Web for Pervasive Encryption on IBM Z
When implementing pervasive encryption it is very important that a robust key management system is in place.
IBM Enterprise Key Management Foundation (EKMF) has a proven record of meeting the key management requirements you find in large financial companies like banks and card processors.
IBM offers EKMF Web for Pervasive Encryption that helps you manage the keys involved in dataset encryption.
-
EKMF Web for PE features
Single central key repository
• Stores metadata (activation dates, usage, etc.)
• Single-point backup and recovery
Key Management
• Generation based on policies
• According to NIST recommendations
• Using Hardware Security Modules (HSM)
Pervasive Encryption Support
• Dataset dashboard
• Import and management of existing PE keys
• Central support for multiple z/OS systems
Security & Compliance
• Role-based access
• Dual control implemented using separation of privileges
• Audit logging
-
EKMF components
• Web browser with EKMF Web: browser-based key generation and management for Pervasive Encryption and for Cloud (cloud not in the product version yet)
• EKMF Workstation: can be placed in a secure room; utilizes an IBM 4767 HSM; new keys are generated by users authenticated with smart cards, or automatically based on requests
• Central EKMF repository: contains keys and metadata for all cryptographic keys produced by EKMF; easy backup and recovery of key material
• Hardware Security Modules: IBM Crypto Express (IBM 476x), FIPS 140-2 Level 4, PCI
• Cloud key stores and custom key stores
-
EKMF Web Architecture
• z/OS LPAR: Crypto Express adapters (CEX4S or later), ICSF with the CKDS, the EKMF agent, and a Liberty server hosting EKMF Web
• EKMF Web data: Master Catalog, EKMF datasets database, EKMF key repository
• PE Dataset Scanner Job
• Web browser (user interface)
• Cloud key stores (key distribution targets)
-
EKMF Web prereqs
• z/OS 2.3 or later with fixes
• Crypto adapter assigned to the LPAR with fully initialized master key sets (AES, RSA, ECC); a TKE is required
  – IBM z14 with CEX6 or later recommended, to generate AES CIPHER keys
  – IBM z13 with CEX5 can only generate AES DATA keys
• ICSF and the CKDS configured to use variable-length key tokens
• Required databases, tables and views created in Db2 (V12 recommended)
• HKMGAS0 (min. PTF level KMGS006) or HKMGAL0 (min. PTF level KMGL010)
• Web browser: Firefox or Chrome
-
Data-encrypting keys
Used to encrypt and decrypt data; can be 128, 192 or 256 bits in length.
AES CIPHER keys
• Use the symmetric variable-length key token
• The key value is always encrypted
• Key blocks contain attributes allowing detailed control of key usage and export options
• EKMF Web wrapping for AES CIPHER keys is based on AES encryption
AES DATA keys
• Use the symmetric fixed-length key token
• Key value can be either encrypted or in the clear
• Do not have associated key attributes; export of AES DATA keys must be controlled by other means, such as RACF
• EKMF Web wrapping for AES DATA keys is based on RSA keys
The use of AES CIPHER keys for Pervasive Encryption is recommended for any system that supports them. The minimum requirements for using AES CIPHER keys for PE are z14 with CEX6 and ICSF HCR77C1.
-
EKMF Web Key Hierarchy
Master Key (AES)
  Cipher KEK (AES)
    Cipher Key (AES)
  Data KEK (RSA)
    Data Key (AES)
  EKMF Web Recovery Key (AES)
-
EKMF Web for PE screenshots demo: create a key to encrypt your first dataset
-
EKMF flow
-
These are the policies that define how your keys are created
-
IBM z13 can only generate AES DATA keys. We recommend using AES CIPHER keys, available from z14 with CEX6 or later.
-
What to do with the key
Dataset profiles and the key label in their DFP segment:
  Dataset profile   DFP DATAKEY            User access
  BANKING.**        BANKING.KEY.LABEL      READ
  MORTGAGE.**       MORTGAGE.KEY2.LABEL    READ
Profiles in the CSFKEYS class:
  BANKING.KEY.LABEL      READ
  MORTGAGE.KEY2.LABEL    READ
Example datasets: BANKING.TEST, MORTGAGE.PROD, and BANKING.OLD (allocated before the key was assigned, so not encrypted)
1. Define the key profile to RACF
2. Assign the key to the RACF dataset profile
3. (Re-)allocate: existing datasets are not encrypted (e.g. BANKING.OLD)
4. The user needs RACF access to a) the key and b) the dataset
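As an added example (not from the page and not IBM's or RACF's code), the following Go program models the rule on this slide: a user needs READ on the dataset profile AND READ on the key label in CSFKEYS, and a dataset allocated before the DATAKEY was assigned (BANKING.OLD) stays in the clear. It is a deliberately simplified model: only the `**` generic qualifier is implemented, profiles are searched in the order given rather than by RACF's most-specific rule, and the user IDs ALICE and BOB are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// DatasetProfile is a simplified RACF DATASET profile (constructed model, not RACF).
type DatasetProfile struct {
	Name    string          // e.g. "BANKING.**"
	DataKey string          // DFP segment DATAKEY(); "" means no key label assigned
	Readers map[string]bool // user IDs with ACCESS(READ)
}

// KeyProfile is a simplified CSFKEYS profile protecting one key label.
type KeyProfile struct {
	Readers map[string]bool // user IDs permitted READ for DSENCRYPTION
}

// Catalog records, per dataset, the key label captured when it was allocated.
type Catalog map[string]string

// matchQualifiers compares qualifier by qualifier; "**" matches zero or more
// qualifiers (the only generic character this model implements).
func matchQualifiers(pat, name []string) bool {
	if len(pat) == 0 {
		return len(name) == 0
	}
	if pat[0] == "**" {
		for k := 0; k <= len(name); k++ {
			if matchQualifiers(pat[1:], name[k:]) {
				return true
			}
		}
		return false
	}
	return len(name) > 0 && pat[0] == name[0] && matchQualifiers(pat[1:], name[1:])
}

// BestProfile returns the first covering profile; the caller lists profiles from
// most specific to least specific (standing in for RACF's own ordering rule).
func BestProfile(dsn string, profiles []DatasetProfile) (DatasetProfile, bool) {
	for _, p := range profiles {
		if matchQualifiers(strings.Split(p.Name, "."), strings.Split(dsn, ".")) {
			return p, true
		}
	}
	return DatasetProfile{}, false
}

// Allocate models a new allocation: the covering profile's DATAKEY is copied into
// the catalog entry at that moment. Datasets allocated earlier keep "" (clear).
func Allocate(cat Catalog, dsn string, profiles []DatasetProfile) string {
	label := ""
	if p, ok := BestProfile(dsn, profiles); ok {
		label = p.DataKey
	}
	cat[dsn] = label
	return label
}

// Authorize applies the two-key rule: READ on the dataset AND, if the dataset
// is encrypted, READ on its key label in CSFKEYS. Returns the decision and why.
func Authorize(user, dsn string, cat Catalog, profiles []DatasetProfile, keys map[string]KeyProfile) (bool, string) {
	p, ok := BestProfile(dsn, profiles)
	if !ok || !p.Readers[user] {
		return false, "no READ on a DATASET profile covering " + dsn
	}
	label, cataloged := cat[dsn]
	if !cataloged {
		return false, dsn + " is not cataloged"
	}
	if label == "" {
		return true, "allowed, dataset is not encrypted"
	}
	if k, ok := keys[label]; !ok || !k.Readers[user] {
		return false, "READ on dataset but no READ on key label " + label
	}
	return true, "allowed, decrypts with " + label
}

func main() {
	// Constructed scenario from the slide; user IDs ALICE and BOB are assumptions.
	profiles := []DatasetProfile{
		{Name: "BANKING.**", DataKey: "BANKING.KEY.LABEL", Readers: map[string]bool{"ALICE": true, "BOB": true}},
		{Name: "MORTGAGE.**", DataKey: "MORTGAGE.KEY2.LABEL", Readers: map[string]bool{"ALICE": true}},
	}
	keys := map[string]KeyProfile{
		"BANKING.KEY.LABEL":   {Readers: map[string]bool{"ALICE": true}},
		"MORTGAGE.KEY2.LABEL": {Readers: map[string]bool{"ALICE": true}},
	}
	cat := Catalog{"BANKING.OLD": ""} // allocated before DATAKEY was set: still in the clear
	Allocate(cat, "BANKING.TEST", profiles)
	Allocate(cat, "MORTGAGE.PROD", profiles)
	for _, c := range [][2]string{{"ALICE", "BANKING.TEST"}, {"BOB", "BANKING.TEST"}, {"BOB", "BANKING.OLD"}, {"BOB", "MORTGAGE.PROD"}} {
		ok, why := Authorize(c[0], c[1], cat, profiles, keys)
		fmt.Printf("%-5s %-13s allowed=%-5v %s\n", c[0], c[1], ok, why)
	}
}
```

The case to notice is BOB on BANKING.TEST: READ on the dataset profile alone is not enough once the dataset is encrypted, which is exactly the separation between people and data that the earlier "Do I need a key management system?" slide lists as a benefit of more, finer-grained keys.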
-
Setup for use of a key label in RACF (steps 1 to 4)
1. Generate an encryption key and key label and store it in the CKDS.
2. Define the key label in the CSFKEYS class and allow the secure key to be used as a protected key via the ICSF segment (SYMCPACFWRAP, SYMCPACFRET):
   RDEFINE CSFKEYS keylabel_name UACC(NONE) ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
3. Grant access to the key label:
   PERMIT keylabel_name CLASS(CSFKEYS) ID(user) ACCESS(READ) WHEN(CRITERIA(SMS(DSENCRYPTION)))
4. Associate the key label with the desired data set(s), either in RACF by altering the DFP segment of the data set profile (DATAKEY), or in DFSMS by assigning it to a data class. In RACF (the quoted operand is the data set profile name):
   ALTDSD '' UACC(NONE) DFP(RESOWNER(owner) DATAKEY(keylabel_name))
   – AND –
   PERMIT '' ID(groupid) ACCESS(READ)
z/OS data set encryption – detailed description: migrate to encrypted data
– Db2: online REORG (non-disruptive)
– IMS HA database: online reorg (non-disruptive)
– VSAM or sequential data set: 1. stop the application, 2. copy the data, 3. restart the application
– zFS container: zfsadm encrypt
-
If you lose your key, EKMF Web can restore it
-
Already started PE? No problem, import existing keys
-
A key template for these types of keys must have been defined for the keystore you are importing from.
-
Check dashboard for encryption details about datasets
-
Encrypted dataset with key details
-
Encryptable data sets
-
Not encryptable datasets (will be updated soon)
-
-
Filter and show details
-
Multicloud Key Orchestrator
-
EKMF Cloud support
EKMF Web supports key distribution to IBM Cloud Key Protect, AWS KMS and Microsoft Azure Key Vault.
  Cloud key store              Status
  AWS KMS                      Supported
  IBM Cloud Key Protect        Supported
  Microsoft Azure Key Vault    Supported
  Google Cloud KMS             Future
Components involved: web browser with EKMF Web, EKMF Workstation
-
Define cloud keystores and key templates
-
AWS support in EKMF Workstation
-
Further reading
Announcement letter ibm.com/common/ssi/cgi-bin/ssialias?infotype=AN&subtype=CA&htmlfid=897/ENUS220-108
EKMF Agent Installation and Configuration Guide publibfp.dhe.ibm.com/epubs/pdf/c2820240.pdf
EKMF Web Installation and Configuration Guide publibfp.dhe.ibm.com/epubs/pdf/c2820220.pdf
EKMF Web UI User's Guide publibfp.dhe.ibm.com/epubs/pdf/c2820230.pdf
-
EKMF Web for PE Virtual Workshop
Participants who attend this virtual workshop will learn about key management, key management considerations, EKMF Web architecture and dataset encryption.
Agenda:
• 9:00 AM Overview: Pervasive Encryption, Key Management and EKMF Web
• 10:15 AM TKE demo
• 10:30 AM Hands-on lab: EKMF Web and dataset encryption
• 12:30 PM Key management considerations and wrap-up
The virtual class requires students to connect to Webex and to have internet access via a browser to connect to the virtual desktop.
Contact [email protected]
-
IBM Crypto Competence Center Copenhagen
• 100+ clients, mainly in Financial Services
• 13 of the 25 largest banks in Europe
• 25 years of experience
Service offerings
• Cryptography-as-a-Service
• Crypto agility and quantum readiness
• Crypto APIs for the payment processing industry
• Enterprise key management solutions: Pervasive Encryption key management, multi-cloud key management
• Advanced XML signing solutions
• Crypto Analytics Tool
Consulting & implementation services
• Specialists in PCI-compliant crypto solutions
• Cross-industry experience
Areas: encryption, PKI (digital signatures & certificates), crypto APIs, enterprise key management, policy compliance
Securing the world, one bit at a time
-
Please submit your session feedback!
Do it online at http://conferences.gse.org.uk/2020/feedback/2AW
This session is 2AW - Your KEY to success for Pervasive Encryption and Multicloud Key Management
-
GSE UK Conference 2020 Charity
The GSE UK Region team hope that you find this presentation and others that follow useful and help to expand your knowledge of z Systems.
Please consider showing your appreciation by kindly donating a small sum to our charity this year, NHS Charities Together. Follow the link below or scan the QR Code:
http://uk.virginmoneygiving.com/GuideShareEuropeUKRegion
-
Thank you
© Copyright IBM Corporation 2020. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM’s current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and ibm.com are trademarks of IBM Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available at Copyright and trademark information.
https://www.ibm.com/legal/copytrade
-