Enforcive Debuts Field-Level Encryption for IBM i
October 15, 2013 Alex Woodie
IBM i shops that find themselves needing an encryption solution may want to check out the new Field Encryption product unveiled by Enforcive last week. The addition to the company’s flagship Enterprise Security software suite allows IBM i security officers to encrypt data at the field level, as well as encrypt objects, which is useful for protecting tape backups. The new software also applies on-the-fly masking and scrambling to field-level data, and provides encryption key management capabilities, too.
There’s no shortage of reasons why an IBM i shop needs to encrypt its data. Besides just being a best practice for business these days (wink wink, nudge nudge), encryption is a mandate, depending on which industry an organization is in: HIPAA for healthcare organizations, PCI DSS for retailers, and GLBA for financial services firms. And if your company is publicly traded–or if it ever wants to be public or borrow money on the bond market–there’s good old Sarbanes-Oxley to worry about.
IBM made the implementation of field-level encryption easier by adding the so-called “field procedure” (or FIELDPROC) exit point with the launch of IBM i 7.1 back in 2010. Enforcive (formerly BSafe Solutions) is using the FIELDPROC with its new Field Encryption offering, which eliminates the need to open up an application and make changes to the code. The restriction is that field-level encryption is only available with IBM i applications running on version 7.1; object encryption is available for all apps going back to i5/OS V5R4.
Enforcive says it’s easy for a security officer to implement field-level encryption with its new software. The process of applying encryption is managed from a GUI that gives the officer the choice to use multiple DES, TDES, or AES algorithms. Both alphanumeric and numeric fields are supported. Unauthorized users will not be able to see the encrypted data, even when they try to access it through journals, the company says.
“With the new Enforcive/Field Encryption for IBM i, it is possible to create an almost out-of-the-box encryption process,” Enforcive CEO Shimon Bouganim says in a press release. “We wanted to create a product that would make it easy to manage data protection and encryption while minimizing its impact on programming staff and ensuring maximum security of encryption keys.”
Field Encryption uses a two-tier key management system composed of master keys and data keys. A master key is required to generate a data key that encrypts data at the field level. The company also gives users the option to encrypt the data keys themselves. Keys can be kept either on the IBM i server that contains the encrypted data (which is not a best security practice) or on a remote server, which could be running IBM i or another operating system.
Security officers can choose to enter their own key strings, or have the software generate key strings automatically. When the software generates them, not even the security officer knows the key strings, which provides another level of protection, Enforcive says.
Field Encryption can be used to manage the assignment of encryption keys to individual users or to groups of users with similar roles. Keys can be used to encrypt and decrypt data at the user group level, eliminating the need to manage individual keys.
The masking and scrambling functionality can be useful for protecting the contents of database fields. The software also gives security officers the option to scramble numeric fields, which can be useful for application testing purposes.
Support for object encryption gives officers the capability to encrypt entire libraries. Object security is also useful for encrypting backups before they’re written to tape, providing another level of security for tape backups.
Field Encryption can be used on a standalone basis, or as part of Enforcive’s larger Enterprise Security suite. Enforcive says there are benefits to using the field-level encryption product with its suite, including full logging of encryption activities within its Central Audit module. The key creation process can also be handled as part of Enterprise Security’s larger role-based management capabilities.
Enterprise Security also provides exit point management, object authority management, and IP packet filtering, and managing encryption alongside those other security capabilities makes sense, the company says.
For more information, see Enforcive’s website at www.enforcive.com.