PSGi Offers Field-Level Encryption for IBM i Database
April 19, 2023 Alex Woodie
IBM i professionals who are concerned about the disclosure of sensitive data in their legacy applications may be interested in a new field-level encryption utility from Precision Solutions Group (PSGi). The software essentially functions as an easy-to-use wrapper for IBM’s native Field Proc for database encryption, delivering flexible data protection for legacy applications.
PSGi has made a name for itself by providing third-party maintenance and support for aging IBM i-based ERP systems. Customers running older applications like JD Edwards World, PRMS, PRISM, and KBM rely on PSGi to keep their ERP systems running well decades after they were first created.
As a third-party support provider and consultancy, PSGi has a front-row view into the application concerns of its customers. “At PSGi, we’re in the business of making sure people can get ROI from their legacy applications,” says PSGi President Larry Dube. “We want them to stay there. We don’t want to give them reasons to go.”
Security is a big and growing topic among these customers, and security audits are becoming more common, Dube says. In particular, IBM i shops are becoming concerned about the security of their data, especially as they open up their databases to access via interfaces other than the primary ERP system, he says.
“With the legacy applications now, all this processing is done outside of the application,” Dube tells IT Jungle. “There’s a lot of data moving around to BI tools, to interfaces of other products, to financials, to shopfloor systems. Everything is moving around, especially with best-of-breed applications.”
PSGi’s customers needed a way to protect this data as it resides in Db2 for i, where other users and applications have access to it. There are several methods to secure data, each working at different levels of the stack. At a system level, whole-disk encryption could be used. At the OS level, the administrator could implement restrictive user profiles, blocking read or read/write access to the entire database.
But none of these approaches would work with a production ERP system, Dube says. That's because employees at times do need access to data, including sensitive data. Restrictive user profiles would protect the data, but at the cost of blocking access to data that's necessary for getting work done, he says.
“They can certainly keep them from having read access to the file,” Dube says. “But that breaks the ERP.”
To pass security audits and protect the confidentiality of data, companies needed a more fine-grained approach to protecting data, he says. Luckily, IBM provides such a method. The field procedure, or Field Proc (FIELDPROC), debuted in 2010 with the launch of IBM i version 7.1.
The Field Proc was unique because, for the first time, it gave customers the ability to restrict access to data on a field-by-field basis. A field procedure is an exit program attached to a single column: Db2 for i calls it to encode the value on every write and decode it on every read, so the application keeps working with plaintext while the value stored in the table is ciphertext. Instead of forcing customers to choose between the blunt-force approach of restricting access to entire files, or requiring the equivalent of major heart surgery to implement field-level encryption directly in the application, IBM gave customers a much less invasive and more targeted approach to protecting field-level data with the Field Proc.
While the Field Proc is recognized in the IBM i community as being good technology, it does have its drawbacks. The biggest one is that it's not exactly easy to work with. You need to be knowledgeable about SQL on the platform and know how to work with triggers and constraints to implement it. That restricts the potential pool of companies that might make use of the Field Proc, Dube says.
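For readers who have not worked with the mechanism directly, this is what registering a field procedure looks like in Db2 for i SQL. It is an added illustration of the native IBM feature, not code from the article or from PSGi's product, and the library, table, column and program names (MYLIB, CUSTOMER, CCNUM, CCFLDPRC) are assumed. The encryption, key handling and any per-user masking live inside the exit program that the DDL names; the DDL only attaches it to the column.

```sql
-- Added illustration of IBM i FIELDPROC registration. Library, table,
-- column and program names are assumed; MYLIB.CCFLDPRC stands for an ILE
-- program that implements the field procedure interface.
--
-- Db2 for i calls the program once at registration to describe the encoded
-- form of the column (function code 8), on every write to the column
-- (function code 0, encode) and on every read of it (function code 4,
-- decode). Because the call happens inside the database, it also covers
-- ad hoc SQL, ODBC/JDBC connections and queries, not just the ERP.

-- Attach the exit program to the card number column of an existing table.
-- Db2 runs the encode function over the rows already stored, so the column
-- is converted in place.
ALTER TABLE MYLIB.CUSTOMER
    ALTER COLUMN CCNUM SET FIELDPROC MYLIB.CCFLDPRC;

-- The same protection declared when the table is created.
CREATE TABLE MYLIB.CUSTOMER_NEW (
    CUSTNO  INTEGER      NOT NULL PRIMARY KEY,
    CUSTNM  VARCHAR(60)  NOT NULL,
    CCNUM   CHAR(16)     FIELDPROC MYLIB.CCFLDPRC
);

-- Applications are unchanged: they write and read plaintext, and the
-- encode/decode happens transparently in the database engine.
INSERT INTO MYLIB.CUSTOMER_NEW (CUSTNO, CUSTNM, CCNUM)
    VALUES (1001, 'Example Customer', '4111111111111111');  -- constructed sample row

SELECT CUSTNO, CCNUM
    FROM MYLIB.CUSTOMER_NEW
    WHERE CUSTNO = 1001;

-- Detach the exit program again. Db2 decodes the stored values back to
-- plaintext, so this is itself a privileged operation to control.
ALTER TABLE MYLIB.CUSTOMER_NEW
    ALTER COLUMN CCNUM DROP FIELDPROC;
```

Two caveats a practitioner would check before relying on this. First, a field procedure decodes for every caller that Db2 lets read the column, so any "show only the last four digits" behaviour has to be implemented inside the exit program, based on who is calling; the DDL alone gives encryption at rest, not selective disclosure. Second, the program holds or fetches the key, so the authority on the program object and on the key store is what actually protects the data, and *ALLOBJ users can still read plaintext through the normal decode path.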
“We can do it from a consulting perspective,” Dube says. “But we’d also just like to allow companies that we’re working with, if they have staff, to take it on themselves and keep protecting it. Because like I said, our main goal is to make sure that these legacy applications stay out there for a long time.”
After surveying the market and seeing nothing that matched PSGi’s client needs, Dube and company decided to build their own utility. The name of the product is Field Level Security Management, and it’s now available at version 1.0.
“Essentially all our product does is put a wrapper around [the Field Proc] and make it a lot easier to deal with, so that anybody can use it,” Dube says. “You have to have some knowledge of the database. But you don’t have to be able to write SQL. You don’t have to be able to add triggers and constraints to the file.”
Field Level Security Management is a Web-based application that runs atop the IBM HTTP Server (the one powered by Apache). It was written in a mix of PHP and jQuery, and allows administrators to quickly set up encryption for group user profiles on a field-by-field basis.
During a demo, PSGi walked IT Jungle through the process of setting up field-level protection with Field Level Security Management. The administrator starts out by selecting the field that they want to encrypt, such as the credit card number or Social Security number. The administrator is then given the option to obfuscate the entire value of the field, or perhaps just the first 20 characters of a 25-character field. That allows a user to see the last few digits of a Social Security or credit card number, but not the entire value.
PSGi’s tool can also be used to prevent users from entering new values and overwriting old values. If a user tries to do that, a trigger built into the tool would prevent the user from updating the database, Dube says.
This approach gives users the ability to prevent employees from accessing sensitive pieces of data while preserving ERP function, Dube says. “They are allowed to go in and look at orders of customers, but they shouldn’t be able to see the prices of things,” he says.
PSGi achieves this without the headache of working with the Field Proc directly, and without modifying the application itself, an approach that in any case would not protect the database from access that bypasses the application, Dube says.
“We really wanted to make sure it was done at the database level, like it’s designed to do, rather than the legacy application itself,” Dube says. “In some of the more sophisticated legacy applications, they actually have some coding within the application that allow you to have field-level security, but then that doesn’t protect you from outside the application. It [Field Level Security Management] protects somebody from writing SQL or some other interface or just a query over the data.”
This is the first shrink-wrapped product from PSGi. But it won’t be the last. Stay tuned for more product development from this new software vendor in the future.