Simplify Field Encryption on IBM i

Monday, November 5, 2012 Posted by

Now that corporate applications are easier to access via remote and mobile channels, it’s even more important to determine which sensitive data is accessible and where possible breaches may occur. Unfortunately, legions of hackers with Wi-Fi and mobile hacking tools make it imperative that organizations prepare for and defend against potential attacks with even more pervasive security procedures.

One step in creating a stronger defense is to employ field or column-level encryption to protect sensitive data at rest.

Implementing a custom field encryption project on IBM i used to be a notoriously long and painful process.  Programming code changes for field-level encryption required a steep learning curve, costly programming resources, and even more time in testing, validating and updating the changed application source code. Most companies simply could not justify the additional strain that a project of this size placed on their budgets.

In response to this challenge, IBM released version 7.1 of its operating system with DB2 field procedures (FieldProcs) in April of 2010, which greatly simplified the field encryption process.  With the new FieldProcs technology, encryption projects can be streamlined because the field procedures are invoked at the database level, making the encryption transparent to the applications. A FieldProc can be coded to automatically encrypt the field on Inserts and Updates, and to decrypt the field only for authorized users on Read operations.  As a result, FieldProcs have become very important to those businesses that have legacy applications and limited budgets.
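The encrypt-on-write, decrypt-on-read behaviour described above, as an added Go model that is not code from the original post or from Crypto Complete. A real FieldProc is an ILE program registered on the column with ALTER TABLE ... ALTER COLUMN ... SET FIELDPROC and invoked by DB2 itself; this stand-alone model only reproduces its logic, and the AES-GCM choice, the mask value and the authorized-profile map are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// FieldProc models one column's field procedure: the column key plus the user
// profiles (upper-case, as IBM i stores them) allowed to see clear text.
type FieldProc struct {
	aead       cipher.AEAD
	authorized map[string]bool
}

// NewFieldProc takes a 16-, 24- or 32-byte AES key; in production the key
// comes from a key manager, never from program source.
func NewFieldProc(key []byte, authorized map[string]bool) (*FieldProc, error) {
	block, err := aes.NewCipher(key) // rejects any other key length
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return &FieldProc{aead: aead, authorized: authorized}, nil
}

// Encode is the INSERT/UPDATE path. The stored form is nonce||ciphertext||tag,
// so the encoded column must be wider than the clear one.
func (fp *FieldProc) Encode(clear []byte) ([]byte, error) {
	nonce := make([]byte, fp.aead.NonceSize()) // fresh per row and per update
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return fp.aead.Seal(nonce, nonce, clear, nil), nil
}

// Decode is the READ path: unauthorized readers get a mask rather than an
// error so legacy programs keep running; tampered data fails GCM authentication.
func (fp *FieldProc) Decode(user string, stored []byte) ([]byte, error) {
	if !fp.authorized[user] {
		return []byte("************"), nil
	}
	ns := fp.aead.NonceSize()
	if len(stored) < ns+fp.aead.Overhead() {
		return nil, errors.New("stored value too short to be a valid encoding")
	}
	return fp.aead.Open(nil, stored[:ns], stored[ns:], nil)
}
```

Because each Encode draws a fresh nonce, two rows holding the same card number are stored as different ciphertexts, so the encoded column cannot be used for equality matching without decoding.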

FieldProcs are a great step toward improving the viability of field-level encryption projects. But even with this, many companies don’t have the resources to integrate and manage the FieldProcs, which is why third-party software solutions, like Linoma Software’s Crypto Complete, are valuable.  Crypto Complete will generate and manage the FieldProcs on the fields within the files.

Crypto Complete also includes the key management, audit logs and access controls needed for PCI DSS and data privacy compliance. The value of using Crypto Complete for field encryption cannot be overstated, as it can greatly minimize the learning curve and reduce the implementation resource requirements from weeks to hours.

What Can We Learn from the LinkedIn Breach?

Thursday, June 21, 2012 Posted by

Today is another unfortunate reminder that no matter the size of a company or its industry, a data breach makes headlines.

Not only does it attract negative attention and erode customer confidence, an announcement that your company’s data has or may have been compromised can result in some steep financial penalties.  If fines associated with violating regulations like HIPAA or state privacy laws don’t get you, potential lawsuits might.

Take LinkedIn, for example.  Earlier this month, the social network of business professionals reported that nearly 6.5 million encrypted passwords had been leaked online.

Today, Mashable.com reports that LinkedIn is facing a $5 million civil lawsuit from a user claiming that LinkedIn’s security policy violated industry standards for database security.

There really are no lessons for the rest of us to learn from this latest breach, because most of us already know what we’re supposed to do.

  • Keep passwords secure and reasonably complex, and change them regularly.
  • Ensure your company is using only the most secure encryption standards like AES or OpenPGP.
  • Stay abreast of the latest news and techniques for keeping your company security policies and practices up to date and as impenetrable as possible.
  • Invest in solutions that streamline your data encryption processes, that include comprehensive auditing and reporting tools, and that ensure the security of your data at rest and in motion.

The question is how much longer can you postpone taking these steps to ensure that your company isn’t making news next week with an embarrassing and costly data breach?

Live Webinar Tomorrow: Beyond FTP — Securing and Automating File Transfers

Wednesday, June 13, 2012 Posted by

If you’d like to learn more about how you could benefit from simplifying, automating, and securing your file transfers, join us on Thursday, June 14 from 12:00-1:00 pm CDT for a free webinar that will outline the dangers of traditional FTP, and then focus on alternatives that not only keep your sensitive data more secure, but give you more control and better tracking of the entire file transfer process.


Beyond FTP: Automating and Securing File Transfers
Thursday, June 14, 2012
12:00-1:00 CDT

For more information or to register for this event,
please visit our webinar registration page.


For a real-life example of the benefits of managed file transfer, check out this System i manager’s story.

Ernie Iannucci from AF&L Insurance Company describes how much time and headache his IT team saved when they transitioned from doing each transfer manually to implementing a managed file transfer solution.


Watch Ernie’s story now


Is Disk Encryption Really the Silver Bullet?

Thursday, May 24, 2012 Posted by

Disk encryption was introduced as a solution for simplifying the encryption requirements that most companies face for protecting sensitive data.  Now that the IT industry has gained a few years of experience, however, many have discovered that disk encryption is not an all-encompassing security solution.

Laptops are one of the most popular targets for disk encryption.

[Download our white paper Defending Against Data Breach for details about the risks laptops and tablets present for IT staffs.]

However, companies have discovered that it requires a lot of planning and time to implement laptop encryption properly.

First of all, disk drives must be in good condition with no disk errors, and experts recommend that they be de-fragmented before installing the encryption software.

Once the time-consuming de-fragmentation task is completed, encrypting the drive will take an additional 2-4 hours depending on the size of the drive.  Employing disk encryption for a large number of laptops in the organization will therefore result in some significant downtime for their users.

Some companies are touting disk encryption as their “end all” for meeting compliance requirements.  But it is not a silver bullet.  Disk encryption protects data only while the laptop is powered off and the disk is locked.  Once the laptop is booted, unlocked and placed on the network, the data on the encrypted disk is available in the clear to any hacker who compromises the running system, and all information on the compromised laptop could then be easily downloaded from it.

For those companies that deal with credit cards, PCI DSS compliance standards involve a complex series of requirements that disk encryption cannot solve on its own. Here are just two items from the PCI checklist:

  • A user’s access to protected data must be managed separately from his or her access to the operating system that the data resides on.  Therefore, if the secure data is stored on an MS Windows server, access control to the sensitive data must be managed by an application other than Active Directory.
  • Cryptographic keys and cardholder data must be encrypted wherever they may be stored, including removable media such as USB drives, CDs, DVDs, or tape backups.  However, disk encryption does not encrypt data that is moved to other devices.

IT professionals are discovering that the best way to meet PCI DSS and other similar regulations is to keep sensitive data off of laptops whenever possible. Sensitive data can be more easily secured and controlled by IT professionals within centralized corporate database systems. The data can then be encrypted at the field level within these database systems.  Along with effective key management and audit trails, an effective database encryption solution will provide a much higher level of protection for this sensitive data.

To maximize their time and resources, many companies are turning to third-party vendors, such as Linoma Software’s Crypto Complete, which provides an effective solution for field encryption without the need to make programming or database changes.

Keeping data secure is a constant battle, and given the high cost of a data breach, it could be one of the most critical tasks a company tackles.  As hackers get more creative, relying on encryption best practices may be the best defense IT has.

1.800.949.4696  |  sales@linomasoftware.com  |  privacy policy
Copyright ©1994 - 2012 Linoma Software  |  All rights reserved