Automatic Encryption with FIELDPROC


Automatic Encryption with FIELDPROC (46CN)
Patrick Townsend
724 Columbia Street NW, Suite 400 | Olympia, WA 98501 | 360.359.4400 | www.townsendsecurity.com

Automatic Encryption for IBM i in V7R1 and later
- FIELDPROC encryption: what FIELDPROC is and how it works
- New security challenges
- Encryption key management
- Some practical considerations

What is FIELDPROC and How Does it Work?
- Field Procedures: new in V7R1, fully supported in 7.2 and 7.3 ("To infinity, and beyond!")
- Exit point technology: DB2 calls a program you register for a column whenever that column's data is written or read
- Previously implemented on IBM System z in DB2 v9
- The exit program itself is implemented by customers or vendors

Encryption Before V7R1: It's an Application Software Project
- Identify all of the fields you want to encrypt
- Decide if triggers can work for you (a partial solution: triggers can encrypt on write, but every program that reads the field still has to decrypt it)
- Identify all RPG or COBOL applications that must be changed
- Modify your applications
- Test, test, and test again

Encryption with V7R1-V7R3 FIELDPROC
- It's a database change, not an application change
- Identify all of the fields you want to encrypt
- Install FIELDPROC exit point software
- Activate FIELDPROC protection on each column (ALTER TABLE ... SET FIELDPROC)
- Pretty cool, but there are some gotchas!

Your Encryption Project Just Got a Whole Lot Easier!
- No changes to the table layout required
  - No field type or size changes
  - No problems with zoned and packed numeric data
- Few (if any!) application changes required
  - Most applications will run without changes
  - There are a few caveats (covered later) that may require minor application modifications

How Does It Work?
Like most exit points, you must register your exit point program; for FIELDPROC the registration is done with SQL:

ALTER TABLE ordmaster ALTER COLUMN cardno SET FIELDPROC prodlib/exitpgm CONSTANT 'Unique-Value'

From then on DB2 calls your exit program (prodlib/exitpgm) on every I/O operation that touches ORDMASTER.CARDNO: to encode the value on insert and update, and to decode it on read. The CONSTANT value is stored with the column definition and passed to the program when it is invoked.

How Do They Get Installed?
FIELDPROC registration interface (SQL only!):

CREATE TABLE orders (custid CHAR(5), cardnum CHAR(16) FIELDPROC mylib/mypgm)

ALTER TABLE orders ALTER COLUMN cardnum SET FIELDPROC mylib/mypgm

FIELDPROC removal (DB2 decodes the existing column data back to plaintext as part of the ALTER):

ALTER TABLE orders ALTER COLUMN cardnum DROP FIELDPROC
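The complete attach, verify, use and detach sequence, as an added example that is not code from the presentation or from Townsend Security. It uses the PRODLIB, ORDMASTER, CARDNO and EXITPGM names from the slides under SQL naming (schema qualifier "." instead of "/"); the ORDNO column is assumed, and the catalog check relies on the QSYS2.SYSFIELDS view that Db2 for i maintains for columns with a field procedure (only TABLE_SCHEMA and TABLE_NAME are referenced, so the remaining column names do not matter here).

```sql
-- Added example (not from the presentation). PRODLIB.ORDMASTER, CARDNO and
-- PRODLIB.EXITPGM follow the slides; ORDNO is an assumed column.

-- 1. Attach the field procedure. Db2 first calls PRODLIB.EXITPGM with the
--    definition function code to learn the encoded column layout, then runs
--    every existing row through the encode function. On a large table this is
--    a long-running ALTER that holds an exclusive lock, so schedule it.
--    The CONSTANT is stored with the column and handed to the exit on each call.
ALTER TABLE PRODLIB.ORDMASTER
  ALTER COLUMN CARDNO SET FIELDPROC PRODLIB.EXITPGM CONSTANT 'ORDMASTER-CARDNO';

-- 2. Verify which columns of the table now have a field procedure attached.
SELECT *
  FROM QSYS2.SYSFIELDS
 WHERE TABLE_SCHEMA = 'PRODLIB'
   AND TABLE_NAME   = 'ORDMASTER';

-- 3. The column stays transparent to SQL: the INSERT value is encoded by the
--    exit before it is stored, the SELECT result is decoded on the way out.
--    The equality literal is also passed through the encode function, so the
--    comparison is made on encoded values and an index over CARDNO is usable.
INSERT INTO PRODLIB.ORDMASTER (ORDNO, CARDNO)
  VALUES (1001, '4111111111111111');

SELECT ORDNO, CARDNO
  FROM PRODLIB.ORDMASTER
 WHERE CARDNO = '4111111111111111';

-- 4. Detach the field procedure. Db2 decodes every row back to plaintext as
--    part of this ALTER, so the authority to run it must be controlled as
--    tightly as access to the encryption key itself.
ALTER TABLE PRODLIB.ORDMASTER
  ALTER COLUMN CARDNO DROP FIELDPROC;
```

Step 2 is the check to run after every activation and after every restore of the library: a table restored without its exit program, or with a program of the same name from another library in the library list, will fail (or misbehave) on the first read.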

When Are They Invoked by DB2/400?
FIELDPROC add/update (encode) events:
- SQL INSERT, UPDATE and MERGE statements
- Native RPG record-level writes and updates
- Query searches, because the search value must be encoded before it can be compared with the stored value: WHERE cardnum = '1111222233334444'
- "Writing" CL commands: CPYF, RGZPFM, STRDFU, ...
- Trigger processing: FIELDPROC processing occurs after BEFORE triggers and before AFTER triggers
FIELDPROC read (decode) events:
- SQL SELECT and FETCH
- Native RPG record-level reads
- "Reading" CL commands: CPYF, RGZPFM, DSPPFM, FTP, ...
- Trigger processing

Do I Have To Change My Database To SQL?
No. FIELDPROC works with files created with DDS; you don't need to convert them to SQL tables. There are some benefits to SQL conversion, but it is not required.
NOTE: There are limitations with DDS logical files and native RPG record-level access (more later).

FIELDPROC: What It Is and Isn't
What it does:
- Provides a column-level exit for insert/read/update operations on a database table
What it does not do:
- Does not provide encryption, audit, masking, or key management software: you have to provide the exit program (an executable) that handles encrypt/decrypt
- Does not provide security controls; that's up to you!
- Does not log actions for compliance

New Security Concerns
- Who can see plaintext?
- Who can see masked data?
- Who can see partial data?
- What happens when the user is not authorized?
- What about QSECOFR and *ALLOBJ users?

New Security Concerns
The new FIELDPROC exits create new challenges! Once an exit point program is installed, it is called regardless of the user or application: common utilities such as DFU, Display Physical File Member (DSPPFM), and FTP can trigger automatic decryption of data. You will need:
- User access controls
- Encryption key access controls
- Automatic masking of data by policy
- QAUDJRN logging of access
- DB2 Row and Column Access Controls (RCAC)

Everything You Need to Get FIELDPROC Right
- Easy-to-use management interface
- Exit point software for encryption (no SQL, multi-threaded)
- Key management
- User access controls by policy, with group profile support
- Data masking
- Audit
- Industry-standard AES encryption

Key Management Is Critical for Compliance
- AES is not a "secret": the algorithm is public and standardized
- The key is the real "secret"
- Key management: NIST SP 800-57
- Cryptographic Module Validation Program (CMVP), National Voluntary Laboratory Accreditation Program (NVLAP), FIPS 140-2

Key Management for Compliance
- Dual control
- Separation of duties
- Split knowledge
- Key rotation
- Separate keys from the data they protect

FIELDPROC and Key Management
- Key management is critically important to encryption
- The keys are the secret: they must be protected and managed
- A good key management system will:
  1) Control access to keys
  2) Manage keys through their life cycle
  3) Log access to keys
  4) Back up keys
  5) Roll keys
  6) Expire keys, etc.

Enterprise Key Management
- Critical infrastructure for multiple platforms
- Centralized key management reduces security exposure
- One key vault for all OSs: IBM i, Windows, Linux, Unix, IBM z, etc.
- One key vault for all platforms: client, server, cloud, mobile, PureSystems, etc.
- One key vault for all applications: IBM DB2 FIELDPROC, SQL Server EKM, Oracle 10g/11g, SharePoint, tape, storage, etc.

Practical Issues - Performance
- Encryption will have an impact; how much?
- AES encryption libraries vary in performance
- POWER8 on-chip encryption won't help much
- Key management can impact performance
- Multiple encrypted fields in one file add to the performance impact
- SQL may perform an index scan on certain operations

Practical Issues – Encrypted Indexes Are Supported (SQL)
- You can encrypt columns used in primary and secondary indexes
- IBM builds the index on the encrypted value, not the decrypted value
- Index lookups are based on the encrypted value, not the plaintext value: an equality lookup works, but the index is in ciphertext order, not plaintext order
- Some SQL JOIN and ORDER BY operations can be performance intensive when index scans are performed

Practical Issues – DDS Logical Files Can Be a Problem
- DDS join logical files over two or more physical files (JFILE/JFLD) are not valid over FieldProc-encrypted fields
- If the join logical file already exists, the FieldProc cannot be started; if the FieldProc is already active, the join logical file cannot be created

Practical Issues – Encrypted Indexes Are a Problem for RPG
- For legacy RPG/COBOL the sort sequence of encrypted indexes is an issue: keyed access returns records in ciphertext order
- Range-bound reads and some RPG operations are affected: SETLL followed by READ, etc.
- RPG primary/secondary file processing (out-of-sequence errors)
- Empty or out-of-order reports
- Empty or out-of-order subfile lists
- There are third-party solutions for RPG

Practical Issues – Data Masking
FieldProc data masking:
- Should be based on a white-list approach (nobody sees plaintext unless explicitly authorized)
- Avoid object authority as the basis for data masking
- Is not application sensitive: DFU, FTP, etc. get exactly what the business application gets, because the FieldProc cannot see which application program is calling it
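One way to express the white-list rule above, and the RCAC item from the earlier "New Security Concerns" slide, with DB2 for i Row and Column Access Control. This is an added example, not the presentation's or Townsend's code. It assumes the PRODLIB.ORDMASTER table and CARDNO CHAR(16) column from the slides, a hypothetical group profile PCIADMIN whose members are the only users allowed to see plaintext, and that the FieldProc decode has already run by the time the mask is evaluated, so the mask sees plaintext and decides what the caller gets.

```sql
-- Added example (not from the presentation). PRODLIB.ORDMASTER and CARDNO
-- follow the slides; the PCIADMIN group profile is hypothetical.
-- Creating masks requires QIBM_DB_SECADM function usage for the user running it.

-- White-list column mask: plaintext only for members of the PCIADMIN group
-- (or supplemental group); everyone else, including *ALLOBJ users, gets the
-- last four digits. VERIFY_GROUP_FOR_USER returns 1 when the user belongs
-- to the named group profile, so the decision is a policy lookup rather than
-- object authority on the file.
CREATE MASK PRODLIB.CARDNO_MASK ON PRODLIB.ORDMASTER
  FOR COLUMN CARDNO RETURN
    CASE
      WHEN QSYS2.VERIFY_GROUP_FOR_USER(SESSION_USER, 'PCIADMIN') = 1
        THEN CARDNO
      ELSE '************' CONCAT SUBSTR(CARDNO, 13, 4)
    END
  ENABLE;

-- Nothing is enforced until column access control is activated on the table.
ALTER TABLE PRODLIB.ORDMASTER ACTIVATE COLUMN ACCESS CONTROL;

-- Check that the control exists and is enabled (column names in SYSCONTROLS
-- other than TABLE_NAME are not relied on here; see your release's SQL Reference).
SELECT *
  FROM QSYS2.SYSCONTROLS
 WHERE TABLE_NAME = 'ORDMASTER';

-- Same query, two different results: a PCIADMIN member sees
-- '4111111111111111', any other user sees '************1111'.
SELECT ORDNO, CARDNO FROM PRODLIB.ORDMASTER;
```

Two caveats a practitioner will want. First, the mask is applied by the database, not by the exit, so it covers SQL access through ODBC, JDBC, STRSQL and SQLRPGLE alike without the exit having to know the caller; an exit that also masks by its own policy must agree with this rule or users will see two different answers. Second, the mask only changes what a SELECT returns; the decode still happened, so the exit's own audit trail (or QAUDJRN) still records the access, which is what you want for PCI.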

Mitigation – What Can You Do?
- Convert RPG applications to SQLRPGLE
- Change application logic (use other fields, non-encrypted indexes)
- Copy data (decrypted) to a temporary library
- Implement a fully native SQL application
- Locate a 3rd-party solution for FieldProc + encrypted indexes
- Do nothing and live with the constraint
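Two of the mitigations above, the decrypted working copy and the "use other fields" approach, in SQL, as an added example that is not from the presentation. It assumes PRODLIB.ORDMASTER with CARDNO CHAR(16) under FieldProc (from the slides) plus assumed ORDNO and ORDDATE columns, and it relies on the fact that reading CARDNO through SQL returns the decoded value and that a table built from that result set has no field procedure of its own.

```sql
-- Added example (not from the presentation). ORDNO and ORDDATE are assumed
-- columns; PRODLIB.ORDMASTER and CARDNO follow the slides.

-- Mitigation A: a decrypted working copy for a sorted batch report.
-- The SELECT runs each row through the FieldProc decode, and the new table
-- has no FIELDPROC, so QTEMP.ORDWORK holds plaintext. QTEMP is job-scoped and
-- is deleted when the job ends; the plaintext still exists until then, outside
-- the exit's access controls and audit, so keep the window short.
CREATE TABLE QTEMP.ORDWORK AS
  (SELECT ORDNO, ORDDATE, CARDNO
     FROM PRODLIB.ORDMASTER
    WHERE ORDDATE >= CURRENT DATE - 1 MONTH)
  WITH DATA;

-- ORDER BY on the copy sorts plaintext; on ORDMASTER it would sort ciphertext.
SELECT ORDNO, ORDDATE, CARDNO
  FROM QTEMP.ORDWORK
 ORDER BY CARDNO, ORDDATE;

-- Drop the copy as soon as the report is done rather than waiting for job end.
DROP TABLE QTEMP.ORDWORK;

-- Mitigation B: a non-encrypted companion field that carries only the data the
-- policy allows in the clear (here the last four digits, on the assumption
-- that your PCI scope permits it), with its own index. Lookups and RPG keyed
-- access use CARDLAST4; the full number stays under FieldProc.
ALTER TABLE PRODLIB.ORDMASTER ADD COLUMN CARDLAST4 CHAR(4);

UPDATE PRODLIB.ORDMASTER SET CARDLAST4 = SUBSTR(CARDNO, 13, 4);

CREATE INDEX PRODLIB.ORDMASTER_LAST4 ON PRODLIB.ORDMASTER (CARDLAST4, ORDDATE);

-- Range and sort operations now use the plaintext index, no decode per row.
SELECT ORDNO, ORDDATE
  FROM PRODLIB.ORDMASTER
 WHERE CARDLAST4 BETWEEN '1000' AND '1999'
 ORDER BY CARDLAST4;
```

Mitigation B is the one that scales: the UPDATE that populates CARDLAST4 decodes every row once, and application inserts must set both columns, but after that neither SQL nor RPG needs the ciphertext index order to make sense. Whatever is copied into the clear column is, by construction, no longer protected by the FieldProc, so the choice of what to copy is a policy decision, not a performance one.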

Let's have some fun and look into our Security Crystal Ball

Looking into the Crystal Ball
- Artificial intelligence (cognitive computing) will play a bigger role
- Security apps and SIEMs are getting upgrades (IBM leading the way)
- Threat intelligence will play a bigger role: IBM X-Force is one example, AlienVault Open Threat Exchange (OTX) another

Looking into the Crystal Ball
- Blockchain: as a log source, for event immutability, for key management credential security
- Quantum computing: yes, quantum computing will affect encryption, but not soon, and probably not 256-bit AES (per NSA)

Any Questions about FieldProc Encryption?
Contact Townsend Security: patrick.townsend@townsendsecurity.com | 800.357.1019 | +1 360.359.4400