Presentation is loading. Please wait.

Presentation is loading. Please wait.

Pervasive Encryption - z/OS Data Set Encryption Implementation

Published byJack Stokes Modified over 5 years ago

Similar presentations

Presentation on theme: "Pervasive Encryption - z/OS Data Set Encryption Implementation"— Presentation transcript:

1 Pervasive Encryption - z/OS Data Set Encryption Implementation
January 8, 2019 Cecilia Carranza Lewis, z/OS Data set encryption architect STSM, z/OS DFSMS Strategy and Architecture IBM®

2 Agenda Data set encryption - Review
Implementation of data set encryption Getting Started Resources

3 Pervasive Encryption with IBM Z Enabled through tight platform integration
Integrated Crypto Hardware Hardware accelerated encryption on every core, CPACF performance improvements of 7x Crypto Express6S – PCIe Hardware Security Module (HSM) & Cryptographic Coprocessor Broadly protect Linux file systems and z/OS data sets using policy controlled encryption that is transparent to applications and databases Data at Rest Clustering Protect z/OS Coupling Facility data end-to-end, using encryption that’s transparent to applications Network Protect network traffic using standards based encryption from end to end, including encryption readiness technology to ensure that z/OS systems meet approved encryption criteria Secure Service Container Secure deployment of software appliances including tamper protection during installation and runtime, restricted administrator access, and encryption of data and code in-flight and at-rest Key Management The IBM Enterprise Key Management Foundation (EKMF) provides real-time, centralized secure management of keys and certificates with a variety of cryptographic devices and key stores And we’re just getting started …

4 Multiple layers of encryption for data at rest Robust data protection
Complexity & Security Control App Encryption hyper-sensitive data Database Encryption Provide protection for very sensitive in-use (DB level), in-flight & at-rest data File or Data Set Level Encryption Provide broad coverage for sensitive data using encryption tied to access control for in-flight & at-rest data protection Full Disk & Tape Provide 100% coverage for at-rest data with zero host CPU cost Data protection & privacy provided and managed by the application… encryption of sensitive data when lower levels of encryption not available or suitable Granular protection & privacy managed by database… selective encryption & granular key management control of sensitive data Broad protection & privacy managed by OS… ability to eliminate storage admins from compliance scope Protection against intrusion, tamper or removal of physical infrastructure Coverage

5 Data Protection // z/OS Dataset Encryption
Protection of data at-rest z/OS CF abc DB2,IMS, zFS, etc... CPACF Storage System SAN Network *** *** z/OS Dataset Encryption: Application transparent & enabled by policy Encryption tied to fine grained access control Host encryption via CPACF as data written-to or read-from disk. Supports ext. format sequential & VSAM Includes HSM & DSS migration/backup of encrypted data sets Replicated data remains encrypted Supports: CICS®, DB2, IMS, Logger, & zFS In-memory system or application data buffers will not be encrypted Client Value Proposition: Reduced cost of encryption along with simple policy controls allows clients to enable extensive encryption to protect data in mission critical databases including DB2®, IMS™ and VSAM Text from IBM z/OS Version 2 Release 2 enhancements and statements of direction (IBM United States Software Announcement , dated October 4, 2016) IBM plans to deliver application transparent, policy-controlled dataset encryption in IBM zTM/OS. IBM DB2 for z/OS and IBM Information Management System (IMS) intend to exploit z/OS dataset encryption. As indicated above, IBM plans to support z/OS data set encryption for DB2, IMS and CICS (e.g. CICS VSAM) data, as well as sequential data (BSAM, QSAM) for batch workloads (see page 30 & 31 for more details). Data sets must be extended format BSAM, QSAM or VSAM. LinuxONE/Linux on z

6 z/OS Data Set Encryption – Client Value
Clients who are required to protect customer data can leverage the IBM Z hardware encryption for data at rest through existing policy management… without application changes. No application changes required Data set level granularity Supports separation of access control for data set and encryption key label Enabled through RACF and / or SMS policy Audit readiness 1 2 3 4 5 Designed to take advantage of the processing power of the z14

7 z/OS Data Set Encryption – Encryption keys
Key label: 64-byte label of a key in the ICSF Cryptographic Key Data Set (CKDS) Required to access an encrypted data set Encryption data key: Require AES-256 bit key Recommend secure keys (protected by Crypto Express AES Master Key) Must be set up in CSFKEYS as a protected key Encryption mode: DFSMS uses XTS mode Key management is critical for a robust security strategy

8 Application transparency via access methods
1 Application transparency via access methods Supported access methods/data set types BSAM and QSAM Sequential extended format data sets VSAM and VSAM/RLS VSAM (KSDS, ESDS, RRDS, VRRDS, LDS) extended format data sets Covers DB2, IMS, zFS, CICS/VSAM, Middleware, Logs, Batch, & ISV Solutions*. Refer to product documentation for information regarding support. (*) Note: For those applications that use the licensed Media Manager services, changes to Media Manager interfaces required to access encrypted data sets. Transparent! No application changes or awareness that sequential or VSAM data is encrypted when accessed using the standard access method APIs.

9 Naming Conventions & Granular Access Control
2 Naming Conventions & Granular Access Control Leveraging naming conventions & z Security to enforce separation across application instances Naming conventions can be used to segment applications, data, and keys, e.g. Environment: PROD, QA, TEST, DEV Application: App1, App2,…, AppN Data-Type: Account, Payroll, Log Version: Ver1, Ver2,…,Verx Application resources (data sets, encryption keys) can be assigned names based on naming conventions, e.g. PROD.APP2.LOG.VER10 PROD.APP1.PAYROLL.KEY.VER7 Security rules can be used to enforce separation with granular access control for application resources and encryption keys PROD MKPROD App1 Data1 PROD.App1.Data1.VerX App2 Data2 PROD.App2.Data2.VerX AppN DataN PROD.AppN.DataN.VerX PROD CKDS PROD.App1.Data1.VerX PROD.App2.Data2.VerX PROD.AppN.DataN.VerX *** *** *** Flexible! Data set encryption is designed to be flexible in allowing as much granularity as desired when identifying key labels for data sets. There is no limit as to how many key labels and encryption keys are used across the data sets…however, planning for key management is critical. Life of the data set is life of the key!

10 Access Control - Segregation of Duties
3 Access Control - Segregation of Duties Data owners that must access content will need authority access to the data set as well as access to the encryption key label Storage administrators who only manage the data sets need access to the data set but not access to the key label (thus protecting access to the content) Different keys can be used to protect different data sets – ideal for multiple tenants or data set specific policies. Prevent administrators from accessing the content Many utilities can process data preserving encrypted form COPY, DUMP and RESTORE Migrate/Recall, Backup/Recover, Dump/Data Set Restore PPRC, XRC, FlashCopy®, Concurrent Copy, etc. Limit access to data in clear! Remove certain roles from compliance scope….by controlling access to the data through SAF permissions.

11 Creating encrypted data sets via policy
4 Creating encrypted data sets via policy A data set is defined as ‘an encrypted data set’ when a key label is supplied on allocation of a new data set of a supported data set type for data set encryption sequential extended format VSAM extended format A key label can be supplied in any of the following sources (in order of precedence as follows): Security policy: RACF data set profile DFP segment Explicity: JCL, Dynamic Allocation, TSO Allocate, IDCAMS DEFINE SMS policy: Data class To allocate via ISPF 3.2, can specify a data class with key label Ease of use! Easy to create an encrypted data set just by specifying a key label. Even easier when enabled via RACF or SMS policy.

12 5 Audit readiness Auditor can rely on system interfaces, not individuals, for compliance. Encryption attributes displayed in various system interfaces SMF records DCOLLECT records LISTCAT IEHLIST LISTVTOC Simplifies compliance! Allows enhanced tooling to help simplify the audit process.

13 Considerations for data set encryption usage

14 Data set types Data set types supported by data set encryption
VSAM extended format Sequential extended format Data set types NOT supported by data set encryption VSAM non-extended format Sequential basic format Sequential large format PDS/PDSE BDAM Sequential tape data sets © Copyright IBM Corporation 2017

15 Extended format data set type
Allocated with DSNTYPE keyword JCL DSNTYPE=EXTREQ or EXTPREF SMS Data class DSNTYPE=EXTR or EXTP SMS-managed DASD data sets Can be compressed format SMS Data class COMPACTION Sequential: Generic, Tailored, zEDC VSAM KSDS: Generic Restrictions System data sets (such as Catalogs, SHCDS, HSM data sets) should not be created as extended format, unless otherwise specified. Cannot be opened for EXCP processing Sequential compressed format data sets cannot be opened for UPDATE processing Considerations Non-compressed format may take more increase storage requirements All physical blocks are same size (short blocks padded) 32-byte suffix appended to each physical block For additional details regarding extended format data sets, refer to publication z/OS DFSMS Using Data Sets After evaluating restrictions, OK to convert to extended format, compression and encryption at the same time.

16 Extended format data sets
Data sets that can be allocated as extended format include: Db2 (table spaces and logs) IMS (certain DBs, logs, trace data sets) CICS/VSAM zFS etc Note: Certain data sets cannot be extended format, for example Temporary data sets – not catalogued SORTWK data sets - accessed with EXCP Data sets accessed with EXCP application Review product documentation for details regarding data set encryption support © Copyright IBM Corporation 2017

17 Data set encryption restrictions
System data sets (such as Catalogs, SHCDS, HSM data sets) must not be encrypted, unless otherwise specified Data sets used before ICSF is started must not be encrypted Sequential (non-compressed) extended format data sets with a BLKSIZE of less than 16 bytes cannot be encrypted Encrypted data sets only supported on 3390 device types DFSMSdss REBLOCK keyword is ignored on COPY and RESTORE functions. DFSMSdss ADRREBLK installation exit will not be called for encrypted data sets DFSMSdss does not support VALIDATE processing when backing up encrypted indexed VSAM data sets. VALIDATE will be ignored. © Copyright IBM Corporation 2017

18 Consider enabling data set level compression
Encrypted data does not compress downstream of encryption Where possible, convert to compressed format data sets With data set level compression, the access methods handle compression before encryption Data class COMPACTION option Supported data set types and compression types Sequential extended format: Generic, Tailored, and zEnterprise Data Compression (zEDC) VSAM extended format (KSDS): Generic Consider potential impacts of not using data set compression with encrypted data sets: Creating encrypted data sets may impact expected savings with disk or tape device compression. Backup and migration of encrypted data sets may impact expected savings with disk or tape device compression. Replicated data that is being compressed in the SAN infrastructure by DWDM technology will no longer be effective trying to compress encrypted data In addition, if deduplication of data is supported, data in encrypted data sets can prevent deduplication from working. © Copyright IBM Corporation 2017

19 Sequential data compression with zEDC
Compresses data up to 4X, saving up to 75% of your sequential data disk space Up to 80% reduced CPU cost compared to tailored and generic compression options Uncompressed CMPSC Compression zEDC © Copyright IBM Corporation 2017

20 Backup, Migration and Replication
System services that manage the data set (as opposed to the data) ensure the data remains in encrypted form During DFSMSdss functions, COPY, DUMP and RESTORE During DFSMShsm functions, Migrate/Recall,Backup/Recover, Abackup/Arecover, Dump/Data Set Restore, FRBACKUP/FRRECOV DSNAME. During track based copy (PPRC, XRC, FlashCopy, Concurrent Copy, etc) operations since read track will get the track image which has the already encrypted data. Encrypting with data set encryption ensures security across all storage tiers, including cloud storage with Transparent Cloud Tiering Key material must be available on target systems to access encrypted data sets Storage admins (or others) DO NOT not require access to the key label to perform these system services.

21 Transmitting data System services services that transmit data will typically retrieve the data using the access methods, thus the data in encrypted data sets is decrypted within these services prior to transmit. When transmitting sensitive data, use the secure versions of these services Connect: Direct FTPS XMIT Storage/System admins (or others) DO require access to the key label to perform these functions. © Copyright IBM Corporation 2017

22 Implementing data set encryption

23 Implementing encryption at the data set level
Role ICSF Admin Security Auditor Systems Prog Storage (Data Mgr) User Owner) Objective Responsible for key mgmt. (defining keys, key labels), working with key mgmt. system; Manages ICSF and key changes Identify data sets that need to be encrypted; Tie encryption to user access; Responsible for creating RACF profiles, assigning access to key labels Update audit reports; Ensure audit and reporting compliance Ensures system (hw/sw) supports encryption; work with Security Admin to determine if migration action needed to allow encryption Assigns encryption to specific data classes; manage backup, migration and replication Automatically create encrypted data sets; Runs applications, submits jobs How Defines key labels in CKDS associated with secure AES256 keys Update key label in RACF data set profile; Modify user profiles with key labels and access permissions to files List the catalog, etc to display encryption status Ensure all systems that may need to access the data have the CKDS Set key labels for data class using storage mgmt. panels (ISMF); Updates ACS rtns Add key label to JCL or IDCAMS DEFINE CLUSTER; Benefit Manages key repository Encrypt sensitive data; Prevent unauthorized access to data based on profiles Determine encryption status to meet compliance Manages HW/SW level on systems to support encryption Manages SMS constructs that enable encryption Automate creation of encrypted files without code changes Not intended to be a complete list of responsibilities

24 Data set encryption – High Level Steps
1 2 3 4 Security Admin Storage Admin ICSF Admin Security Admin Storage Admin DBA User User User Generate an encryption key and key label, store it in the CKDS . Setup RACF for use of key label Associate the key label with the desired data set(s). Migrate to encrypted data OR Create new data DB2: Online Reorg Allow secure key to be used as protected key via ICSF segment SYMCPACFWRAP SYMCPACFRET In RACF, alter DFP segment in data set profile - DATAKEY() Non- disruptive IMS HA Database: Online Reorg Defining a robust key management strategy is critical! Non- disruptive – OR – – AND – zFS Container: zfsadmin encrypt In DFSMS, assign to data class Non- disruptive Grant access to key label VSAM or Seq data set: Stop application Copy data Restart application In RACF, permit access to new resource in FACILITY class

25 Prepare ICSF CKDS for use
ICSF Admin must ensure encryption keys exist Secure AES256 data encryption keys/key labels defined in CKDS Use Crypto Express to protect keys in the CKDS as secure keys Various methods available to create keys, for example IBM Enterprise Key Management Foundation (EKMF) ICSF CKDS Keys Panel (HCR77C1) ICSF APIs (CSNBKGN, CSNBKRC2) ICSF KGUP ICSF Admin Data keys must be accessible EVERYWHERE that the encrypted data sets must be accessed. © Copyright IBM Corporation 2017

26 Data set encryption – High Level Steps
1 2 3 4 Security Admin Storage Admin ICSF Admin Security Admin Storage Admin DBA User User User Generate an encryption key and key label, store it in the CKDS . Setup RACF for use of key label Associate the key label with the desired data set(s). Migrate to encrypted data OR Create new data DB2: Online Reorg Allow secure key to be used as protected key via ICSF segment SYMCPACFWRAP SYMCPACFRET In RACF, alter DFP segment in data set profile - DATAKEY() Non- disruptive IMS HA Database: Online Reorg Non- disruptive – OR – – AND – zFS Container: zfsadmin encrypt In DFSMS, assign to data class Non- disruptive Grant access to key label VSAM or Seq data set: Stop application Copy data Restart application In RACF, permit access to new resource in FACILITY class

27 Prepare for access method use of ICSF CKDS key provisioning service via CSFSERV class
This step is only required if CHECKAUTH(YES) is explicitly specified in the ICSF installation options data set. CHECKAUTH(NO) is the default. Security Admin sets up SAF access to the ICSF CKDS Key Record Read2 (CSNBKRR2) service Define the RACF profile such that no one has access to the ICSF services. For example, Allow everyone to have access to the callable service. For example, or RDEFINE CSFSERV * UACC(NONE) Security Admin RDEFINE CSFSERV CSFKRR2 UACC(READ) PERMIT CSFKKR2 CLASS(CSFSERV) ID(*) ACCESS(READ) © Copyright IBM Corporation 2017

28 Prepare system to allow data set encryption
Security Admin Prepare system to allow data set encryption Security Admin must consider whether migration action should prevent creation of encrypted data sets via resource in FACILITY class: STGADMIN.SMS.ALLOW.DATASET.ENCRYPT Ensure all systems that may need to access the data have the CKDS with key material required to decrypt the data sets AND are at the correct HW/SW levels. To allow the allow the system to create encrypted data sets when the key label is specified via a method outside of the DFP segment in the RACF data set profile, the user must have at least READ authority to the resource in the FACILITY class. RDEFINE FACILITY STGADMIN.SMS.ALLOW.DATASET.ENCRYPT UACC(NONE) PERMIT FACILITY STGADMIN.SMS.ALLOW.DATASET.ENCRYPT ID(*) ACCESS(READ) Allows security admin to control who can create encrypted data sets. © Copyright IBM Corporation 2017

29 Prepare system to allow data set encryption
Security Admin Prepare system to allow data set encryption Security Admin must consider whether allocation of non-extended format data sets with key label should result in allocation failure via resource in FACILITY class: STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC Default allows successful allocation for non-encrypted non-extended format data sets. Info message is issued in this case. To fail the allocation, the user must have at least READ authority to the resource in the FACILITY class. RDEFINE FACILITY STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC UACC(NONE) RALTER FACILITY STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC UACC(READ) Allows security admin to control whether key label should be ignored for unsupported data set types. © Copyright IBM Corporation 2017

30 Set up access to key labels via CSFKEYS class
Security Admin Set up access to key labels via CSFKEYS class Security Admin sets up profiles in the CSFKEYS class based on installation requirements. Any user that must access data in the clear must have access to the key label Must update the ICSF segment of the covering profile to allow ICSF to return a protected key: SYMCPACFWRAP(YES) SYMCPACFRET (YES) Examples Define profile such that no one has access to the key label Allow key label to be used by JOHN when accessed by any application Allow key label to be used by MIKE only when accessed by DFSMS RDEFINE CSFKEYS DATASET.keylabel.v1 UACC(NONE) ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES)) PERMIT DATASET.keylabel.v1 CLASS(CSFKEYS) ID(JOHN) ACCESS(READ) PERMIT DATASET.keylabel.v1 CLASS(CSFKEYS) ID(MIKE) ACCESS(READ) WHEN(CRITERIA(SMS(DSENCRYPTION))) Allows security admin to control who can access data in the clear. © Copyright IBM Corporation 2017

31 Data set encryption – High Level Steps
1 2 3 4 Security Admin Storage Admin ICSF Admin Security Admin Storage Admin DBA User User User Generate an encryption key and key label, store it in the CKDS . Setup RACF for use of key label Associate the key label with the desired data set(s). Migrate to encrypted data OR Create new data DB2: Online Reorg Allow secure key to be used as protected key via ICSF segment SYMCPACFWRAP SYMCPACFRET In RACF, alter DFP segment in data set profile - DATAKEY() Non- disruptive IMS HA Database: Online Reorg Non- disruptive – OR – – AND – zFS Container: zfsadmin encrypt In DFSMS, assign to data class Non- disruptive Grant access to key label VSAM or Seq data set: Stop application Copy data Restart application In RACF, permit access to new resource in FACILITY class

32 Creating encrypted data sets – supplying key labels
A data set is defined as ‘encrypted’ when a key label is supplied on create of a sequential or VSAM extended format data set. Options for assigning key label (with order of precedence): Security policy: RACF data set profile DFP segment Security Admin can update RACF DS profile to request encryption by adding key label: DATAKEY Note: Key label specified in the DFP segment is used regardless of the ACSDEFAULTS(xx) setting specified in SYS1.PARMLIB(IGDSMSxx) JCL, Dynamic Allocation, TSO Allocate, IDCAMS DEFINE User can modify JCL or program to request encryption by adding key label: JCL DSKEYLBL, Dynalloc DALDKYL, DEFINE KEYLABEL SMS policy: Data Class Storage Admin can update specific data class(es) via ISMF to request encryption by adding key label: Data Set Key Label. Storage Admin can update ACS routines to select data classes enabled for data set encryption. Security Admin User Storage Admin © Copyright IBM Corporation 2017

33 Creating encrypted data sets – choosing key label source
RACF Data set profile DFP segment Provides ability to support data set encryption via a security policy, beneficial for audit purposes Identifies data sets via a discrete or generic HLQ Enables security administrator to have control over protection of data, including which data sets are encrypted and which key label is used. JCL, Dynamic Allocation, TSO Allocate, IDCAMS DEFINE Provides ability for a specific job to identify specific data sets to be encrypted. Useful for initial testing Data Class Provides ability to support data set encryption via SMS policy The encryption data class could be explicitly specified for a data set, or it could be determined by defaults defined by an ACS routine. ACS routines are flexible such that the encryption data class could be determined for data sets according to allocation parameters, data set sizes, object or data set names, and other variables. The storage administrator should work with security administrator to understand which data sets are to be encrypted and which key labels are to be used. Security Admin User Storage Admin In choosing a source for key label, consider how to control which data sets are to be encrypted and which key labels are to be used. Many clients prefer to place this control under the role of the security administrator.

34 Creating encrypted data sets – supplying key labels
A data set is defined as ‘encrypted’ when a key label is supplied on create of a sequential or VSAM extended format data set. Options for assigning key label (with order of precedence): Security policy: RACF data set profile DFP segment Security Admin can update RACF DS profile to request encryption by adding key label: DATAKEY Note: Key label specified in the DFP segment is used regardless of the ACSDEFAULTS(xx) setting specified in SYS1.PARMLIB(IGDSMSxx) JCL, Dynamic Allocation, TSO Allocate, IDCAMS DEFINE User can modify JCL or program to request encryption by adding key label: JCL DSKEYLBL, Dynalloc DALDKYL, DEFINE KEYLABEL SMS policy: Data Class Storage Admin can update specific data class(es) via ISMF to request encryption by adding key label: Data Set Key Label. Storage Admin can update ACS routines to select data classes enabled for data set encryption. Security Admin User Storage Admin To only allow new encrypted data sets through RACF policy (and thus controlled by security admin), do not provide users read access to resource STGADMIN.SMS.ALLOW.DATASET.ENCRYPT © Copyright IBM Corporation 2017

35 Prepare for extended format
A data set is defined as extended format via DSNTYPE Options for assigning DSNTYPE (with order of precedence): JCL, Dynamic Allocation, TSO Allocate, IDCAMS DEFINE User can modify JCL or program: JCL DSNTYPE=EXTREQ or EXTPREF, Dynalloc DALDSNT, DEFINE with DATACLASS referencing DSNTYPE SMS policy: Data Class Storage Admin can update specific data class(es) via ISMF to request extended format via DSNTYPE option: SMS data class DSNTYPE=EXTR or EXTP Storage Admin can update ACS routines to select data classes enabled for extended format User Storage Admin Data set encryption requires extended format © Copyright IBM Corporation 2017

36 Optionally, prepare for compressed format
A data set is defined as compressed format via COMPACTION option in data class Assigning COMPACTION SMS policy: Data Class Storage Admin can update specific data class(es) via ISMF to request compressed format via COMPACTION option: - Sequential extended format data sets support generic, tailored, or zEDC compression - VSAM extended format KSDS supports generic compression (Only KSDS can be compressed format) Storage Admin can update ACS routines to select data classes enabled for compression Storage Admin © Copyright IBM Corporation 2017

37 Data set encryption – High Level Steps
1 2 3 4 Security Admin Storage Admin ICSF Admin Security Admin Storage Admin DBA User User User Generate an encryption key and key label, store it in the CKDS . Setup RACF for use of key label Associate the key label with the desired data set(s). Migrate to encrypted data OR Create new data DB2: Online Reorg Allow secure key to be used as protected key via ICSF segment SYMCPACFWRAP SYMCPACFRET In RACF, alter DFP segment in data set profile - DATAKEY() Non- disruptive IMS HA Database: Online Reorg Non- disruptive – OR – – AND – zFS Container: zfsadmin encrypt In DFSMS, assign to data class Non- disruptive Grant access to key label VSAM or Seq data set: Stop application Copy data Restart application In RACF, permit access to new resource in FACILITY class

38 Converting existing data set to data set encryption
Storage/System Admin or user can copy an existing data set to a new target data set allocated as encrypted. No utility currently available to perform a conversion without decrypting data from source and re-encrypting data onto target Standard utilities can be used to perform the copy, for example ISPF 3.3 Copy data set IDCAMS REPRO IEBGENER DB Admin: For high availability, Db2 and IMS provide non-disruptive migration to encryption with DB online reorg function Storage Admin User The above could also be used for re-keying an existing encrypted data set or DB to a new key. Storage/System admins (or others) DO require access to the key label to perform these functions. © Copyright IBM Corporation 2017

39 Accessing data in encrypted data sets
Users (data owners) can access data in encrypted data sets…transparently when Accessed via BSAM, QSAM, VSAM, or VSAM/RLS Data is encrypted on writes and decrypted on reads User Users DO require access to the key label to access data in encrypted data sets. © Copyright IBM Corporation 2017

40 How can I be sure the data is encrypted?
Encryption attributes displayed in various system interfaces SMF records DCOLLECT records LISTCAT IEHLIST LISTVTOC Catalog Search Interface (CSI) ISITMGT To view encrypted data, can use DFSMSdss PRINT Tracks © Copyright IBM Corporation 2017

41 Customer Experiences – Getting Started

42 z/OS Data Set Encryption - Getting Started
Choose an application Prepare test environment Enable encryption ( 4 steps) Test & verify Plan for production rollout Pervasive encryption client advocacy program

43 z/OS Data Set Encryption – Choose an application
CICS/VSAM application DB2 database IMS database Batch workload Log data sets (system logger) Questions: Is your enterprise driving a tops down encryption initiative? e.g. GDPR, PCI DSS, etc.. What do you expect to be the first use case for data set encryption? Note: Data set encryption supports extended format sequential and VSAM

44 z/OS Data Set Encryption – Prepare test environment
Hardware CPACF protected key (z196 or later for AES-XTS mode) Crypto Express3 or later required for secure key Recommend use of Crypto Express in test to validate crypto operational procedures (e.g. master key loading, master key change, etc…) Setup & Configure ICSF Load AES master key Recommend installing latest ICSF web deliverable (HCR77C1) (Can generate AES DATA keys using CKDS Browser) Install/Update Base Software DFSMS - z/OS service or z/OS 2.3 RACF – z/OS service or z/OS 2.3 ICSF – HCR77A0-B1 + service or HCR77C0-C1 Install/Update Exploitation Software DB2, IMS, logger… vendor products? Questions: Is anyone still running z/OS 2.1 or earlier?

45 z/OS Data Set Encryption – Enable Encryption (4 steps)
1 2 3 4 Generate an encryption key and key label, store it in the CKDS . Setup for use of key label in RACF. Associate the key label with the desired data set(s). Migrate to encrypted data Allow secure key to be used as protected key via ICSF segment SYMCPACFWRAP SYMCPACFRET DB2: Online Reorg Non-disruptive In RACF, alter DFP segment in data set profile - DATAKEY() IMS HA Database: Online Reorg Non-disruptive – OR – – AND – zFS Container: zfsadmin encrypt In DFSMS, assign to data class Grant access to key label Non-disruptive VSAM or Seq data set: Stop application Copy data Restart application

46 z/OS Data Set Encryption – Plan for production rollout
Configure ICSF & key store for high availability Configure ICSF & key store for DR Configure periodic logical back up of key store Deploy Enterprise Key Management system for backup & recovery Consider use of host based compression Plan key label naming convention and access control Evaluate encryption overhead Questions: Is ICSF environment configured for Parallel Sysplex? Is ICSF environment configured for DR? Is an Enterprise Key Management system deployed?

47 Enterprise Key Management Encryption of data at enterprise scale requires robust key management
The current key management landscape can be characterized by clients who have … … already deployed an enterprise key management solution … developed a self-built key management solution … not deployed an enterprise key management solution Key management for pervasive encryption must provide … Policy based key generation Policy based key rotation Key usage tracking Key backup & recovery The IBM Enterprise Key Management Foundation (EKMF) provides real-time, centralized secure management of keys and certificates in an enterprise with a variety of cryptographic devices and key stores. EKMF

48 Estimating CPU Cost of Data Protection
z/OS Data Set Encryption – Evaluate impact Estimating CPU Cost of Data Protection zBNA 1.8.1 z Batch Network Analyzer (zBNA) zBNA Background: A no charge, “as is” tool originally designed to analyze batch windows PC based, and provides graphical and text reports Available on techdocs for customers, business partners, and IBMers Previously enhanced for zEDC to identify & evaluate compression candidates zBNA Encryption Enhancements: Enhanced to help clients estimate encryption CPU overhead based on actual client workload SMF data Ability to select z13 or z14 as target machine Support provided for z/OS data set encryption Coupling Facility encryption Version Available on 8/31/2017 Use zBNA to evaluate candidates for encryption, and for estimated CPU overhead if data sets converted to data set encryption. Note: z/OS Capacity Planning tool zCP3000 also updated to provide encryption estimates

49 IBM Z pervasive encryption Performance

50 z14 CPACF - Performance Measurement Considerations
CPACF on chip encryption/decryption support has been greatly optimized on the z14 machine. Early primitive testing validates up to 7X faster Performance benefits for z14 are better when working with large blocks of data. Data set encryption will benefit from large block sizes Encryption overhead is expected to be low for most OLTP workloads. I/O generally avoided where possible (buffer pools, caching) Encryption overhead very small relative to the total workload CPU Encryption cost will be higher for extremely I/O Intensive workloads Lots of I/O (lots of data to encrypt/decrypt) Encryption overhead higher relative to total workload CPU

51 z14 CPACF - Initial Crypto Primitive Measurement Results AES-256 XTS Protected Key
AES-256 XTS mode with Protected Key used by Data Set Encryption z14 measurement of primitives show much better performance for both encrypt & decrypt Results show approaching 7x with larger blocks of data Similar results for GCM mode GigaBytes/Sec

52 z/OS Data Set Encryption – z14 vs z13 Comparison Percent CPU MIPS increase for enabling z/OS data set encryption - z z14

53 MIPS percentage overhead for data set encryption for different customers on z13 and z14
z14 overhead is generally <3-4% (average 2.6%) z13 overhead is generally < 12 – 18% (average 11.6%) zEC12 overhead is generally 2 times higher than z13 overhead

54 Use zEDC compression to enhance the efficiency of dataset encryption.
zEDC offloads most of the CPU cost of dataset compression zEDC can reduce dataset size by up to 5x, reducing the size of the data to be encrypted On z14, zEDC is so efficient that it reduces the CPU cost, even with encryption! Very Highly I/O Intensive Batch For sequential compressed format data sets, consider using zEDC to obtain significant savings in storage, CPU time, and elapsed time. February 4, 2018 Copyright © IBM Corporation 2018

55 Resources

56 Resources Getting Started with z/OS Data Set Encryption Redbook IBM Z pervasive encryption landing page IBM Z pervasive encryption solution guide (Knowledge Center) IBM Z pervasive encryption FAQ: IBM Crypto Education page: zPET Test Reports: MOP demo white paper: Youtube Videos: Data Set Encryption: CF Encryption: zERT:                 MOP MPL Bank: 

57 Thank You

Download ppt "Pervasive Encryption - z/OS Data Set Encryption Implementation"

Similar presentations

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.
System Center 2012 R2 Overview

System Center 2012 R2 Overview
What’s New: Windows Server 2012 R2 Tim Vander Kooi Systems Architect www.NetComLearning.com.

What’s New: Windows Server 2012 R2 Tim Vander Kooi Systems Architect
Profit from the cloud TM Parallels Dynamic Infrastructure AndOpenStack.

Profit from the cloud TM Parallels Dynamic Infrastructure AndOpenStack.
1 DB2 Access Recording Services Auditing DB2 on z/OS with “DBARS” A product developed by Software Product Research.

1 DB2 Access Recording Services Auditing DB2 on z/OS with “DBARS” A product developed by Software Product Research.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.

Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.
Introduction of z/OS Basics © 2006 IBM Corporation Chapter 5: Working with data sets.

Introduction of z/OS Basics © 2006 IBM Corporation Chapter 5: Working with data sets.
Introduction to the new mainframe: Large-Scale Commercial Computing © Copyright IBM Corp., 2006. All rights reserved. Chapter 4: Integrity and security.

Introduction to the new mainframe: Large-Scale Commercial Computing © Copyright IBM Corp., All rights reserved. Chapter 4: Integrity and security.
Advanced Databases Basic Database Administration Guide to Oracle 10g 1.

Advanced Databases Basic Database Administration Guide to Oracle 10g 1.
Implementing Failover Clustering with Hyper-V

Implementing Failover Clustering with Hyper-V
Chapter 9 Overview  Reasons to monitor SQL Server  Performance Monitoring and Tuning  Tools for Monitoring SQL Server  Common Monitoring and Tuning.

Chapter 9 Overview  Reasons to monitor SQL Server  Performance Monitoring and Tuning  Tools for Monitoring SQL Server  Common Monitoring and Tuning.
IBM TotalStorage ® IBM logo must not be moved, added to, or altered in any way. © 2007 IBM Corporation Break through with IBM TotalStorage Business Continuity.

IBM TotalStorage ® IBM logo must not be moved, added to, or altered in any way. © 2007 IBM Corporation Break through with IBM TotalStorage Business Continuity.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.
Module 10 Configuring and Managing Storage Technologies.

Module 10 Configuring and Managing Storage Technologies.
Hands-On Microsoft Windows Server 2008 Chapter 5 Configuring, Managing, and Troubleshooting Resource Access.

Hands-On Microsoft Windows Server 2008 Chapter 5 Configuring, Managing, and Troubleshooting Resource Access.
Database System Development Lifecycle © Pearson Education Limited 1995, 2005.

Database System Development Lifecycle © Pearson Education Limited 1995, 2005.
Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 

Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 
Week 9 Objectives Securing Files and Folders Protecting Shared Files and Folders by Using Shadow Copies Configuring Network Printing.

Week 9 Objectives Securing Files and Folders Protecting Shared Files and Folders by Using Shadow Copies Configuring Network Printing.

Similar presentations

Ads by Google