Satisfy Stringent Requirements for Encryption and Key Management
Powertech Encryption for IBM i will help your organization meet compliance mandates through its integrated key management solution and its strong IBM i field encryption and backup encryption features. Powertech Encryption for IBM i uses the AES and TDES encryption algorithms, both of which follow standard (non-proprietary) specifications published by the United States National Institute of Standards and Technology (NIST). AES and TDES are widely used for protecting highly sensitive data and complying with PCI DSS, HIPAA, the GDPR, and state privacy laws. Powertech Encryption for IBM i also includes comprehensive auditing features, which make compliance reporting faster and easier.
Continue reading to learn how Powertech Encryption for IBM i can help your organization secure critical data and meet compliance requirements.
PCI DSS and Powertech Encryption for IBM i
Specific sections of the PCI Data Security Standard (DSS) focus on the cryptography and key management requirements for organizations. The wording of these DSS sections is quoted below. Under each quoted requirement you'll find an explanation of how Powertech Encryption for IBM i addresses it.
PCI DSS 3.3
3.3 Mask PAN (Primary Account Number) when displayed (the first six and last four digits are the maximum number of digits to be displayed).
Using Powertech Encryption for IBM i’s granular authority controls, you can indicate which users (or groups) have access to the full PAN and which users have access only to the masked PAN. When defining the PAN’s field settings in Powertech Encryption for IBM i, you can specify the formatting of its masked value. For example, a mask can be specified to show only the last four digits (e.g. ************1234) or first six digits (e.g. 485620**********) of the PAN. All other digits can be substituted with a special character such as an asterisk.
PCI DSS 3.4
3.4 Render PAN, at minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs) by using any of the following approaches:
- One-way hashes based on strong cryptography
- Index tokens and pads (pads must be securely stored)
- Strong cryptography with associated key management processes and procedures.
The MINIMUM account information that must be rendered unreadable is the PAN.
Powertech Encryption for IBM i provides strong cryptography (encryption) for protecting data on IBM i. The widely used Advanced Encryption Standard (AES) and Triple Data Encryption Standard (TDES) are both provided in Powertech Encryption for IBM i.
The AES and TDES standards are widely used throughout the corporate and government sectors for encrypting sensitive data. The National Institute of Standards and Technology (NIST) also approves the AES and TDES standards for protecting top secret information within the federal government.
Although PCI DSS does not specify which cryptographic standards must be used, most organizations use AES to protect credit card information. AES is the latest encryption standard (approved by NIST in 2001) and offers strong protection (using keys up to 256 bits in length) with good performance.
Powertech Encryption for IBM i also includes a comprehensive key management solution for IBM i. This key management solution allows organizations to do the following:
- Establish policy settings on how Symmetric Keys can be created and utilized
- Indicate which users can create and manage Symmetric Keys
- Randomly generate strong Symmetric Keys
- Protect Symmetric Keys using Master Encryption Keys
- Protect the recreation of a Master Encryption Key by requiring passphrases from up to 8 users
- Organize Symmetric Keys into one or more Key Stores
- Restrict access to Key Stores using i5/OS object authority
- Restrict the retrieval of the actual Symmetric Key values
- Provide separation of duties (i.e. the creator of a Symmetric Key can be restricted from using the Key to encrypt and/or decrypt data)
- Control which users can utilize Symmetric Keys to encrypt and decrypt data
PCI DSS 3.5
3.5 Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse.
3.5.1 Restrict access to cryptographic keys to the fewest number of custodians necessary
3.5.2 Store cryptographic keys securely in the fewest possible locations and forms
Powertech Encryption for IBM i includes a comprehensive key management solution for IBM i. This solution allows an organization to indicate the Key Officers (Custodians) which are authorized to create and manage Master Encryption Keys (MEKs) and Data Encryption Keys (DEKs).
A Master Encryption Key (MEK) is a special Symmetric Key used to protect (encrypt) the Data Encryption Keys (DEKs). An organization can create up to eight MEKs per environment on the IBM i. A MEK is generated by the product using passphrases entered by designated users. Depending on the organization’s key policy, up to eight different passphrases can be required to be entered (by different users) in order to generate a MEK.
The encrypted Data Encryption Keys (DEKs) are contained within Key Stores. Each Key Store is created as a *VLDL (Validation List) object on the IBM i.
An organization can control access to the Key Store *VLDL object using i5/OS object security. Object *CHANGE authority can be granted only to those users who are allowed to manage the keys within the Key Store. Object *USE authority can be granted only to those users who are allowed to use the keys (for encrypting/decrypting data) within the Key Store.
PCI DSS 3.6
3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following:
3.6.1 Generation of strong cryptographic keys
Powertech Encryption for IBM i allows the creation of strong symmetric keys using the AES and TDES encryption standards. For AES, the key length can be specified up to 256 bits to offer the highest protection.
By default, keys are randomly generated by Powertech Encryption for IBM i to offer the best security. Depending on the Key Policy settings specified in Powertech Encryption for IBM i, the actual value of the Key will never be known to the user or applications. The Keys will simply be referred to by a user-defined label.
Depending on the Key Policy, a Key can additionally be generated from a user-entered passphrase, a salt and an iteration count using the PBKDF2 standard (Password-Based Key Derivation Function 2, as specified in RFC 2898).
3.6.2 Secure cryptographic key distribution
Powertech Encryption for IBM i stores Data Encryption Keys (DEKs) within Key Stores, which are created as *VLDL (Validation List) objects on the IBM i. The DEKs within the Key Stores are encrypted with Master Encryption Keys (MEKs).
The Key Store *VLDL objects can be distributed to other systems over non-secure connections. The targeted systems will only be able to utilize the Data Encryption Keys (DEKs) within the Key Stores if they implement the same Master Encryption Keys (MEKs). MEKs can only be regenerated by entering the exact passphrase values as were entered on the original system.
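The following is an added example (not Powertech code) of the PBKDF2 derivation described under 3.6.1 and of the property 3.6.2 depends on: a key derived from a passphrase, salt and iteration count is reproducible on a second system only when all three inputs match exactly. HMAC-SHA256 as the PRF, the 16-byte salt and the iteration count are this example's assumptions, not product settings.

```python
# Added example (not Powertech code): PBKDF2 (RFC 2898) passphrase-based key
# derivation and the determinism that lets a key be regenerated elsewhere.
import hashlib
import hmac
import os

AES_KEY_BITS = (128, 192, 256)


def derive_key(passphrase: str, salt: bytes, iterations: int,
               key_bytes: int = 32, prf: str = "sha256") -> bytes:
    """Derive `key_bytes` of key material with PBKDF2-HMAC-<prf>.

    RFC 2898 leaves the PRF to the implementer; HMAC-SHA256 is this example's
    choice (assumption). The RFC recommends at least 8 salt octets and as high an
    iteration count as performance allows.
    """
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    if key_bytes < 1:
        raise ValueError("key length must be positive")
    return hashlib.pbkdf2_hmac(prf, passphrase.encode("utf-8"), salt,
                               iterations, key_bytes)


def derive_aes_key(passphrase: str, salt: bytes, iterations: int,
                   key_bits: int = 256) -> bytes:
    """Derive an AES key of 128, 192 or 256 bits (the page's maximum is 256)."""
    if key_bits not in AES_KEY_BITS:
        raise ValueError("AES key length must be 128, 192 or 256 bits")
    return derive_key(passphrase, salt, iterations, key_bits // 8)


def new_salt(length: int = 16) -> bytes:
    """Fresh random salt for a newly created key (16 bytes is an assumption)."""
    return os.urandom(length)


def keys_match(a: bytes, b: bytes) -> bool:
    """Constant-time comparison so key checks do not leak timing information."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    salt, rounds = new_salt(), 200_000            # constructed policy values
    original = derive_aes_key("correct horse battery", salt, rounds)
    # A second system regenerates the same key only from the exact same inputs.
    regenerated = derive_aes_key("correct horse battery", salt, rounds)
    wrong_pass = derive_aes_key("correct horse batter", salt, rounds)
    print(keys_match(original, regenerated), keys_match(original, wrong_pass))
```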
The GDPR and Powertech Encryption for IBM i
Encryption is the main technological solution that helps ensure a huge fine is not levied in the event of a data breach under the GDPR. How? The GDPR specifies that technological solutions must be in place to ensure data is protected, though it does not specify a particular solution apart from encryption and pseudonymisation.
There are a number of benefits to using Powertech Encryption for IBM i to encrypt data, but one in particular makes it a must-have for meeting the GDPR.
The GDPR states that, in the event of a data breach or a suspected data breach, the supervisory authorities must be notified AND if there is a high risk to the people whose data has been breached then those individuals must also be notified.
However, the GDPR goes on to state that if the data is encrypted or pseudonymised, and the keys are not stored with the data, then the individuals do NOT need to be notified because their data is deemed unusable.
The GDPR and Encryption
Article 32: Security of processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
Article 34: Communication of a personal data breach to the data subject
The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
(a) the controller has implemented appropriate technical and organisational protection measures, and that those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
Powertech Encryption for IBM i is a comprehensive solution for protecting sensitive data through strong encryption technology, integrated key management, and audit trails.
Powertech Encryption for IBM i was designed to simplify encryption, which has traditionally been difficult and time-consuming for organizations to implement. Every effort has been made to minimize the application changes needed, allowing an organization to implement encryption successfully for less time and money, while providing a high degree of protection.
NY DFS Cybersecurity Regulation (23 NYCRR 500) and Powertech Encryption for IBM i
In response to the ever-growing threat posed to information and financial systems, the New York State Department of Financial Services has passed a regulation for organizations in the financial industry. Regulated entities are responsible for implementing cybersecurity programs that match the relevant risks and keep pace with technological advances. A regulated entity's cybersecurity program must ensure the safety and soundness of the institution and protect its customers.
Several components of the regulation are imposed to prevent data from ever being exposed, but the regulation also requires encryption of non-public information to ensure that institutional and customer data is protected in the event of a breach.
Section 500.15 Encryption of Nonpublic Information.
(a) As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest.
(1) To the extent a Covered Entity determines that encryption of Nonpublic Information in transit over external networks is infeasible, the Covered Entity may instead secure such Nonpublic Information using effective alternative compensating controls reviewed and approved by the Covered Entity’s CISO.
(2) To the extent a Covered Entity determines that encryption of Nonpublic Information at rest is infeasible, the Covered Entity may instead secure such Nonpublic Information using effective alternative compensating controls reviewed and approved by the Covered Entity’s CISO.
(b) To the extent that a Covered Entity is utilizing compensating controls under (a) above, the feasibility of encryption and effectiveness of the compensating controls shall be reviewed by the CISO at least annually.
Powertech Encryption for IBM i meets the recommendations provided by NY DFS to protect sensitive data with strong encryption. Powertech Encryption for IBM i is designed to simplify encryption for organizations, something that hasn’t always seemed feasible to many IBM i organizations.
Powertech Encryption for IBM i uses IBM Field Procedures to securely encrypt your data at rest and uses IBM Authorization Lists to determine who can see the data. The data can be shown in full, partially masked, or fully masked. This holds even for users with *ALLOBJ authority.