Your KEY to success for Pervasive Encryption and Multicloud Key Management
Isabel Arnold, IBM Denmark, Crypto Center
November 2020, Session 2AW
The safest door in the world becomes useless if you lose your keys.
Encryption made easy with IBM Z Pervasive Encryption
– Encrypt data automatically, immediately and efficiently at the time it is written
– Decouple encryption from data classification
• Reduce labor-intensive data classification work
• Reduce risks associated with incorrectly classified or undiscovered sensitive data
– Achieve application transparent encryption
IBM Crypto Competency Center / © 2020 IBM Corporation 3
But where to keep your encryption keys?
Do I need a key management system?
Yes, if you want any of these:
More than 10 keys
Periodic, staggered key rotation
Avoid manual distribution
Easy overview of keys
Keystore backup and recovery of individual keys
Strong security and compliance for key management operations (e.g. dual control)
Enforced key naming conventions
Downsides of < 10 keys
Large amount of encrypted data affected if a single key is compromised
Less granular control of how to separate people from data
Difficult to stagger rotation periods for keys
You need good dataset naming conventions!
[Diagram: PROD → App1 / Data1, App2 / Data2, … AppN / DataN]
Example dataset names: PROD.APP1.PAYROLL.VER7, PROD.APP2.LOG.VER10
EKMF Web for Pervasive Encryption on IBM Z
When implementing pervasive encryption it is very important that a robust key management system is in place.
IBM Enterprise Key Management Foundation (EKMF) has a proven record of meeting the key management requirements you find in large financial companies like banks and card processors.
IBM offers EKMF Web for Pervasive Encryption that helps you manage the keys involved in dataset encryption.
EKMF Web for PE features
Single central key repository
• Stores metadata (activation dates, usage, etc.)
• Single-point backup and recovery
Key Management
• Generation based on policies
• According to NIST recommendations
• Using Hardware Security Modules (HSM)
Pervasive Encryption Support
• Dataset dashboard
• Import and management of existing PE keys
• Central support for multiple z/OS systems
Security & Compliance
• Role-based access
• Dual control implemented using separation of privileges
• Audit logging
EKMF components
[Diagram: Web Browser with EKMF Web, Hardware Security Modules, Central EKMF repository, Cloud key stores, Custom key stores, EKMF Workstation in a secure room; HSM labels: FIPS 140-2 Level 4, IBM Crypto Express, IBM 476x, PCI]
EKMF Workstation
• Can be placed in secure room
• Utilizes IBM 4767 HSM
• Generate new keys by users authenticated with smart cards or automatically based on requests
EKMF Web
• Browser-based key generation & management for Pervasive Encryption and Cloud (Cloud not in product version yet)
EKMF Repository
• Contains keys and metadata for all cryptographic keys produced by EKMF
• Easy backup and recovery of key material
EKMF Web Architecture
[Architecture diagram: z/OS LPAR with Crypto Express (CEX4S) adapters, ICSF, EKMF agent and CKDS; Liberty running EKMF Web; Cloud key stores; Master Catalog; EKMF datasets database; EKMF key repository; PE Dataset Scanner Job; Web Browser]
EKMF Web prereqs
[Same architecture diagram as above, annotated with the prerequisites below]
z/OS 2.3 or later with fixes
• Crypto adapter assigned to LPAR with fully initialized master key sets (AES, RSA, ECC) - TKE required
• IBM z14 & CEX6 or later recommended to generate AES cipher keys
• IBM z13 & CEX5 can only generate AES data keys
• Configured to use variable key length tokens
• Required databases, tables, views must be created in Db2 (V12 recommended)
• HKMGAS0 (min. PTF level KMGS006) or HKMGAL0 (min. PTF level KMGL010)
• Web Browser: Firefox or Chrome
Data-encrypting keys
Used to encrypt and decrypt data & can be 128-bits, 192-bits, or 256-bits in length
AES CIPHER keys
• Use symmetric variable-length key token
• The key value is always encrypted.
• Keyblocks contain attributes allowing for detailed control of key usage and exchange options
• EKMF Web wrapping for AES Cipher keys based on AES encryption
AES DATA keys
• Use symmetric fixed-length key token
• Key value can be either encrypted or in the clear
• Do not have associated key attributes - Export of AES Data keys must be controlled by other means, such as RACF
• EKMF Web wrapping for AES Data keys based on RSA keys
The use of AES Cipher keys for Pervasive Encryption is recommended for any system which supports their use. The minimum requirements for using AES Cipher keys for PE are z14 with CEX6 and ICSF HCR77C1.
EKMF Web Key Hierarchy
Master Key (AES)
– Data KEK (RSA) wraps Data Key (AES)
– Cipher KEK (AES) wraps Cipher Key (AES)
EKMF Web Recovery Key (AES)
EKMF Web for PE Screenshots Demo: Create a key to encrypt your first dataset
EKMF flow
[Screenshots of the EKMF Web key creation flow]
These are the policies that define how your keys are created
IBM z13 can only generate AES data keys. We recommend using AES cipher keys, available from z14 with CEX6 or later.
What to do with the key
Dataset profiles     DFP DATAKEY            User Access
BANKING.**           BANKING.KEY.LABEL      READ
MORTGAGE.**          MORTGAGE.KEY2.LABEL    READ

Profiles in CSFKEYS class    User Access
BANKING.KEY.LABEL            READ
MORTGAGE.KEY2.LABEL          READ

[Diagram: datasets BANKING.TEST, MORTGAGE.PROD and BANKING.OLD on the CKDS side, with the four steps below as callouts]
1. Define key profile to RACF
2. Assign key to RACF dataset profile
3. (Re-)allocate; existing datasets are not encrypted (e.g. BANKING.OLD)
4. User needs RACF access to a) Key b) Dataset
Setup for use of key label in RACF
Allow secure key to be used as protected key via ICSF segment (SYMCPACFWRAP, SYMCPACFRET):
RDEFINE CSFKEYS keylabel_name UACC(NONE) ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
– AND –
Grant access to key label:
PERMIT keylabel_name CLASS(CSFKEYS) ID(user) ACCESS(READ) WHEN(CRITERIA(SMS(DSENCRYPTION)))
Associate the key label with the desired data set(s), either:
– In RACF, alter the DFP segment in the data set profile - DATAKEY() (the data set profile name goes inside the quotes):
ALTDSD '' UACC(NONE) DFP(RESOWNER(owner) DATAKEY(keylabel_name))
PERMIT '' ID(groupid) ACCESS(READ)
– OR –
– In DFSMS, assign the key label to the data class
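The access model behind those commands, as an added example (illustration code, not EKMF, RACF or ICSF code): a user reading an encrypted data set needs READ on the covering data set profile and READ on the key label in CSFKEYS, while a data set allocated before DATAKEY was set stays unencrypted and needs only data set access. The BANKING.** / MORTGAGE.** profiles and key labels come from the slide; the users TELLER and LOANOPS, the allocation history and the simplified generic-profile matching rules are assumptions made for the example.

```python
"""Model of the RACF checks the slide describes for z/OS data set encryption.

Added illustration, not EKMF/RACF/ICSF code. Profiles and key labels mirror
the slide; users, allocation history and the matching rules are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


def qualifiers_match(profile_quals: List[str], dsn_quals: List[str]) -> bool:
    """Simplified RACF generic matching on data set qualifiers (assumption):
    '**' matches zero or more qualifiers, '*' exactly one, others literally."""
    if not profile_quals:
        return not dsn_quals
    head, rest = profile_quals[0], profile_quals[1:]
    if head == "**":
        # let '**' consume 0..n qualifiers and try the remainder
        return any(qualifiers_match(rest, dsn_quals[i:])
                   for i in range(len(dsn_quals) + 1))
    if not dsn_quals:
        return False
    if head in ("*", dsn_quals[0]):
        return qualifiers_match(rest, dsn_quals[1:])
    return False


def best_profile(dsn: str, profiles) -> Optional[str]:
    """Most specific matching profile: most literal qualifiers, then fewest
    '**' (an approximation of RACF's left-to-right specificity rule)."""
    matches = [p for p in profiles
               if qualifiers_match(p.split("."), dsn.split("."))]
    if not matches:
        return None

    def specificity(p: str):
        quals = p.split(".")
        return (sum(q not in ("*", "**") for q in quals), -quals.count("**"))

    return max(matches, key=specificity)


@dataclass
class DatasetProfile:
    datakey: Optional[str]   # DFP DATAKEY(...) key label; None = none assigned
    access: Dict[str, str]   # user -> access level granted with PERMIT


# Constructed to mirror the slide's two tables.
DATASET_PROFILES = {
    "BANKING.**": DatasetProfile("BANKING.KEY.LABEL", {"TELLER": "READ"}),
    "MORTGAGE.**": DatasetProfile("MORTGAGE.KEY2.LABEL", {"LOANOPS": "READ"}),
}
# CSFKEYS class: key label -> user -> access (PERMIT ... CLASS(CSFKEYS)).
CSFKEYS_PROFILES = {
    "BANKING.KEY.LABEL": {"TELLER": "READ"},
    "MORTGAGE.KEY2.LABEL": {},          # nobody PERMITted yet
}
# Key label captured at allocation time (constructed). Slide step 3: a data
# set allocated before DATAKEY was set stays unencrypted until re-allocated.
CATALOG = {
    "BANKING.TEST": "BANKING.KEY.LABEL",
    "MORTGAGE.PROD": "MORTGAGE.KEY2.LABEL",
    "BANKING.OLD": None,
}


def _has_access(table: Dict[str, str], user: str) -> bool:
    return table.get(user, "NONE") != "NONE"


def key_label_for_new_allocation(dsn: str) -> Optional[str]:
    """Key label a newly allocated data set inherits from its profile."""
    profile = best_profile(dsn, DATASET_PROFILES)
    return DATASET_PROFILES[profile].datakey if profile else None


def check_read(user: str, dsn: str):
    """(allowed, reason): an encrypted data set needs READ on the data set
    profile AND READ on its key label in CSFKEYS (slide step 4)."""
    profile = best_profile(dsn, DATASET_PROFILES)
    if profile is None or not _has_access(DATASET_PROFILES[profile].access, user):
        return False, f"{user} has no READ on a data set profile covering {dsn}"
    label = CATALOG.get(dsn)
    if label is None:
        return True, f"{dsn} is not encrypted; data set access alone suffices"
    if not _has_access(CSFKEYS_PROFILES.get(label, {}), user):
        return False, f"{user} has no READ on CSFKEYS profile {label}"
    return True, f"{user} may read {dsn}: data set and key {label} both permitted"


def setup_commands(ds_profile: str, key_label: str, owner: str, id_: str) -> List[str]:
    """The four RACF commands from the slide, filled in for one profile."""
    return [
        f"RDEFINE CSFKEYS {key_label} UACC(NONE) ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))",
        f"PERMIT {key_label} CLASS(CSFKEYS) ID({id_}) ACCESS(READ) WHEN(CRITERIA(SMS(DSENCRYPTION)))",
        f"ALTDSD '{ds_profile}' UACC(NONE) DFP(RESOWNER({owner}) DATAKEY({key_label}))",
        f"PERMIT '{ds_profile}' ID({id_}) ACCESS(READ)",
    ]


if __name__ == "__main__":
    for u, d in [("TELLER", "BANKING.TEST"), ("TELLER", "BANKING.OLD"),
                 ("LOANOPS", "MORTGAGE.PROD"), ("TELLER", "MORTGAGE.PROD")]:
        print(check_read(u, d))
    print("\n".join(setup_commands("MORTGAGE.**", "MORTGAGE.KEY2.LABEL", "MTGOWN", "LOANOPS")))
```

Running it shows the two failure modes the slide warns about: LOANOPS holds READ on MORTGAGE.** but not on MORTGAGE.KEY2.LABEL in CSFKEYS, so MORTGAGE.PROD is refused until the PERMIT on the key label is issued; BANKING.OLD is readable with data set access alone because it was never re-allocated and therefore holds no key label.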
z/OS data set encryption – Detailed description
Generate an encryption key and key label, store it in the CKDS
Migrate to encrypted data:
– DB2: Online Reorg (non-disruptive)
– IMS HA Database: Online Reorg (non-disruptive)
– VSAM or Seq data set: 1. Stop application 2. Copy data 3. Restart application
– zFS Container: zfsadm encrypt (non-disruptive)
If you lose your key, EKMF Web can restore it
Already started PE? No problem, import existing keys
A key template for these types of keys must have been defined for the keystore you are importing from
Check dashboard for encryption details about datasets
Encrypted dataset with key details
Encryptable data sets
Not encryptable datasets (will be updated soon)
Filter and show details
Multicloud Key Orchestrator
EKMF Cloud support
EKMF Web supports key distribution to IBM Key Protect, Amazon KMS and Azure
AWS KMS: Supported
IBM Cloud Key Protect: Supported
Microsoft Azure Key Vault: Supported
Google Cloud KMS: Future
[Diagram: Web Browser with EKMF Web and EKMF Workstation distributing keys to the cloud key stores]
Define cloud keystores and key templates
AWS support in EKMF Workstation
Further reading
Announcement letter: http://ibm.com/common/ssi/cgi-bin/ssialias?infotype=AN&subtype=CA&htmlfid=897/ENUS220-108
EKMF Agent Installation and Configuration Guide: http://publibfp.dhe.ibm.com/epubs/pdf/c2820240.pdf
EKMF Web Installation and Configuration Guide: http://publibfp.dhe.ibm.com/epubs/pdf/c2820220.pdf
EKMF Web UI User's Guide: http://publibfp.dhe.ibm.com/epubs/pdf/c2820230.pdf
EKMF Web for PE Virtual Workshop
Participants who attend this Virtual Workshop will learn about key management, key management considerations, EKMF Web architecture and dataset encryption.
Agenda:
• 9:00 AM Overview Pervasive Encryption, Key Management and EKMF Web
• 10:15 AM TKE Demo
• 10:30 AM Hands-on Lab EKMF Web and dataset encryption
• 12:30 PM Key Management considerations and wrap up
Virtual Class requires students to connect to Webex and have access to the internet via browser to connect to a virtual desktop.
Contact [email protected]
IBM Crypto Competence Center Copenhagen
• 100+ clients, mainly in Financial Services
• 13 out of the 25 largest Banks in Europe
• 25 years experience
Service Offerings
• Cryptography-as-a-Service
• Crypto Agility and Quantum readiness
• Crypto APIs for payment processing industry
• Enterprise key management solutions
• Pervasive Encryption key management
• Multi-cloud key management
• Advanced XML signing solutions
Consulting & Implementation Services
• Specialists in PCI compliant crypto solutions
• Cross-industry experience
Areas: Encryption; PKI - Digital Signatures & Certificates; Crypto APIs; Enterprise Key Management; Policy Compliance; Crypto Analytics Tool
Securing the world, one bit at a time
Please submit your session feedback!
Do it online at http://conferences.gse.org.uk/2020/feedback/2AW
This session is 2AW - Your KEY to success for Pervasive Encryption and Multicloud Key Management
GSE UK Conference 2020 Charity
The GSE UK Region team hope that you find this presentation and others that follow useful and help to expand your knowledge of z Systems.
Please consider showing your appreciation by kindly donating a small sum to our charity this year, NHS Charities Together. Follow the link below or scan the QR Code:
http://uk.virginmoneygiving.com/GuideShareEuropeUKRegion
Thank you
© Copyright IBM Corporation 2020. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM’s current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and ibm.com are trademarks of IBM Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available at Copyright and trademark information.
https://www.ibm.com/legal/copytrade