The purpose of this blog is to explain the IBM i encryption options and factors to help the reader determine when IBM i data-at-rest encryption is cost-justified.
Disclaimer: IBM i is an operating system. iSeries and AS400 are servers. I use these terms interchangeably to make it easy for folks to find this information with web searches.
Security is a priority for business. We all want our sensitive and critical data to be safe from “bad guys.”
As a hosting provider, we take client security seriously.
We increasingly hear prospective clients requesting data-at-rest encryption for IBM i hosting.
2 IBM i Encryption Options – Data-At-Rest And Field-Level Encryption
Since IBM i V6.1, IBM has provided several options for clients to get data-at-rest encryption. The product 5770SS1 Option 45, Encrypted ASP enablement, encrypts data as it is stored on disk. This encryption only protects your system against theft of the disk itself. It does not encrypt data in flight, and it does not encrypt the data as it exists in files or tables.
The system ASP cannot be encrypted, so you must move critical data to another ASP. This requires some application changes.
The second type of encryption is called field level encryption. This type encrypts the actual sensitive data such as Social Security number, credit card number, security code number and customer numbers. Knowledge of the application is required to determine which fields would need to be encrypted and what impact it may have on the applications.
Have Someone Who Knows IBM i And Your Application Set Up Data-At-Rest Encryption
Whether you work with the IBM i OS tools or a software solution to more easily implement field-level encryption, it still takes an application expert to understand your application database and encrypt the sensitive fields.
When completed, only authorized users with the appropriate user name and profile can access those specific encrypted fields.
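To make the field-level approach concrete, here is an added example in Db2 for i SQL (written for this post; it is not code from the original article or from IBM). It uses the built-in ENCRYPT_AES and DECRYPT_CHAR functions plus a column mask so that only certain user profiles can reach the protected column; the SDEMO schema, the CUSTOMER table, the PAYROLL group profile and the SSN values are all constructed names.

```sql
-- Example SQL, not from the original post. SDEMO, CUSTOMER and the PAYROLL
-- group profile are constructed names; the SSN values are made up.

-- 1. The sensitive column is stored as binary ciphertext, never as text.
--    VARBINARY(200) leaves room for ENCRYPT_AES padding and metadata.
CREATE TABLE SDEMO.CUSTOMER (
  CUST_ID   INTEGER      NOT NULL PRIMARY KEY,
  CUST_NAME VARCHAR(60)  NOT NULL,
  SSN_ENC   VARBINARY(200)
);

-- 2. The encryption password is set once for the connection and held by the
--    application, so it never appears in the stored rows or in the table DDL.
SET ENCRYPTION PASSWORD = 'replace-with-an-application-managed-secret';

INSERT INTO SDEMO.CUSTOMER (CUST_ID, CUST_NAME, SSN_ENC) VALUES
  (1, 'Customer One', ENCRYPT_AES('123-45-6789')),
  (2, 'Customer Two', ENCRYPT_AES('987-65-4321'));

-- 3. Only a program that knows the password can turn the bytes back into text.
SELECT CUST_ID, DECRYPT_CHAR(SSN_ENC) AS SSN
  FROM SDEMO.CUSTOMER
 WHERE CUST_ID = 1;

-- 4. Tie the column to the user profile with a column mask (row and column
--    access control, IBM i 7.2 and later): profiles outside the PAYROLL
--    group receive NULL instead of the ciphertext, even if they hold
--    SELECT authority on the table.
CREATE MASK SDEMO.SSN_ENC_MASK ON SDEMO.CUSTOMER
  FOR COLUMN SSN_ENC RETURN
    CASE WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'PAYROLL') = 1
         THEN SSN_ENC
         ELSE NULL
    END
  ENABLE;

ALTER TABLE SDEMO.CUSTOMER ACTIVATE COLUMN ACCESS CONTROL;

-- 5. Check what a profile will see before rolling out: a user outside PAYROLL
--    gets NULL for SSN_ENC; a PAYROLL member gets the ciphertext and still
--    needs the password to read it.
SELECT CUST_ID, SSN_ENC FROM SDEMO.CUSTOMER;
```

The two layers are independent: the mask controls which profiles can even retrieve the column, and the password controls who can decrypt what they retrieve.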
You Can Also Encrypt Your Storage For Data-At-Rest Encryption – And You Still Need An Applications Expert
If you want your storage to have data-at-rest encryption, it still requires an expert in your applications and IBM i. That is because you need to keep the IBM i OS, IBM System Base (QLIBR), and user profile keys segregated from the application database.
Be aware that such a setup also has a performance impact, as your server encrypts and decrypts your protected data.
Expect To Pay Big Bucks For IBM i Data-At-Rest Disk Encryption
It takes IBM i and application expertise to implement IBM i data-at-rest encryption. Every encryption project is unique based on the specific client’s software and needs.
What can you expect to pay?
I have heard $5,000 – $100,000 for starters.
Is IBM i Data-At-Rest Encryption Really Worth It?
Ultimately, this is your call.
Before you decide, let’s be clear about what IBM i data-at-rest encryption protects against. If someone breaks into your data center and removes a disk drive, the person stealing the disk cannot read the data on the drive.
So what?
IBM i architecture is single-level storage. In essence, IBM i stripes your database across multiple disk units in the array. This also means that if a thief removes a disk unit that is not encrypted, the thief cannot read the data, because the disk does not contain a complete sequence of data. The data on the disk is OUT OF CONTEXT from the rest of the database.
With single-level storage architecture, the thief would have to remove ALL of your drives and re-install them in the same sequence.
In short, I believe you are very safe that no one will enter your data center and steal one or more of your drives. In addition, if they could, they could not read the data because of the single-level striping across multiple disk units.
My Opinion
Given how IBM i single-level storage already works compared to the complexity and cost of implementing IBM i data-at-rest encryption, I would recommend against data-at-rest encryption for IBM i.
On the other hand, I would recommend that clients spend more energy on
1) Firewall protection,
2) Using strong passwords (and keeping them closely guarded), and
3) Assessing and fixing application vulnerabilities (i.e. exit points)
…before spending money on data-at-rest encryption.
Need Help?
Call me at 714-593-0387 or email me at blosey@source-data.com. Let us know how we can help!
To learn more about us, and view our customer testimonials, please visit our website: www.Source-Data.com and see our other links:
1) IBM I on POWER (iSeries/AS400)
https://www.source-data.com/ibm-i-on-power-server/
2) IBM I (iSeries/AS400) Cloud Hosting
https://www.source-data.com/cloud-400/
3) IBM I (iSeries/AS400) Disaster Recovery Options
https://www.source-data.com/cloud400-disaster-recovery/
4) IBM I (iSeries/AS400) Version Upgrade