Partner TechTip: Encrypting Business Data Stored on Computer Media

Address

6533 Flying Cloud Dr Suite 200 , Eden Prairie, MN, USA, 55344

Phone

952-933-0609

E-mail

Website

http://www.mcpressonline.net/buyers-guide/companies/help/systems-inc./visit.html

Products

Help/Systems develops, markets, and supports automated operations and business intelligence software for the IBM System i. We devote 100% of our research and development to operations automation and business intelligence for System i computers, so we always will be here for the System i user.

If you lose a computer tape and it falls into the wrong hands, how safe is the data on the tape? Can anyone with a little knowledge restore the data? Is your OS/400 or i5/OS data excluded from this concern? Do rules and legislation require you to report lost tapes, and are fines associated with this? The answers: not very, yes, no, and yes.

It's scary to think that your OS/400 data is not safe once it's put on tape, but the reality is that anyone with another OS/400 can restore any of your tapes. All they need to access your data is a little OS/400 background. Anyone with *ALLOBJ or Save/Restore authority on another system can take one of your business data tapes and restore your data.

Recently, privacy laws and legislation like Sarbanes-Oxley have forced companies to take notice of this issue. Several companies already have been fined as a result of lost business data on tapes. You don't want to be the next IT professional responsible for losing business data.

What Can You Do?

Number One: Don't send your data off-site; keep it all in-house. Some companies are reverting to all-electronic backups so their data never moves to tape. This requires high availability (HA) programs that can accommodate a full disaster scenario. Personally, I'm not comfortable without at least one good periodic backup to tape. Click here for the easiest solution.

Number Two: Invest in cryptographic hardware that resides between the operating system and your backup device. These solutions provide encryption at the hardware level as the data is placed on tape. One drawback is that you need the same hardware at your hot site or anywhere else where you might need to restore the data. In addition, hardware encryption can be a very expensive solution, and it impacts the speed of your backups. And it requires all data to be encrypted. IBM does provide some hardware solutions. See the IBM Information Center for more information.

Number Three: Use OS/400 APIs to encrypt the data in save files and save them to tape. This may sound easy, but you need to build a solution for managing the encryption keys used to unlock the data. Do you have enough time to build the elaborate system your security auditors require? This solution also impacts the speed of saves and can consume large amounts of disk space. See the IBM Information Center and search on Cryptography.

Number Four: Buy a software solution that can encrypt SAVF objects. There are several on the market that can do this. They are not necessarily cheap and probably don't have built-in automation for tracking tapes, running restricted state backups, and all of the other tasks you take for granted in an automated backup/recovery software package. These solutions also have a bad habit of storing the encrypted keys in the OS in text format. Just go to Google and search on iSeries Encryption.

Number Five: Deploy Robot/SAVE Version 11 as a standard for encrypting your i5/OS and OS/400 business data. No programming is necessary to develop your plan for protecting your critical business data. Robot/SAVE supports AES 128 or 256, DES encryption, and granular backups. The system administrator defines the desired encryption level at system setup (see Figure 1).

Figure 1: Define the level of encryption at system setup. (Click images to enlarge.)

Robot/SAVE provides great flexibility as to what can be encrypted. Its setup panels let you establish the libraries or objects to be encrypted as they're saved to your desired media (see Figure 2).

Figure 2: Save encryption is optional at the object level.

At a hot site, just restore the operating system and Robot/SAVE, and you're ready to go. Robot/SAVE decrypts the data for you—automatically. If necessary, a special subset of the Robot/SAVE restore commands allows you to restore encrypted data on another system that doesn't have Robot/SAVE installed. (In this case, you must know the encryption key to decrypt the data.)

Robot/SAVE to the Rescue

As many of our customers have learned, Robot/SAVE helps you take the final step toward data security. Whether you need data encryption for competitive or legal reasons, give Robot/SAVE a free 30-day trial. You won't be disappointed. Learn more about Robot/SAVE by clicking here. And check out Help/Systems' other offerings in the MC Showcase Buyer's Guide.

Tom Huntington is Vice President of Technical Services for Help/Systems, Inc. He can be reached at 952.563.1606 or at tom.huntington@helpsystems.com.

Tom Huntington
		About the Author:
		Tom Huntington is Vice President of Technical Services for Help/Systems, Inc. Contact Tom at 952.563.1606 or at tom.huntington@helpsystems.com. See Tom Huntington's blog at http://www.helpsystems.com/blog/tomh.
	Read More >>

Articles by this Author:

View all articles by this author

< Prev		Next >

Last Updated on Thursday, 22 March 2007 18:00

MC Press Web Site Staff

** This thread discusses the Content article: Partner TechTip: Encrypting Business Data Stored on Computer Media0

bharder@nlrha.ab.ca

Sorry, but I cannot agree with Point 1, "Number One: Don\'t send your data off-site; keep it all in-house." The gold standard for reliable, enterprise level backup systems includes off-site storage for at least some of the backup data. This wasn\'t arrived at through some arbitrary decision making process. In the real world, off-site data is more likely to be available for restoration. It protects you against many more plausible hazards, including fire, water, gas leaks and site contamination. If the organization is big enough to have multiple sites, then that will do nicely. However even if the data is transported over a network link, then that link is vulnerable to snooping and probably needs to be encrypted. That\'s my larger point. Off-site storage is necessary. Transporting data securely by practically any means requires encryption. Problem, solution. Don\'t be lulled into thinking, \'we don\'t transport data, we don\'t need encryption, and we are safe against all plausible threats.\'

Please login to make comments.

01/20/2012 - Partner TechTip: Our System Administrator Did WHAT?
12/16/2011 - Partner TechTip: What's Your Compliance Score?
11/04/2011 - Partner TechTip: Don't Let Security Events Occur Unnoticed!
09/23/2011 - Partner TechTip: Automatic Audit Reports Are as Easy as 1-2-3
08/12/2011 - Partner TechTip: Command Access Can Bring Unexpected Consequences

News on IFSTOOL (2563 views)
AS/400 RPG Programmer Analyst - Tampa, FL (Contract) (2133 views)
I need to transfer a spool file(i.e. compile listing) to a PC file for editing (1870 views)
Latest news on HSSFCGI (1680 views)
Batch file in as400 (1470 views)
Trigger bombing on program library (1229 views)
Zip/Unzip now, don't wait for 7.1 (882 views)
PHFA - 2 new Software Developer positions available (IBM i RPG ILE/Microsoft Dotnet) (527 views)
The International Freedom of Expression Forum (499 views)
A6005004 - Can't find console (347 views)

MC-STORE.COM

Help/Systems, Inc.

What Can You Do?

Robot/SAVE to the Rescue

MOST POPULAR

ARTICLES

BOOKS

FORUMS