Townsend Automates IBM i Encryption with ‘Field Proc’

May 3, 2011 Alex Woodie

Implementing field-level database encryption on the IBM i server is about to get a whole lot easier, according to the folks at Townsend Security Solutions. The company today is announcing the general availability of AES/400 version 6, which adds new features that automate the implementation of encryption and decryption processes with DB2/400 data using the so-called “field procedure” function that was released with IBM i 7.1.

Implementing field- or column-level encryption on DB2/400 was a long and painful task prior to the release of the FIELDPROC exit point with IBM i 7.1 a year ago. Due to intricacies of DB2/400 and how it exposes data to programs, companies typically had to make extensive modifications to their IBM i programs or their databases in order to encrypt certain fields in their DB2/400 database records, such as credit card numbers or Social Security numbers.

The time and effort required to implement encryption was greatly simplified with the field procedure exit point in IBM i 7.1. The field proc–which actually addresses the difficulties of automating the decryption of data in DB2/400 more than encryption, which was easier to automate–is a brilliant piece of database programming, says Townsend Security president and CEO John Earl.

“This is the biggest change to the database in my memory,” Earl says. “More than hiding the complexity of encryption, it enables something that simply wasn’t possible before without doing a big application or database architecture change. … I think they have done an outstanding job.”

Townsend Security was one of two security software vendors that announced their intention to support the field proc when IBM i 7.1 was unveiled a year ago. Today, the Olympia, Washington-based company is expected to announce that it has delivered full support for the field proc with AES/400 version 6, which became available at the end of May.

While the field proc technology made encryption and decryption processes more automated, most IBM i shops will choose a third-party solution like AES/400 to implement encryption and key management procedures because of the reduced complexity.

Implementing field- and column-level encryption with AES/400 6.0 is simplified to the point where it’s “push-button” easy, Earl says.

“Essentially we take you to a screen where you pick your field and say ‘I want to do field proc with that field,'” he says. “Once I enroll the field with field proc, AES/400 6.0 goes through and encrypts all of those fields in the entire database, so you don’t have to have a conversion process.”

Instead of spending a couple of weeks implementing encryption, IBM i administrators could complete a small encryption project in a matter of hours, Earl says. “Our tag line on this product is ‘Your encryption project just got easier,'” he says. “What we’ve worked on with this release is simplifying the whole effort, to make it easier and faster to implement, and to lower the stress level in the IT shop, so they can do encryption without having to become encryption geniuses. Just push the button and let it happen.”

Data masking is another area of improvement with AES/400 6.0. Support for data masking policies enables IBM i administrators to specify whether a particular user or group of users will be able to see the full value of a field, or whether parts of the value will be replaced by asterisks.

Support for external key stores, which is part of the “dual control” mandate of PCI and HIPAA security guidelines, is another new feature in 6.0, Earl says. Best practices require that keys be stored on a different platform than where the encrypted data is stored. It also requires that the person who is responsible for data also does not posses the decryption keys.

Earl puts it this way: “If I’m QSECOFR or somebody with ALLOBJ authority on that particular AS/400, and my keys are there, then I’m going to have complete access to the encrypted credit card data and the keys that will decrypt that data,” he says. “PCI says, that doesn’t work. You’ve got to have separation of duties … so that it requires collusion by two different people in order to compromise the data.”

Companies can still store their encryption keys on the same IBM i server that houses encrypted data. But it’s not a recommended long-term approach, Earl says.

While Townsend isn’t the first to deliver field proc support in an IBM i encryption product, Earl is confident that it has the right mix of software and credentials to find success. “We still have the only NIST certified database encryption tool on the i. IBM has done validation on every other platform except for the i. Nobody else has done this, so it’s kind of a great place to be.”