IBM TechXchange 2024, October 21-24, 2024, Mandalay Bay Convention Center, Las Vegas, Nevada
Session 2363
Rebecca Levesque, 21CS, Chief Revenue Officer
Quantum-Safe Data Set Encryption on z/OS: Now More Important Than Ever
#IBMTechXchange
Copyright 2024 IBM Corporation

USD 300+ million
Average cost of a "mega breach" involving 30M-40M records.
*See https:/ for the full "Cost of Data Breach Report 2024".

Why is the time to act now?
- Encrypted data lost during a data breach
- Data communications over TLS that have been harvested
- Snapshots of encrypted cloud data
- Media that is not encrypted with quantum-safe encryption methods and is improperly disposed of or lost
- Encryption systems using blackened (wrapped) encryption keys that are public
Data must be protected with strong encryption algorithms like AES using 256-bit keys to be considered quantum-safe. Data is being stolen today with the intent of exposing it tomorrow.

Quantum-safe encryption components
- CPACF: high performance key calculations
- Crypto Express 8S (CEX8S): high security key calculations
- TKE Workstation: simplified and secure Master Key usage

Crypto Express 8S (CEX8S): ICSF support of CRYSTALS
CRYSTALS-Dilithium was first introduced on the z15, but as the NIST evaluation of quantum-safe algorithms continues, new "rounds" of the submitted algorithms are introduced. When the CRYSTALS-Dilithium algorithm progressed to "Round 3" of the evaluation, updates to the key generation algorithms were added. The CEX8 coprocessor added support for the new Round 3 keys, and also added an (8,7) key size in addition to the (6,5) key size previously available.
CRYSTALS-Kyber is a new key type available on the z16 with the CEX8 coprocessor. When used in combination with Elliptic Curve Diffie-Hellman, it is now possible to use a hybrid approach for exchanging secret keys between business partners using quantum-safe techniques.
ICSF support for enhanced quantum-safe algorithms as provided by the Crypto Express 8 (CEX8) coprocessor:
- CRYSTALS-Dilithium keys are used for digital signature operations
- CRYSTALS-Kyber keys are used for key exchange

Quantum-Safe clarifications
- z/OS Data Set Encryption is considered Quantum-Safe (AES-256)
- Quantum-Safe digital certificates: definition pending
- Quantum-Safe network encryption: definition pending
This Quantum-Safe journey is a natural continuation of Pervasive Encryption.

zERT Enforcement (z/OS 2.5): what makes zERT Enforcement so special?
- Utilizes zERT stats in memory (not in SMF)
- Determination made after the handshake completes
- Cancels the connection when the minimum is not met
- Unlike Policy Agent, not limited to AT-TLS usage
- Auditable minimum network encryption strength!

Is disk encryption enough?
Payment Card Industry Data Security Standard, Version 4.0, Requirement 3.5.1.2:
"While disk encryption may still be present on these types of devices, it cannot be the only mechanism used to protect PAN stored on those systems. Any stored PAN must also be rendered unreadable per Requirement 3.5.1, for example, through truncation or a data-level encryption mechanism. Full disk encryption helps to protect data in the event of physical loss of a disk and therefore its use is appropriate only for removable electronic media storage devices."
"This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment."

Enhancement to Archived Keys (z/OS 2.5)
General insight: "Never throw away a key"
- Ensures data is not lost if key rotation is incomplete
- Migrated data may become out of scope
- Archive keys instead
- New decrypt-only configuration option for Archived Keys
- Supported by ICSF and by z/OS data set encryption in 2021
- Mitigates the risk of a "moving target" of data sets encrypted with an old key
- Facilitates key rotation
XFACILIT profile: CSF.KDS.KEY.ARCHIVE.DATA.DECRYPT

Encrypted VSAM data set support in RACF
"IBM intends to enhance pervasive encryption through RACF support for the use of an encrypted VSAM data set as its data base in specific configurations."
Why VSAM?
- Enables data set encryption
- Integrates well with RACF's existing serialization
- Consistent with RACF's current database architecture
- Provides the ability to utilize existing diagnostics
- Leverages standard z/OS skills
- Leverages current and future I/O infrastructure improvements
RACF statement of direction realized!

Key Management
- Trusted Key Entry (TKE) Workstation: Master Keys
- Unified Key Orchestrator for IBM z/OS (was EKMF Web): Operational Keys
- Guardium Key Lifecycle Manager (GKLM): Self-encrypting Device Keys

Statement of Direction: Tape Data Sets
"IBM intends to enhance pervasive encryption to perform encryption within the access methods for tape data sets. It is expected to be transparent to the application program unless it uses EXCP. This new data set encryption support is intended to be independent of any encryption that occurs in the tape subsystem."
https:/

As-Is Scenario
- Pain Point 1: z/OS data set key rotation requires a scheduled outage for most applications.
- Pain Point 2: It can be difficult to determine data set associations with applications.
- Pain Point 3: z/OS data set key rotation is largely a manual effort.

Statement of Direction: Data Set Key Rotation
IBM also plans to provide a software solution that simplifies z/OS data set encryption, encrypting and re-encrypting data at scale for both key rotation and initial encryption, and leveraging analytics to minimize application downtime. This is designed to simplify adherence to expanded compliance regulations such as PCI DSS v4.0.
https:/

Analyze Data Sets, Pattern 1: Single key, single application
Every encrypted data set has an associated key label. The analytics engine:
- locates all data sets matching the specified key label
- analyzes data set availability over time, determining when data sets are typically open or closed
Diagram: XIMENA.DATA.A, XIMENA.DATA.B, XIMENA.DATA.C -> key label DATASET.XIMENA.DATA.ENCRKEY.001 -> Application 1

Analyze Data Sets, Pattern 2: Single key, multiple applications
Every encrypted data set has an associated key label. The analytics engine:
- locates all data sets matching the specified key label
- analyzes data set availability over time, determining when data sets are typically open or closed
Diagram: XIMENA.DATA.A, XIMENA.DATA.B, XIMENA.DATA.C -> key label DATASET.XIMENA.DATA.ENCRKEY.001 -> Application 1, Application 2

Analyze Data Sets, Pattern 3: Single application, multiple keys
Every encrypted data set has an associated key label.
Diagram: XIMENA.DATA.A, XIMENA.DATA.B -> key label DATASET.XIMENA.DATA.ENCRKEY.001; XIMENA.STAT.Z -> key label DATASET.XIMENA.STAT.ENCRKEY.001; both -> Application 1

Data Set Key Rotation, powered by data set analytics
- Step 1: ANALYZE data sets associated with the key label
- Step 2: PREDICT non-disruptive key rotation windows
- Step 3: CLUSTER data sets into key rotation windows
- Step 4: APPROVE change windows
- Step 5: ROTATE data sets prior to the due date
- Step 6: NOTIFY if a manual schedule is required

IBM Z DSKR Dashboard (screenshots):
- Create a new rotation schedule
- Key Rotation Inspection and menu options
- Key Rotation Inspection: Inspect Data Sets in Groups
- Key Rotation Inspection: Modify Schedule

Pervasive Encryption Current Roadmap
- z14 timeframe (CPACF & Crypto Express 6S): Extended Format Data Set Encryption, zFS Encryption, CF Encryption, zERT Network Encryption Logging, zSecure & zBNA Support, Hyper Protect Virtual Servers
- z15 timeframe (CPACF & Crypto Express 7S): Pervasive Compression, PDSE Encryption, zNA, zDMF DSE Migration, Fiber Channel Endpoint Security, EKMF Web, JES Spool Encryption, Basic & Large Format Data Set Encryption
- z16 timeframe (CPACF & Crypto Express 8S): EKMF Web Cloud Key Provisioning, zERT Enforcement, Data Set Encryption Archived Key support, encrypted RACF DB

Redbook assistance (IBM Redbooks)
- "Transitioning to Quantum-Safe Cryptography on IBM Z" https:/
- "[Getting] Started with Data Set Encryption" https:/

Online Resources
- IBM Z Pervasive Encryption https:/
- [Quantum] Safe Solution Brief https:/

Questions?
Rebecca Levesque, 21CS, Chief Revenue Officer
Thank You!

Trademarks: See URL: http:/ for a list of trademarks.
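A worked sketch of steps 1 to 3 (with the step 6 NOTIFY fallback) of the Data Set Key Rotation analytics described in the "Analyze Data Sets" and "Data Set Key Rotation" slides above, added here as an illustration; it is not IBM's DSKR code. The key labels, data set names and open/close history are constructed, and minutes since midnight is an assumed time base.

```python
# Constructed catalog: data set -> key label (Pattern 3: one application
# whose data sets sit under two key labels).
KEY_LABELS = {
    "XIMENA.DATA.A": "DATASET.XIMENA.DATA.ENCRKEY.001",
    "XIMENA.DATA.B": "DATASET.XIMENA.DATA.ENCRKEY.001",
    "XIMENA.STAT.Z": "DATASET.XIMENA.STAT.ENCRKEY.001",
}
# Constructed open/close observations (minutes since midnight), aggregated
# over every application that opens the data set (so Pattern 2 is covered).
OPEN_INTERVALS = {
    "XIMENA.DATA.A": [(60, 300), (540, 1020)],
    "XIMENA.DATA.B": [(0, 120), (600, 1080), (1260, 1440)],
    "XIMENA.STAT.Z": [(120, 180)],
}

def datasets_for_label(key_label, catalog=KEY_LABELS):
    """Step 1 (ANALYZE): every data set encrypted under the key label."""
    return sorted(ds for ds, label in catalog.items() if label == key_label)

def merge(intervals):
    """Coalesce overlapping or touching open intervals into busy spans."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def rotation_windows(key_label, min_minutes, day=1440, history=OPEN_INTERVALS):
    """Step 2 (PREDICT): spans in which *all* data sets under the label are
    closed and which are long enough to re-encrypt without an outage."""
    busy = merge(iv for ds in datasets_for_label(key_label) for iv in history[ds])
    windows, cursor = [], 0
    for start, end in busy + [(day, day)]:  # sentinel closes out the day
        if start - cursor >= min_minutes:
            windows.append((cursor, start))
        cursor = max(cursor, end)
    return windows

def plan(key_label, min_minutes):
    """Steps 3 and 6: cluster into the first usable window, else flag manual."""
    windows = rotation_windows(key_label, min_minutes)
    if not windows:
        return {"key_label": key_label, "manual_schedule_required": True}
    return {"key_label": key_label, "window": windows[0],
            "data_sets": datasets_for_label(key_label),
            "manual_schedule_required": False}
```

With a 120-minute minimum, the DATA label has two candidate windows (300-540 and 1080-1260) while a 300-minute minimum finds none and the plan falls back to a manual schedule.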