Powertech Encryption for IBM i protects sensitive data using strong encryption, tokenization, integrated key management and auditing. Powertech Encryption allows organizations to encrypt database fields, backups and IFS files quickly and effectively with its intuitive screens and proven technology. This innovative solution is vital for protecting confidential information and expediting compliance with:
- PCI DSS standards
- Federal regulations (e.g. HIPAA, Sarbanes-Oxley)
- State privacy laws
Powertech Encryption can be installed within a few minutes and requires no source code changes for encryption. The commands in Powertech Encryption have comprehensive on-line help text and are accessible through intuitive native IBM i menus.
Powertech Encryption includes an advanced Key Management system which resides natively on the IBM i. This Key Management system is seamlessly integrated with Powertech Encryption’s policy controls, encryption functions and auditing facilities to provide a comprehensive data protection solution. Together with the integrated security on IBM i, organizations can strictly control access to Key maintenance/usage activities and meet compliance requirements such as PCI DSS.
- Provides policy settings for compliance requirements (e.g. dual control, separation of duties)
- Allows controlling which users are authorized to manage Keys
- Generates strong Key values up to 256 bits in length
- Organizes Keys into one or more Key Store objects
- Encrypts storage of Keys using Master Encryption Keys (MEK)
- Controls access to Keys by user profile, group profile and/or authorization lists
- Prohibits the retrieval of underlying Key values
- Produces detailed audit logs on all Key management activities
Powertech Encryption also provides interfaces for securely sharing Keys with other systems such as point-of-sale (POS) systems, Windows, Linux and AIX.
Powertech Encryption is a software-based solution that allows IBM i customers to encrypt backups using their existing tape devices. Backups can be protected using Keys from Powertech Encryption’s Key Management System to provide strong security. Commands are provided to encrypt/backup any user data on the IBM i including libraries, objects and IFS files.
- Utilizes AES (Advanced Encryption Standard) for encryption
- Encrypts and saves to existing tape drives
- Incorporates into existing backup processes (e.g. CL programs, BRMS, schedulers)
- Saves disk space and time by not generating intermediate save files
- Protects backups with either passphrases or Keys
- Stores Key labels with encrypted backups to simplify restores
- Optionally backs up to the Integrated File System (IFS)
- Reduces disaster recovery costs since no special devices are required
Straightforward commands are provided to restore and decrypt libraries, objects and IFS files which were saved using Powertech Encryption’s backup processes. These commands can be restricted to authorized users only
Powertech Encryption will protect sensitive database fields on IBM i using strong encryption algorithms of AES or TDES. You can encrypt almost any database field with Powertech Encryption including:
- Credit card numbers (PAN)
- Health-related information
- Social security numbers
- Drivers license number
- Bank account numbers
- Financial data
With Powertech Encryption’s innovative Field Encryption Registry, you can simply indicate the database fields to encrypt. When a field is “activated” in the registry, Powertech Encryption will perform a mass encryption of the current values for that field. Powertech Encryption can then automatically encrypt the field values on an ongoing basis as new database records are added and when existing field values are changed. This automated feature saves significant time and money for customers, since applications do not need to be changed for data encryption.
Access to data can be tightly controlled at the field/user level. Only designated security administrators can grant authority to the decrypted or masked values. Decryption of any data can be fully audited in Powertech Encryption, which will log the user id, date, time, job information and key utilized.
Tokenization should be considered when sensitive data is stored on multiple systems throughout an organization. Tokenization is the process of replacing sensitive data with unique identification numbers (e.g. tokens) and storing the original data on a central server, typically in encrypted form.
By centralizing sensitive data onto a single system, tokenization can help thwart hackers and minimize the scope of compliance audits such as PCI. Tokenization can be used to protect any sensitive data including credit card numbers (PAN), bank account numbers, social security numbers, drivers license numbers and other personal identity information.
“Powertech Encryption has been doing its job quietly for a couple of months now. Just a couple of weeks ago I needed to add the encryption of a field in a new file and the process was easily added. The software is well-designed. There are not a lot of software products that impress me, but I have to say that I really like the way Powertech Encryption works. It was easy to implement and allowed us to meet all the requirements for securing our data to get PCI compliant.” – Will Crowe, Love’s Travel Stops and Country Stores
- Centralizes key management and policies on a single server
- Supports tokenization of data from diverse systems including IBM i, Windows, Linux, AIX, etc.
- Provides remote connections to token functions through secure HTTPS protocol
- Auto-assigns token identifiers from the central token server
- Encrypts and stores tokenized data into scalable DB2 physical files
- Allows securing data elements by User Profile, Group Profile and/or Authorization Lists
- Provides centralized audit logs and message alerts
Powertech Encryption includes comprehensive auditing for meeting the most stringent security requirements. Audit log entries are generated for the following events:
- When any Key Policy settings are changed
- When Key Officers are added, changed or removed
- When Master Encryption Keys (MEKs) are loaded or set
- When Key Stores are created or translated
- When Data Encryption Keys (DEKs) are created, changed or deleted
- When any functions are denied due to improper authority
- When data is encrypted or decrypted with a key that requires logging of those events
- The audit log entries can be displayed and printed using a variety of selection criteria, including date/ time range, user and audit type. Alert messages can also be sent to QSYSOPR, QAUDJRN, email and SYSLOG.