IBM Systems TechU (c) Copyright IBM Corporation 2020 1
Introducing IBM z15 Data Privacy Passports
Michael Jordan, IBM Distinguished Engineer, IBM Z Security
2020 IBM Systems TechU, April 9, 2020
Topics
—Current landscape
—Data Privacy Passports Introduction
—Use Cases
—Recap
The Data Dilemma

Forces acting on data: data breaches, data privacy regulations, the journey to cloud, 5G and IoT, business data exchange, and data analytics.
Data Security
—Keeping data safe
Data Privacy
—Appropriate use of data
The Emergence of Data Centric Protection

Siloed - point-to-point
— Encryption and decryption occur at each point as data traverses the network. Any data stored at endpoints and intermediate points must be explicitly encrypted.

Data Centric - end-to-end
— The data itself is encrypted at the starting point and remains encrypted until it reaches the end point. Data stored at endpoints and intermediate points is implicitly encrypted and managed through centralized policy.

Data centric protection remains in place when the data moves and allows the data to play an active role in its own protection.
Achieving Data Centric Protection

Typical data centric solutions, as plotted on the slide's coverage versus complexity chart (security control increases toward the application layer):
— Full disk, tape & SAN: at-rest data with zero host CPU cost
— File and data sets: sensitive data tied to access control for in-flight and at-rest data
— Databases: sensitive in-use, in-flight and at-rest data
— Applications: hyper-sensitive data

• Typical application level protection can be extremely costly and only protects a small number of fields
• Can you have security control with broader coverage and less complexity?
Protect individuals’ identity in a digitized world with IBM Data Privacy Passports
Current State
— Data protected through siloed products
Desired State
— Data protected for the life of the data with one product
Desired State: Trusted Data Objects
— End-to-end protection via "Trusted Data Objects"
Desired State: Enforced Data
— Controlling the usage of data and auditability of data
• Protection – Encryption and Revocation
• Privacy – Controls and Consent
• Proof – Audit and Record Keeping for Compliance

Desired state diagram (labels only): starting from IBM Z® or any system of record, data flows to 3rd parties, public cloud and private cloud.
* Trusted Data Object is provided back to the Passport Controller and has been transformed from protected data into enforced data.
IBM Data Privacy Passports leveraging IBM Hyper Protect Virtual Servers
End-to-end protection of sensitive mission critical data with granular privacy control across the enterprise and broader hybrid cloud ecosystem

Components of Data Privacy Passports

IBM Data Privacy Passports
— Extends data access controls beyond the system of record through policies which enforce data control throughout the data lifecycle.
IBM Hyper Protect Virtual Servers
— Offers a virtual server for highly secure compute resources to meet data privacy regulations.

Passport Controller
• Provides an intercept point to transform "raw" data into "trusted data objects" or enforce data protection
• The policy that governs the protection and usage of the data is maintained in the Passport Controller
• Needs to be deployed on IBM Z for protection and/or enforcement of data

Trusted Data Object
• Contains data that is protected and portable between multiple environments.
• A Trusted Data Object is the encrypted data element plus metadata. The data element is encrypted using a specific key, and all required instructions on how to open and identify the Trusted Data Object are included in the metadata.
Data Protection States
Protected Data (reversible)
• Data elements are encrypted into Trusted Data Objects (TDO) before leaving the platform
• Data can be shown in different views based on the user's need to know using a Passport Controller

Enforced Data (irreversible)
• Data elements are transformed (masked) at the time of consumption
• Transformations are based on a user's need to know
• Can be performed on Protected Data or raw data
Where is the protected or enforced data stored?
Enforced Data
• Can be stored in a table with the same schema as the source table
• Data can be enforced in a way where it remains compatible with the original source schema
• Provides application-transparent consumption of transformed data

Protected Data
• Data elements can be packaged into Trusted Data Objects (TDO) using the Passport Controller
• The TDOs are NOT the same size as the source data: each is an encrypted package with additional metadata
• Metadata is cryptographically bound to the ciphertext in the TDO
• The target table needs to be able to store data with a different schema than the source table
• This structured data source, reached over a JDBC connection, can be on any system and does not need to be stored in the same database as the original source table
What are the flows for enforcement on data?
Raw data can be enforced
• Eligible source data remains in the clear and clients connect to a proxy which will enforce data based on policy
• No changes are needed to the original SQL database that is accessed through a JDBC connection

Data can be protected then enforced
• Eligible source data is encrypted into Trusted Data Objects (TDO) and then inserted into a new protected table
• New protected table elements are stored as Trusted Data Objects
• Clients connect to the new protected table and, based on policy, are presented an enforced view of the data
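The three preceding slides (protection states, where protected and enforced data live, and the protect-then-enforce flow) describe a mechanism that is easier to see in code. The block below is an added illustrative model written for this page; it is not IBM code and does not reproduce the product's TDO format, which the deck does not specify. It shows a Trusted Data Object as ciphertext plus metadata with the metadata cryptographically bound to the ciphertext (so a relabelled TDO will not open), a Passport Controller that holds keys and policy and is the only place a TDO is opened, per-persona enforcement (clear, masked, or left as a closed TDO), dynamic revocation by policy, and an audit record of every request. The HMAC-SHA256 keystream and tag stand in for a real AEAD so that the example runs on the Python standard library alone; the persona names, field names, key id `k1` and the sample record are constructed.

```python
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a stdlib stand-in for AES."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _bind(mac_key: bytes, meta: dict, nonce: bytes, ct: bytes) -> bytes:
    """Tag over canonical metadata || nonce || ciphertext: altering either breaks it."""
    canonical = json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(mac_key, canonical + nonce + ct, hashlib.sha256).digest()


def mask(value: str) -> str:
    """Irreversible enforcement: keep only the last four characters."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


class PassportController:
    """Holds keys and policy and is the only place a TDO is opened (model, not IBM's).

    policy maps persona -> field -> "clear" | "mask" | "protected".
    Any field not listed for a persona stays "protected": the closed TDO is returned.
    """

    def __init__(self, policy: dict):
        self.keys = {"k1": secrets.token_bytes(32)}   # hypothetical key id
        self.mac_key = secrets.token_bytes(32)
        self.policy = {p: dict(f) for p, f in policy.items()}
        self.audit = []                               # (persona, field, action)

    def protect(self, field: str, value: str) -> dict:
        """Raw value -> TDO at the point of extraction (reversible)."""
        key_id, nonce, pt = "k1", secrets.token_bytes(12), value.encode()
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(self.keys[key_id], nonce, len(pt))))
        meta = {"field": field, "key_id": key_id, "fmt": "utf8"}  # how to open / identify it
        return {"meta": meta, "nonce": nonce.hex(), "ct": ct.hex(),
                "tag": _bind(self.mac_key, meta, nonce, ct).hex()}

    def open_tdo(self, tdo: dict) -> str:
        """Verify the metadata/ciphertext binding, then decrypt with the key the metadata names."""
        nonce, ct = bytes.fromhex(tdo["nonce"]), bytes.fromhex(tdo["ct"])
        expected = _bind(self.mac_key, tdo["meta"], nonce, ct)
        if not hmac.compare_digest(expected, bytes.fromhex(tdo["tag"])):
            raise ValueError("TDO rejected: metadata or ciphertext was altered")
        key = self.keys[tdo["meta"]["key_id"]]
        return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

    def enforce(self, persona: str, row: dict) -> dict:
        """Point of consumption: return this persona's view of a protected row."""
        view = {}
        for field, tdo in row.items():
            action = self.policy.get(persona, {}).get(field, "protected")
            self.audit.append((persona, field, action))           # every request is recorded
            if action == "clear":
                view[field] = self.open_tdo(tdo)
            elif action == "mask":
                view[field] = mask(self.open_tdo(tdo))
            else:
                view[field] = tdo                                 # stays closed for this persona
        return view

    def revoke(self, persona: str) -> None:
        """Dynamic policy change: the persona can no longer open anything."""
        self.policy.pop(persona, None)
        self.audit.append((persona, "*", "revoked"))


def opens_tampered(controller: PassportController, tdo: dict) -> bool:
    """True if a TDO whose metadata was relabelled still opens (it must not)."""
    forged = dict(tdo, meta=dict(tdo["meta"], field="zip"))
    try:
        controller.open_tdo(forged)
        return True
    except ValueError:
        return False


def demo():
    """Constructed sample record and policy, not data from the deck."""
    controller = PassportController({
        "data_scientist": {"name": "mask", "zip": "clear"},      # ssn stays a closed TDO
        "regulator": {"name": "clear", "ssn": "clear", "zip": "clear"},
    })
    record = {"name": "Bob Smith", "ssn": "123-45-6789", "zip": "10504"}
    protected_row = {f: controller.protect(f, v) for f, v in record.items()}
    scientist_view = controller.enforce("data_scientist", protected_row)
    regulator_view = controller.enforce("regulator", protected_row)
    controller.revoke("data_scientist")
    after_revocation = controller.enforce("data_scientist", protected_row)
    return controller, protected_row, scientist_view, regulator_view, after_revocation


if __name__ == "__main__":
    ctl, row, ds, reg, after = demo()
    print("data scientist view:", ds["name"], ds["zip"], "| ssn still closed:", ds["ssn"] is row["ssn"])
    print("regulator view:", reg)
    print("after revocation, zip still closed:", after["zip"] is row["zip"])
    print("relabelled TDO opens:", opens_tampered(ctl, row["ssn"]))
```

The point the model makes explicit: the protected table only ever holds closed TDOs, so a copy that leaves IBM Z carries no key; every clear or masked value comes from a return trip to the controller, which is where policy changes take effect immediately and where the audit trail is produced.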
Use case – Protecting data as it moves in the enterprise (ETL)

• The data is protected at the point of extraction and is enforced at the point of consumption
• Move data from IBM Z to distributed as Trusted Data Objects – supports SQL data sources accessed via JDBC**
• Passport Controller* is deployed into Hyper Protect Virtual Servers
• Dynamically update the policy to revoke user access to data through the Passport Controller
• Create a single protected table to provide multiple views of data according to defined policy

Diagram (labels only): on the z/OS® LPAR, Db2® clear text tables and VSAM or sequential data (protected with Pervasive Encryption, the latter accessed through IBM DVM) are read over JDBC; the Passport Controller (keys, policy, logic), driven by administrator commands and an external identity management system, writes to Postgres, Db2 for z/OS and a data lake on x86 / Power® / Linux on Z over JDBC and sftp.

* IBM Hyper Protect Virtual Servers V1.2 (5737-I09) is required.
** Current version only supports SQL structured data sources accessed via JDBC
Use case – Consuming IBM Z data in the enterprise
• Enforce with client defined policies when TDOs are consumed using the Passport Controller
• Dynamically update the policy to revoke user access to the data through the Passport Controller
• Identity can be managed on IBM Z (i.e. z/OS)
• Connection to the Passport Controller is through industry standard Apache Hive drivers

Diagram (labels only): a Data Scientist, Data Owner and Regulator issue SQL queries against a virtual table; the Passport Controller (keys, policy, logic, backed by external identity management) serves them from the protected table, which is a data copy.
Use case: Single Data Source for Multiple Views
Business problem
— An insurance company needs to share details about their customers with a Data Scientist, the customers themselves via a web portal, and a Regulator.
Solution
— IBM Data Privacy Passports can create a single protected table of data from policies that allow multiple views of data varying by needs.

Diagram (labels only): SoR data sources on IBM Z feed the protected databases as TDOs (via IIDR or SQL over JDBC) without the TDO being opened; personas reach the protected databases for enforced data or ad hoc queries through the Passport Controller over JDBC.

• Eligible source data is encrypted into Trusted Data Objects (TDO), protecting it at the point of extraction prior to the data moving from IBM Z.
• Personas connect to the new protected tables; the policies are enforced based on the user's identity.
• Data can be masked, encrypted or returned in the clear for individual fields, depending on policy.
Use case: Data Revocation by Policy
Business problem
— A business unit has shared information with the analytics division of their company to complete a 6-month market research assignment. After the project is complete the analytics division should no longer have access to the eligible data.
Solution
— IBM Data Privacy Passports provides data revocation by policy for the data shared with the analytics division; viewing that data requires a trip to the Passport Controller.

Diagram (labels only): SoR data sources on IBM Z feed the protected databases as TDOs (via IIDR or SQL over JDBC) without the TDO being opened; clients reach the protected databases for enforced data or ad hoc queries through the Passport Controller over JDBC.

• Eligible source data is encrypted into Trusted Data Objects (TDO), protecting it at the point of extraction prior to the data moving from IBM Z.
• Clients connect to the new protected tables and, based on policy, are presented an enforced view of the data. Opening the data requires a return trip to the Passport Controller. Requests to open data are audited.
• Policy for enforcement can be changed dynamically to revoke or entitle users to data access through the Passport Controller.
Use case: Data Access Control for Data Privacy
Business problem
— A corporation operating a data warehouse SaaS service has established monitoring and defensive controls to keep data operations by applications and users restricted. Some of the information in their data warehouse is sensitive data.
— To date they have set up stringent restrictions on the environments in which the data can be viewed, but they need to embrace a more open network.
Solution
— IBM Data Privacy Passports provides documentation and logging as data is accessed. Data access and use of eligible data is controlled by centrally managed policy. Protection and enforcement requests made through the Passport Controller are audited.

— Batch-based replication of data can be used via JDBC to push whole tables, or IBM InfoSphere Data Replication (IIDR) can provide a way to replicate data based on changes.
— Providing replicated copies from a System of Record is an existing model for many clients who do not wish to impact performance.

Diagram (labels only): SoR data sources on IBM Z feed the protected databases as TDOs (via IIDR or SQL over JDBC); clients reach the protected databases for enforced data or ad hoc queries through the Passport Controller over JDBC, which enforces policy and writes an audit record.

• Eligible source data is encrypted into Trusted Data Objects (TDO), protecting it at the point of extraction prior to the data moving from IBM Z.
• Clients connect to the new protected tables and, based on policy, are presented an enforced view of the data. Opening the data requires a return trip to the Passport Controller. Requests to open data are audited.
• Policy for enforcement can be changed dynamically to revoke or entitle users to protected data. Changes are audited.
Use case: Data Segmentation and Brokering
Business problem
— A large multi-national corporation has disjoint human resource systems in each of its geographic locations and wishes to allow for new analytics on employee retention, motivation, and job satisfaction across the entire global workforce.
Solution
— IBM Data Privacy Passports allows the organization to segment which users have access to view data in the unencrypted form.

• IBM Data Privacy Passports can control which parties can use and combine which data.
• No one persona has access to all of the data within the enterprise.
• Opening the data requires a return trip to the on-premises Passport Controller, where policy enforces the permitted view of the data by persona.

Diagram (labels only): SoR data sources on IBM Z feed the protected databases as TDOs (via IIDR or SQL over JDBC); a Data Scientist reaches the protected databases through the Passport Controller over JDBC, which enforces policy.
Product Deployment V1.0
Passport Controller is deployed in a Hyper Protect Virtual Server
Manual policy management
All data accessed through the Passport Controller is audited
Announce date: March 10, 2020
General availability: March 20, 2020
Data Privacy Passports - Protected, Private, Provable
• Create a single protected table with multiple policy defined views of data
• The eligible data is protected at the point of extraction and is enforced at the point of consumption
• Move eligible data from IBM Z to distributed as Trusted Data Objects or enforced data
• Data requests that are made through the Passport Controller are audited
• Policy access can be changed dynamically to revoke a user's access and is applied to a data copy passed through the Passport Controller

Closing figure (labels only): z14 – Protection on IBM Z; z15 – Protection + Privacy + Proof, cross enterprise / hybrid cloud.
Notices and disclaimers
— © 2019 International Business Machines Corporation. No part of this document may be reproduced or transmitted in any form without written permission from IBM.
— U.S. Government Users Restricted Rights — use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
— Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. This document is distributed “as is” without any warranty, either express or implied. In no event, shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted per the terms and conditions of the agreements under which they are provided.
— IBM products are manufactured from new parts or new and used parts. In some cases, a product may not be new and may have been previously installed. Regardless, our warranty terms apply.
— Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
— Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
— References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
— Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
— It is the customer's responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer follows any law.
Notices and disclaimers continued
— Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM's products. IBM expressly disclaims all warranties, expressed or implied, including but not limited to, the implied warranties of merchantability and fitness for a purpose.
— The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
— IBM, the IBM logo, ibm.com and [names of other referenced IBM products and services used in the presentation] are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml