
Posts Tagged with "FIELD ENCRYPTION"

Linoma Software products are not affected by Heartbleed bug

If you are a Linoma Software customer using any of our products such as the GoAnywhere suite (Director, Services, Gateway, Open PGP Studio), Crypto Complete, Surveyor/400 or the RPG Toolbox, we are pleased to report that our products are NOT vulnerable to the Heartbleed bug.

CVE-2014-0160, known as the Heartbleed bug, has made big headlines over the last 48 hours. Heartbleed is a vulnerability in the popular OpenSSL software that potentially allows the memory of SSL/TLS-protected systems to be compromised. The bug essentially gives attackers access to the memory of those systems, so they can potentially steal and read otherwise encrypted information such as usernames and passwords, credit card numbers and other sensitive data. To learn more about the Heartbleed bug, please visit Heartbleed.com. Additional resources let you check whether your website or server is affected by the Heartbleed bug: Heartbleed Test and LastPass Heartbleed Checker.

GoAnywhere Suite (Director, Services, Gateway, Open PGP Studio): GoAnywhere does not use native libraries for SSL/TLS and relies on the JSSE libraries of the JVM that GoAnywhere is running on. This exploit does not exist in the JSSE implementation of SSL/TLS. Although Tomcat can use native SSL/TLS capabilities for its HTTP/S connections through the APR Connectors, GoAnywhere does not employ this functionality.

GoAnywhere Secure File Transfer mobile apps:

For Apple devices: The GoAnywhere Apple app uses the Secure Transport implementation of SSL/TLS and is not affected by Heartbleed.

For Android devices: The GoAnywhere Android app uses the JSSE implementation of SSL/TLS and is not affected by Heartbleed.

Surveyor/400: Surveyor/400 does not use native libraries for SSL/TLS and relies on the JSSE libraries of the JVM that Surveyor/400 is running on. This exploit does not exist in the JSSE implementation of SSL/TLS.

Crypto Complete: Crypto Complete does not use SSL/TLS for Field or Backup encryption and is not affected by Heartbleed.

RPG Toolbox: Our RPG toolbox does not use any encryption and is not affected by Heartbleed.
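
The GoAnywhere note above turns on which TLS stack a Tomcat connector uses: the JVM's JSSE or the native APR connector backed by OpenSSL. The following Python script is an added example (not Linoma's or Tomcat's own code) that classifies the connectors in a `server.xml`; the sample file, function names and verdict labels are assumptions made for illustration, and the auto-switching rule reflects Tomcat 7-era behaviour.

```python
import xml.etree.ElementTree as ET

APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"

# Constructed sample server.xml; not taken from any product's shipped configuration.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" SSLEnabled="true" scheme="https"
               protocol="org.apache.coyote.http11.Http11NioProtocol"/>
    <Connector port="9443" SSLEnabled="true" scheme="https"
               protocol="org.apache.coyote.http11.Http11AprProtocol"/>
    <Connector port="7443" SSLEnabled="true" scheme="https" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""


def tls_stack_by_port(server_xml):
    """Map each Connector port to the TLS implementation its configuration selects."""
    root = ET.fromstring(server_xml)
    # The APR listener is what loads the Tomcat native library at startup.
    apr_listener = any(l.get("className") == APR_LISTENER for l in root.iter("Listener"))
    result = {}
    for conn in root.iter("Connector"):
        port = int(conn.get("port", "0"))
        protocol = conn.get("protocol", "HTTP/1.1")
        if conn.get("SSLEnabled", "false").lower() != "true":
            result[port] = "no-tls"
        elif protocol == APR_PROTOCOL:
            # Explicit APR connector: TLS is handled by native OpenSSL, so the
            # installed OpenSSL version has to be checked against CVE-2014-0160.
            result[port] = "native-openssl"
        elif protocol == "HTTP/1.1" and apr_listener:
            # Auto-switching connector of Tomcat 7-era releases: APR is chosen
            # when the native library is found on the library path.
            result[port] = "native-if-tcnative-installed"
        else:
            result[port] = "jsse"  # Java connectors (BIO/NIO) use the JVM's JSSE
    return result


def needs_openssl_review(server_xml):
    """Ports whose TLS may be terminated by OpenSSL rather than JSSE."""
    stacks = tls_stack_by_port(server_xml)
    return sorted(p for p, stack in stacks.items() if stack.startswith("native"))
```

Any port returned by `needs_openssl_review` should have its linked OpenSSL version checked; ports reported as `jsse` match the situation the advisory describes.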

DB2 Field Encryption Has Been Simplified

Compliance regulations like HIPAA and PCI DSS have us all looking for more efficient and secure ways to keep sensitive data protected, especially the personal information fields we've all come to rely on: social security numbers, credit card numbers, birth dates, driver's license numbers, insurance policy ID numbers, etc.

Fortunately, IBM is working hard to meet the growing demands of companies who must store and share private information and compliance auditors who govern how it must be done. When it released IBM i 7.1, it included a feature for encrypting DB2 form fields to give IT staffs more control.

Surprisingly, not everyone is taking full advantage of these DB2 FieldProcs either because they're not aware of their benefit, or because they're waiting for an even more comprehensive approach.

If you fall into either of these groups, then we've got good news. The Linoma Software team is hosting a webinar next week to share tips for how to maximize the DB2 FieldProcs feature in IBM i 7.1. In addition, we'll provide some options that could give your processes even more functionality, making things more efficient.

We invite you to grab some lunch and join us for "IBM i Field Procedures Simplified with DB2 Field Procedures" on June 13 at noon central. There will be lots of opportunities to ask questions, and we'll also record the webinar so you can share it with your colleagues.

Hope you'll be able to join us!

Simplify Field Encryption on IBM i

Now that corporate applications are easier to access via remote and mobile channels, it's even more important to determine which sensitive data is accessible and where possible breaches may occur. Unfortunately, legions of hackers with Wi-Fi and mobile hacking tools make it imperative that organizations prepare for and defend against potential attacks with even more pervasive security procedures.

One step in creating a stronger defense is to employ field or column-level encryption to protect sensitive data at rest.

Implementing a custom field encryption project on IBM i used to be a notoriously long and painful process. Programming code changes for field level encryption required a steep learning curve, costly programming resources, and even more time in testing, validating and updating the changed application source code. Most companies simply could not justify the additional strain on their budgets for this level of project development requirements.

In response to this challenge, IBM released its OS version 7.1 in April of 2010 with DB2 field procedures (FieldProcs), which greatly simplified the field encryption process. With the new FieldProcs technology, encryption projects can be streamlined because the field procedures are invoked at the database level, making them transparent to the applications. The FieldProcs can be coded to automatically encrypt the field on Inserts and Updates, and subsequently decrypt the field only for authorized users on Read operations. As a result, FieldProcs have become very important to those businesses that have legacy applications and limited budgets.

FieldProcs are a great step for improving the viability of field level encryption projects. But even with this, many companies don't have the resources to integrate and manage the FieldProcs which is why third-party software solutions, like Linoma Software's Crypto Complete, are valuable. Crypto Complete will generate and manage the FieldProcs on the fields within the files.

Crypto Complete also includes the key management, audit logs and access controls needed for PCI DSS and data privacy compliance. The value of using Crypto Complete for field encryption cannot be overstated, as it can greatly minimize the learning curve and reduce the implementation resource requirements from weeks to hours.

Linoma Starts Off the Year with Several Product Releases

When things get hectic and life gets crazy, let's face it, we could all use a release. All puns aside, Linoma Software has been busy the past 5 months issuing several releases which provide our current and future clients the business edge they need in this ever changing market. Linoma released updates for Surveyor/400, Crypto Complete, GoAnywhere Services and last but not least GoAnywhere Director.

In February, Linoma released Surveyor/400 3.7. Surveyor/400 allows users to easily query and download data from IBM i to their desktops and network servers. Version 3.7 provides support for Excel 2007 with custom formatting options to create professional-looking spreadsheets. Surveyor/400 additionally supports earlier versions of Excel, as well as CSV, fixed width text, HTML and XML documents. Surveyor/400 conveniently provides over 20 IBM i tools in one application.

In addition to Surveyor/400, Linoma also released Crypto Complete 2.20 in February. The new release of Crypto Complete 2.20 incorporated tokenization. Tokenization should be considered when sensitive data is stored on multiple systems. Tokenization is the process of replacing sensitive data with unique identification numbers (e.g. tokens) and storing the original data on a central server in encrypted form. By centralizing sensitive data, tokenization helps to thwart hackers and minimize the scope of compliance audits such as PCI. Additionally, Crypto Complete 2.20 offers faster encryption for backups while eliminating the need for intermediate save files.

Let's fast-forward to June; Linoma released GoAnywhere Services 1.3.0. Version 1.3.0 adds enhanced security features with IP Filtering, Syslog feeds and additional Trigger actions, along with other updates and usability options. GoAnywhere Services is a secure file server that provides internal and external trading partners with a secure connection to your system for exchanging files within a fully managed and audited solution.

Also in June, Linoma released a new version of GoAnywhere Director. GoAnywhere Director 3.2.0 provides a connector for sending data using the AS2 version 1.2 standards. This includes support for multiple file attachments within a single AS2 message, synchronous MDN receipts and message integrity verification. AS2 messages can be sent over an SSL tunnel, making it a secure option for the transfer of sensitive data. Version 3.2.0 also includes Syslog server integration, advanced scheduling options, enhanced server certificate handling and FTP checksum validation options. GoAnywhere Director is a managed file transfer solution for the enterprise.

If you need any additional information about any of our product releases or if you need a solution and aren't sure what is the best product for your circumstance, give us a call. If we don't have the product your business needs, we can point you in the right direction.

It has been a great start to 2010 and we would like to say thanks to all of our clients for their continued support.

SQL Field Procedures in IBM i 7.1

Field Encryption on the IBM i just got easier.

SQL Field Procedures are a new DB2 feature in version 7.1 that allows a user-specified "exit" program to be called whenever data is read from, inserted into, or updated in a field (column). This is somewhat similar to database column triggers; however there are two distinct advantages:

  1. Field Procedures allow data to be modified on a Read operation, which allows the exit program to automatically decrypt the field value before it is returned to the customer's application.
  2. Field Procedures provide a separate internal space to store the encrypted version of the field value. This allows organizations to encrypt numeric fields such as packed decimal, signed decimal and integer data types without having to store the encrypted values in a separate file.

While IBM provided the hooks into the database with Field Procedures, it relies on third-party vendors like us to provide the encryption functions and key management. Linoma worked closely with IBM to test the new Field Procedures and provide feedback to their development team during the early release beta program for 7.1. This also allowed Linoma sufficient time to fully integrate Field Procedures into Crypto Complete for readiness when i 7.1 ships.

We're excited about Field Procedures since it will allow customers to implement column-level encryption on the IBM i without modifying their applications. This is especially important if a customer is running a canned application and/or does not want to modify their source code.

Massachusetts Has Set the Bar for Securing Personal Data; Is Your Company Compliant?

Personal data privacy is one of the greatest concerns individuals have when doing business over the web and in person. It seems it is commonplace for a company to notify their customers that their personal and/or account information has been compromised by a hacker or a disgruntled employee (e.g. TJ Maxx, Wells Fargo, Bank of America). While you'd think businesses would do everything they can to protect their customers' personal information, they will weigh the risks and likelihood of a data breach happening versus the cost and time to implement such security measures. Knowing this, the payment card industry (PCI), government agencies and many states have put together a list of requirements that businesses must follow in order to do business with them or in their state. The problem is they often don't enforce these regulations and fines are only imposed after a data breach happens.

I just returned from Framingham, Massachusetts where we exhibited at the Northeast User Group conference. Massachusetts has a very strict data privacy law. Not only do businesses in Massachusetts need to protect their customers' personal information, but so do businesses that have in their database the personally identifiable information of people from Massachusetts. One of the requirements says organizations must:

"Encrypt all transmitted records and files containing personal information that will travel across public networks."

Several of our customers mentioned our products have helped them meet Massachusetts' data privacy requirements. They have implemented field encryption using Crypto Complete and are using our GoAnywhere Director to encrypt file transfers. They have minimized the risk of a data breach happening at their company by using both solutions. Unfortunately, I also had many other individuals stop by Linoma's booth who said their management does not want to allocate any resources (time or money) towards securing personal and confidential data. They know they should do it and are required to do so, but it's just not high on their priority list right now. I'm afraid this mindset may be more popular than we think, which is concerning.

Is the company you work for securing personal data? Is your company looking for a solution to secure data? Find out today how we can help your company avoid sending the inevitable letter that your confidential information has been breached. Not only can we help you avoid facing public humiliation, our products can help save you time and money by streamlining the secure data transfer process.

If you are interested in seeing how Linoma's solutions can encrypt your data at rest and when it's transferred, don't hesitate to contact us at 800-949-4696.

Brian Pick

Sales Manager