GDPR Data Protection for IBM i iSeries AS400

General Data Protection Regulation GDPR data protection law applies to any company that transmits, store or process personal data of individuals living in countries in the European Union, such as insurance, healthcare, financial, retail and like B2C industries. This GDPR article addresses data protection recommendations for the IBM i (iSeries AS400) platform, and why encryption should be your company's highest priority These commonsense data protection guidelines are written for the IBM i platform, but these safeguards in general can be used for any platform. The EU GDPR data protection and privacy regulation documentation can be downloaded in your preferred language here: https://eur-lex.europa.eu/eli/reg/2016/679/oj

The GDPR law does not specify which data protections mechanisms must be used to protect personal data, it only states companies must implement appropriate technical and organizational measures to ensure personal data is secure. In the event personal data is compromised, lost or stolen, the degree and or effort put forth by the company to protect the personal data exposed will be the primary factors determining if a fine will be imposed, or how large the fine will be, according to GDPR Chapter 8 Remedies, Liability and Penalties.

First, what does GDPR consider "personal data" that requires protection? The GDPR definition could not be vaguer and specific at the same time. It clearly states "any" personal information that can be used as an identifiable attribute of a particular person. Although this includes the obvious identifying information such as name, address, phone, account/license/ID numbers, and similar expected data, it also includes generic descriptive characteristics of a person, such as appearance attributes that can identify a person. Deviate from the "any" criteria of personal data attributes at your own risk.

Below are our security recommendations for IBM i iSeries AS400 data protection and commonsense safe guards that should be implemented for GDPR compliance, in order from strongest (most effective) to weakest.

Implementing appropriate GDPR personal data protections

1. IBM i AES ENCRYPTION FOR SENSITIVE DATA 
Using AES encryption for sensitive DB2 fields, tables and any other IBM i files containing personal data solves the most critical GDPR requirements for both data at rest and in transit. Encryption is the most critical and important data protection measure every company should implement that has GDPR or has any other sensitive data to protect for compliance. IBM i encryption protects private data no matter how it is accessed, used or where it is moved, and protects from both internal and external threats. IBM i AES encryption options are not only the most effective protection mechanism, it is usually the quickest, easiest and most affordable data security option to implement. Any personal data not encrypted will likely incur the costliest GPDR penalties if an incident were to occur. Considering the very low cost and effort required to encrypt DB2 data, it makes little sense not to use encryption as a first line of defense.

Companies that prefer not to have production systems under a microscope or have all their data scrutinized for compliance, may want to consider using tokenization for the personal data on their IBM i. Tokenization adheres to the anonymization requirement of the GDPR law, and works similarly to encryption. Tokenization puts tokens with the same characteristics of the source data, in place of the sensitive data in IBM i DB2 database fields. The original sensitive data then gets stored in a token vault not on the production IBM i. Tokenization does not use secrete keys like encryption, but user policies work in a very similar fashion, including masking all or only parts of data according to user permissions. Tokens must be safe guarded just like encryption keys, because if they are not stored or are lost, the data becomes anonymized forever.

2. IBM i MFA MULTI-FACTOR AUTHENTICATION
One of the key reasons for the creation of the GDPR regulation, is the concern of cybersecurity criminals getting access to personal data stored on the system due to week passwords or poor authentication practices. MFA for iSeries is another quick, simple and cheap solution that should be implemented to drastically reduce the likeliness of a cybersecurity breach compromising personal data.

3. IBM i ACCESS CONTROLS VIA EXIT PROGRAMS
Enforce control policies for all access to personal data using exit programs on a "as needed" basis. No user should be authorized to read or download personal data unless they have a business need to do so. Menu level application security does not work, nor would it be considered an acceptable compensating control for protecting personal data. Exit programs are the most logical means for implementing user access controls for applications that access the system via the network, such as ODBC/JDBC, FTP, File Transfer and like 3^rd party application that can connect to the system through exit points.

4. IBM i DB2 FILE PROTECTION
File protection is another means to enforce access control policies using exit programs, but without segregating authorities for each application. File protection rules can be implemented for green screen users and 3^rd party applications that access the system generically via exit points. Meaning, you can define permission rules to a file containing personal data at a very high level, versus implementing permissions to each action type of every exit program.

5. ENCRYPTION OF CONNECTIONS (DATA IN TRANSIT)
Personal data should only be transmitted over a secure connection, whether it involves web application communications, telnet, FTP or when other transfer methods are used. Encrypting the communication channel is the only way to prevent cybercriminals from capturing, reading and compromising the personal data in transit. Encrypting connections is likely the most affordable safe guard an iSeries shop can implement. Although some communication channels like web applications require the purchase of an SSL certificate, most can be secured with a little research and technical know how.

6. ENCRYPTION OF BACKUPS
If you do not implement field level encryption of personal data, encrypting your backups would at least protect the data in the event your tapes are lost or stolen. There is a few hardware based solutions available such as Cybernetics VTL and LTO encryption that can provide backup encryption for your tape media.

7. RECOMMENDED SYSTEM VALUES
Assess your Password and Sign-on system values to determine if any can be changed to ensure better security. IBM provides a list of recommended settings various system values you can use as a guide (look up "VXRX System management")

There are  other security measures you can take to increase the security posture of your iSeries system. Please contact us with any questions you have regarding securing your iSeries date for GDPR or other regulatory compliance requirements. The next article on EU GDPR regulation will address auditing requirements.