For Your Eyes Only
How to Keep your IBM i Environment Secure and Future-Proof it
IBM i modernization projects are complex. Multiple issues need to be considered with modernization. How ‘deep’ you go in refactoring the code is one example. Another point is the length and breadth of the database modernization. An additional issue is the user interface/user experience (UI/UX).
Fortunately, these are the common issues involved with a modernization project, and while complicated, are known and can be addressed. These issues are some of the reasons Fresche Solutions should be engaged when taking on a modernization journey.
But I want to talk about a different issue, and one that may not be as apparent. First, some acronyms and definitions:
PII – Personally Identifiable information
PHI – Protected Health Information
PAN – Primary Account Number
HIPAA – Health Insurance Portability and Accountability Act (US)
GDPR – General Data Protection Regulation (EU)
Yikes! Alphabet soup. But as developers and admins in the IT industry, we know these terms. In fact, the ideas behind these acronyms are critical to the success of IT and of the company as a whole. These concepts revolve around security, data protection, and fiduciary responsibility.
Understanding our data and processes, and protecting the data and processes has become one of the most important issues in IT. Unfortunately, we don’t need to wait long for the next data breach to show up on the evening news or in your Twitter feed.
Personally Identifiable Information (PII) may be the most critical of the data vulnerabilities. Information such as social security number or social insurance number, coupled with driver’s license number or home address, can be enough to enable a hacker to create a credit account in someone’s name. With instant credit, a hacker could run up hefty charges. Could these charges be removed? Sure, but think of the hassle one of your co-workers (or worse yet, one of your customers) would have to go through to fix this. And think of the black eye your company would receive if employees or customers experienced that identify theft.
Protected Health Information (PHI) is similar to PII, and may be lumped into the same category. But health information is different. We may encounter credit cards opened up in our name in the event of a PII breach. But a PHI breach could expose potentially embarrassing personal health data. Another concern is that the misuse of PHI could cause increased insurance premiums, or being denied credit, employment, or housing.
Primary Account Number (PAN) is the credit card number. This is the 15 or 16-digit card number that we use for purchases. It would be surprising in this day and age to see PAN stored in files and being actively used. This has been a red flag for many years, though I can guarantee some companies still store it actively. But even if it’s not intentionally stored, what about old work files? Or PAN stored in files where the PAN isn’t actively being used? Or perhaps work files created for testing in an Extract, Test, Load scenario?
HIPAA and GDPR are two wide ranging regulations that provide for penalties (both financial and legal) for misuse of personal information. These regulations are encompassing, even outside of their locations. In other words, companies around the world adhere to the provisions of the US-based HIPAA because those companies do business in the US, while US companies are beginning to embrace GDPR practices because they do business in the EU. It just makes sense for companies that do business world-wide to include these stringent practices rather than having different standards for different areas.
Secure the Watch! (OK, an Obscure Navy Reference)
So, it’s important to have a secure computing environment. We need to safeguard our customer data and our employee data. A new system would (should) have data security as a hallmark of the system. In fact, I would suggest that if security is not highly touted (and verified) in a new software system, I would take a hard pass.
But what about our existing systems? The systems that we’re modernizing to meet the demands of increased business, increased flexibility…and increased hackers. Perhaps security had been built in from the ground up, and you have no exposure risk for PII, PHI, and PAN data. But…are you sure? Are you sure that your modernization plan won’t just bring along the security exposures into the modernized software? Let’s discuss a strategy that you could employ to identify and remediate data exposures.
Modernization is what Fresche Solutions is all about. Our Fresche View and Fresche Advisor products will enable you to really see the interaction between your programs, database, and other objects in an IBM i environment. You can see a representation of your data stores and the programs that add, read, or update the data.
X-Analysis diagrams showing file and program relationships:
But Fresche Advisor (or Fresche View) can do much more than just show the relationship between objects on the system. These products can also be used to ‘tunnel’ down into a file or program and show the actual fields (columns) in the file (table). You can also see how the field is being accessed (read, write, update) in the different programs.
Since you can identify the field (column), you can begin to understand the meaning of the field and its contents. You’ll hopefully have a good naming convention so you can determine that a field named CMCC#1 is the first credit card field in the Customer Master file (yes, this is from experience). And if you have that name, you can search all the programs for every instance of that field. This enables you to build a list of programs that need attention.
The data side will be similar. You can perform a ‘wild card’ search for *CC* to search all files and programs for fields that have CC in the name. You’ll come up with false positives, so examine the generated list to further refine the search. Imagine being able to come up with all the instances of fields that look like they could contain a credit card number or PAN. This technique will work with any field name, such as *SS* for social security number or *DL* for driver’s license number.
You may have different naming conventions. You probably do if you’ve had different developers and haven’t had a strong set of standards over the years. This will necessitate multiple searches of data and fields to determine if you have suspect fields. Fresche Advisor makes it easy to generate lists and refine them as you learn more about your data.
An important part of modernization is converting the data store from a series of files to a truly relational database. The Fresche X-DB Modernize and X-DB Transform products are tools that migrate DB2 DDS-based databases to new relational DB2 DDL-based databases. The tool is highly configurable and can expose and handle the unique challenges of DDS conversions and database transformations.
You use these tools to transform your data files into a true database. But you don’t want to convert PII, PHI, or PAN data stored in files to your newly modernized database. Take the time to analyze and sanitize your data before you perform a DDS-to-DDL conversion.
How do you accomplish these tasks while modernizing your legacy system? You’re in the right place – Fresche Solutions’ Staff Augmentation is the solution. We have highly skilled, experienced IBM i developers and database analysts that can help analyze and convert your data and programs. Your Account Manager or Sales Representative can outline Fresche Solutions’ offerings to supplement your existing staff.
Be aware of the data you have on your system. Analyze and sanitize before you modernize!