Get your mainframe ready for GDPR!

What is GDPR?

GDPR is new EU regulation which intend to enhance and unify current data protection laws in place across the European Union (EU) member states. In GDPR, there are general obligation to implement technical and organizational measures to show that you have considered and integrated data protection into processing activities.

GDPR enhances level of protection for data subjects providing:

• Higher standards for privacy notices and for obtaining consent
• Easier access to personal data by a data subject
• Enhanced right to request the erasure of their personal data
• Right to transfer personal data to another organization (portability)
• Right to object to processing now explicitly includes profiling.

GDPR requires enhanced obligations on data controllers and processors:

• Operationalization of a Data Protection by Design and by Default Process
• Appointment of a Data Protection Officer (DPO)
• Implementation of technical and organizational security measures appropriate to the risks presented
• Breach notification obligations
• Increased obligations for data processors

How and when will GDPR take effect?

The fact that it is a “regulation” instead of a “directive” means it will be directly applicable to all EU member states without a need for implementing legislation by specific country government. It has international reach, applying to controllers and processors, both inside and outside the EU, whose processing activities relate to the offering of goods or services to EU data subjects.

Data Protection Authorities have the power to impose significant fines on organizations for non-compliance with the rules, scalable to €20 million or 4% of the organization’s global annual turnover per incident, whichever is greater. Regulation has been formally adopted and will take effect as of May, 2018.

What about mainframe?

IBM Mainframes are considered to be secure by default.  They have built in protection, including security in the processor, operating system, storage and applications. However, increasing number of regulations from industry and government such as GDPR pushes IT industry to adapt in order to be compliant. And IBM mainframes are not exception.

So, how does IBM mainframes support GDPR regulations? Supports it in three different areas:

1. Data protection that includes encryption and pseudomynization or data masking

GDPR Article 32 , Security of processing – “the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including… the pseudonymisation and encryption of personal data;”

The only technical controls mentioned in GDPR are encryption and pseudonymization (de-identifying data with a mechanism to re-identify if necessary).

IBM mainframes traditionally support encryption. Encryption is supported on all levels, including network traffic, datasets, tapes, databases. However, it is not enabled by default.

Additional advantage of IBM mainframe systems is use of specialized cryptographic hardware that provides advanced cryptographic functions and also speeds processing to provide high performance.

For pseudonymisation or data masking there are IBM Optim solutions that can be used to mask sensitive data propagated outside your production environment, such as national IDs, credit card numbers, or email addresses.

Related products:

• z/OS Communication Server: Ipsec/IKE/AT-TLS
• IBM Security Guardium Data Encryption for DB2 & IMS
• IBM Security Guardium Data Protection for Databases
• Optim Data Masking- z/OS PKI Services
• z Systems Crypto hardware

2. Identity and resource access management

GDPR Article 32, Security of processing – “the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”

GDPR article that shows that security measures appropriate to the risk shall be implemented in general. Of course, that could be anything, but for sure includes access control management which is fundamental part of security.

IBM RACF traditionally provides identity and access management for IBM mainframes.  It can be extended to use other credential types, other than passwords or passphrase, like tokens or biometric data.

In complex environment, where multiple RACF  databases exists zSecure can be used to manage  RACF databases more efficiently and to monitor security activities.

Related products:

• IBM RACF
• IBM Security zSecure Suite
• IBM Multi-Factor Authentication for z/OS
• IBM Security Identity Governance and Intelligence

3. Centralized logging, auditing and alerting

GDPR Article 33, “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.”

Both processors and controllers have responsibilities to report breaches in a timely manner, or risk substantial fines.  Organizations may struggle with coordinating the people, process, and information needed to report and respond to a breach within the 72-hour window.

IBM mainframes traditionally collects information from various subsystems and products that can be used for reporting, monitoring, analysis.

IBM mainframes can detect security exposures, unauthorized access in real time using zSecure and Guardium solutions.

Even more, mainframe can be connected to centralized security intelligence platform, IBM Security QRadar, that is used to monitor and detect security threats and issues across entire infrastructure.

Related products:

• System Management Facility (SMF)
• SMF Digital Signature
• IBM Security Guardium Data Protection for Databases
• IBM Security zSecure Suite (Audit / Alert)
• IBM Security zSecure adapter for QRadar
• IBM Security QRadar

How can CROZ help?

Are you ready for GDPR? …do not forget, it is coming in May 2018.

CROZ can help you to:

• Identify areas of their business which will be impacted by obligations under the GDPR
• Design and plan technical and organizational measures
• Implement and support IBM solutions to be compliant with GDPR

Contact us on the e-mail address gdpr@croz.net.