A guide for creating a more secure, efficient managed file transfer methodology





Sterling Connect:Direct & SecureZIP

Joe Sturonas, Chief Technology Officer, PKWARE
Forrest Ratliff, Solutions Engineer, PKWARE

Contents

- Introduction
- Understanding IBM Sterling Connect:Direct
- Getting More Out of IBM Sterling Connect:Direct
  - Enhancing Security
  - Improving File Transfer Time
  - Lowering your Processing Spend
- Use Cases
  - Eliminating Missed SLAs
  - Cutting Down Transmission Times
  - Automating Hardened Security
  - Using Crypto to Achieve Federal Compliance
  - Reducing Transmission Failures on a Distributed Platform
  - Facilitating Efficient File Transfer in a Rapidly Growing Partner Network
- Summary

Introduction

There's one thing certain about today's business data: it doesn't stay in one place too long. It is transferred. It is shared with partners. It is batched and moved offsite. Data transfer happens in many ways: via networks, data center platforms, and FTP, to name a few. Data center managers are constantly asked to do more with less, which means figuring out ways to move data faster and more efficiently without increasing costs.

IBM's Sterling Connect:Direct is a commonly used file transfer tool that includes a basic layer of compression and security. Its popularity is due in part to its reputation as a reliable alternative to the typical FTP process. While Connect:Direct provides consistent delivery of data through automated scheduling, checkpoint restart and automatic recovery mechanisms, organizations using it still struggle to meet SLAs and ensure compliance as their data moves beyond the enterprise perimeter.

By combining the file transfer strengths of Connect:Direct with the compression and strong encryption capabilities of SecureZIP, organizations can maintain a direct job flow while providing the most secure and cost-effective transportation for files on the move.

Understanding Connect:Direct

IBM Connect:Direct has been in the marketplace since the late 80s and has been referred to as Network Data Mover (NDM), Sterling Connect:Direct and most recently IBM Sterling Connect:Direct. It was originally designed for managing the automated transfer of mainframe files from location to location utilizing SNA and eventually TCP/IP (over dedicated private lines, primarily for security purposes). Connect:Direct is available for most major enterprise platforms and is generally used for automated high-performance file transfer, automated error handling and audit trail.

A Connect:Direct client communicates with a Connect:Direct server about the work that will be performed, using one of the following client interfaces:
- Web browser
- Graphical user interface (GUI)
- Command line client (CLI)

Connect:Direct can be utilized in a number of ways, including:
- Automated file transfer via scripting and scheduling
- Automated file transfer via watch directories (directories that are scanned for files, with transfer processing that starts after files are found)
- On-demand file transfer via proprietary command language

Each data transfer involves local and remote Sterling Connect:Direct servers (also referred to as nodes). The two servers work together in a peer-to-peer fashion. The server initiating the connection is the primary node (PNODE) for the connection, and the server receiving the connection is the secondary node (SNODE).

Connect:Direct offers basic user authentication and user proxies to provide a degree of security for the basic product. For an additional cost, Connect:Direct Secure Plus allows the customer to select one of three security protocols for use during electronic transmission. These security protocols expose the organization to risk because they don't protect against man-in-the-middle attacks.
Getting More Out of Connect:Direct

SecureZIP combines ZIP compression and strong encryption to deliver data-centric security that helps organizations protect sensitive data, meet compliance requirements, and reduce overall costs. Adding SecureZIP into the Connect:Direct workflow enables organizations to maintain all the best features of Connect:Direct (automated file transfer, error handling and auditing) while maximizing efficiency and security for data as it moves. This provides a better way to transfer secure files and utilizes other enhancements you already have in-house.

SecureZIP works cooperatively within the Connect:Direct environment in these three critical categories:
- Enhanced Security
- Increased Performance
- Reduced Cost

[Figure: Connect:Direct client to Connect:Direct client transfer. Caption: SecureZIP encrypts data at the file level so that it is secure as it moves during the transfer process.]

ENHANCING SECURITY

SecureZIP complements the authentication and user proxy security of Connect:Direct by providing a layer of data-centric security that encrypts data at the file level, so that the data is secure as it moves during the transfer process. It is important to note that because Connect:Direct does not support hardware crypto through ICSF or provide end-to-end data protection, complementary data-centric security is required to achieve compliance with major government and industry regulations, as well as to protect against the risk associated with a data breach.

Security Advantages of Using Connect:Direct and SecureZIP
- Complement existing security investments: Can be used with passphrases, public/private key pairs utilizing X.509 certificates, or OpenPGP keys for encryption/decryption, using either the ZIP or OpenPGP security format. Takes full advantage of System z hardware crypto such as CPACF and CryptoExpress cards through ICSF.
- Digital signing/authentication: Encryption capabilities that utilize hardware crypto through ICSF assure that files have not been altered.
- Strong encryption: Data is protected with 3DES or AES (128, 192, or 256-bit) encryption algorithms.
- Maintain control of data: A contingency key provides administrative access to any encrypted data processed within the environment.
- Hardened policy lock-down: Use SAF to establish strictly enforced security controls.

IMPROVING FILE TRANSFER TIME

Due to the nature of the Connect:Direct process, file bottlenecks can occur. The IBM documentation states that the compression ratios utilized in Connect:Direct may reach up to 50%. SecureZIP compresses files by up to 95% and can reduce transmission times by 40% or more. More data can be managed in the same amount of time, allowing batch processing to complete faster. This compression approach allows organizations to include thousands of files in a single .zip container, eliminating the need for multiple jobs (and multiple opportunities for failure).

Performance Advantages of Using Connect:Direct and SecureZIP
- System integration: Directly write to, and read from, UNIX/Linux and Windows file systems.
- Application integration: After an application completes processing, it streams the data to SecureZIP for encryption; unprotected data is never staged to disk.
- Exchanges files with other platforms without disruption: Streamlines the EBCDIC/ASCII conversion process.

LOWERING YOUR PROCESSING SPEND

For many organizations, IT budgets are the same as or even less than they were the previous year. At the same time, processing throughput is expected to rise. Companies need to improve efficiency in order to stretch existing budgets. Connect:Direct allows organizations to add automation to the daily movement of files between locations and adds a layer of security in the process. However, since compression and encryption aren't Connect:Direct's core competencies, those functions increase the processing load and have a negative effect on the entire system (particularly on response time).

Cost Saving Advantages of Using Connect:Direct and SecureZIP
- Reduce file size: ZIP compression allows you to reduce file size by up to 95%, saving time and valuable system resources.
- Support for zIIP: Offload processing to IBM z Integrated Information Processors (zIIP) to free up general computing capacity and lower the overall total cost of computing for select workloads (Connect:Direct does not support zIIP for compression).
- Support for zEDC: Directing the compression workload to the zEDC cards frees up general CP resources.
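The two points made above, batching many files into one compressed container so that a single transfer replaces many jobs, and giving the receiving node a way to detect that the file was not altered in transit, can be shown with a small stand-alone script. This is an added example, not PKWARE or IBM code, and it does not use SecureZIP or Connect:Direct: it uses only the Python standard library (zipfile for DEFLATE compression, hmac/hashlib for an integrity tag). The assumptions are labelled in the code: the sample store reports are constructed, the T1 line rate is only used for an idealised wire-time estimate, and the HMAC-SHA256 tag under a shared key stands in for the certificate-based digital signing the paper describes. The script does not encrypt the container (the standard library ships no AES), so in a real deployment the encryption layer discussed under "Enhancing Security" still has to be applied before the container leaves the node.

```python
"""Batch many small files into one compressed container, measure the gain,
and tag the container so the receiving node can detect tampering.

Added example (not PKWARE or IBM code). Standard library only: zipfile for
DEFLATE compression, hmac/hashlib for the integrity tag. The HMAC-SHA256 tag
is a stand-in for certificate-based signing; the container is NOT encrypted.
"""
import hashlib
import hmac
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

T1_BITS_PER_SECOND = 1_544_000  # nominal T1 line rate (assumption, for the estimate only)


@dataclass(frozen=True)
class TransferPlan:
    file_count: int
    raw_bytes: int        # total size of the individual files
    container_bytes: int  # size of the single ZIP container

    @property
    def compression_pct(self) -> float:
        """Space saved by DEFLATE, as a percentage of the raw size."""
        if self.raw_bytes == 0:
            return 0.0
        return 100.0 * (1.0 - self.container_bytes / self.raw_bytes)

    def seconds_at(self, bits_per_second: int, nbytes: Optional[int] = None) -> float:
        """Idealised wire time for nbytes (default: the container) at a line rate."""
        if nbytes is None:
            nbytes = self.container_bytes
        return nbytes * 8 / bits_per_second


def sample_reports(n: int) -> Dict[str, bytes]:
    """Constructed sample input: n daily CSV store reports (not real data)."""
    files = {}
    for store in range(n):
        lines = ["date,store,sku,qty,price"]
        for row in range(200):
            sku = row % 10
            lines.append(f"2014-09-01,STORE-{store:04d},SKU-{sku:05d},"
                         f"{(row % 3) + 1},{sku * 1.25 + 0.99:.2f}")
        files[f"reports/store_{store:04d}.csv"] = "\n".join(lines).encode("ascii")
    return files


def build_container(files: Dict[str, bytes], key: bytes) -> Tuple[bytes, bytes, TransferPlan]:
    """Sender side: write every file into one DEFLATE-compressed ZIP held in
    memory (nothing is staged to disk) and return (container, tag, plan)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        for name in sorted(files):  # deterministic order -> reproducible container
            zf.writestr(name, files[name])
    container = buf.getvalue()
    tag = hmac.new(key, container, hashlib.sha256).digest()
    plan = TransferPlan(len(files), sum(len(d) for d in files.values()), len(container))
    return container, tag, plan


def verify_and_open(container: bytes, tag: bytes, key: bytes) -> List[str]:
    """Receiver side: reject the container unless the tag matches (constant-time
    compare) and every member's CRC checks out; return the member names."""
    expected = hmac.new(key, container, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity tag mismatch: container altered or wrong key")
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        bad = zf.testzip()  # first member with a CRC error, or None
        if bad is not None:
            raise ValueError(f"corrupt member: {bad}")
        return zf.namelist()


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"  # assumption: shared key
    files = sample_reports(100)
    container, tag, plan = build_container(files, key)
    print(f"{plan.file_count} files, {plan.raw_bytes} raw bytes -> "
          f"{plan.container_bytes} bytes in one container ({plan.compression_pct:.1f}% saved)")
    print(f"T1 wire time: {plan.seconds_at(T1_BITS_PER_SECOND, plan.raw_bytes):.1f}s for the "
          f"raw files vs {plan.seconds_at(T1_BITS_PER_SECOND):.1f}s for the container")
    print(f"receiver verified {len(verify_and_open(container, tag, key))} members")
    tampered = container[:-1] + bytes([container[-1] ^ 0x01])  # flip one bit in transit
    try:
        verify_and_open(tampered, tag, key)
    except ValueError as exc:
        print("tampered copy rejected:", exc)
```

Running the script prints the raw versus container size, the idealised wire time for each, and shows the receiver rejecting a copy with a single flipped bit. The tag is computed over the whole container rather than per member, which is what lets the receiver refuse the file before opening a single entry; per-member CRCs then only catch accidental corruption, not deliberate changes.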

[Figure: SQL extract, encrypt & compress, Connect:Direct transfer, decrypt & decompress, SQL import at the client. Caption: Adding SecureZIP to the Connect:Direct environment improves transfer, reduces CPU utilization and encrypts data.]

Use Cases

At PKWARE, we've worked with several organizations that have benefited from adding SecureZIP for z/OS to their Connect:Direct environment. These use cases illustrate real-world examples and benefits.

USE CASE: ELIMINATING MISSED SLAS

A retailer was consistently missing deadlines for SLA reports sent to their partners. They were utilizing a z10 BC W05 with a zIIP specialty engine. They had a three-hour SLA to move 100 files, totaling 5GB, using Connect:Direct. The costs associated with the ongoing missed SLAs were beginning to pile up. The retailer was spending more than $10,000 each month to cover the contractual penalty for missing these SLAs. To make matters worse, their machines were running at peak capacity during the transfer due to the rigorous nature of the Connect:Direct process.

The company added SecureZIP for z/OS to their Connect:Direct environment. Because SecureZIP for z/OS offloads the compression workload to the existing zIIP specialty engine, the company was able to alleviate 90% of the processing load from the general CP. Their elapsed processing times dropped to about 15 minutes, and transfer times dropped to 10 minutes. Both were drastic reductions from the previous three-hour window.

The retailer was able to effect this change by adding a step to the job stream; in fact, only a few lines of JCL were modified, without any application programming changes. Their Connect:Direct configuration remained the same. They were able to reap the benefits of a faster, more efficient process which utilized significantly fewer CPU cycles and avoided the $10,000 in monthly missed SLA penalties they were previously paying.

USE CASE: CUTTING DOWN TRANSMISSION TIMES

A retailer was sending transactional credit card data collected at store locations to their corporate headquarters for processing on an IBM i midrange system. Their backup requirements consisted of daily object mirroring from the production box to the development machine for business continuity via Connect:Direct over a T1 line. They also ran nightly tape backups of sensitive customer data for offsite storage. Processing times for backups were a continuous challenge, and as data volume increased, it was becoming more difficult to meet the times required for the processing window. They were utilizing Connect:Direct to handle the file transfer management schedule, but they were just not getting the most efficient throughput of the files. Due to a flat networking budget, the retailer couldn't increase bandwidth. They were also required to meet PCI compliance, which is the norm for companies processing financial credit card data.

The retailer chose SecureZIP for IBM i as a complementary addition to their Connect:Direct job flow. SecureZIP combined the compression, encryption and SAVF file creation into one step, keeping CPU consumption to a minimum. It also allowed them to connect to their development box over the network instead of through a T1 line, which reduced costs. The IBM i PKWARE Save/Restore Application (iPSRA) reduced time requirements and disk space by allowing SecureZIP to compress/encrypt IBM i save files directly to a file in a ZIP archive, essentially skipping the intermediate step.

The iPSRA assisted with reducing the save data as well as with securing the data for offsite storage. This removes the dependency on specific hardware technology that may not be available to, or compatible with, the intended recipient or custodian of your information. The iPSRA process can execute multiple save operations with one compression run, making it unnecessary to run repeated individual save commands. The retailer has cut its nightly FTP file transmission time in half, reducing it to 5.5 hours, while at the same time utilizing the Connect:Direct scheduling feature to maintain the automated production job stream.

USE CASE: AUTOMATING HARDENED SECURITY

A credit card processing company was handling millions of files each day. A significant amount of those files originated on the mainframe and were then sent to a number of partners using Connect:Direct. The data being exchanged needed to be secure during transport as well as while at rest in their data center. The company's partners used various methods for securing their data. Some used passphrases, some used X.509 certificates and others used OpenPGP. The credit card processing company chose SecureZIP because it allows them to use any of those three security formats, as well as to administer policy that automatically encrypts files based upon where the data is going. They were able to consistently apply hardened, locked-down security to their outbound data at its creation point in their production job streams, on a consistent and automatic basis.

USE CASE: USING CRYPTO TO ACHIEVE FEDERAL COMPLIANCE

A payments processing company that does work with the U.S. federal government deals with a lot of sensitive information using Connect:Direct. Working with the U.S. government required them to encrypt everything in accordance with the federal standard, FIPS 140-2. On its own, Connect:Direct is not FIPS 140-2 compliant. The company had acquired a zEC12 with a Crypto Express 4S card configured as a co-processor. They were running in Secure Key Mode and used only AES 256-bit encryption, and because of that, they did all the encryption work with the Crypto Express 4S card. Connect:Direct does not support hardware crypto through ICSF, so the company used SecureZIP for z/OS to take full advantage of System z hardware crypto such as CPACF and CryptoExpress cards through ICSF. By configuring SecureZIP for FIPS 140-2 mode, the company created a FIPS 140-2 compliant workload. This drastically reduced the amount of processing required on the more expensive general CPs while achieving FIPS 140-2 compliance. It also created the smallest data footprint to ever pass through their Connect:Direct node.

USE CASE: REDUCING TRANSMISSION FAILURES ON A DISTRIBUTED PLATFORM

One of our clients transmitted a large number of files using Connect:Direct on the distributed platform. They were contractually obligated to a very stringent six-hour SLA, from midnight to 6 a.m., for distribution of data to a number of their customers. They were continually missing their SLA deadlines because networking issues caused bottlenecks in their production runs, from job failures with clients' less robust network connections. Jobs would queue up as failures would occur during the transmit phase of their operation,

which required multiple job restarts to successfully process.

The company implemented SecureZIP into their Connect:Direct workflow by adding a job step into existing JCL. This allowed them to aggregate numerous files into a single file which was significantly compressed during the job process, prior to reaching the transmit stage of the Connect:Direct transfer. Files that were previously 10 GB and taking more than two hours to transmit were now sent successfully in approximately 12 minutes over the very same network infrastructure. The client was able to process the entire job stream in less time than it had taken to transmit a single job. Additionally, the number of transmission failures was drastically reduced due to the reduced number of transmissions that were made.

USE CASE: FACILITATING EFFICIENT FILE TRANSFER IN A RAPIDLY GROWING PARTNER NETWORK

One of our financial customers processes millions of encrypted files daily. They were constantly in a state of spend and looking for a way of doing more with less. Their problem was two-fold: they were hitting peak processing states numerous times throughout the day, and the time required to onboard new clients (with their disparate computing platforms) was weeks or even months, resulting in lost revenue. They were already utilizing Connect:Direct to automate the file transfer process, but because their clients' encryption methodologies and hardware platforms varied so greatly, each new client required a unique setup. This presented a dilemma: if they continued to grow their business and bring on additional clients, they would need to significantly increase their mainframe spend or risk additional financial penalties on an already heavily utilized box. They were also incurring the additional personnel costs associated with the client onboarding process.

SecureZIP provided the ability to create new processing efficiencies that enabled the company to maintain response times and to create a single, repeatable process regardless of the new client and platform being onboarded. As part of the procurement process for SecureZIP, a benchmark analysis was performed, measuring the transfer time for files of various sizes using SecureZIP versus IBM Encryption Facility for z/OS. The analysis revealed exceptional results: when using IBM Encryption Facility, elapsed time was six times longer and CPU utilization was 14 times higher than when using SecureZIP for encryption. By using SecureZIP for z/OS, the company was able to avoid a $6.6 million investment in additional processor capacity, which it would have needed to maintain its system utilization and maximize throughput utilizing Connect:Direct. SecureZIP allowed them to utilize the OpenPGP, X.509 certificates and passphrases that their new clients' contracts required. Additionally, because SecureZIP works on all major hardware computing platforms, the company's business units used a repeatable onboarding process that allowed them to bring new clients up to speed within a matter of days. Resources that were previously tasked with onboarding new clients were redirected to other revenue-generating projects.

Summary

As IT budgets continue to shrink and security threats grow, organizations need to constantly evaluate their security and performance strategies. While Connect:Direct provides reliable mainframe transfer capabilities, organizations using it should also consider security, performance and cost. Adding SecureZIP to the Connect:Direct workflow ensures that data is secure at the endpoint and during transfer, while at the same time delivering performance improvements that drive down data center costs.

SecureZIP's file-level methodology maintains the compression and encryption of files throughout the life cycle of the data being processed and moved, all while maintaining the automated nature of the process creating the files in the batch environment. Files created with SecureZIP have the smallest footprint (up to 95% compression) while being encased in an encrypted (up to AES 256-bit) ZIP or OpenPGP container. This creates the most efficient and secure means for file transmission via Connect:Direct while utilizing the least amount of CPU during the processing of compression and encryption.

CORPORATE HEADQUARTERS
648 N. Plankinton Ave. Suite 220, Milwaukee, WI 53203
1.800.219.7290

UK / EMEA
Building 3 Chiswick Park, Chiswick High Road, London W4 5YA, United Kingdom
+44 (0) 208 899 6060

Copyright 2014 PKWARE, Inc. and its licensors. All rights reserved. PKWARE is a registered trademark of PKWARE, Inc. Trademarks of other companies mentioned in this documentation appear for identification purposes only and are property of their respective companies.