Mainframe as a service: Myth Buster 006 - HASSEM PRAG
A lot has been said about cryptography, the algorithms that support it and the mechanisms to deliver data securely without any compromises. This becomes a far reaching exercise when financial transactions require the best form of security to ensure data cannot be compromised.
Mo, Hassem, Mohammed, IT, CIO, Fintech, Advisory, Consulting, Leadership, Technology, Tech, IT, ISFAP,Jay Prag,Farieda Mayet,Jayesh,Bank Zero,mainframes,IBM,software development,cyber security,
16814
portfolio_page-template-default,single,single-portfolio_page,postid-16814,ajax_leftright,page_not_loaded,,qode-title-hidden,qode-content-sidebar-responsive,qode-theme-ver-16.7,qode-theme-bridge,qode_advanced_footer_responsive_1000,wpb-js-composer js-comp-ver-5.5.2,vc_responsive,elementor-default,elementor-kit-16169

Myth006 Part1 – Cryptography and far-reaching implications

 

A lot has been said about cryptography, the algorithms that support it and the mechanisms to deliver data securely without any compromises. This becomes a far reaching exercise when financial transactions require the best form of security to ensure data cannot be compromised. There has been many organizations that were hacked or defrauded as a result of compromises in cryptography and/or related security frameworks. Cryptography as a subject matter covers a vast array of topics and this article would not do justice to all the various algorithms and processes needed to guarantee your data is secure. I really do mean guarantee.

So at its basic level Cryptography can be divided into two spheres, symmetric and asymmetric. Asymmetric uses a public/private key pair to encrypt and decrypt messages. This public/private key pair is usually generated using secure processes via a valid authority. Symmetric, on the other hand uses a key generated and shared with specific sets of partners. The general rule is to ensure there is a secure zone between you and the entity you want to transact with. So, why am I discussing this? Well it is important to understand that you just don’t take something off the shelf and it becomes your silver bullet to secure your data and guarantee end-to-end security of such data. There has to be a clear thought process as to how you are going to achieve multi-layered security.

Our experiences have shown that cryptography must be embedded as part of application design and be available at all levels to guard the secrets of your organization. There has to be a combination of both symmetric and asymmetric encryption/decryption used end-to-end to ensure your data and information is secure over and above any network or firewall related security.

So Part 1 will cover what we need in place to ensure both symmetric and asymmetric can be implemented in your organization. At a high-level you need the following:

  1. FIPS level 4 certified Crypto hardware. Anything lower will work but FIPS level 4 is regarded as an industry standard. So there are quite a few manufactures that are FIPS level 4 certified on their hardware.
  2. Understand the algorithms you will be using and research how and what you will be doing with them. Our experiences favour stronger techniques but embedded with our secret sauces.
  3. For symmetric you will need a key management tool that will assist you with managing the very complex sets of keys you need to generate and keep safe
  4. For asymmetric you will need a valid cert authority or an institution that can perform this activity securely. There are many free vendors so be careful here.
  5. The process flow on how cryptography will be embedded into your frameworks and applications.
  6. The skills and varied roles needed to manage these processes.

 

This forms the basis of your cryptography journey. In Part 2 we discuss the differences in running off-host vs on-host cryptography and discuss what you should be designing to enable cryptography within your organization. So whilst the myth that cryptography is a tool you buy that will enable everything magically is definitely untrue. You really need to understand the end goal so designs are embedded into your frameworks and systems in a manner that obfuscates anyone from understanding what is actually happening. We certainly have had some real world experiences here.