RocknRambo (Partisan; Joined: 24 Sep 2003; Posts: 355)
Posted: Fri Oct 16, 2009 11:42 am    Post subject: Security and Encryption

Can anyone share some ideas on implementing data encryption for at-rest messages in MQ/MB solutions?
Currently, we are analyzing the design of message flows for PCI/HR-related data. One of the requirements is that data should be encrypted while it is at rest (e.g. sitting in a queue waiting to be processed, or a failure message left in a queue). One of the possible options we are looking at is MQ Extended Security Edition.
Any pointers are appreciated.
-RR

sridhsri (Master; Joined: 19 Jun 2008; Posts: 297)
Posted: Fri Oct 16, 2009 11:48 am

WebSphere MQ ESE is definitely the product of choice for this. It is the best solution for end-to-end application security.
Remember that in MQ ESE you can only encrypt when an application puts a message on the queue and decrypt when an application reads it.

RocknRambo (Partisan; Joined: 24 Sep 2003; Posts: 355)
Posted: Fri Oct 16, 2009 11:55 am

Any limitations or performance hiccups with MQ ESE? How does Capitalware's MQ Instant Secure Data work for this requirement?
-RR

sridhsri (Master; Joined: 19 Jun 2008; Posts: 297)
Posted: Fri Oct 16, 2009 12:01 pm

I can't compare this with Capitalware (I haven't used it). I can definitely say that ESE is being used by some very large customers of IBM and they are quite happy with it.
With enhanced security there is a price to pay in performance, which should be expected. Do you have any other security requirements besides encryption at rest? If you don't, then there are no limitations.
P.S.: ESE uses a few other products like TAMBI and LDAP to work. ESE ships with Tivoli Directory Server (LDAP), but you don't have to use it. We could easily use any of the other supported LDAPs, like Active Directory.

RogerLacroix (Jedi Knight; Joined: 15 May 2001; Posts: 3264; Location: London, ON Canada)
Posted: Fri Oct 16, 2009 12:50 pm

Hi RocknRambo,
MQ Instant Secure Data (MQISD) was designed to encrypt messages so that the data is protected during transmission. My thought was to make it super easy to install and use, and that people would select it over SSL.
MQISD uses TEA Variant to encrypt the data. TEA Variant is a fast block cipher algorithm with a 128-bit key. The algorithm is simple, fast and secure.
MQISD is extremely fast and puts minimal demands on the CPU for the encryption / decryption processing.
MQISD has not been as successful as it could have been for the following reasons:
1) Certain companies' security people say no to "TEA Variant" because it is not FIPS certified.
2) MQISD includes, for free, the Instant Secure Data API, so that applications can encrypt the messages before putting them to the queue. Hence, the "data at rest" would be encrypted. But some companies do not want to alter their applications.
So, in the near future, there will be a "version 2" of MQISD:
(1) MQISD will use AES for encryption / decryption since it has been certified by FIPS. Obviously, AES is not as fast as TEA Variant, but I have been told certification is FAR more important than speed.
(2) MQISD will include an API Exit. Hence, "data at rest" will be encrypted and sending / receiving applications will not require any changes.
We offer free trials of MQISD (including free support). Please let me know if you have any questions or comments.
Regards,
Roger Lacroix
Capitalware Inc.
--
Capitalware: Transforming tomorrow into today.
Connected to MQ!

RocknRambo (Partisan; Joined: 24 Sep 2003; Posts: 355)
Posted: Fri Oct 16, 2009 1:09 pm

Roger, thanks much for providing insight on MQISD.
I was reading the data sheet on MQISD on the IBM site, which states one of the benefits as 'No application changes required', and this contradicts your comment below on the 'Instant Secure Data API'.
Am I missing anything here?
-RR

RogerLacroix (Jedi Knight; Joined: 15 May 2001; Posts: 3264; Location: London, ON Canada)
Posted: Fri Oct 16, 2009 1:33 pm

RocknRambo wrote:
> I was reading the data sheet on MQISD on the IBM site, which states one of the benefits as 'No application changes required', and this contradicts your comment below on the 'Instant Secure Data API'.
> Am I missing anything here?

MQISD was designed as a competitor to / replacement for SSL. Its primary purpose is to encrypt / decrypt in-flight (in-transit) messages.
Hence, you do not need to change your application if you want "in-flight message encryption".
As a secondary feature, an application can use the Instant Secure Data API (ISD API) to encrypt data before putting it to the queue (i.e. data at rest is encrypted). This is not really MQISD but rather the ISD API doing the encryption / decryption.
Hope that helps.
Regards,
Roger Lacroix
Capitalware Inc.

PeterPotkay (Poobah; Joined: 15 May 2001; Posts: 7722)
Posted: Fri Oct 16, 2009 1:34 pm

Using MQISD for link-level encryption (data flowing over channels) does not require app changes.
But encrypting data so it is protected while on the queue requires the MQISD API, and using an API by definition requires changes.
--
Peter Potkay
Keep Calm and MQ On

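The application-side pattern Roger describes for the ISD API (encrypt the body before the put, decrypt after the get, so the queue only ever holds ciphertext) and Peter's point that this lives in the application, shown as an added example in Go. This is not Capitalware's ISD API, MQISD or any IBM code: the envelope layout, the Keyring/Seal/Open/Queue names, the AES-256-GCM choice and the sample payload are all constructed for this example, and the in-memory Queue stands in for an MQ queue (a real application would pass the envelope bytes as the message body to MQPUT and open them after MQGET).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope layout used by this example (constructed here, not a real product's format):
//   [1 byte version][8 byte key id][12 byte nonce][ciphertext || 16 byte GCM tag]
const (
	envVersion = byte(1)
	keyIDLen   = 8
	nonceLen   = 12 // standard AES-GCM nonce size
)

// Keyring maps a short, non-secret key identifier to a 256-bit AES key.
// A production system would load keys from a key store or HSM; here they are in memory.
type Keyring map[[keyIDLen]byte][]byte

// keyID derives a stable identifier from a key so the envelope can name the key
// that protects it without carrying the key itself.
func keyID(key []byte) [keyIDLen]byte {
	var id [keyIDLen]byte
	sum := sha256.Sum256(key)
	copy(id[:], sum[:keyIDLen])
	return id
}

// NewKey generates a random 256-bit AES key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Add registers a key under its derived id.
func (kr Keyring) Add(key []byte) { kr[keyID(key)] = key }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a message body before it is put to the queue. aad is authenticated
// but not encrypted; binding the application's message id means a ciphertext cannot
// be silently re-attached to a different message, yet it still opens after the
// message is moved to a backout or dead-letter queue (the binding is not the queue name).
func Seal(key, payload, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	id := keyID(key)
	env := make([]byte, 0, 1+keyIDLen+nonceLen+len(payload)+gcm.Overhead())
	env = append(env, envVersion)
	env = append(env, id[:]...)
	env = append(env, nonce...)
	return gcm.Seal(env, nonce, payload, aad), nil
}

// Open parses an envelope read from the queue, picks the key by id, and decrypts it,
// failing on an unknown key, a tampered body or a mismatched aad.
func Open(kr Keyring, env, aad []byte) ([]byte, error) {
	if len(env) < 1+keyIDLen+nonceLen+16 {
		return nil, errors.New("envelope too short")
	}
	if env[0] != envVersion {
		return nil, fmt.Errorf("unsupported envelope version %d", env[0])
	}
	var id [keyIDLen]byte
	copy(id[:], env[1:1+keyIDLen])
	key, ok := kr[id]
	if !ok {
		return nil, errors.New("unknown key id")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := env[1+keyIDLen : 1+keyIDLen+nonceLen]
	return gcm.Open(nil, nonce, env[1+keyIDLen+nonceLen:], aad)
}

// Queue stands in for an MQ queue: whatever Put stores is exactly what would sit on
// disk while the message is at rest, including a failed message nobody has cleaned up.
type Queue struct{ msgs [][]byte }

func (q *Queue) Put(m []byte) { q.msgs = append(q.msgs, m) }

// AtRestIsCiphertext seals a sensitive payload, leaves it on the queue, and reports
// whether the stored bytes are free of the plaintext.
func AtRestIsCiphertext(key, payload, aad []byte) (bool, error) {
	env, err := Seal(key, payload, aad)
	if err != nil {
		return false, err
	}
	q := &Queue{}
	q.Put(env)
	return !bytes.Contains(q.msgs[0], payload), nil
}

func main() {
	kr := Keyring{}
	key, _ := NewKey()
	kr.Add(key)
	msgID := []byte("constructed-msgid-0001")                  // stands in for the MQMD MsgId
	payload := []byte("PAN=4111111111111111;SSN=123-45-6789") // constructed test data, not real
	env, _ := Seal(key, payload, msgID)
	fmt.Printf("stored on queue: %x\n", env)
	pt, err := Open(kr, env, msgID)
	fmt.Printf("read back: %q err=%v\n", pt, err)
}
```

The design point is the one Peter makes: both the putting and the getting application call into this code, so rolling it out is an application change on each side. What it buys in return is that the queue manager, its logs and backups, and anyone browsing the queue see only the envelope; the GCM tag additionally catches a body that was altered while it sat on the queue. Key distribution and rotation (the Keyring above is only an in-memory stand-in) are the part a product such as ESE or MQISD packages for you.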
sridhsri (Master; Joined: 19 Jun 2008; Posts: 297)
Posted: Fri Oct 16, 2009 1:35 pm

IBM shouldn't be commenting on Capitalware's capabilities. Roger would be the best person to answer any questions on Capitalware.
I can say that with MQ ESE, you don't need any application changes.

PeterPotkay (Poobah; Joined: 15 May 2001; Posts: 7722)
Posted: Fri Oct 16, 2009 1:43 pm

sridhsri wrote:
> IBM shouldn't be commenting on Capitalware's capabilities

Don't worry, they haven't in this thread.
You are aware that IBM and Capitalware are business partners?
--
Peter Potkay
Last edited by PeterPotkay on Fri Oct 16, 2009 2:27 pm; edited 1 time in total

RogerLacroix (Jedi Knight; Joined: 15 May 2001; Posts: 3264; Location: London, ON Canada)
Posted: Fri Oct 16, 2009 1:52 pm

sridhsri wrote:
> IBM shouldn't be commenting on Capitalware's capabilities.

Capitalware is an "IBM Industry Optimized Advanced-Level Business Partner".
MQISD is available in IBM's sales channel, so IBM Sales Reps had better be talking about it!!
From what IBM PartnerWorld associates tell me, the IBM Sales Reps are supposed to present both IBM and IBM Partner solutions to their clients.
So sridhsri, if you know or were told something different, then please let me know.
Regards,
Roger Lacroix
Capitalware Inc.

RocknRambo (Partisan; Joined: 24 Sep 2003; Posts: 355)
Posted: Fri Oct 16, 2009 3:26 pm

Thanks for the clarification on MQISD; I was able to put together pros/cons for myself. If I were to list the options so far:
1. IBM MQ ESE
2. Capitalware MQISD
3. Custom development
Any other suggestions on 'buy' options? We are not so much biased towards custom development.
-RR