A guide for creating a more secure, efficient managed file transfer methodology

Academic year: 2021

JOE STURONAS, CHIEF TECHNOLOGY OFFICER, PKWARE
FORREST RATLIFF, SOLUTIONS ENGINEER, PKWARE

Contents

INTRODUCTION
UNDERSTANDING IBM® STERLING CONNECT:DIRECT®
GETTING MORE OUT OF IBM® STERLING CONNECT:DIRECT®
Enhancing Security
Improving File Transfer Time
Lowering Your Processing Spend
USE CASES
Eliminating Missed SLAs
Cutting Down Transmission Times
Automating Hardened Security
Using Crypto to Achieve Federal Compliance
Reducing Transmission Failures on a Distributed Platform
Facilitating Efficient File Transfer in a Rapidly Growing Partner Network
SUMMARY


Introduction

There’s one thing certain about today’s business data: it doesn’t stay in one place too long. It is transferred. It is shared with partners. It is batched and moved offsite. Data transfer happens in many ways: via networks, data center platforms, and FTP, to name a few. Data center managers are constantly asked to do more with less, which means figuring out ways to move data faster and more efficiently without increasing costs.

IBM’s Sterling Connect:Direct is a commonly used file transfer tool that includes a basic layer of compression and security. Its popularity is due in part to its reputation as a reliable alternative to the typical FTP process. While Connect:Direct provides consistent delivery of data through automated scheduling, checkpoint restart and automatic recovery mechanisms, organizations using it still struggle to meet SLAs and ensure compliance as their data moves beyond the enterprise perimeter.

By combining the file transfer strengths of Connect:Direct with the compression and strong encryption capabilities of SecureZIP, organizations can maintain a direct job flow while providing the most secure and cost-effective transportation for files on the move.


Understanding Connect:Direct

IBM Connect:Direct has been in the marketplace since the late ’80s and has been referred to as Network Data Mover (NDM), Sterling Connect:Direct and, most recently, IBM Sterling Connect:Direct. It was originally designed for managing the automated transfer of mainframe files from location to location utilizing SNA and eventually TCP/IP (over dedicated private lines, primarily for security purposes). Connect:Direct is available for most major enterprise platforms and is generally used for automated high-performance file transfer, automated error handling and audit trails. A Connect:Direct client is used to communicate with a Connect:Direct server about the work to be performed, using one of the following client interfaces:

Web browser

Graphical user interface (GUI)

Command line client (CLI)

Connect:Direct can be utilized in a number of ways including:

Automated file transfer via scripting and scheduling

Automated file transfer via “watch” directories (directories that are scanned for files, with transfer processing that starts after files are found)

On-demand file transfer via proprietary command language

Each data transfer involves local and remote Sterling Connect:Direct servers (also referred to as nodes). The two servers work together in a “peer-to-peer” fashion. The server initiating the connection is the primary node (PNODE) for the connection, and the server receiving the connection is the secondary node (SNODE).

Connect:Direct offers basic user authentication and user proxies to provide a degree of security for the basic product. For an additional cost, Connect:Direct Secure Plus allows the customer to select one of three security protocols for use during electronic transmission. These security protocols expose the organization to risk because they don’t protect against man-in-the-middle attacks.

Getting More Out of Connect:Direct

SecureZIP combines ZIP compression and strong encryption to deliver data-centric security that helps organizations protect sensitive data, meet compliance requirements, and reduce overall costs.

Adding SecureZIP into the Connect:Direct workflow enables organizations to maintain all the best features of Connect:Direct (automated file transfer, error handling and auditing) while maximizing efficiency and security for data as it moves. This provides a better way to transfer secure files and utilizes other enhancements you already have in-house.

SecureZIP works cooperatively within the Connect:Direct environment in these three critical categories:

Enhanced Security

Increased Performance

ENHANCING SECURITY

SecureZIP complements the authentication and user proxy security of Connect:Direct by providing a layer of data-centric security that encrypts data at the file level so that as data moves during the transfer process it is secure. It is important to note that because Connect:Direct does not support hardware crypto through ICSF or provide end-to-end data protection, complementary data-centric security is required to achieve compliance with major government and industry regulations, as well as protect against the risk associated with a data breach.

Security Advantages of Using Connect:Direct and SecureZIP

Complement existing security investments: Can be used with passphrases, public/private key pairs utilizing X.509 certificates, or OpenPGP keys for encryption/decryption, using either the ZIP or OpenPGP security format. Takes full advantage of System z hardware crypto such as CPACF and Crypto Express cards through ICSF.

Digital signing/authentication: Signing capabilities that utilize hardware crypto through ICSF assure that files have not been altered.

Strong encryption: Data is protected with 3DES or AES (128, 192, or 256-bit) encryption algorithms.

Maintain control of data: A contingency key provides administrative access to any encrypted data processed within the environment.

Hardened policy lock-down: Use SAF to establish strictly enforced security controls.

SECUREZIP ENCRYPTS DATA AT THE FILE LEVEL SO THAT IT IS SECURE AS IT MOVES DURING THE TRANSFER PROCESS.

[Figure: Client, Connect:Direct, Connect:Direct, Client]


IMPROVING FILE TRANSFER TIME

Due to the nature of the Connect:Direct process, file bottlenecks can occur. The IBM documentation states that the compression ratios utilized in Connect:Direct may reach up to 50%. SecureZIP compresses files by up to 95% and can reduce transmission times by 40% or more. More data can be managed in the same amount of time, allowing batch processing to complete faster.

This compression approach allows organizations to include thousands of files in a single .ZIP container, eliminating the need for multiple jobs (and multiple opportunities for failure).

Performance Advantages of Using Connect:Direct and SecureZIP

System integration: Directly write to, and read from, UNIX/Linux and Windows file systems.

Application integration: After an application completes processing, it streams the data to SecureZIP for encryption—unprotected data is never staged to disk.

Exchanges files with other platforms without disruption: Streamlines the EBCDIC/ASCII conversion process.

LOWERING YOUR PROCESSING SPEND

For many organizations, IT budgets are the same or even less than they were the previous year. At the same time, processing throughput is expected to rise. Companies need to improve efficiency in order to stretch existing budgets.

Connect:Direct allows organizations to add automation to the daily movement of files between locations and adds a layer of security in the process. However, since compression and encryption aren’t Connect:Direct’s core competencies, those functions increase the processing load and have a negative effect on the entire system (particularly on response time).

Cost Saving Advantages of Using Connect:Direct and SecureZIP

Reduce file size: ZIP compression allows you to reduce file size up to 95%, saving time and valuable system resources.

Support for zIIP: Offload processing to IBM z Integrated Information Processors (zIIP) to free up general computing capacity and lower the overall total cost of computing for select workloads (Connect:Direct does not support zIIP for compression).

Support for zEDC: Direct compression workload to the zEDC cards frees up general CP resources.


Use Cases

At PKWARE, we’ve worked with several organizations that have benefited from adding SecureZIP for z/OS to their Connect:Direct environment. These use cases illustrate real-world examples and benefits.

USE CASE: ELIMINATING MISSED SLAS

ADDING SECUREZIP TO THE CONNECT:DIRECT ENVIRONMENT IMPROVES TRANSFER SPEED, REDUCES CPU UTILIZATION AND ENCRYPTS DATA.

A retailer was consistently missing deadlines for SLA reports sent to their partners. They were utilizing a z10-BC W05 with a zIIP specialty engine. They had a three-hour SLA to move 100 files, totaling 5GB using Connect:Direct.

The costs associated with the ongoing missed SLAs were beginning to pile up. The retailer was spending more than $10,000 each month to cover the

contrac-during the transfer due to the rigorous nature of the Connect:Direct process.

The company added SecureZIP for z/OS to their Connect:Direct environment. Because SecureZIP for z/OS offloads the compression workload to the existing zIIP specialty engine, the company was able to alleviate 90% of the processing load from the general CP. Their elapsed processing times dropped to about 15 minutes.

[Figure: SQL Client, SQL Extract, ENCRYPT & COMPRESS, Connect:Direct, DECRYPT & DECOMPRESS, SQL Import]


The retailer was able to effect this change by adding a step to the job stream—in fact, only a few lines of JCL were modified—without any application programming changes. Their Connect:Direct configuration remained the same.

They were able to reap the benefits of a faster, more efficient process which utilized significantly fewer CPU cycles and avoided the $10,000 in monthly missed SLA penalties they were previously paying.

USE CASE: CUTTING DOWN TRANSMISSION TIMES

A retailer was sending transactional credit card data collected at store locations to their corporate headquarters for processing on an IBM i midrange system. Their backup requirements consisted of daily object mirroring from the production box to the development machine for business continuity via Connect:Direct over a T1 line. They also ran nightly tape backups of sensitive customer data for offsite storage.

Processing times for backups were a continuous challenge and, as data volume increased, it was becoming more difficult to meet the times required for the processing window. They were utilizing Connect:Direct to handle the file transfer management schedule, but they were just not getting the most efficient throughput of the files. Due to a flat networking budget, the retailer couldn’t increase bandwidth. They were also required to meet PCI compliance, which is the norm for companies processing financial credit card data.

The retailer chose SecureZIP for IBM i as a complementary addition to their Connect:Direct job flow. SecureZIP combined the compression, encryption and SAVF file creation into one step, keeping CPU consumption to a minimum. It also allowed them to connect to their development box over the network instead of through a T1 line, which reduced costs.

The IBM i PKWARE Save/Restore Application (iPSRA) reduced time requirements and disk space by allowing SecureZIP to compress/encrypt IBM i save files directly to a file in a ZIP archive, essentially skipping the intermediate step. The iPSRA assisted with reducing the save data as well as with securing the data for offsite storage. This prevents the dependency on specific hardware technology that may not be available and compatible with the intended recipient or custodian of your information. The iPSRA process can execute multiple save operations with one compression run, making it unnecessary to run repeated individual save commands.

The retailer has cut its nightly FTP file transmission time in half, reducing it to 5.5 hours, while at the same time utilizing the Connect:Direct scheduling feature to maintain the automated production job stream.


USE CASE: AUTOMATING HARDENED SECURITY

A credit card processing company was handling millions of files each day. A significant amount of those files originated on the mainframe and were then sent to a number of partners using Connect:Direct. The data being exchanged needed to be secure during transport as well as while at rest in their data center. The company’s partners used various methods for securing their data. Some used passphrases, some used X.509 certificates and others used OpenPGP.

The credit card processing company chose SecureZIP because it allows them to use any of those three security formats as well as administer policy to automatically encrypt files based upon where the data was going. They were able to consistently apply hardened, locked-down security to their outbound data at its creation point in their production job streams on a consistent and automatic basis.

USE CASE: USING CRYPTO TO ACHIEVE FEDERAL COMPLIANCE

A payments processing company that does work with the U.S. federal government deals with a lot of sensitive information using Connect:Direct. Working with the U.S. government required them to encrypt everything in accordance with the federal standard, FIPS 140-2. On its own, Connect:Direct is not FIPS 140-2 compliant. The company had acquired a zEC12 with a Crypto Express 4S card configured as a coprocessor. They were running in Secure Key Mode and used only AES 256-bit encryption, and because of that, they did all the encryption work with the Crypto Express 4S card.

Connect:Direct does not support hardware crypto through ICSF, so the company used SecureZIP for z/OS to take full advantage of System z hardware crypto such as CPACF and Crypto Express cards through ICSF. By configuring SecureZIP for FIPS 140-2 mode, the company created a FIPS 140-2 compliant workload. This drastically reduced the amount of processing required on the more expensive general CPs while achieving FIPS 140-2 compliance. It also created the smallest data footprint to ever pass through their Connect:Direct node.

USE CASE: REDUCING TRANSMISSION FAILURES ON A DISTRIBUTED PLATFORM

One of our clients transmitted a large number of files using Connect:Direct on the distributed platform. They were contractually obligated to a very stringent

continually missing their SLA deadlines because networking issues caused bottlenecks in their production runs from job failures with clients’ less robust network, which required multiple job restarts to successfully transmit the data.

The company implemented SecureZIP into their Connect:Direct workflow by adding a job step into existing JCL. This allowed them to aggregate numerous files into a single file which was significantly compressed during the job process prior to reaching the transmit stage of the Connect:Direct transfer. Files that were previously 10 GB and taking more than two hours to process were now sent successfully in approximately 12 minutes over the very same network infrastructure. The client was able to process the entire job stream in less time than it had taken to transmit a single job. Additionally, the number of transmission failures was drastically reduced due to the reduced number of transmissions that were made.

USE CASE: FACILITATING EFFICIENT FILE TRANSFER IN A RAPIDLY GROWING PARTNER NETWORK

One of our financial customers processes millions of encrypted files daily. They were constantly in a “state of spend” and looking for a way of doing more with less. Their problem was two-fold: they were hitting peak processing states numerous times throughout the day, and the time required to onboard new clients (with their disparate computing platforms) ran to weeks or even months, resulting in lost revenue.

They were already utilizing Connect:Direct to automate the file transfer process, but because their clients’ encryption methodologies and hardware platforms varied so greatly, each new client required a unique setup. This presented a dilemma: if they continued to grow their business and bring on additional clients, they would need to significantly increase their mainframe spend or risk additional financial penalties on an already heavily utilized box. They were also incurring the additional personnel costs associated with the client onboarding process.

SecureZIP provided the ability to create new processing

process regardless of the new client and platform being onboarded. As part of the procurement process for SecureZIP, a benchmark analysis was performed, measuring the transfer time for files of various sizes using SecureZIP versus IBM Encryption Facility for z/OS. The analysis revealed exceptional results: when using IBM Encryption Facility, elapsed time was six times longer and CPU utilization was 14 times higher than when using SecureZIP for encryption.

By using SecureZIP for z/OS, the company was able to avoid a $6.6 million investment in additional processor capacity, which it would have needed to maintain its system utilization and maximize throughput utilizing Connect:Direct. SecureZIP allowed them to utilize OpenPGP, X.509 certificates and passphrases that their new clients’ contracts required. Additionally, because SecureZIP works on all major hardware computing platforms, the company’s business units used a repeatable onboarding process that allowed them to bring new clients up to speed within a matter of days.


Summary

As IT budgets continue to shrink and security threats grow, organizations need to constantly evaluate their security and performance strategies. While Connect:Direct provides reliable mainframe transfer capabilities, organizations using it should also consider security, performance and cost. Adding SecureZIP to the Connect:Direct workflow ensures that data is secure at the endpoint and during transfer while at the same time delivering performance improvements that drive down data center costs.

SecureZIP’s file-level methodology maintains the compression and encryption of files throughout the life cycle of the data being processed and moved, all while maintaining the automated nature of the process creating the files in the batch environment.

Files created with SecureZIP have the smallest footprint (up to 95% compression) while being encased in an encrypted (up to AES 256-bit) ZIP or OpenPGP container. This creates the most efficient and secure means for file transmission via Connect:Direct while utilizing the least amount of CPU during processing of compression and encryption.
