Data privacy
Option 8, Data Privacy, enables you to disguise extracted data from IMS databases and works in conjunction with File-AID/Data Solutions and Data Studio's Data Privacy. BMC recommends installing the current GA versions of both products to take advantage of recent enhancements. Using the Dynamic Privacy Rules (DPR) created with the Data Privacy component of Data Studio still requires File-AID/Data Solutions.
Using File-AID for IMS with BMC AMI DevX File-AID Data Privacy
Data Studio’s Data Privacy is a component of the Data Studio and provides the ability to easily create Data Privacy rules for your Enterprise files or databases.
Data Studio’s Data Privacy protects your data by concealing sensitive information while maintaining data integrity, table relationships, and data format during processing. For example, a female employee name field can be replaced by a recognizable fictitious female name or a nonsensical set of characters. Data Studio’s Data Privacy:
- Builds rules used to disguise data for a defined collection of fields.
- Provides a graphical means for applying data encryption to fields for the File-AID/EX supported data connections.
- Allows you to replace field values with consistent valid data via key encryption (using an encoding key value) or via substitution with meaningful readable data.
- Allows you to age dates by adding or subtracting from the date or replacing the date with a specific date.
Data Studio’s Data Privacy is BMC's solution for addressing all of your data privacy needs whether you have files or databases on distributed machines or on a mainframe computer. Data Studio’s Data Privacy allows you to protect your data by concealing sensitive information while maintaining data integrity, table relationships, and data format during processing. You can:
- Build rules to disguise data for a defined collection of fields.
- Replace field values with consistent valid data via key encryption or via substitution with meaningful readable data.
See the Data Studio's Data Privacy documentation on how to define Dynamic Privacy Rules that can be applied to File-AID for IMS extracts. Once the Dynamic Privacy Rules have been defined, you can disguise data during an extract using File-AID for IMS Option 4 Extract (see also Data Base Extract - Disguise Extract) or File-AID for IMS Option 8 P Privacy - DPR: Disguise Existing Extract File (see also DPR: Disguise Existing Extract File).
Using File-AID for IMS with File-AID/Data Solutions
File-AID for IMS provides the relationship information for the objects to be extracted and propagates the disguised data to the related objects.
File-AID/Data Solutions provides the functionality to disguise data fields through aging, encryption, translation, and field exits. For each data field being disguised, disguise criteria must be defined with the specific details of the disguise action. With File-AID/Data Solutions installed and configured, disguise criteria can be defined for objects comprising data residing in IMS databases.
The process of defining what data is sensitive and how each field is to be disguised requires careful planning and should be handled by someone in a privacy administration role. Once the disguise criteria have been defined they can be stored in the Disguise Criteria File. Disguise criteria and information regarding where it is stored is also included in the Disguise Control File (DCF). The Disguise Control File can be made available to all users of the product who choose to use that Disguise Control File. As part of creating an extract, you have an option to disguise the extract. When the disguise option is selected and a Disguise Control File specified, all disguise criteria defined for objects included in the extract will be applied.
What Is Disguise?
There are many different ways to disguise data. The File-AID/Data Solutions product provides disguise functionality and groups three functions together as disguise functions: encryption, aging and translation. Encryption is really character substitution where a numeric position is replaced with a numeric position and an alphabetic position is replaced by an alphabetic position. Aging is used to disguise date fields by incrementing or decrementing the original date. Translation is replacing the original data with other data stored in a translate table. There are several different ways to determine which data from the translate table is used as the replacement value. Translate always uses some data as input to determine which entry is selected from the translate table and then replaces the data in the requested fields with data stored in the translate table.
In addition to the three functions identified within File-AID/Data Solutions as disguise techniques, field exits are also available to disguise data. Field Exits are user written exit routines that can take whatever action is required to disguise the data.
The Data Generator feature can be used to replace existing fields in extracts of existing IMS segments with new data. It cannot be used to create new IMS fields or segments. Generated data will overlay any data that existed, or would have existed, in the fields without the application of Data Generation. You can generate random values for a field, or sequential numeric values; you can apply pattern masking, or select values from a table.
Which disguise function to use is determined by the three R's of disguise: repeatable, reversible, and readable. Repeatable means that the same input value must always return the same value or set of values; the same data from multiple objects or files must be disguised the same way. Reversible means that there must be a way to get back to the original data value. Readable means that the data must look valid to the human eye; name fields should contain name information, not just random strings of characters.
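The three disguise functions and the three R's can be made concrete with a small model. The following Python is an added example written for this page, not File-AID/Data Solutions code: the keyed character permutation, the YYYYMMDD date format, the translate-table selection by hash, and the sample values are all assumptions made here to show how each function behaves with respect to repeatability, reversibility and format preservation.

```python
"""Toy models of the three disguise functions (encryption, aging, translation).

Added example, not File-AID/Data Solutions code: the keyed permutation,
the date format and the sample values are assumptions made for illustration.
"""
import hashlib
import random
import string
from datetime import date, timedelta

# Constructed translate table for a name field (readable replacements).
NAME_TABLE = ["ALICE", "BRENDA", "CAROL", "DIANA", "EVELYN"]


def _keyed_permutation(alphabet: str, key: str, label: str) -> dict:
    """Deterministically permute `alphabet` from `key`; same key gives the same table."""
    seed = int.from_bytes(hashlib.sha256(f"{label}:{key}".encode()).digest()[:8], "big")
    shuffled = list(alphabet)
    random.Random(seed).shuffle(shuffled)
    return dict(zip(alphabet, shuffled))


def build_encryption(key: str):
    """Return (encrypt, decrypt): digits map to digits, letters to letters (case kept),
    everything else is left as it is, so the field keeps its format."""
    forward = {}
    for label, alphabet in (("d", string.digits),
                            ("u", string.ascii_uppercase),
                            ("l", string.ascii_lowercase)):
        forward.update(_keyed_permutation(alphabet, key, label))
    inverse = {v: k for k, v in forward.items()}

    def apply(table, value):
        return "".join(table.get(ch, ch) for ch in value)

    return (lambda v: apply(forward, v)), (lambda v: apply(inverse, v))


def age_date(yyyymmdd: str, delta_days: int) -> str:
    """Aging: shift a YYYYMMDD date by a number of days (negative moves it back)."""
    d = date(int(yyyymmdd[:4]), int(yyyymmdd[4:6]), int(yyyymmdd[6:8]))
    return (d + timedelta(days=delta_days)).strftime("%Y%m%d")


def translate(value: str, table: list) -> str:
    """Translation: the input selects an entry of the translate table. The same
    input always selects the same entry, but the original cannot be recovered."""
    idx = int(hashlib.sha256(value.encode()).hexdigest(), 16) % len(table)
    return table[idx]


def format_preserved(original: str, disguised: str) -> bool:
    """True when digit, letter and other positions line up between the two strings."""
    if len(original) != len(disguised):
        return False
    return all(
        (a.isdigit(), a.isalpha(), a.isupper()) == (b.isdigit(), b.isalpha(), b.isupper())
        for a, b in zip(original, disguised)
    )


def three_rs(disguise, undisguise, sample: str) -> dict:
    """Repeatable and reversible can be tested mechanically; readable is a
    human judgement, so the disguised value is returned for inspection."""
    first, second = disguise(sample), disguise(sample)
    return {
        "repeatable": first == second,
        "reversible": undisguise is not None and undisguise(first) == sample,
        "output": first,
    }


if __name__ == "__main__":
    enc, dec = build_encryption("demo-key")
    print(three_rs(enc, dec, "ACCT-1234 Jane"))
    print(three_rs(lambda v: translate(v, NAME_TABLE), None, "JANE"))
    print(age_date("20240301", -31))
```

Run as a script, it shows that the substitution is repeatable and reversible but not readable (a name becomes letters that are not a name), while the translate table is repeatable and readable but not reversible, which is the trade-off the three R's describe.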
Planning Disguise Strategy
Disguise is much more than a new product feature. Being successful will require careful planning and understanding your related data and disguise requirements.
The first part of this process is deciding what data is considered sensitive data and determining how it should be disguised. Once the sensitive data fields have been identified it is not always a small task to locate all the database segments in which the sensitive data exists. The File-AID for IMS Relationship File can assist you to identify the related objects and fields.
Most likely, you will define disguise criteria for a specific purpose. For example, you might establish disguise rules that are to apply whenever data is moved from production to any test region. Once a strategy has been defined and disguise criteria created, many users would likely share the criteria; every user extracting data from the production environment would be directed to use the defined disguise rules. Any File-AID for IMS user can create disguise criteria as long as they have authority to write to a Disguise Control File and a Disguise Criteria File.
File-AID for IMS and File-AID/Data Solutions are tools for implementing a data protection strategy; before any disguise criteria can be defined, you have to design a data protection strategy. File-AID for IMS assumes that work has been done and supports the implementation of the strategy.
When related fields are considered sensitive data there are additional planning considerations. It is your responsibility to choose a disguise method that will produce appropriate results for the related field. If the related field is a key field, it is likely that the replacement value will need to be unique. You must choose a technique that produces unique values; encryption and some translate methods will fulfill this requirement.
Enforcing Disguise
File-AID for IMS does not place restrictions on who is authorized to extract and disguise data. However, the user running the extract must be able to read the data in order to run the extract. If they can read the data to extract, they can likely read the data in other ways as well.
It will be a user's responsibility to request the extract file be disguised and to provide the appropriate Disguise Control File, Disguise Criteria File, and record layouts. If the Disguise Control File does not include criteria for an object being extracted, no disguise will be applied to that object.
Creating Disguise Criteria
You cannot disguise IMS database segments using criteria created outside of File-AID for IMS. You cannot use criteria you created using the DB2 interface or any other non-IMS interface to File-AID/Data Solutions. If your IMS databases contain some of the same fields as your DB2 tables and MVS files, and you want to disguise the IMS data using the same rules you use for your DB2 and MVS data, you must first redefine those rules through Option 8 of File-AID for IMS.
File-AID for IMS provides a central point of control for defining disguise criteria and will provide the necessary layout information to File-AID/Data Solutions. The actual panel on which the criteria are entered will be a File-AID/Data Solutions panel but the criteria will be stored in a file provided for File-AID for IMS.
Criteria creation is always done by object. Each object must be uniquely identified. In the simplest case, each segment definition within each IMS database is an object. If there are multiple types for a segment, that is, multiple layouts describing the same segment, then each possible layout constitutes a unique object. If you have the same segment name in two different databases, then the two segments are two distinct objects. The full definition of a unique IMS object is composed of DBD name plus Segment Name plus Layout name plus the first field name, that is, the name of the first data field found within the record layout.
Each object contains field names, sometimes called column names. The field names are assigned in the record layouts, which you provide. You can apply different disguise rules to different fields within a segment.
There are three general types of disguise criteria rules: Related, Unrelated, and Associated. When you select a field to be disguised, File-AID for IMS will determine which of the three types is applicable.
Unrelated Criteria
Unrelated criteria are straightforward: they apply to a single object, must be defined for each field in that object that is to be disguised, and cannot be shared with other objects.
Related Criteria
Related criteria can be more complex because they are defined once and automatically propagated to related fields in other objects. The propagation is based on the relationships defined in the Application Relationship file.
Associated Criteria
Associated criteria are always defined on a single unrelated field and then applied to additional fields in different objects; identification of the additional data locations and application of the associated rule to each one is a manual process.
Simple and Complex Disguise Criteria
Simple disguise criteria are entirely determined by the contents of a single field, and are repeatable. If the value of "ABC" is replaced with "123" once, and the same disguise rule is applied again, it will yield the same value, "123", every time.
Any disguise criteria that are not repeatable, or that are not entirely determined by the contents of a single field, are called complex criteria. This includes any disguise rule for a field based on the contents of another field. It also includes the use of a partial column in a relationship when the disguise of one part is based on the contents of another part. It also includes the use of the File-AID/Data Solutions Data Generator because the value generated for the current column is affected by the value generated for the previous column. Also any rule that involves randomization is complex, because it is not repeatable across multiple objects.
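The difference between simple and complex criteria matters most for related key fields, where the planning consideration above requires unique, consistent replacement values. The following Python is an added example, not File-AID for IMS code: the CUSTOMER and ORDER segment layouts, the key values, and the affine transform used as a stand-in for a unique-preserving encryption are all constructed here. It propagates one rule to the same field in a parent and a child object and then checks whether the relationship survived.

```python
"""Related key fields: a simple (repeatable) rule keeps parent/child segments
joined; a randomized (complex) rule does not.

Added example, not File-AID for IMS code. The segment layouts, key values and
the affine key transform are assumptions constructed for this illustration.
"""
import random

MODULUS = 10**6  # CUSTNO is assumed to be a 6-digit numeric key

# Constructed sample segments: CUSTOMER is the parent, ORDER the child, related
# through the CUSTNO field (the kind of relationship an Application Relationship
# file would define).
CUSTOMER = [
    {"CUSTNO": "100001", "NAME": "ALICE"},
    {"CUSTNO": "100002", "NAME": "BRENDA"},
    {"CUSTNO": "100003", "NAME": "CAROL"},
]
ORDER = [
    {"ORDNO": "1", "CUSTNO": "100001"},
    {"ORDNO": "2", "CUSTNO": "100001"},
    {"ORDNO": "3", "CUSTNO": "100003"},
]


def affine_key_rule(a: int = 7919, b: int = 12345):
    """Simple criteria: value -> (a*value + b) mod 10^6. Because gcd(a, 10^6) == 1
    the map is a bijection, so distinct keys stay distinct and it is reversible."""
    a_inv = pow(a, -1, MODULUS)

    def disguise(value: str) -> str:
        return f"{(a * int(value) + b) % MODULUS:06d}"

    def undisguise(value: str) -> str:
        return f"{((int(value) - b) * a_inv) % MODULUS:06d}"

    return disguise, undisguise


_rng = random.Random(2024)  # fixed seed only so the demonstration is reproducible


def random_key_rule(value: str) -> str:
    """Complex criteria: a fresh random value on every call, so the same CUSTNO
    in two objects is disguised differently."""
    return f"{_rng.randrange(MODULUS):06d}"


def propagate(rule, objects: list, field: str) -> list:
    """Apply one rule to `field` in every object, as related criteria are propagated."""
    return [{**segment, field: rule(segment[field])} for segment in objects]


def broken_references(parent: list, child: list, field: str) -> list:
    """Child keys that no longer point at an existing parent after disguise."""
    parent_keys = {segment[field] for segment in parent}
    return [segment[field] for segment in child if segment[field] not in parent_keys]


def duplicate_keys(objects: list, field: str) -> list:
    """Disguised key values that collide, which a key field must not have."""
    values = [segment[field] for segment in objects]
    return sorted({v for v in values if values.count(v) > 1})


if __name__ == "__main__":
    disguise, undisguise = affine_key_rule()
    cust = propagate(disguise, CUSTOMER, "CUSTNO")
    ords = propagate(disguise, ORDER, "CUSTNO")
    print("simple rule, broken refs:", broken_references(cust, ords, "CUSTNO"))
    print("simple rule, duplicate keys:", duplicate_keys(cust, "CUSTNO"))
    print("simple rule, reversed:", [undisguise(s["CUSTNO"]) for s in cust])
    cust = propagate(random_key_rule, CUSTOMER, "CUSTNO")
    ords = propagate(random_key_rule, ORDER, "CUSTNO")
    print("random rule, broken refs:", broken_references(cust, ords, "CUSTNO"))
```

The two verification helpers are the checks worth running on a disguised extract before it is handed to a test region: no child segment may reference a parent that no longer exists, and no two parents may end up with the same disguised key.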
Disguise Control File and Disguise Criteria File
The Disguise Control File (DCF) determines which disguise criteria are applied to each object. The actual criteria created by File-AID/Data Solutions will be stored in the Disguise Criteria File that the Disguise Control File points to. The Disguise Control File is VSAM. The Disguise Criteria File must be a PDS. These data sets can be created using File-AID for IMS/ISPF options 8.4 and 8.5. File-AID for IMS generates the member names for related and unrelated criteria; for associated criteria, the user can provide names or accept the generated names.
The Disguise Control File will control all disguise actions and will allow the same set of disguise specifications to be used with different Relationship Files.
A Disguise Control File contains a set of disguise rules for specific objects. Maintaining multiple Disguise Control Files provides flexibility in how you choose to manage the disguise process. You may choose to define different sets of disguise criteria for the same objects by storing them in different Disguise Control Files. For example, one set of disguise criteria could be defined for production data being moved to the training subsystem and a different set of disguise criteria could be defined for production data being moved to the offshore test subsystem. The disguise rules for data being loaded for training purposes may be much less extensive than the disguise rules required if the data is to be sent offshore for testing. Multiple Disguise Control Files allow you to define protection that is appropriate for the environment where the data will be loaded.
The related, associated and unrelated disguise criteria are stored separately in the Disguise Criteria File. This allows the correct disguise criteria to be applied for each object and also allows the same disguise criteria to be applied to multiple objects for related and associated criteria. At extract time, you specify the DCF, and all disguise criteria defined for the objects being extracted will be applied as defined in the DCF.
Suggested Disguise Approach
To ensure consistent disguise results, it is recommended that you have a Privacy or Security Administrator identify:
- The objects that contain sensitive data that needs to be disguised
- The data fields in those objects that need to be disguised
- The Application Relationship file that defines relationships connecting one IMS database with another.
- One Disguise Control File that will contain the disguise information for all objects to be disguised. (Only use multiple Disguise Control Files when the same objects need to have different disguise criteria for different situations.)
- Disguise Criteria and Business Rules files
- The Record Layout libraries containing your COBOL or PL/I Record Layouts
- The DBD libraries
- The IMS XREF file that associates COBOL or PL/I record layouts with IMS database segments.
Then the Privacy or Security Administrator can:
- Build the object list of all objects to be disguised
- Use ObjectIn and Related commands to add other objects to be disguised
- Use the most suitable disguise method and criteria for each field to be disguised
- Create secondary data (translate tables, encryption exits etc.)
- Create Related, Associated, or Unrelated Disguise rules for each object and field to be disguised
- Test the disguise criteria with test extracts
- Refine the disguise criteria where necessary
- Verify disguised extract results using the Disguise Summary Report and Disguise Audit Trail files
Make the Disguise Control File available for regular File-AID for IMS users. Establish security for the Disguise Control File using the system security package (such as RACF, or an equivalent product) so only authorized users can make changes; regular File-AID for IMS users can then use it to execute extracts with disguise or to disguise already existing extract files.