Tandemworld eNewsletter for August 2016
Contents
· Introducing the Omnis – OmniPayments’ Modular, Flexible Approach to Payments Solutions
· The NTI Matrix
· BITUG NEWS
· Ascert Releases New Version of China UnionPay Driver for VersaTest
· Gravic Publishes Solution Brief “Shadowbase Data Protection”
· Register Now for the MATUG Fall Users Meeting
· NonStop Technical Boot Camp 2016
· DataExpress
· NonStop COBOL Software Quality Analysis
· CSP Announces: "We are NonStop X Ready"!
· Availability Digest Says if Data Centers Were a Country...
· Get Ready for GDPR, PSD2: Here's What You Should Know
· XYPRO - Breaches are from Mars, Security is from Venus
· Register for Upcoming NonStop Events
· HPE’s The Machine: What It Means for NonStop
· XYPRO - Implementing Tokenization & Access Control – Don’t Let it all Hang Out!
· What to Expect at Boot Camp
· Tokenization on HPE NonStop – Just Do It!
· XYPRO - What is a NonStop Server? – Building Bridges
· comForte at events near you in 2016
· XYPRO looks forward to seeing you throughout 2016
· TCM Solutions
· Musings on NonStop! - August, ‘16

Current Subscribers: 15102

Introducing the Omnis – OmniPayments’ Modular, Flexible Approach to Payments Solutions
“When we say savings, we mean it. OmniPayments now sells NonStop hardware at $0 profit.”
The OmniPayments Financial Transaction Switch is a component-based software design that permits the creation of flexible business services, the kind that users can develop and deploy quickly to enhance the customer experience. The core of OmniPayments is a set of Business Logic Modules, or BLMs. As a whole, they comprise the OMNIs, whose open architecture (SOA) allows our building blocks and business modules to interact not only with each other but also with existing in-house systems and third-party solutions.
While all components are included within OmniPayments, some can be purchased separately.
The Omnis comprise both transaction and infrastructure services.
Transaction Omnis
OmniATM provides ATM terminal driving and broad support for the industry’s most popular ATMs. ATMs can be driven in their native modes, thereby optimizing their capabilities. They also can be uniquely loaded and controlled from a centralized location. We currently support over 14,000 ATMs.
OmniPOS is available for financial institutions that desire the ability to directly control a POS terminal network and provide merchant settlement and reporting. The module serves as a front end and mediates communication between the POS terminal network and the authorization application(s).
OmniSwitch interrogates acquiring and issuing transaction messages, performs required actions, and applies rules and routing decisions both on-us and not-on-us according to financial institutions’ unique configurations. It currently accommodates more than 50 national and international interchanges.
Infrastructure Omnis
The primary function of OmniPayments is to route financial transactions to issuing banks for authorization. However, OmniPayments currently offers additional services to support credit-card and debit-card use. These services are provided via our flexible Business Logic Modules (BLMs), each tasked with enabling a specific function. For instance, OmniAuth provides authorization services, OmniOffender is an interactive performance monitor, and OmniHub coordinates end-of-day settlement processing. OmniPayments’ structured design permits the ongoing addition of new BLMs that can support new features and business functions as the market demands.
OmniPayments is a switching solution for the financial and retail industries. It is deployed on NonStop for the highest availability and offers all the requisite functionality to manage credit/debit-card transactions. It manages multiple devices, hosts application interfaces, and interoperates with third-party products or other systems if required. OmniPayments easily expands to provide additional functionality when needed and supplies complete security functions for every financial transaction handled, including encryption-at-rest and encryption-in-flight. Available around the clock, OmniPayments will survive any single fault, requires no downtime for maintenance or upgrades, and supports a range of disaster-recovery solutions.
OmniPayments can be installed either as a complete, off-the-shelf solution or can be enhanced with customer-requested modifications and features to improve cost-effectiveness, efficiency, and risk mitigation. Our team of 100-plus NonStop specialists are skilled at rapid project turnarounds and meeting deadlines.
OmniPayments also distributes OmniCloudX on NonStop X. OmniCloudX hosts numerous OmniPayments instances at a pay-for-use price so attractive that mid-size retailers and financial organizations now can enjoy the benefits of having their own high-capacity transaction switches. Starts at only $5,000 USD per month.
The OmniPayments Preauthorization Engine is used by financial institutions in conjunction with the OmniPayments Financial Transaction Switch or as a seamless interface to other providers’ switches via a custom support module (CSM). We call it the Fraud Blocker!
OmniPayments systems in production today process 700 million transactions per month, generated by point-of-sales terminals and over 14,000 ATMs. A single OmniPayments system supports up to 10,000 transactions per second. Multiple OmniPayments systems can cooperate to provide any capacity required by an application. From our seven worldwide locations, we serve as a 24×7 managed services provider for remote production monitoring.
To learn more about OmniPayments, attend our presentations and visit with our staff at the following events in September and early October.
· VNUG – Viking NonStop User Group (13/14 September) – Stockholm, Sweden
· HPE NonStop Education Day (21 September) – Berkeley Heights, New Jersey (USA)
· ATUG – Atlanta HPE NonStop User Group (29 September) – Atlanta, Georgia (USA)
· DUST – Desert Users of Tandem (4 October) – Scottsdale, Arizona (USA)
· PKF – Payments Knowledge Forum (4 October) – London, England
OmniPayments customers and others interested in our solutions are invited to join the new OmniPayments Discussion Group on LinkedIn at http://bit.ly/2bB1AGh.
For further information, contact Yash Kapadia at +1 408-446-9274 or at yash@omnipayments.com.
The NTI Matrix
This past weekend I watched the 1999 movie “The Matrix”. If you haven’t seen it, the movie introduces us to the concept of a waterfall of data that surrounds us. They call it the matrix. There is so much data that it can be impossible to make any sense of it. In the movie we see a waterfall of bits falling across a green screen. Keanu Reeves plays the part of Neo, the one person who can see and understand the matrix. While I find this movie cool, I’m not here to waste your time with a movie review. Instead, let’s play the “Six Degrees of Kevin Bacon” game. The theory is that any two random people on earth can be connected with six or fewer acquaintance links. The game is commonly played by linking a random actor to the actor Kevin Bacon. In this case I am going to try to link Keanu Reeves to NTI in six or fewer steps. I am going to try to draw a line through history connecting Morpheus, Trinity and Neo to a new project NTI has on the concept board.
· 1973 Tandem is born and introduces us to the Unaudited Enscribe file system. Very fast but no relational features (RDBMS would not be born for another decade).
· 1975 thru 1985 products like Base24 and Connex were born. Built on Unaudited Enscribe, these products were the foundation that Tandem’s success was built upon.
· 1987 Tandem introduced NonStop SQL. This was designed to run effectively on parallel computers, adding functionality for distributed data, distributed execution, and distributed transactions.
· 1989 Tandem added the ability to run queries in parallel. This was the only RDBMS on the market that scaled almost linearly with the number of processors in the machine: adding a second CPU to an existing NonStop SQL server will almost exactly double its performance. They added /MP to its name, for Massively Parallel.
· 1995 Tandem created SQL/MX. Built for the Windows NT hardware line, this was an attempt to compete with Oracle. MX for NT was never released.
· By 2002 Tandem had been acquired by Compaq, and Compaq had been acquired by Hewlett-Packard.
· In 2002 the NonStop division, by then part of HP, picked up the shelved MX NT code and introduced SQL/MX for NonStop. MX promised speed, fault tolerance, and ANSI compatibility.
I remember giving a talk at the Tampa SunTUG event and asking the crowd if anyone had plans to start using MX. You could hear crickets chirp in the room. Nobody was interested. Nobody was going to redesign a mission critical system (currently using Unaudited Enscribe) to use a new relational database with no business drivers behind it.
· HP saw an opportunity in the Enterprise Data Warehousing (EDW) space for NonStop SQL/MX technology, so in 2007 they introduced the HP Neoview data warehouse and business intelligence computer server line.
And here is where I think they made a strategic mistake. They forked the code stack. One team took MX down the Neoview path, fixing & enhancing & investing. One team took MX down the NonStop path and compiled long lists of bugs that never got fixed. Every time I go into a cheese shop and walk by the Limburger I’m reminded of that first version of SQL/MX.
· At the end of 2010, after just 3 years, they quietly shot Neoview. *BANG*
Now here comes a problem. HP had rolled out Neoview across its internal support systems. The business ran on a warehouse product that they just killed off. No worries. Work had been going on to port the HP Neoview software stack to clustered Linux. This solution, code named “SeaQuest”, went into operation in 2012 and has since replaced all of HP-IT’s Neoview systems.
· In 2014, with funding from HP Labs, the SeaQuest team ported the engine on top of HBase. This project was released open source under the name Trafodion. Trafodion is an enterprise-class transactional and operational SQL-on-Hadoop solution. It has now been accepted as an Apache incubation project.
· By 2015 many of the Tandem database team had been together for over 27 years. It was time to write their own future. 30 of the members of the Neoview/SeaQuest team left HP and formed Esgyn. Their mission is to continue to evolve Trafodion as they build a commercial case.
What the heck does Keanu Reeves have to do with all of this? How is this related to what NTI is working on?
Step 1 - In 1999 “The Matrix” was released introducing us to NEO and the MATRIX. Keanu Reeves was the one person who could see the matrix and understand the data.
Step 2 - One of the members of the Tandem data warehouse team thought the movie was so cool he named the new product after the main character. NEOVIEW.
Step 3 - At NTI we see the Tandem as a waterfall of data. We see this data flowing into a DATA LAKE. We see value in building and accessing and understanding this MATRIX.
I know my connections were a stretch, but hopefully you found this info fun and a bit quirky. In the coming months I will be writing more about the NTI MATRIX. For now I will end this article with my usual shameless plug.
DRNet is the coolest replication product on the planet. If you are not already a user you should call me so I can fix that.
DRNet® is world class NonStop Data Replication technology.
· Real-time Active/Active Data Replication
· Real-time Tandem to OPEN Data Replication
· Real-time File Synchronization
· Refreshingly Real-Time Support from Real Engineers
Cheers
+1 (402) 968 3674
BITUG NEWS

Coming soon:
· Autumn Newsletter - will be issued in October 2016. Make sure you register for your copy by joining the BITUG mailing list at www.bitug.com
· Little Sig - 8th December 2016. This event will take the form of an education/training session in the morning from 09:00, user and HPE presentations in the afternoon, the BITUG AGM and a social evening. Do Not Miss Out - Mark Your Diary Now: Thursday 8th December 2016 at Barclays, Canary Wharf. The Little Sig agenda, registration and timings will be published on the BITUG web pages in the next couple of weeks. Space is limited and registration will close a few days before the event; you will need photo ID on the day of the event, so look out for further detail and grab your place at this free event for BITUG members.
· The European NonStop Conference and Exhibition and the BIG SIG rolled into one major event (eBITUG). Do Not Miss Out - Mark Your Diary Now: 9th and 10th May 2017 at the DoubleTree Hotel, Tower of London.

For the latest information on all BITUG activity, and to ensure you are first to know when event registration opens for the above events (spaces will be limited, so registration will be on a first come, first served basis), please visit http://www.bitug.com and join the BITUG mailing list. Any questions, please email chairman@bitug.com.

Kevin Poultney
Chairman, BITUG. BrightStrand International Limited
Ascert Releases New Version of China UnionPay Driver for VersaTest
To meet the growing demand to test UnionPay International credit services, Ascert has enhanced the testing and simulation capabilities of its driver to include various mobile payment options.
Ascert has released a new version of its VersaTest Driver for China UnionPay (CUP) to support the latest mandates for the protocol. The driver supports both functional and performance testing and is available for standalone use with VersaTest Simulator, or with VersaTest Automator, for more complex, integrated testing environments.
“We’ve had a large number of new subscribers to the new version of the Union Pay Host Driver over the last several months,” said Mike Wainwright, Business Development Director in Ascert’s EMEA operation. “Its continued growth worldwide with an emphasis in Southeast Asia has been a driving demand factor for testing.”
UnionPay continues its exponential growth in 2016 with over 58 million cards issued in 40 countries outside of mainland China. The advent of Apple Pay and Samsung Pay utilizing UnionPay’s QuickPass technology in China has enabled the company to recapture market share and has contributed to the increased popularity of the brand. The new UnionPay Driver from Ascert has been included in the rapidly expanding VersaTest library of drivers for use on-premise and in the Ascertified cloud-based testing service. The new driver assists merchants and service providers in testing transactions in preparation for certification.
To find out more about the VersaTest China UnionPay Simulator, visit http://www.ascert.com or contact one of the Ascert offices.
About Ascert:
Off-the-shelf simulators include solutions for EFT testing, POS testing, stress testing, ATM testing, Fraud testing, IFX testing, EMV/chip card testing, ISO8583 testing and 3270 & 6530 terminal testing. Ascert’s custom simulators have been used for testing air traffic control systems and biometric payment systems. Ascert delivers flexible solutions that are either customer site installed or accessed via Ascert’s Remote Testing Services. Ascert's products assist testing professionals across industry segments to better manage their testing processes and environments through an end-to-end tool set.
For inquiries in the Americas and Asia-Pacific:
For inquiries in Europe, Middle East, and Africa:
Gravic Publishes Solution Brief “Shadowbase Data Protection”

Gravic recently published a new solution brief, Shadowbase Data Protection. Data is one of a company’s most valuable assets, and cyber thieves want it. Whenever data is moved between systems, a window of opportunity for data theft opens, which opportunistic hackers will be quick to exploit. But whether it is data at rest or data in motion, Shadowbase replication encryption provides protection so that the window of opportunity for data theft remains firmly closed. Take advantage of the capabilities of Shadowbase replication solutions for business continuity, data and application integration, real-time business intelligence, and more, without any concern that your data security could be compromised in the process.

To speak with us about your data replication and data integration needs, please visit us at www.ShadowbaseSoftware.com, email us at SBProductManagement@gravic.com, or call us at +1.610.647.6250. Hewlett Packard Enterprise directly sells and supports Shadowbase Solutions under the name HPE Shadowbase. For more information, please contact your local HPE account team or visit our website.
Register Now for the MATUG Fall Users Meeting
Please register via EventBrite for the Mid-Atlantic Tandem User Group (MATUG) meeting scheduled for 8am-5pm on Tuesday, October 18, 2016 at the HPE Headquarters, Herndon, VA USA. (Click https://eventbrite.com/event/16902004350/ for more information.) The MATUG meeting is open to all HPE NonStop customers, partners, users, consultants, or interested parties. Members are usually from the following states: Pennsylvania, New Jersey, Maryland, Delaware, Virginia, Washington, D.C., and West Virginia, although anyone can attend. MATUG provides members with the opportunity to participate in quality informational sessions, learn about new HPE products and services, and interact with fellow HPE NonStop users. Please share this information with others in your organization who may be interested in attending.
NonStop Technical Boot Camp 2016

Registration Information:
· Early Bird: $1295 (before 9/29/16)
· Pre-Conference Seminar Registration: $150
· Call for Papers is OPEN: learn more and submit your paper on the Boot Camp site.

Example HPE Sessions:

Kathy Wood, NonStop Partner SIG/Vendor Chair, kwood@blackwood-systems.com
DataExpress

Integration – it is always on the minds of NonStop systems managers; DataExpress makes integration easy!

In the middle of the Formula One (F1) season, as soon as August arrives, the teams shut down for a month of no racing, and even as the F1 teams are compelled to take a two-week factory shutdown, the period provides an ideal holiday time for fans and drivers alike. No testing or repairs are allowed in those two weeks, and definitely no time is allowed for integrating new parts or trying out something different. All teams are constantly looking for that little extra to propel them into victory lane, but come August it’s all a case of one big uninterrupted snooze.
DataExpress, Inc.
sales@dataexpress.com
NonStop COBOL Software Quality Analysis, a new feature of ITP-PANORAMA

This new feature of ITP-PANORAMA makes it easier for executives to manage their software. For each program, section and paragraph it shows the result of fifty-five quality analyses, displayed as twenty-six statistical values. The result is a score between 1 and 10, also shown in red, yellow and green. From a critical part of the software, a developer is only a mouse-click away from the relevant part of the program listing where corrections or improvements have to be made.
The video that explains how valuable the COBOL Quality Analysis is for your Application Portfolio Management is now available on our website: http://www.itp-panorama.com/index.php?videos-about-itp-panorama For more information and a White Paper about the performed quality checks contact Juergen.Overhoff@itp-panorama.com
CSP Announces: "We are NonStop X Ready"!
At CSP, we strive to be at the forefront of new technology. This is why we are excited to announce that we just took delivery of one of the first NonStop X systems in Canada! The addition of our new, in-house NS3 X system to our existing network of NonStop servers will allow us to continue the support of our extensive range of security solutions into the new NonStop X era. This will ensure a seamless transition for CSP customers as they begin migrating to NonStop X.

Meet our team at these upcoming events as we introduce our new and exciting security solutions for hardening SAFEGUARD and OSS against both insider and outsider attacks:
· VNUG, Stockholm, SE – September 13 & 14, 2016
· ATUG, Atlanta, GA – September 29, 2016
· CTUG, Mississauga, ON – October 19, 2016
· GTUG, Bad Homburg, DE – October 26 & 27, 2016
· NonStop Technical Boot Camp, San Jose, CA – Nov. 13 to 16, 2016
· eBITUG, London, UK – May 9 & 10, 2017

For more information please visit www.cspsecurity.com. For complimentary access to CSP-Wiki®, an extensive repository of NonStop security knowledge and best practices, please visit wiki.cspsecurity.com.
Regards, Vernette O'Neill - President & CEO
Availability Digest Says if Data Centers Were a Country, They Would be the 12th Largest Electricity Consumer

Data centers as one entity use more electricity than most countries in the world. In 2013, data centers consumed an estimated 91 billion kilowatt hours of electricity, more than twice that of all households in New York City. By 2020, data-center energy consumption is estimated to increase by more than 50%. So what’s the problem? Who cares? The concern is that aging power infrastructures are proving unable to keep up with the explosion of digital content, big data, e-commerce, and Internet traffic. Businesses are finally recognizing that power availability is not increasing quickly enough to support their future cloud, cluster, and supercomputer demands. In “Data Centers Consume Inordinate Amounts of Energy,” the Availability Digest discusses what data centers can do to become energy efficient with methods that some experts say can easily slash electricity consumption by 40%.

In addition to “Data Centers Consume Inordinate Amounts of Energy,” read the following articles in the Availability Digest’s August 2016 issue:

· Southwest Airlines’ Router Grounds 2,300 Flights – The world’s largest low-cost air carrier was grounded in July by a partial router failure that went undetected by the backup system. No failover took place, and the result was the worst data-processing outage in the airline’s history. In his apology to customers, Southwest’s CEO said that the circumstances under which the router failed were so rare that the company could not have prepared for it. Is that really the case?
· Fail-Safe – In the 1964 Cold War thriller “Fail-Safe,” U.S. bombers heading to Moscow do not receive a recall directive due to a technical glitch. One of the movie’s characters says, “Machines we make are so fast, so accurate, and the mistakes they make are so subtle, very often humans just can’t know whether the machine is lying or telling the truth.” Fifty years later, that statement is still true.
· High Performance IT Services – This just-published book by Dr. Terry Critchley is an extensive but easy-to-read explanation of IT system performance issues. Unlike similar books that dwell heavily on the mathematics, Dr. Critchley explains topics in simple English supported by numerous figures.
· @availabilitydig – The Twitter Feed of Outages – Our article highlights some of our numerous tweets that were favorited and retweeted in recent days.

The Availability Digest offers one-day and multi-day seminars on High Availability: Concepts and Practices. Seminars are given both onsite and online and are tailored to an organization’s specific needs. We also offer technical and marketing writing services for a variety of industries as well as consulting services on risk assessment and system architecture. We ghostwrite for others and have years of experience in writing patent disclosures. Published monthly, the Digest is free and lives at www.availabilitydigest.com. Please visit our Continuous Availability Forum on LinkedIn. We’re at 770 members and counting. Follow us as well on Twitter @availabilitydig.
Get Ready for GDPR, PSD2: Here's What You Should Know
Imminent new security and data privacy regulations require a rethinking of traditional approaches to enterprise architectures. Here is some insight on GDPR, PSD2.
Rethinking current practices is particularly relevant to administrators and architects of HPE NonStop systems, which enable many of the world’s most critical transactions and therefore process many types of sensitive data covered by regulations. NonStop systems are currently deployed across many industries, ranging from financial services and retail to telecommunications and energy.
Read the full story.
XYPRO - Breaches are from Mars, Security is from Venus

There is quite a large disconnect between the way security breaches are evolving and how security solutions and resources are keeping up to address them, much like the John Gray book about relationships and the different motivations of men and women. Unlike the book, though, we’re not trying to come to a happy medium; we’re trying to keep the warlike Mars at bay. As a security strategist, I’m constantly evaluating what is possible in order to identify gaps and opportunities. The one thing I have learned over the course of my career is that the only constant in cyber security is that attackers’ methods will continue to evolve. They get smarter, more resourceful, and are impressively patient.

The HPE Integrity NonStop server is not only a foundation of the HPE server business; it is also central to countless mission-critical environments globally. For the longest time, security of these powerful systems and the “mission critical” applications they run remained mostly static and under the radar while high-profile attacks on other platforms took the spotlight. That hasn’t lessened the risk and exposure of the NonStop server; it has actually created a gap. With globalization and the introduction of new technologies for the NonStop server, this security gap will only widen if it is not addressed. Interestingly enough, the NonStop server isn’t the only mission-critical enterprise platform in this situation. There are some colorful parallels between applications running on the NonStop server and those running in SAP environments. Both run in highly mission-critical environments, are vital to the revenue generation of an organization, and frequently run payments applications such as ACI’s BASE24 and other homegrown applications. This creates some interesting security challenges.

In a recent article in The Connection magazine, Jason Kazarian, Senior Architect at HPE, described legacy systems as “complex information systems initially developed well in the past that remain critical to the business in spite of being more difficult or expensive to maintain than modern systems”. His article went on to point out the security challenges of legacy applications. In summary, applications of this type tend to be unsupported; security patches aren’t readily available, and when they are, they aren’t applied in a timely fashion for fear of disruption; and they lack many of the security features modern applications have. This makes detecting and addressing security risk and anomalies an even greater challenge than it already is.

MIND THE GAP

How can this problem be addressed? Protect what you can. As a first step, whether at the system, application or data layer, push the risk down the stack to an area that typical security controls can govern. For example, tokenizing the data used by a legacy application removes the payoff from the application’s own files and forces an attacker to go looking for that data through another route, preferably one better suited to detection. Have a risk-based, layered approach. This will swing the odds in your favor. OK, maybe not completely in your favor, but this approach will give you an arsenal you previously did not have: it will create choke points, provide the visibility needed, and help reduce mean time to detection and response. With the way threats are evolving, those of us responsible for security need to constantly evaluate and assess our capabilities. Let’s take a dive into each layer to explore the benefits it provides in an overall security strategy.
Steve Tcherchian, CISSP

Register for Upcoming NonStop Events
If you live in the northeast region of the US, make sure you have registered to attend the upcoming events in your area! We have great agendas and networking opportunities lined up for both of these events. Limited space is available, so don't wait to claim your spot! Register today.
Register for Greater NY/NJ Area HPE & Partner NonStop Education Day here:
Register for NENUG here: https://www.eventbrite.com/e/nenug-2016-tickets-26644503427
HPE’s The Machine: What It Means for NonStop
HPE’s The Machine made an appearance in Paramount Pictures’ new Star Trek movie. What does it mean for the NonStop community? Here is some insight.
The association between HPE and Paramount Pictures is the commercial debut of HPE’s major project, “The Machine.” The project has shared news lately with the surprising announcement of HPE CTO Martin Fink’s imminent retirement. As the head of HP Labs, Fink was the driving force behind and public face of The Machine. Read the full story.
XYPRO - Implementing Tokenization & Access Control – Don’t Let it all Hang Out!
In recent years there has been an emergence of several new technologies to protect sensitive data, including Format Preserving Encryption (FPE) and Secure Stateless Tokenization (SST), such as those provided by HPE Security’s SecureData product. These products provide excellent capabilities to assist HPE NonStop users in protecting data within their application environments. Both HPE FPE and HPE SST provide strong protection against the exposure of sensitive data but they should not be used alone or to replace traditional access controls. Data protection methods such as FPE and SST need to be carefully considered and planned alongside traditional access controls to ensure all application data is comprehensively protected both from authorized and unauthorized exposure. This article will give a high-level overview of how to implement a best-of-breed HPE NonStop security framework; protecting all sensitive application files and tables using comprehensive access controls, and also selectively protecting the highly sensitive and valuable data those files may contain, such as credit card (PAN) data or personally identifiable information (PII). Mission critical applications such as those typically found on the HPE NonStop Server are composed of programs and files or tables. There are multiple levels of access requirements for both programs and files. For instance, only certain programs running as certain users should be able to access tables containing application data. This simple access control rule can be challenging to implement on the HPE NonStop Server, as standard HPE Nonstop security controls do not include the granularity features necessary to implement the desired security. For example, using the requesting object file as an attribute that can be used to control file access is not an option. Standard HPE Nonstop security can only control file access by the user running the program. 
In addition to the emergence of data protection technologies like FPE and SST, XYGATE Object Security (XOS), which uses the Safeguard Authorization Security Event Exit Process (SEEP), can be used to achieve the desired access controls for application security. This solution can use the requesting object file, among others, as an attribute when making access decisions, thus introducing more granularity into the access control matrix. Other partner products, including those from Greenhouse Software, also support the Safeguard Authorization SEEP. Encryption and Tokenization Options
In addition to controlling the access rights of users and programs to application data, it is often also necessary to encrypt or tokenize sensitive data in tables to prevent its exposure to non-authorized parties. This may be due to regulations, such as PCI-DSS, industry/corporate regulations, or just a result of the sensitive nature of the data itself. This can create a complex multi-tiered environment, which no single security product can fully address. Two data protection methods have recently received a lot of focus in the NonStop space: disk (or volume) level encryption and application level encryption/tokenization. As a side note, file encryption is not considered for the purposes of this article as encrypting entire, live application files is generally either impractical, or involves extensive application redesign. Disk level encryption, known as VLE on HPE NonStop, is generally transparent to any logged-on users and therefore only protects against the disk drive being taken off-site and accessed. Due to this constraint, disk level encryption is no longer considered sufficient protection for PAN data, according to the PCI-DSS. Application level encryption also protects against disk drive removal but in addition also protect the data from being accessed by anything other than authorized users or programs. There are typically two variations of application level encryption:
Integrated application level encryption/tokenization is implemented by modifying the application programs to encrypt/tokenize and decrypt/detokenize sensitive columns. This can be a very expensive proposition depending on how many programs need modifying. It may also require the application programmers to have encryption programming knowledge, for instance how to manage keys. Also, this method typically precludes the ability, if required, for operating system utility programs to see unencrypted data, since those programs cannot be easily modified. Using integrated application level encryption can make it difficult to share encrypted data with off-box applications, because those off-box applications would also have to be modified in the same way. HPE offers the HPE SecureData product for customers that want to use the integrated approach – and companies such as XYPRO, comForte and HPE are able to provide consulting services to assist with implementation if that approach is taken.
Transparent application level encryption/tokenization involves attaching a library to each program that needs to access the protected data. The library intercepts all I/O calls and, based on its configuration, encrypts and decrypts specified fields or columns for specified programs running as specified users. The library can also be attached to operating system utility programs if required, and then those utilities can see unencrypted data. If this library uses underlying encryption technologies that are available on multiple platforms, sharing data with off-box applications is relatively easy. HPE offers two transparent application level encryption/tokenization products: XYGATE Data Protection (XDP) and cF Data Security. Both products provide these features and address these needs, using industry-leading HPE SecureData as the underlying ‘layer’ for encryption and tokenization.
Adding Access Controls into the Mix
When using transparent application level encryption, granular access controls are also important. The encrypting of data has to be combined with the ability to configure which processes, running as which users, running which object files, can access the sensitive data in an unencrypted format. For example, the process running the object file that is used to verify PANs should be granted the authority to see the unencrypted PANs. A process running any other object file should not see unencrypted PANs. An encryption scheme that encrypts and decrypts PAN data for processes running any object file accessing the data provides no better protection than disk level encryption. Let’s look at some examples of how access control to a tokenization system can be implemented in the XDP encryption library.
The above configuration entry says that for any file called CRDTBL on the system, there is a 16-digit PAN starting at position 6 in the record that needs to be encrypted with Format Preserving Encryption. This entry only applies to object files named CRDFPROG run by user APPL.USER. All access is audited and can be captured and/or forwarded to a SIEM using XYGATE Merged Audit. While the above entry controls how the PAN column is encrypted, and which program can see the unencrypted data, it does not control overall access to the file. Access to the file should be controlled so that only those programs that need to access the file are able to. This is important because the file may contain other information that needs to be protected, not just the encrypted/tokenized PAN. This could be implemented with an XOS entry like the following:
The above entry says that for the file $*.*.CRDTBL, which is owned by user APP1.USER, APP1.USER can perform any file system operation on the file when running a $*.*.CRDPROG or $*.*.ALTPROG program. Note that in combination with the XDP entry above, while ALTPROG can access the file, it will only see encrypted PAN data.
Two applications, one file?
Being able to control the security of a file based on the requesting object also helps in the situation where two different applications need to share a file when the applications run as different users. Assume that there is a primary application and a secondary application that both need access to one file owned by the primary application. Typically the security to access the shared file would need to be granted to both applications’ UserIDs. However, this means that any program running as one of the secondary application’s UserIDs would be able to access the data. Having a security scheme that includes the object file as one of the access controls means that the one program in the secondary application that needs to access the primary application’s file will be the only program that can access it. Any other program running as the secondary application’s UserID will not be able to access the data. The above scheme could be implemented with an XOS configuration entry like the following:
The above entry says that for the file $DATAA.APP1.TXFR, which is owned by user APP1.USER, APP1.USER can perform any file system operation on the file when running the $APP1.OBJ.WRTETXFR program, and that APP2.USER, when running the $APP2.OBJ.PROCTXFR program, can Read or Write the TXFR file.
HPE NonStop servers and most modern computing platforms have always benefited from a layered approach to security – there is no point locking your windows when your front door is wide open. Newer technologies like HPE Format Preserving Encryption and HPE Secure Stateless Tokenization provide another layer in the security administrator’s arsenal and can be very powerful when deployed in conjunction with more traditional security mechanisms. Just make sure to plan out your complete implementation so that all users and applications get just the access they need, and nothing more. As an added benefit, you’ll also address both PCI-DSS Requirement 7 “Restrict access to cardholder data by business need to know” and Requirement 3 “Protect Cardholder Data”.
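As an added example (not XYPRO’s, HPE’s or the article’s own code, and not XDP or XOS configuration syntax), the following Python models the two layers the entries above describe: a file-access check keyed on file name, user and requesting object file, and a field rule that decrypts the PAN only for the named user/program pair while any other permitted reader sees the protected form. It assumes the user in the XDP entry is the same APP1.USER as in the XOS entries, treats “position 6” as a 0-based byte offset, logs every decision to a list in place of XYGATE Merged Audit, and uses a toy digit-shift cipher as a stand-in for HPE FPE; the record layout, rule layout and key are constructed for illustration.

```python
"""Toy model of object-file-aware file access control (the XOS role) plus
field-level format-preserving encryption whose cleartext only named
user/program pairs can see (the XDP role).  Example code only; the rule
layout, record layout and cipher are invented, not XYPRO's or HPE's."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

READ, WRITE, PURGE = "READ", "WRITE", "PURGE"
ALL_OPS = frozenset({READ, WRITE, PURGE})


def name_matches(pattern: str, name: str) -> bool:
    """Match a $vol.subvol.file name against a pattern such as $*.*.CRDTBL;
    '$*' or '*' stands for any one component (assumed wildcard rule)."""
    p, n = pattern.upper().split("."), name.upper().split(".")
    return len(p) == len(n) and all(a in ("$*", "*") or a == b for a, b in zip(p, n))


@dataclass(frozen=True)
class FileRule:            # who (user + object file) may do what to which file
    file_pattern: str
    user: str
    program_pattern: str
    ops: FrozenSet[str]


@dataclass(frozen=True)
class FieldRule:           # which byte range is protected, and who sees cleartext
    file_pattern: str
    offset: int            # 0-based byte offset into the record (assumption)
    length: int
    cleartext_for: FrozenSet[Tuple[str, str]]   # (user, program pattern) pairs


# The XOS-style entries and the XDP-style entry the article paraphrases.
FILE_RULES: List[FileRule] = [
    FileRule("$*.*.CRDTBL", "APP1.USER", "$*.*.CRDPROG", ALL_OPS),
    FileRule("$*.*.CRDTBL", "APP1.USER", "$*.*.ALTPROG", ALL_OPS),
    FileRule("$DATAA.APP1.TXFR", "APP1.USER", "$APP1.OBJ.WRTETXFR", ALL_OPS),
    FileRule("$DATAA.APP1.TXFR", "APP2.USER", "$APP2.OBJ.PROCTXFR",
             frozenset({READ, WRITE})),
]
FIELD_RULES: List[FieldRule] = [
    FieldRule("$*.*.CRDTBL", offset=6, length=16,
              cleartext_for=frozenset({("APP1.USER", "$*.*.CRDPROG")})),
]
AUDIT: List[str] = []          # every decision is recorded, as the article requires
TOY_KEY = "3141592653589793"   # constructed; a real deployment uses managed keys


def toy_fpe(digits: str, decrypt: bool = False) -> str:
    """Stand-in for format-preserving encryption: a keyed digit shift that keeps
    the length and the all-digit format.  NOT secure; it only models the
    'same shape in, same shape out' property of real FPE such as NIST FF1."""
    out = []
    for i, ch in enumerate(digits):
        k, d = int(TOY_KEY[i % len(TOY_KEY)]), int(ch)
        out.append(str((d - k) % 10 if decrypt else (d + k) % 10))
    return "".join(out)


def check_access(file_name: str, user: str, program: str, op: str) -> bool:
    """Layer 1: allow only if a rule names this file, user, object file and op."""
    allowed = any(name_matches(r.file_pattern, file_name) and r.user == user
                  and name_matches(r.program_pattern, program) and op in r.ops
                  for r in FILE_RULES)
    AUDIT.append(f"{'ALLOW' if allowed else 'DENY'} {op} {file_name} {user} {program}")
    return allowed


def _sees_cleartext(rule: FieldRule, user: str, program: str) -> bool:
    return any(u == user and name_matches(p, program) for u, p in rule.cleartext_for)


def write_record(file_name: str, user: str, program: str, record: str) -> str:
    """Layer 2 on the way in: a program authorised for cleartext has its PAN
    encrypted before storage, so the file never holds a cleartext PAN."""
    if not check_access(file_name, user, program, WRITE):
        raise PermissionError(f"{user} via {program} may not write {file_name}")
    for fr in FIELD_RULES:
        if name_matches(fr.file_pattern, file_name) and _sees_cleartext(fr, user, program):
            lo, hi = fr.offset, fr.offset + fr.length
            record = record[:lo] + toy_fpe(record[lo:hi]) + record[hi:]
    return record


def read_record(file_name: str, user: str, program: str, stored: str) -> str:
    """Layer 2 on the way out: only the authorised user/program pair gets the
    field decrypted; any other permitted reader sees the protected form."""
    if not check_access(file_name, user, program, READ):
        raise PermissionError(f"{user} via {program} may not read {file_name}")
    for fr in FIELD_RULES:
        if name_matches(fr.file_pattern, file_name) and _sees_cleartext(fr, user, program):
            lo, hi = fr.offset, fr.offset + fr.length
            stored = stored[:lo] + toy_fpe(stored[lo:hi], decrypt=True) + stored[hi:]
    return stored


if __name__ == "__main__":
    # Constructed record: 6-byte account id, 16-digit PAN, then the holder name.
    clear = "ACCT01" + "4111111111111111" + " J DOE"
    stored = write_record("$DATAA.APP1.CRDTBL", "APP1.USER", "$APP1.OBJ.CRDPROG", clear)
    print(read_record("$DATAA.APP1.CRDTBL", "APP1.USER", "$APP1.OBJ.CRDPROG", stored))
    print(read_record("$DATAA.APP1.CRDTBL", "APP1.USER", "$APP1.OBJ.ALTPROG", stored))
    print("\n".join(AUDIT))
```

Running the block shows the three outcomes the article distinguishes: CRDPROG gets the cleartext PAN back, ALTPROG may open the file but only ever sees the protected digits, and a PROCTXFR request against CRDTBL is refused at the file layer before any field handling happens. The TXFR rules behave the same way: APP2.USER can read or write the file through PROCTXFR only, and a purge or a request from any other APP2 object file is denied and audited.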
Andrew Price
Scott Uroff
What to Expect at Boot Camp
The Connect NonStop Technical Boot Camp is fast approaching. NuWave's Mandi Nulph takes a look at what happened last year and what we can expect to see this year out in San Jose. Read the article on the NonStop Innovations blog.
Tokenization on HPE NonStop – Just Do It!
Having done multiple proof of concept (POC) studies with NonStop users in various verticals, as well as just having won the biggest deal in our company history, we have learned one thing: Every customer has different requirements. While the overall goals are typically rather similar (e.g., improve security, achieve compliance, reduce compliance cost, etc.), the project specifics can be very different, even among customers from the same vertical and business background.
Some assumptions:
· You are running ACI Worldwide’s Base24™ classic software.
· You are processing only ATM transactions.
· You are processing what are called “on-us” cards, meaning some of the data you process will be settled in-house, in most cases on an IBM host.
This is a typical system we have seen a lot, and while there are simpler scenarios (for example, no processing of “on-us” cards), there are also scenarios which are much more complex.
Read the full story.
XYPRO - What is a NonStop Server? – Building Bridges
I had a proud moment the other day. Kind of like when you get to brag about your children (or grandchildren): I was enjoying a beverage with a group of Mainframe support team members. We had just completed a long day of meetings on HPE NonStop topics. Only one of the Mainframe team had attended. At some point, the question was asked “What is a NonStop server and why do we have them?” The company has had their servers for decades. Everyone knows about the machines, but like so many other places, no one ever asks. To my utter amazement, the answer straight from the Mainframe guy was: “It is a mainframe system. HPE makes them. They run application x”. Unprompted, without influence, an old school IBM Mainframe systems person tossed this out. The look on my face must have been an odd mixture of happiness and confusion as I have NEVER heard anyone who wasn’t raised on NonStop calling my systems a mainframe. We spent the next few hours educating each other on the benefits (and difficulties) of managing our chosen systems. What I wish I could reproduce at any gathering of platform advocates, whether it be Windows, Mainframe, Linux or NonStop, is that spark of understanding. We all enjoy what we do (at least I hope we do) and there is a certain devotion/dedication and pride that goes along with it. At the end of this discussion, we all laughed and really appreciated what the others go through every day. The next time you run into someone who isn’t as savvy as you are on the subject of our favorite platform, take the time to bring them up to speed. While you are at it, try and build a bridge by trying to see why they love what they do as much as you. You never know where the next convert may be.
Rob Lesan
Originally published in The Connection Magazine
comForte at events near you in 2016
Please contact us if you would like to arrange meetings with our team at any of these events.
XYPRO looks forward to seeing you throughout 2016
VNUG: September 13, 2016 to September 14, 2016, Stockholm, Sweden
HPE Protect 2016: September 13, 2016 to September 16, 2016, Fort Washington, MD, USA
PCI North America 2016: September 21, 2016 to September 22, 2016, Las Vegas, NV
Greater New York/New Jersey Area HPE & Partner NonStop Information Day: September 21, 2016
ATUG 2016: September 29, 2016, Atlanta, GA
DUST – October 2016: October 4, 2016
PCI Europe 2016: October 19, 2016 to October 20, 2016, Edinburgh, Scotland
CTUG 2016: October 19, 2016 to June 20, 2016, Mississauga, Ontario, Canada
NonStop Technical Boot Camp – 2016: November 13, 2016 to November 16, 2016, San Jose, CA, USA
TCM Solutions
The good news is that we quickly passed the “100 members” level of membership in our new LinkedIn group - TCM Solutions (HPE NonStop / Tandem Services and solutions). My instinct tells me we will have even more members join this group in the coming months – if this is still news to anyone, please accept my cordial invitation to join with those who are in already by simply following the link above or cutting and pasting this link:
https://www.linkedin.com/groups/8546566
For those not as familiar with TCM as perhaps others are, TCM helps the NonStop community by providing remote systems management services – something we are acutely aware is a growing segment within the NonStop user base. The arrival of NonStop X systems has returned NonStop to companies’ lists of strategic systems, and here at TCM we find that encouraging. Not that the flood gates have opened, mind you; like other members of the NonStop community, we would like to see even greater usage of NonStop within many more markets, but the early signs continue to be positive. This is the long way around to introducing the subject of this article. Who will be left to manage these additional NonStop systems as they find homes at sites where access to NonStop skills may be limited or even non-existent? The landscape for managed services is changing and this was something I touched on in last month’s article to Tandemworld. It is a truism, backed up by many years of observation, that today’s NonStop systems do not need anywhere near the staff to supervise when compared to the competition. And it begs the question, first aired in last month’s article and coming from HPE NonStop advocate Gerhard Schwartz, “Can institutions still afford to run those currently prevailing standards-based IT systems requiring significantly more manpower?” No matter how you look at this changing landscape, it’s all about the people, and even though NonStop requires less care than other systems, we cannot ignore the fact that good people are still required and that good NonStop people are getting harder to find. Some of you have good people. HPE has good people too. And yes, we have built up TCM through the years by having good people. Every institution we know of that relies on NonStop understands the importance of mission critical, and has done so for as many years as I care to recall, and that’s at the very root of why they continue to run HP NonStop systems 24 X 7 as they do.
Continuing to tap into a pool of NonStop expertise unfortunately is much like the hair on many of our heads – it’s beginning to thin noticeably. Along with our hair, as good NonStop resources have gotten thinner on the ground, new skills are hard to find, training new staff takes a good few years, training courses are difficult to schedule and all of us are getting older, we are seeing some challenges to the in-house solution. However, this is not the biggest realisation being faced today. We now see a number of great HPE NonStop Systems Managers becoming disillusioned with the environment they are working in, where the HPE NonStop may not be the core IT solution and is not fully understood or fully appreciated for what it actually is and what it gives to the organisation. Does this lack of understanding rub off on the System Managers who are expected to quietly look after these systems 24 x 7, sometimes without the recognition they deserve, and does this now introduce an understandable risk? In other words, can an encroaching casual attitude carry with it potentially catastrophic outcomes? Turn this around and consider the case where NonStop becomes fully understood and truly appreciated, a strategic server on which the institution utterly depends: can a switch be flipped where former casual attitudes are quickly reversed? Given the potential for such a change – all good, mind you – adding in-house staff may not be the sole solution that needs to be considered. I suspect not, and this is at the very heart of where TCM provides value. Appreciating NonStop for all that it provides will bring with it a need for absolute and full control over these critical systems, which in turn means closer management with lots of internal, closely managed resources available in order to provide the day to day systems management of NonStop.
And yes, it’s then easy to see that, in true NonStop fashion of course, this means a level of “resource fault tolerance” to ensure adequate cover is available through work peaks, holiday periods, etc. This is costly, but the systems are critical - so working with a managed services provider is the only safe solution - right? If only this were the case, then the NonStop community would be a lot better off and we would see the pool of expertise grow significantly. Restoring hair to healthy growth has always been the stuff of mystics and charlatans, but on the other hand, when it comes to NonStop, it is possible to change the landscape for resources right along with the changing landscape for NonStop. As Richard Buckle wrote in his most recent post to the LinkedIn blog, Pulse, referencing comments I made to him earlier in the month, I believe that the NonStop community is slowly starting to recognize many of the issues above, as we are starting to see an understanding that the in-house solution may not be the way forward. Institutions are now realizing that they actually have far more control over an outsourced solution, delivered by a dedicated and experienced HPE NonStop provider, where SLAs are strictly adhered to, measured and reported, where NonStop is the outsourcer’s core business (who understands HPE NonStop better than most, with hundreds of years of experience) and where further concerns about having to rely on just one or two staff members could be put to rest. This too the NonStop community is coming to appreciate, and even as the landscape is most definitely changing, we at TCM are encouraged with what we are seeing; we anticipate becoming even more involved in the remote management of even more NonStop systems in the very near future. Don’t forget to check out our LinkedIn group and make sure you become a member so you can join the discussions on remote systems management, as I am sure every institution turning to NonStop will benefit from what we can provide.
Kind Regards Tony Craig Managing Director
TCM House, Saltire Centre, Pentland Park, Glenrothes, Fife, KY6 2AG
Musings on NonStop! August, ‘16
The opinions expressed here are solely
Even though there have been days spent out of the office there was still time enough to continue writing blog posts and commentaries. While it is summer here in North America and, even though working Americans are reluctant to take vacations, Margo and I did take a bizcation. Think of staycation, but with time away from home, although for me the biz definitely dominated the ‘cation. It was a time though when we parked the RV and trailer at different places on the Atlantic coast including both North and South Carolina. Much of this has been captured in my most recent commentaries and posts published in July, and what follows are links to the coverage I provided on NonStop across all the media channels I support.
Real Time View:
ATMmarketplace:
Banking Technology:
LinkedIn blog / Pulse:
LinkedIn Groups / TCM Solutions:
Striim:
IR
Tandemworld (Musings on NonStop): http://www.tandemworld.net/newsletter_jul16.html
Buckle-Up-Travel:
All of this has been posted to the LinkedIn blog, Pulse, and if you have missed this update as well as previous months, you can always find them referenced on the LinkedIn group, Real Time View. The big news next month? With the post of August 20, 2016 I will kick off my tenth year of blogging!
Pyalla Technologies, LLC
Find out more about us at www.tandemworld.net
+44 (0) 20 8304 7979
We would like to thank the sponsors of the August 2016 eNewsletter
To enquire about Sponsorship opportunities for the Tandemworld Newsletter please click here.
Our company, Tandemworld, accepts no liability for the content of this email, or for the consequences of any actions taken on the basis of the information provided.