Do you have application integrations that exchange data that needs to be protected in order to comply with GDPR?
In that case, a technology like IBM MQ Advanced Message Security (AMS) can help you protect those integrations. IBM MQ AMS protects your data end-to-end by encrypting and signing the messages that are exchanged between applications.
IBM MQ Advanced Message Security adds to the security provided by base MQ. It does not replace the security functions of base MQ (such as authorization controls and SSL/TLS encryption for channels).
IBM MQ AMS provides message-level protection, and a security policy defines what protection is applied to messages. IBM MQ AMS intercepts the messages at the end-points (the MQ APIs) and applies the security policy that is associated with the opened MQ queue.
IBM MQ AMS offers the following three qualities of protection for application messages:
- Integrity
Integrity protection is provided by digital signing of messages. Digital signing provides assurance on who created the message, and that the message has not been altered or tampered with.
- Privacy
Privacy protection is provided by a combination of digital signing and encryption. Encryption ensures that the message data is only viewable to the intended recipient(s).
- Confidentiality (only available from IBM MQ version 9.0)
Confidentiality protection is provided by encryption only (no digital signing).
To implement secure messaging with IBM MQ AMS, your existing MQ application code does not need to be changed or relinked!
The only changes needed to enable secure messaging with IBM MQ AMS are:
1. Install and enable the IBM MQ AMS component on the MQ queue manager(s) that your application connects to.
2. Set up an application keystore and order/create certificates (public/private key pairs).
3. Exchange public keys for the applications you integrate with.
4. Define an MQ security policy for the MQ queues that should be protected.
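As an added illustration of step 4 (not part of the original post), the shell function below builds the `setmqspl` policy command for each of the three qualities of protection and prints it instead of running it. The queue manager `QM1`, the queue `ORDERS.IN`, the distinguished names and the SHA256/AES256 algorithm choices are assumptions made for the example.

```shell
#!/bin/sh
# Added example. QM1, ORDERS.IN and the DNs are constructed sample values;
# SHA256 and AES256 are algorithm choices made for this example.

# ams_policy_cmd QOP QMGR QUEUE SIGNER_DN RECIPIENT_DN
# Prints the setmqspl command for one quality of protection.
# Returns 1 when an encrypting policy has no recipient DN, 2 for an unknown QOP.
ams_policy_cmd() {
    qop=$1; qmgr=$2; queue=$3; signer=$4; recipient=$5
    cmd="setmqspl -m $qmgr -p $queue"
    case "$qop" in
        integrity)       cmd="$cmd -s SHA256 -e NONE" ;;    # sign only
        privacy)         cmd="$cmd -s SHA256 -e AES256" ;;  # sign and encrypt
        confidentiality) cmd="$cmd -s NONE -e AES256" ;;    # encrypt only (MQ 9.0+)
        *) echo "unknown quality of protection: $qop" >&2; return 2 ;;
    esac
    # Signed policies: -a names the signer DN the receiver will accept.
    if [ "$qop" != confidentiality ] && [ -n "$signer" ]; then
        cmd="$cmd -a \"$signer\""
    fi
    # Encrypted policies: -r names the recipient whose public key is used,
    # which is why public certificates are exchanged in step 3.
    if [ "$qop" != integrity ]; then
        if [ -z "$recipient" ]; then
            echo "$qop policy needs a recipient DN" >&2
            return 1
        fi
        cmd="$cmd -r \"$recipient\""
    fi
    printf '%s\n' "$cmd"
}

SENDER='CN=orders-sender,O=Example,C=SE'
RECEIVER='CN=orders-receiver,O=Example,C=SE'
for q in integrity privacy confidentiality; do
    ams_policy_cmd "$q" QM1 ORDERS.IN "$SENDER" "$RECEIVER"
done
```

Once a printed command has been run on the queue manager host, `dspmqspl -m QM1 -p ORDERS.IN` displays the stored policy.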
IBM MQ AMS is an optional component of IBM MQ that needs to be enabled and it requires separate licensing.
As with all encryption technologies, encrypting and signing data comes at a cost in performance, which can reduce message throughput in your integration backbone, especially if you intend to encrypt large message volumes and/or big messages.
It is therefore important to carefully design, plan and implement IBM MQ AMS in a way that allows you to secure only the necessary integrations and leave the rest as they are. This gives you a flexible integration backbone that combines good performance with a high level of security.
If you have questions or thoughts about IBM MQ Advanced Message Security, or need help with planning and implementing IBM MQ AMS, please contact me.
Mats Erkenstam, Senior Architect, Enfo Integration