Security

Pervasive encryption: The new standard in data protection

Share this post:

Virtually every business faces the daunting challenges of protecting of their customers’ trust and their data, complying with increasingly stringent regulatory and compliance requirements, managing challenging IT environments, and keeping costs down.

IBM Z offers the most secure platform, and with carefully-defined security policies your data can be kept very safe.  Even so, there may be risks that you have not anticipated or hidden gaps that remain in your security policy.

Encryption of data

One of the best ways to protect data is to keep it encrypted.  Only 2 percent of corporate data within data centers is encrypted, contrasted with more than 80 percent of data on mobile devices according to a recent Solitaire Paper.   With the stakes so high, why don’t more companies encrypt more of the data within their enterprise?  The short answer is that it is often expensive and complex to do so.

Selective encryption in the application is very high cost, requires ongoing changes and maintenance, and is difficult to plan.  Pervasive encryption has much lower people costs and simplifies maintenance, but can drive up CPU capacity requirements and software license charges.

IBM’s solution – z/OS dataset encryption

IBM has provided z/OS customers with a number of powerful security enhancements, including encryption of data to/from the coupling facility, but dataset encryption is the most critical to a pervasive encryption strategy at low cost.  With dataset encryption, your system administrators can make the necessary changes quickly and easily to ensure that all data associated with entire applications and databases is protected without the high cost of application development and testing.

IBM Z and z/OS are designed to work with huge amounts of data.  Data is often read and written in large blocks.  Databases carefully buffer data to avoid recurrent I/O requests.  Dataset encryption is optimized to work well in this environment.  Data is encrypted within z/OS before it is written to disk and decrypted after it is read from disk using CP Assist for Cryptographic Function (CPACF).  CPACF works very efficiently with the large block sizes and provides the added security of protected key technology.

Cost: Huge improvements with z14

We have analyzed data from some clients to estimate the additional MIPS needed during their peak 4-hour window to encrypt all datasets.  On the z13 machine, some clients would need 30 percent more MIPS, but on z14 most of these clients would need less than 5 percent more MIPS.  I/O intensity is a key factor.  For workloads like I/O intensive batch, the cost of encryption will be higher.  For workloads like online transaction processing, the cost of encryption will generally be lower.

additional MIPS needed for encryption of all datasets

IBM has provided tools to help estimate the cost of dataset encryption:

  • Use zBNA to provide a detailed estimate of the cost of dataset encryption.
  • Contact IBM to request a zCP3000 study for a high-level estimate of the dataset encryption cost.

Conclusion

IBM offers dataset encryption as a necessary component of a pervasive encryption strategy.  Dataset encryption enables you to meet your data security goals and compliance requirements without application changes and with simpler maintenance and lower cost.

IBM z14 provides huge reductions in the CPU cost of dataset encryption.

Contact your IBM account team for a zCP3000 study and use the zBNA tool to estimate the additional CPU capacity needed to enable dataset encryption.

If you are not on a z14 yet, be sure to get an estimate of how much the z14 can reduce your capacity requirements for dataset encryption.

Click here to learn more about how to optimize your enterprise encryption strategy.

Senior Technical Staff Member – IBM Z Performance

More Security stories

Open source project Zowe: Fast, simple, familiar z/OS development

The IT landscape is evolving at a fast pace. Organizations continue to digitally transform to better serve the demands of their customers and differentiate themselves from their competitors. Many of these businesses have a mainframe as an essential asset at the heart of their digital transformation, and to drive the business. IBM Z mainframe strengths […]

Continue reading

Client agility improved with continuous delivery & IBM z/VM

For years, IBM z/VM® virtualization technology has provided high levels of extreme scalability and security, providing a robust foundation for infrastructure as a service on IBM Z and IBM LinuxONE servers. While cloud computing has become the standard use model for IT services, an IT infrastructure is always the foundation for every IT service. Realizing […]

Continue reading

POWER9 Scale-Up servers designed to fuel innovation

Today is a big day for IBM Power Systems. Our initial rollout of POWER9 servers is now complete with our latest offerings. These enterprise-class scale-up servers combine simplified cloud management with leadership performance, scale, availability and security. Did you know that 80 percent of the Fortune 100 have IBM Power Systems? Across the globe, top […]

Continue reading