Pervasive encryption: The new standard in data protection

Virtually every business faces the daunting challenges of protecting their customers’ trust and their data, complying with increasingly stringent regulatory and compliance requirements, managing challenging IT environments, and keeping costs down.

IBM Z offers the most secure platform, and with carefully-defined security policies your data can be kept very safe.  Even so, there may be risks that you have not anticipated or hidden gaps that remain in your security policy.

Encryption of data

One of the best ways to protect data is to keep it encrypted.  Only 2 percent of corporate data within data centers is encrypted, contrasted with more than 80 percent of data on mobile devices, according to a recent Solitaire Paper.  With the stakes so high, why don’t more companies encrypt more of the data within their enterprise?  The short answer is that it is often expensive and complex to do so.

Selective encryption in the application carries a very high cost, requires ongoing changes and maintenance, and is difficult to plan.  Pervasive encryption has much lower people costs and simplifies maintenance, but can drive up CPU capacity requirements and software license charges.

IBM’s solution – z/OS dataset encryption

IBM has provided z/OS customers with a number of powerful security enhancements, including encryption of data to/from the coupling facility, but dataset encryption is the most critical to a pervasive encryption strategy at low cost.  With dataset encryption, your system administrators can make the necessary changes quickly and easily to ensure that all data associated with entire applications and databases is protected without the high cost of application development and testing.

IBM Z and z/OS are designed to work with huge amounts of data.  Data is often read and written in large blocks.  Databases carefully buffer data to avoid recurrent I/O requests.  Dataset encryption is optimized to work well in this environment.  Data is encrypted within z/OS before it is written to disk and decrypted after it is read from disk using CP Assist for Cryptographic Function (CPACF).  CPACF works very efficiently with the large block sizes and provides the added security of protected key technology.

Cost: Huge improvements with z14

We have analyzed data from some clients to estimate the additional MIPS needed during their peak 4-hour window to encrypt all datasets.  On the z13 machine, some clients would need 30 percent more MIPS, but on z14 most of these clients would need less than 5 percent more MIPS.  I/O intensity is a key factor.  For workloads like I/O intensive batch, the cost of encryption will be higher.  For workloads like online transaction processing, the cost of encryption will generally be lower.

Figure: Additional MIPS needed for encryption of all datasets

IBM has provided tools to help estimate the cost of dataset encryption:

  • Use zBNA to provide a detailed estimate of the cost of dataset encryption.
  • Contact IBM to request a zCP3000 study for a high-level estimate of the dataset encryption cost.

Conclusion

IBM offers dataset encryption as a necessary component of a pervasive encryption strategy.  Dataset encryption enables you to meet your data security goals and compliance requirements without application changes and with simpler maintenance and lower cost.

IBM z14 provides huge reductions in the CPU cost of dataset encryption.

Contact your IBM account team for a zCP3000 study and use the zBNA tool to estimate the additional CPU capacity needed to enable dataset encryption.

If you are not on a z14 yet, be sure to get an estimate of how much the z14 can reduce your capacity requirements for dataset encryption.

Senior Technical Staff Member – IBM Z Performance
