Pervasive encryption: The new standard in data protection
By Bob St. John | 2 minute read | December 20, 2017
Virtually every business faces the daunting challenges of protecting of their customers’ trust and their data, complying with increasingly stringent regulatory and compliance requirements, managing challenging IT environments, and keeping costs down.
IBM Z offers the most secure platform, and with carefully-defined security policies your data can be kept very safe. Even so, there may be risks that you have not anticipated or hidden gaps that remain in your security policy.
Encryption of data
One of the best ways to protect data is to keep it encrypted. Only 2 percent of corporate data within data centers is encrypted, contrasted with more than 80 percent of data on mobile devices according to a recent Solitaire Paper. With the stakes so high, why don’t more companies encrypt more of the data within their enterprise? The short answer is that it is often expensive and complex to do so.
Selective encryption in the application is very high cost, requires ongoing changes and maintenance, and is difficult to plan. Pervasive encryption has much lower people costs and simplifies maintenance, but can drive up CPU capacity requirements and software license charges.
IBM’s solution – z/OS dataset encryption
IBM has provided z/OS customers with a number of powerful security enhancements, including encryption of data to/from the coupling facility, but dataset encryption is the most critical to a pervasive encryption strategy at low cost. With dataset encryption, your system administrators can make the necessary changes quickly and easily to ensure that all data associated with entire applications and databases is protected without the high cost of application development and testing.
IBM Z and z/OS are designed to work with huge amounts of data. Data is often read and written in large blocks. Databases carefully buffer data to avoid recurrent I/O requests. Dataset encryption is optimized to work well in this environment. Data is encrypted within z/OS before it is written to disk and decrypted after it is read from disk using CP Assist for Cryptographic Function (CPACF). CPACF works very efficiently with the large block sizes and provides the added security of protected key technology.
Cost: Huge improvements with z14
We have analyzed data from some clients to estimate the additional MIPS needed during their peak 4-hour window to encrypt all datasets. On the z13 machine, some clients would need 30 percent more MIPS, but on z14 most of these clients would need less than 5 percent more MIPS. I/O intensity is a key factor. For workloads like I/O intensive batch, the cost of encryption will be higher. For workloads like online transaction processing, the cost of encryption will generally be lower.
IBM has provided tools to help estimate the cost of dataset encryption:
- Use zBNA to provide a detailed estimate of the cost of dataset encryption.
- Contact IBM to request a zCP3000 study for a high-level estimate of the dataset encryption cost.
IBM offers dataset encryption as a necessary component of a pervasive encryption strategy. Dataset encryption enables you to meet your data security goals and compliance requirements without application changes and with simpler maintenance and lower cost.
IBM z14 provides huge reductions in the CPU cost of dataset encryption.
Contact your IBM account team for a zCP3000 study and use the zBNA tool to estimate the additional CPU capacity needed to enable dataset encryption.
If you are not on a z14 yet, be sure to get an estimate of how much the z14 can reduce your capacity requirements for dataset encryption.
Click here to learn more about how to optimize your enterprise encryption strategy.