Share this post:
The ability to encrypt all of the data for an entire application or database has been an unfulfilled dream of IT for quite some time. After all, nobody wants to be the next big name splashed across news headlines when a data breach takes place, or stiff regulatory penalties are assessed. These possibilities drive many CIOs and CTOs to look seriously at increasing their use of encryption, particularly on mainframe systems in their IT infrastructure. Unfortunately, they haven’t always liked what they’ve seen.
Barriers to widespread mainframe data encryption
While deploying encryption on a device such as a mobile phone is relatively easy, encrypting data at the enterprise level can be extremely complex. Organizational leaders have to go through terabytes or petabytes of data to locate sensitive information and classify different data sources—or even different fields within a database—from the standpoint of security importance. This largely manual process is error-prone, time-consuming and costly, especially as organizations keep more data in large data lakes or in cloud-based repositories.
Point solutions such as application-level encryption provide only limited coverage. And the more someone deploys these solutions, the more disjointed their encryption strategy becomes and the increased encryption-decryption processing can take a toll on overall system and workload management performance. That degradation in performance and its consequences on the user experience has been a key challenge to deploying encryption more pervasively. As a result, barely over 2 percent of enterprise data in data centers is encrypted, leaving a large number of targets for cybercriminals.
The new view of data encryption
But that’s yesterday’s mode. Today, we’re moving from a paradigm of selective encryption to pervasive encryption as the new standard. A system that encrypts virtually all data all of the time makes it much more difficult for cybercriminals to find targets. To be effective, the encryption has to extend practically anywhere—across any data, networks and external devices.
Our new IBM Z (z14) mainframe is designed to meet these requirements. For the first time, IBM Z enables organizations to pervasively encrypt data—either in flight or at rest—that is associated with an entire application, cloud service or database. All of this comes with no changes to the applications. It’s powered by the world’s most powerful and secure transaction system, capable of running more than 12 billion encrypted transactions per day. The customer experience doesn’t suffer.
The encryption keys are protected by a tamper-responding hardware security module, ensuring that they are never visible in memory to the operating system, hypervisor, or application. IBM Z provides another safeguard by enabling organizations to encrypt application programming interfaces (APIs), an essential capability as they build disruptive applications such as blockchain, and use APIs to connect them back to system-of-record data.
Pervasive encryption at favorable cost
Of course, because CIOs and CTOs need to pencil out potentially cost-effective solutions, IBM commissioned a study by Solitaire Interglobal that modeled the cost of using x86 systems of different sizes to selectively encrypt data. The same report mentioned previously concluded that in IBM Z and x86 systems configured to support the same overall level of business performance, the IBM Z encryption system delivered 8.5 times the security protection, ran 18.4 times faster, and at only one-twentieth of the cost.
For enterprises that want to protect more than just a small percent of their corporate data, this result may well spell the end of inefficient, piecemeal encryption. Learn more about IBM Z and the latest enhancements in the IBM z14 mainframe.