Where to find help on your pervasive encryption journey
By Didier André | 5 minute read | January 20, 2020
The threat of data breaches remains very real — we hear about it often in the newspaper headlines and on TV. Security is a high-priority issue for businesses, and as technology continues to evolve, you need security solutions that can keep you one step ahead of the threats.
IBM z15 was recently released, and I’m expecting it to be a game changer in the security industry. With IBM z14, IBM introduced pervasive encryption, a consumable approach to enable extensive encryption of data in-flight and at-rest. With IBM z15 and with IBM Data Privacy Passports, IBM Z is designed to help clients get transparent, end-to-end data protection and data privacy — even when the data moves off of IBM Z. With these features, IBM Z offers a security-rich environment for your data.
Pervasive encryption: Are you ready?
Pervasive encryption has been available since 2017, taking advantage of the synergy between the IBM Z software stack and the incredible encryption capabilities of IBM z14. Two years after its release, some clients are still asking, “How do I know if I’m ready to implement pervasive encryption?” and “How does it work?” If you’re are still asking those questions, the Pervasive Encryption Readiness Assessment (PERA) from IBM System Lab Services could be an enormous help. After a short data collection, we provide a one-day, onsite workshop (with all the teams involved in the project) that includes deep-dive education, an assessment of your readiness and a suggested implementation roadmap. Lab Services has delivered this offering to 20 clients in North America so far, and now they all know the next steps on their path to pervasive encryption.
Tools and features to support your pervasive encryption journey
The main component of pervasive encryption is z/OS data set encryption. With z/OS data set encryption, you can encrypt data sets automatically, with no application changes and a minimum overhead on z14 or z15. There are some technical requirements: The data sets need to be in extended format to be eligible for encryption. If you don’t know how many of your data sets are in extended format, IBM z Systems Batch Network Analyzer (zBNA) can help. This no-cost tool helps you assess how many of your data sets are eligible for z/OS data set encryption. Even better, it gives you the expected CPU overhead once encryption is turned on for these data sets.
Do you know that if you enable IBM zEnterprise Data Compression (zEDC) (you need zEDC cards on z14 or the in-core compression of z15), you can probably offset a big part of the encryption “cost”? Again, zBNA can help you simulate this and make the right decision. And if you don’t want to run it yourself, Lab Services can help you.
With z/OS data set encryption, when implementation time comes, you have to reallocate the data sets to enable the encryption. It can take time if you have to implement a process to force the reallocation of the data sets if they’re not “naturally” reallocated. And when it comes to files allocated to your online processes (like VSAM files in CICS file-owning regions), if you’re using a long manual process, you want this re-allocation to complete as quickly as possible.
Have you heard about IBM zOS Data Set Mobility Facility (zDMF)? With this product, you can encrypt hundreds of files without writing any manual processes. And your online files can be encrypted in seconds. This tool is so powerful that, after we recommended it to a client, one system programmer said he’s now able to encrypt all the files that require encryption in his company’s IT environment without assistance.
Help and advice from the professionals
If you feel ready for pervasive encryption but still don’t know how to move forward and need some help, IBM Systems Lab Services can help you all the way from a “proof of concept” to assistance throughout your implementation. Lab Services can help clients with z/OS and Linux implementations. If we look at the North America clients where we delivered a Pervasive Encryption Readiness Assessment, 40 percent of them have engaged or are engaging IBM Systems Lab Services in the journey to pervasive encryption. And this assistance can include all the components you might need to secure this deployment, from basic “bricks” to key management solutions.
One piece of advice while you’re thinking about data security: Don’t forget to check your z/OS security baselines. There’s no point in encrypting all your data if you have weaknesses in your security baselines and any skilled hacker could sneak into your systems and steal the encrypted data anyway … or worse, encrypt it, get the key and then offer it back to you in exchange for lots of money. There’s no known story of ransomware on IBM Z so far, and we don’t want to hear one anytime in the future. Again, Lab Services can help you to assess your baselines. It’s also a good idea, if you haven’t yet done so, to implement real-time monitoring of your IBM Z environments. The synergy between products like zSecure (which can also make security health checks easier) and QRadar makes it possible with ease.
Data privacy today
Now, let’s talk about data privacy. Have you heard of the characters Alice and Bob, created by Ron Rivest, Adi Shamir and Leonard Adleman, the RSA encryption algorithm inventors, in 1978? These characters wanted to exchange private messages using encryption.
Today, the world has changed, and with the privacy challenges in social media and elsewhere, along with new regulations protecting citizens’ data, we need data privacy. The Alice of today wants to exchange private messages with Bob but she also wants to have full control of her data and its usage. IBM Data Privacy Passports is the IBM answer to these challenges. Clients can protect data and enforce permitted use of that data when it is shared off-platform with IBM Data Privacy Passports, a data-centric audit and protection (DCAP) solution built on IBM Z security. With it, users like Alice will be able to control who has access to their data at a granular level and have full control of the data lifecycle — even when the data leaves IBM Z to go to a cloud environment, for example.
IBM Data Privacy Passports is available as a “beta” to clients that want to participate in this new, exciting journey toward data protection and privacy on IBM Z. And again, IBM Systems Lab Services will be there to help you. Isn’t is an exciting future in front of us?