Most organizations agree that encryption must be part of their overall strategy for protecting and securing sensitive data. They also recognize that protecting only the data that is required to achieve compliance is a minimum threshold and that a move from selective encryption (protecting only specific types of data) to pervasive encryption (encrypting all data) is needed. Likewise, many barriers that are encountered today with current enterprise data protection policy and strategy can be removed with pervasive encryption, such as:
- Decoupling encryption from data classification; this allows organizations to implement their encryption strategy independent of any challenges they might face while identifying and classifying sensitive data. It also reduces the risk of unidentified or mis-classified data.
- Using encryption without interrupting business applications or affecting service level agreements (SLAs); changes to the application are not required if data is encrypted after it leaves the application and decrypted before it reaches the application.
- Reducing high costs that are associated with processor overhead; the cost of encryption is minimized by encrypting data in bulk, by using encryption accelerators with high performance and low latency.
Pervasive encryption on IBM Z platforms covers extensive encryption of data at-rest and data in-flight. Data at-rest is data that is written to and stored on devices, such as disk and tape; data in-flight is data that is sent over the network to a user or another platform, or over a storage area network to disk and tape devices.
IBM Z pervasive encryption is attained through tight platform integration of hardware, firmware, and software. It simplifies the implementation of data encryption and reduces the cost that is associated with protecting data and achieving compliance. Specifically, z/OS data set encryption provides broad coverage for sensitive data residing in supported data set types by using encryption that is tied to access control for both in-flight and at-rest data protection.
z/OS data set encryption is enabled through policies and profiles. Data can be encrypted in bulk with low overhead, while allowing for varying levels of granularity. Operating system components and Z hardware integrated cryptographic engines deliver industry exclusive protected key encryption with high performance and high security, including:
- z/OS Integrated Cryptographic Services Facility (ICSF) to manage encryption keys and the key labels that are associated with the encryption keys that are in the Cryptographic Key Data Set (CKDS).
- SAF or RACF profiles and SMS policies to control allocating encrypted data sets by associating key labels to those data sets. In addition, SAF or RACF profiles can control access to individual data sets or groups of data sets, and the key labels.
- The Central Processor Assist for Cryptographic Function (CPACF) provides high-speed cryptographic acceleration through a set of instructions that are available in hardware on every processor unit.
- The Crypto Express adapter provides cryptographic function through high-security, tamper-responding hardware security modules (HSMs) to safeguard encrypted data by protecting encryption keys.
z/OS data set encryption is also transparent to applications and allows for the separation of duties within an organization. Because data remains encrypted (even during operational procedures), z/OS data set encryption can remove the need to include storage administration as part of the compliance scope. The use of more compliance controls might not be needed because the data remains encrypted when it is written.
The data set types that are supported by z/OS data set encryption are extended-format sequential data sets and extended-format VSAM data sets, which can then be used by z/OS zFS, IBM Db2, IBM IMS, middleware, logs, batch, and Independent Software Vendor (ISV) solutions. Applications or middleware that use extended-format data that is accessed with the VSAM, QSAM, or BSAM access methods can also take advantage of z/OS data set encryption.
The figure below shows how z/OS data set encryption works, including the flow between the hardware, firmware, and software components. This example involves input processing of an encrypted data set. It uses secure encryption data keys that are protected by Crypto Express and stored in the CKDS. The data key that is used to encrypt and decrypt the data is wrapped as a secure key or protected key during the process. Note that the data key material is never visible to the operating system or application.
The left portion of the figure shows the following steps that occur during the data set open process:
1. DFSMS receives the key label that is associated with the data set from the catalog and calls RACF to verify the user's access to the key label.
2. DFSMS calls ICSF with the key label.
3. ICSF obtains the secure key from CKDS and calls the Crypto Express6S to unwrap the key.
4. With assistance from the firmware, Crypto Express6S decrypts the secure key and rewraps it with a transport key.
5. The wrapped key is sent to CPACF. With assistance from Z firmware, CPACF unwraps the wrapped key with the transport key to make the data key available.
6. The data key is wrapped with the CPACF wrapping key to create the protected key.
7. The protected key is sent to ICSF, where it is cached in protected memory for future callers. ICSF sends the protected key to DFSMS to encrypt and decrypt data.
The right portion of the figure shows the steps that occur during the data set read/get process:
A. DFSMS reads the encrypted data from the data set and invokes CPACF, passing the protected key.
B. CPACF decrypts data by using the protected key.
C. Decrypted data is sent as clear text to the application through DFSMS.
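As an added illustration (not IBM code, and not the actual Crypto Express or CPACF algorithms), the following Python models the key-wrapping chain of steps 3 to 7 and A to C: a keyed SHA-256 keystream is a constructed stand-in for AES, and the key label, user IDs and record contents are constructed. The point it shows is that the clear data key exists only inside the HSM and CPACF functions; ICSF, DFSMS and the application ever see only the secure key or the protected key.

```python
import hashlib, os

def xor_stream(key: bytes, label: bytes, data: bytes) -> bytes:
    """Constructed stand-in for AES: XOR data with a keyed SHA-256 keystream."""
    stream = b""
    for i in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + label + i.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

# Crypto Express (HSM) domain: the master key never leaves it (steps 3-4).
HSM_MASTER_KEY = os.urandom(32)
def hsm_rewrap(secure_key: bytes, transport_key: bytes) -> bytes:
    clear = xor_stream(HSM_MASTER_KEY, b"secure", secure_key)   # clear only inside HSM
    return xor_stream(transport_key, b"transport", clear)       # rewrapped for CPACF

def hsm_import(clear_data_key: bytes) -> bytes:
    """Key administrator loads a key; the HSM returns it wrapped as a secure key."""
    return xor_stream(HSM_MASTER_KEY, b"secure", clear_data_key)

# CPACF/firmware domain: the wrapping key is never readable by software (5-6, B).
CPACF_WRAPPING_KEY = os.urandom(32)
def cpacf_make_protected(transport_wrapped: bytes, transport_key: bytes) -> bytes:
    clear = xor_stream(transport_key, b"transport", transport_wrapped)
    return xor_stream(CPACF_WRAPPING_KEY, b"protected", clear)   # the protected key

def cpacf_cipher(protected_key: bytes, record: bytes) -> bytes:
    """Encrypts or decrypts (the stand-in cipher is symmetric) using a protected key."""
    clear = xor_stream(CPACF_WRAPPING_KEY, b"protected", protected_key)
    return xor_stream(clear, b"data", record)

# ICSF domain: CKDS holds secure keys by label; protected keys are cached (7).
CKDS: dict = {}
PROTECTED_CACHE: dict = {}
def icsf_protected_key(label: str) -> bytes:
    if label not in PROTECTED_CACHE:
        transport_key = os.urandom(32)   # per-request transport key (assumption)
        wrapped = hsm_rewrap(CKDS[label], transport_key)
        PROTECTED_CACHE[label] = cpacf_make_protected(wrapped, transport_key)
    return PROTECTED_CACHE[label]

# DFSMS: RACF check on the key label (steps 1-2), then read via CPACF (A-C).
RACF_KEY_ACCESS = {"DATASET.KEY01": {"APPUSER"}}   # constructed access list
def dfsms_read(user: str, label: str, encrypted_record: bytes) -> bytes:
    if user not in RACF_KEY_ACCESS.get(label, set()):
        raise PermissionError(f"{user} lacks READ access to key label {label}")
    return cpacf_cipher(icsf_protected_key(label), encrypted_record)

def demo() -> dict:
    data_key = os.urandom(32)
    CKDS["DATASET.KEY01"] = hsm_import(data_key)
    pk = icsf_protected_key("DATASET.KEY01")
    record = cpacf_cipher(pk, b"ACCOUNT 0042 BALANCE 120.00")   # write path
    return {"data_key": data_key, "secure": CKDS["DATASET.KEY01"], "protected": pk,
            "record": record, "clear": dfsms_read("APPUSER", "DATASET.KEY01", record)}
```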
For more information about planning, implementing, and maintaining a z/OS data set encryption environment, see "Getting Started with z/OS Data Set Encryption", SG24-8410.