Overview of IBM Z Crypto Discovery & Inventory
The topics in this chapter provide an overview of the major features and architecture of IBM Z Crypto Discovery & Inventory and explain the key terms and concepts.
IBM Z Crypto Discovery & Inventory (5698-CDI) is designed to help your installation discover cryptographic assets on the Z platform. By analyzing and consolidating relevant crypto statistics from your jobs and applications, IBM zCDI can help your organization understand its cryptographic posture, assess risks and compliance, plan for post-quantum migration, and respond to security incidents and evolving cryptography standards.
Migration to post-quantum cryptography is expected to be a multiyear effort. Beginning the quantum-safe journey requires an organization to understand where cryptography is being used in its environment and to build a "cryptographic inventory": a holistic, reusable inventory asset that helps uncover potential vulnerabilities and create a risk-based, prioritized migration roadmap. IBM zCDI is designed to simplify how your organization discovers uses of cryptography within your Z infrastructure by analyzing and consolidating crypto-relevant statistics from several data sources.
Currently, identifying vulnerable cryptography across applications and environments is a tedious, manual process that requires multiple tools for data collection and analysis. Lack of visibility into vulnerable cryptography conceals the security risks of cyberattacks, data breaches, and potential future threats posed by quantum computing.

Figure 1 shows a sample display of cryptographic data collection from IBM zCDI. The display indicates the number of jobs that use allowed cryptography (in purple), versus the number of jobs that do not (in green).
- Consolidate multiple data sources and create a single view of cryptography usage to quickly identify potential vulnerabilities
- Automate the manual tasks of correlating information across multiple tools and within systems and applications and discovering cryptography usage
- Identify cryptographic technical debt and uncover vulnerabilities across keys, certificates, and applications to aid stakeholders with their remediation plans and compliance audits
- Mitigate security risks of future data exposures with enhanced visibility into vulnerabilities, which allows your organization to respond quickly to cybersecurity challenges
- National Institute of Standards & Technology (NIST) SP 800-131A r2
- National Institute of Standards & Technology (NIST) SP 800-131A r2 plus Quantum Safe
- Commercial National Security Algorithm Suite (CNSA) 1.0
- Commercial National Security Algorithm Suite (CNSA) 2.0
In IBM zCDI, you can see a graphical view of your current cryptography status from a single dashboard. Your organization can use the solution to validate selected systems for the risks that arise from weak cryptography. You can view the results of the scans for each set of systems (scope) that you define. To view the results, you need sufficient authorization from the administrator of IBM zCDI.
Based on these results, your IT staff, such as administrators and security personnel, can act to strengthen the cryptography in use on your systems. With such issues addressed, your organization can use the dashboard to generate updated reports for use with security audits.
IBM zCDI does not perform real-time monitoring. However, you can schedule regular scans to collect, validate, and report on the current cryptography status.
For descriptions of the key terms that your organization should know when using IBM zCDI, see Getting started with IBM zCDI.