Quantum-safe security for IBM Z® involves the use of cryptographic methods designed to protect data from future quantum computer threats.
Quantum-safe security, built into the IBM Z platform, uses cryptographic methods that protect against attacks from both classical and quantum computers, helping ensure long-term data safety. As quantum computing advances, traditional encryption might be at risk. This makes quantum-safe security crucial for industries like banking, healthcare and defense.
The IBM PCIe Cryptographic Coprocessor (CEX8S) on IBM z17 supports the 2024 NIST PQC algorithms ML-KEM and ML-DSA.
Pervasive encryption offers a comprehensive solution for extensively encrypting both data in-flight and data-at-rest, significantly simplifying the adoption of quantum-safe encryption.
Integrated with your pervasive encryption framework, quantum-safe encryption adds security that protects your data against both current and future threats. This approach not only reduces the costs related to data protection but also enhances the mitigation of risks associated with emerging quantum threats.
As you prepare to adopt new quantum-safe standards, there are several key milestones to follow. Each step is explained in chapter 2 of the IBM Redbooks® publication "Transitioning to Quantum-Safe Cryptography on IBM Z".
Start by classifying the value of your data and understanding compliance requirements. This helps you create a data inventory.
Once you have classified your data, identify how it is encrypted, along with other uses of cryptography, to create a crypto inventory that will help you during migration planning. Your crypto inventory will include information such as encryption protocols, symmetric and asymmetric algorithms, key lengths and crypto providers.
The transition to quantum-safe standards will be a multiyear journey as standards evolve and vendors move to adopt quantum-safe technology. Use a flexible approach and be prepared to make replacements. Implement a hybrid approach as recommended by industry experts by using both classical and quantum-safe cryptographic algorithms. This maintains compliance with current standards while adding quantum-safe protection.
Replace vulnerable cryptography with quantum-safe cryptography. Secure your organization against attacks from both classical and quantum computers, helping ensure that your information assets remain protected even in the era of large-scale quantum computing.
Allow IBM expert lab services to conduct a holistic quantum risk assessment by creating a comprehensive inventory of cryptographic materials, including keys, certificates and algorithms. This helps identify and mitigate vulnerabilities like weak encryption and poor key management. The following domains are covered by the assessment:
IBM z16 offers several tools to help you discover how cryptography is used in applications and can help with migration and modernization planning.
Authentication verifies identity or authorship, helping ensure the integrity of data, software or firmware. Techniques like code signing confirm that only legitimate vendor-supplied code is executed. Strengthen your authentication with the IBM PCIe Cryptographic Coprocessor (HSM in CEX8S) and ICSF, which seamlessly integrate with IBM Z systems for robust, secure data protection.
As quantum-safe algorithms are integrated into industry standards, core banking applications benefit from enhanced security. For example, AES encryption is now supported for PIN point-of-sale transactions and PIN block protection. With the Integrated Cryptographic Service Facility and the IBM 4770 Cryptographic Coprocessor, IBM Z can handle essential tasks like PIN translation, PIN verification and unique key management, helping ensure secure and compliant payment processing.