New and Established IBM Offerings Meet Enterprise Data Protection Needs
With all of the massive, high-profile data breaches that large enterprises have experienced over the past several years, businesses of all sizes have responded by erecting heavy digital fortifications around their data.
Or maybe they haven’t.
“What’s kind of alarming is that while a lot of clients understand the risk with the need to protect data, only about 4 percent of the enterprises out there are actually encrypting their data,” notes Diana Henderson, offering manager for IBM Z* and LinuxONE*, with a specialization in security.
It’s not that they don’t want to do so, she adds. Enterprises are well aware that they need to guard their data, particularly since much of it originates from clients and vendors. Thieves are innumerable, they operate worldwide and their weapons continually grow more powerful. Simultaneously, many industries face new national and international cybersecurity regulations driving further need to guard the data.
The problem is that security is very hard work. “What many of our clients have told us is that it takes a significant amount of effort to manage techniques like encryption,” Henderson says.
As more enterprises move their data to private and public clouds, they realize that cloud computing can help them more effectively and efficiently manage their data, workloads, applications and the systems that contain them. But how can organizations make sure those clouds are secure? As cybersecurity requirements become more demanding, the IBM Z platform has introduced and updated a number of features that make securing the cloud less daunting.
Cybersecurity Is Essential
There’s no doubt about it: Enterprise organizations are under attack, Henderson says. And those attacks, she notes, are getting more intense—the number of attacks, how they originate, their reach and who orchestrates them.
And let there be no doubt that cybersecurity is essential to any enterprise. Even smaller ones that think they’re not on hackers’ radars can find themselves under attack. Small organizations, after all, often work with larger ones—banks, for instance—and thus provide a kind of back door into those larger firms’ treasure troves.
What’s more, many of the tools that cybercrooks use to gain access into an organization, such as ransomware and phishing emails, are used in tandem. “Phishing, for instance, could be used to gain access,” Henderson says. “Then coupled with malware, they try to capture and export data or take control of the system.”
If sensitive customer and vendor data falls into these thieves’ hands, that can result in extortion for financial gain. Falling victim to identity theft can degrade customer confidence in an organization, she notes, which can jeopardize its reputation, impeding the ability to conduct business.
Enterprises also face new and strengthened regulations and guidelines to protect corporate and citizen data. The financial services industry has been particularly affected. And new frameworks like the European Union’s General Data Protection Regulation (GDPR), which goes into effect this May, “will emerge as more prominent regulations driving institutions to ensure that all their data is protected,” Henderson says. More stringent cybersecurity requirements are spanning multiple geographies—in the United States, China and other countries. (Read about how IBM offers a framework to prepare for the GDPR.)
Again, most enterprises know cybersecurity has become a critical business task. “The challenge is discovering and classifying all of the data that should be protected,” Henderson says, a process she describes as particularly cumbersome: “You have to go through all of the data and determine which data needs to be protected.
“Having to go and cherry-pick is really time consuming, it’s error-prone—it’s something organizations don’t want to risk getting wrong.”
Organizations need protection for any type of work they need to perform, and for any type of data they need to protect. And IBM’s cloud capabilities can help them lower their risks more effectively and efficiently.
Cloud Castles for Data Protection
“Strong passwords and credentials are often the first line of defense in an organization,” Henderson notes. This makes sure that the proper employees have access solely to the data they need to perform their jobs. On z/OS*, authentication has traditionally used passwords and passphrases. Unfortunately, such credentials can be vulnerable to theft if they are common across login platforms, if character lengths are relatively short or if the passphrases are predictable.
“As enterprises embrace the cloud—along with microservices application development and multidata center environments to host their workloads—security has become a shared responsibility between clients and their service providers.”
—Diana Henderson, offering manager for IBM Z and LinuxONE, IBM
To address this, authentication for z/OS now incorporates multiple authentication factors for users during the login process. IBM Multi-Factor Authentication for z/OS, in combination with z/OS Security Server RACF*, allows z/OS users to authenticate with multiple factors: something they know (e.g., a password), something they are (e.g., a fingerprint) and something they have (e.g., an ID badge).
In helping determine which data to encrypt, this past July, IBM introduced pervasive encryption for IBM z14*. With pervasive encryption, Z users can encrypt all of the data and not worry about picking out the data that might need protection.
“In some cases, organizations might not know where all of their data lies,” Henderson says. Pervasive encryption, she adds, provides a full-stack view when you look at the hardware, OS and the middleware. This is very much a collaborative approach. Pervasive encryption can also be used to encrypt data sets on z/OS.
“As enterprises embrace the cloud—along with microservices application development and multidata center environments to host their workloads—security has become a shared responsibility between clients and their service providers. Enterprises often bring their own tools, processes and licenses to support their cloud workloads and classify their most sensitive data. Pervasive encryption can make this much easier,” Henderson says. It also can help reduce the amount of data that might require an enterprise’s review for audit or compliance.
Pervasive encryption enables clients to avoid that complexity of classification and discovery and simply encrypt all of their data.
Protecting customer data can also extend to the analytics and cognitive capabilities for IBM Z. Henderson notes that clients are seeking real-time analytic insights from their data to drive better business outcomes. By keeping data on the platform, clients can run analytics where the data resides, avoid data deduplication and the latency associated with data movement, maintain data currency and leverage pervasive encryption to encrypt all data when combined with data-in-place capabilities like IBM Open Data Analytics for z/OS.
Other Tools
IBM Z also has boosted an enterprise’s ability to maintain security across its entire cloud network. “Previously, there was no way for a network administrator or an auditor to determine how network traffic was detected,” Henderson says. “But now IBM has made improvements in security that enable that.”
In addition, the IBM Secure Service Container “is a key capability for Linux* on IBM Z and LinuxONE,” Henderson says. With Secure Service Containers, clients and ISVs can securely build and deploy applications that are built as appliances. The data and application code that’s running in the Service Container are protected from unauthorized users. “The confidentiality of the encoded data is maintained through encryption, and the appliance code is validated through a trusted boot process in order to reduce the risk of tampering or malware and ensure that it originates from a trusted source,” Henderson says.
Yet another security capability is encryption key management. The network’s overseer can look at the keys when they’re on disk using the IBM Crypto Express card, a tamper-proof hardware security model. And when the encryption keys are put in the memory, they can be protected with the IBM CP Assist for Cryptographic Function wrapping key.
Stay Proactive
With today’s digital dangers, “data protection is a boardroom topic impacting all industries and all geographies,” Henderson says.
Cloud computing can help make the job easier—if its many security capabilities are put to work. The IBM Z platform’s tools and technologies have been sharpened to better fend off the cyberpillagers seeking to plunder enterprises’ precious data treasure.
Gene Rebeck is a freelance writer based in Duluth, Minnesota.