Competitively Priced Data Security
New tools are making encryption much easier, and improved technology is reducing the cost of encryption.
By Alex Feinberg, 11/30/2018
Protecting data with encryption is perceived as complex and computationally expensive. That’s why we seem to hear about another record-setting breach of unencrypted data every few weeks. But new tools are making it much easier, and more importantly, improved technology is reducing the cost of encryption to such an extent that it no longer needs to be reserved for just the crown jewels of your data.
GDPR Compliance Through Selective Encryption
A primary driver for this trend is the EU’s General Data Protection Regulation (GDPR), which enhances and extends individual rights, broadens the scope of personal data, and can impose huge fines for non-compliance, so securing customer data is an imperative. Achieving compliance with GDPR and other regulations using a selective encryption approach requires locating and classifying each instance of every sensitive data element, which is both expensive and error-prone.
Even when all sensitive data has been properly identified, changes to applications need to be hand coded, requiring a significant DevOps effort—including design, code, test and support, and all of the administrative overhead. It also requires ongoing maintenance as data proliferates and moves, and as regulations change. The overhead associated with these ongoing efforts can be substantial, and there are many opportunities for mistakes.
This was indeed the case just a few years ago, but with z14, the computational cost of data set encryption has been reduced to a negligible level. A survey of customers’ performance data shows that on z13, the overhead associated with data set encryption would have been more than 10 percent, but on z14 that overhead is, on average, just 2.6 percent. As a result, the overall cost of data set encryption for a typical basket of z/OS MLC products on z14 is just 20 percent of what it was on z13, and only 10 percent of what it cost on zEC12. With the dramatically lower computational overhead of encryption on z14, encrypting data sets pervasively is now more economical than attempting to encrypt selectively. For a visual representation of this data, see the three blue lines in Figure 1.
With all of this in mind, selective encryption seems penny wise and pound foolish. When the relatively small incremental costs of data set encryption on z14—including the one-time encryption of existing data—are compared to the costs associated with crafting a hand-coded solution, the hand-coded solution can be 10 to 20 times more expensive, depending on the size and complexity of the installation as measured in MIPS. This is illustrated by the red line in Figure 1.
Data in flight is not only encrypted, but encrypted to adequate standards. Each processor core has symmetric key cryptographic co-processing with CPACF, which fully implements AES cryptography in several modes. Common Criteria EAL5+ certified isolation provided by the type-1 hypervisor, PR/SM, defends against side-channel attacks on workloads. The hardware security module, Crypto Express6S, is designed to meet FIPS 140-2 level 4. That provides, as part of its comprehensive feature set, the highest possible level of protection for cryptographic keys. In addition, tools are provided to measure the impact of pervasive encryption before it’s implemented. As a result, z14 and LinuxONE are uniquely qualified to secure enterprise data.
Alex Feinberg is a senior IT architect and master certified IT specialist on IBM's IT Economics and Research Team.