Security Blog Shield


Competitively Priced Data Security

November 30, 2018

Protecting data with encryption is perceived as complex and computationally expensive. That’s why we seem to hear about another record-setting breach of unencrypted data every few weeks. But new tools are making it much easier, and more importantly, improved technology is reducing the cost of encryption to such an extent that it no longer needs to be reserved for just the crown jewels of your data.

GDPR Compliance Through Selective Encryption

Implementation strategies that encrypt selectively to achieve compliance present challenges, including identifying, locating and classifying critical data. In fact, in the 2018 Ponemon “Global Encryption Trends” study, 67 percent of respondents said that discovering where sensitive data resides was their most difficult challenge, up from 59 percent just one year earlier. In addition, 34 percent of respondents cited data classification as a difficult challenge.
A primary driver for this trend is the EU’s General Data Protection Regulation (GDPR), which enhances and extends individual rights, broadens the scope of personal data, and can impose huge fines for non-compliance, so securing customer data is an imperative. Achieving compliance with GDPR and other regulations using a selective encryption approach requires locating and classifying each instance of every sensitive data element, which is both expensive and error-prone.
Even when all sensitive data has been properly identified, changes to applications need to be hand coded, requiring a significant DevOps effort—including design, code, test and support, and all of the administrative overhead. It also requires ongoing maintenance as data proliferates and moves, and as regulations change. The overhead associated with these ongoing efforts can be substantial, and there are many opportunities for mistakes.

Bulk Encryption

The alternative to a selective encryption approach is to encrypt entire data sets. With this approach, you’re sure to catch all sensitive data without ongoing maintenance as data and regulations change. But for mainframe customers, bulk encryption immediately raises the concern of increased monthly license charges (MLCs). Many fear that the overhead associated with encrypting and decrypting data sets could significantly increase consumption measured in million instructions per second (MIPS), and as a result, costs.
This was indeed the case just a few years ago, but with z14, the computational cost of data set encryption has been reduced to a negligible level. A survey of customers’ performance data shows that on z13, the overhead associated with data set encryption would have been more than 10 percent, but on z14 that overhead is, on average, just 2.6 percent. As a result, the overall cost of data set encryption for a typical basket of z/OS MLC products on z14 is just 20 percent of what it was on z13, and only 10 percent of what it cost on zEC12. With the dramatically lower computational overhead of encryption on z14, encrypting data sets pervasively is now more economical than attempting to encrypt selectively. For a visual representation of this data, see the three blue lines in Figure 1.


Figure 1

With all of this in mind, selective encryption seems penny wise and pound foolish. When the relatively small incremental costs of data set encryption on z14—including the one-time encryption of existing data—are compared to the costs associated with crafting a hand-coded solution, the hand-coded solution can be 10 to 20 times more expensive, depending on the size and complexity of the installation as measured in MIPS. This is illustrated by the red line in Figure 1.

Pervasive Encryption

The pervasive encryption approach, which is built into z14 and LinuxONE, ensures that all enterprise data is secured because all data is encrypted—including data at rest and in flight. In addition to eliminating the need to locate and classify data, these systems address concerns of cost by enabling the encryption of data without modification to applications, and without impact to service-level agreements (SLAs).
Data in flight is not only encrypted, but encrypted to adequate standards. Each processor core has symmetric key cryptographic co-processing with CPACF, which fully implements AES cryptography in several modes. Common Criteria EAL5+ certified isolation provided by the type-1 hypervisor, PR/SM, defends against side-channel attacks on workloads. The hardware security module, Crypto Express6S, is designed to meet FIPS 140-2 level 4. That provides, as part of its comprehensive feature set, the highest possible level of protection for cryptographic keys. In addition, tools are provided to measure the impact of pervasive encryption before it’s implemented. As a result, z14 and LinuxONE are uniquely qualified to secure enterprise data.

Alex Feinberg is a senior IT architect and master certified IT specialist on IBM's IT Economics and Research Team.
