IBM z14 Pervasive Encryption Protects All Data

IBM z14 pervasive encryption
Illustration by Phil Wheeler

More than 9 billion data records have been lost or stolen since 2013, according to digital security company Gemalto’s Breach Level Index. Only 4 percent of those breaches were “secure,” meaning the data was encrypted. A report by Solitaire Interglobal Ltd., sponsored by IBM, “Pervasive Encryption, A New Paradigm for Protection,” found that only 2.13 percent of enterprise data within data centers is encrypted.

“The reality is that encryption is largely absent from corporate data centers,” says Nick Sardino, program director, IBM Z* Offering Management. “The low rate for encryption is extremely shocking and disappointing.”

The new IBM z14* mainframe is poised to change that. Protecting only the data required to achieve compliance should be viewed as a minimum threshold, not a best practice. This is why IBM moved from selective encryption to pervasive encryption, where all data is encrypted. With z14, clients can encrypt data at scale without having to change their applications.

“With the new capabilities in hardware, OS and middleware, we have the delivery system to allow clients to have pervasive encryption at a price and performance that has not been possible until now,” he adds.

Data and Application Protection

If encrypted data is stolen, it’s useless without the encryption key, which gives businesses an extra layer of protection in the event of a breach. Naturally, attackers might then target the encryption keys themselves. On x86 systems, encryption keys can sit in the clear in memory, where a compromised OS or hypervisor can read them. The z14 system instead uses protected keys: the key material is wrapped by a tamper-responding hardware security module, and on-chip cryptographic acceleration operates on the wrapped form, so the clear key is never visible to software.

“In Z, the encryption keys are never exposed to the hypervisor, OS or application,” Sardino says. “If that protected key gets exposed to the hacker, it’s worthless because it can’t be used to decrypt the data. This is something that only Z can do.”
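The protected-key idea described above, as an added illustration that is not IBM’s code or an interface to CPACF or a real HSM: a simulated module holds a master key that never leaves it, hands the OS only a wrapped blob, and does the data encryption internally, so a leaked blob cannot decrypt anything on its own or on another module. The stream cipher, the `SimulatedHSM` class and the blob layout are all assumptions made for this example.

```python
import hashlib
import hmac
import os

def _prf_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy counter-mode stream cipher from HMAC-SHA256 (stand-in for AES so the
    # example needs only the standard library). Same call encrypts and decrypts.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

class SimulatedHSM:
    # Hypothetical tamper-responding module: the master key never leaves it.
    def __init__(self) -> None:
        self._master = os.urandom(32)

    def generate_protected_key(self) -> bytes:
        # The clear data key exists only here; the caller receives
        # nonce || wrapped key || integrity tag, which is all the OS/app holds.
        clear, nonce = os.urandom(32), os.urandom(16)
        wrapped = _prf_xor(self._master, nonce, clear)
        tag = hmac.new(self._master, nonce + wrapped, hashlib.sha256).digest()
        return nonce + wrapped + tag

    def _unwrap(self, blob: bytes) -> bytes:
        nonce, wrapped, tag = blob[:16], blob[16:48], blob[48:]
        expect = hmac.new(self._master, nonce + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("blob was not wrapped by this module")
        return _prf_xor(self._master, nonce, wrapped)

    def crypt(self, protected_key: bytes, nonce: bytes, data: bytes) -> bytes:
        # Encrypt or decrypt; the unwrapped key lives only for this call.
        return _prf_xor(self._unwrap(protected_key), nonce, data)

def leaked_blob_is_useless(hsm: SimulatedHSM, blob: bytes, plaintext: bytes) -> bool:
    # Model a leak: the protected-key blob is copied out of application memory;
    # its wrapped-key bytes are tried directly, then on a different module.
    nonce = os.urandom(16)
    ct = hsm.crypt(blob, nonce, plaintext)
    direct = _prf_xor(blob[16:48], nonce, ct)
    try:
        SimulatedHSM().crypt(blob, nonce, ct)
        other_rejects = False
    except ValueError:
        other_rejects = True
    legit = hsm.crypt(blob, nonce, ct) == plaintext
    return legit and other_rejects and direct != plaintext
```

The same property is what the quote relies on: software only ever holds the blob, so compromising the OS or hypervisor yields nothing that decrypts data outside the module that wrapped it.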

By making pervasive encryption easier and less expensive than ever with z14, IBM has removed challenges to implementation. The Central Processor Assist for Cryptographic Function (CPACF), available on every z14 core, features both the cryptographic suite and performance characteristics that enable bulk encryption of data.

“With z14, you get the value of encryption for the lowest possible cost. Plus you can encrypt at scale,” Sardino says. “Clients can now protect all application and database data without interrupting business applications or operations. Encryption can be implemented without changing applications, and organizations can transition from unencrypted to encrypted databases without stopping the application. That’s a huge benefit.”

While it might be possible to encrypt data at scale on other systems, the advantages and cost savings available with z14 make it the optimal solution. “We’ve made a 400 percent increase in the on-chip circuitry dedicated to encryption. We’ve also optimized the encryption algorithms in the hardware,” Sardino notes. “From IBM z13* to z14, the CPU required is going to be significantly lower.”

The z14 pervasive encryption solution offers:

  • Hardware-accelerated encryption on every core that’s 7x faster than z13
  • Bulk encryption at the OS level for simple implementation, transparent exploitation and optimized performance
  • More than 18x faster encryption at 5 percent of the cost of alternative solutions
  • A secure service container that delivers tamper-resistant installation and runtime, restricted administrator access, and encryption of data and code
  • End-to-end encryption of the z/OS* Coupling Facility data that’s transparent to applications
  • Encryption of all incoming and outgoing network connections for true end-to-end protection
  • A more secure cloud by encrypting APIs up to 3x faster than x86 systems

A Renewed Need for Encryption

A slew of recent high-profile breaches have kept data security in the headlines. Organizations realize that attacks on their data are inevitable. At the same time, the data compliance landscape has also changed radically. For example, the General Data Protection Regulation (GDPR), the European Union compliance standard regarding data protection that takes effect in May, could impose fines of up to 4 percent of an organization’s global revenues for a data breach. (Read more about how clients can prepare for GDPR compliance in “Worldwide Preparation.”)

“Regulations are getting more aggressive in terms of their requirements and their fines,” Sardino says. “Organizations are spending tremendous amounts of time and money to meet these increasingly complex compliance mandates and are looking for new ways to reduce that burden.”

Encryption is one of the technologies that enables organizations to reduce the cost, impact and even likelihood of a breach, Sardino says. He notes that encrypting data can help companies meet the stringent requirements of GDPR, HIPAA and other mandates.

“If breached data has been made unidentifiable by techniques such as encryption, organizations might not have to report the breach,” he says. “Encryption is extremely effective in helping organizations reduce the cost of data breaches and also meet regulatory requirements. So you’d think based on that, encryption would be a no-brainer, that everybody would just be using it. But they’re not.”

In today’s business climate, where the question is no longer if a hack will occur but rather when, organizations are compelled to find effective and cost-efficient data security solutions, Sardino says. “We’ve taken encryption, understood our clients’ pain points and put together a comprehensive solution to make it very easy for clients to implement at scale. It makes encryption so easy that there’s no reason not to do it.”


Pain Points Resolved

Traditionally, encryption has been a complex process. Organizations struggled to determine which data to encrypt, where encryption should occur and who was responsible for it. The process often required changes to applications. Performing encryption at scale also required a significant investment. Pervasive encryption decouples the process of identification and classification from encryption because all data can be encrypted, thereby reducing the risk of unidentified or misclassified data.

“Encryption has been around for a long time. Clients experienced the pain points that it’s been expensive and slows down performance,” Sardino says. “Organizations today are implementing selective encryption. They only encrypt the data needed to meet the minimum threshold for compliance regulations, which is usually only the most sensitive data. With z14, pervasive encryption is the new standard.”

With pervasive encryption, IBM overcomes traditional challenges to make encryption affordable and scalable without impacting service-level agreements (SLAs), he says. “Our clients are particularly sensitive to system performance. However, with pervasive encryption, organizations can encrypt data at enterprise scale without impacting SLAs such as transactional throughput or response time.”

The Solitaire Interglobal report found that the IBM pervasive encryption solution requires less overhead than other systems. Organizations that deploy pervasive encryption on IBM Z can reduce overall processing overhead by as much as 91.7 percent, according to the report. The report also found that the total cost of ownership for IBM Z security implementations was as much as 83.7 percent lower than on other platforms.

Comprehensive Security Strategy

IBM Z faces security threats from a variety of sources, Sardino warns, and no single control can prevent them all.

“Pervasive encryption is the foundation of a larger data security and protection strategy,” he explains. “Different solutions protect against different types of threats. Pervasive encryption is a good way to protect data at-rest and in-flight, but an attacker using the stolen credential of an authorized user may still be able to see unencrypted data.”

Sardino advises organizations to integrate pervasive encryption as a fundamental component of a strategic security plan. That should include multi-factor authentication and data activity monitoring to identify who is accessing data. Security intelligence is also critical, using detailed audit records and user behavior analytics to spot anomalies.

Pervasive encryption can also simplify and accelerate the process of working with a compliance auditor.

“When clients are doing selective encryption and sit down with the auditor, they have to show how they decided what data to encrypt. They have to show the application changes needed to do the encryption and where those changes were made. This can be a long, drawn-out process,” Sardino points out. “If they can easily show the auditor that they’ve encrypted all the data across all applications, this is an extremely powerful statement that shows they have met and improved the compliance capability of the organization.”

Time for Encryption

Total encryption may be a seismic shift for some organizations, yet it offers unparalleled advantages. Some companies are worried about breaches because of the damage to their brand, potential lawsuits, loss of intellectual property and the erosion of customers’ trust. Other organizations are wrestling with meeting increasingly stringent compliance mandates. Despite having so much at stake, many organizations haven’t started their data protection initiatives, Sardino says.

“With z14, IBM is really delivering a comprehensive set of capabilities that make pervasive encryption of at-rest and in-flight data possible for the first time, including compliance reporting and key management,” he says.

Businesses should examine applications where critical data is stored, then start encryption there. After that, companies can roll it out on an application-by-application basis until all data is encrypted.

“The goal is to get everything encrypted across all workloads and applications,” he says. “The real value is when encryption is pervasive.”

Brett Martin is a freelance writer based in Shakopee, Minnesota. He’s been writing about business and technology for more than a decade.
