Saving With Data Set Encryption

Using the new feature on z14 lowers costs and streamlines processes

Data Set Encryption

The z/OS OS is known for its world-class security. It needs to be secure because some of the world’s most valuable data is stored on IBM Z. As we consider the newest z/OS offering from IBM, let’s start with some background about security best practices and the current capabilities behind z/OS.

Good security practices should already be a part of your environment. Clear policies, regularly applied and clearly laid out audit processes, identity management, access controls and key management are necessary components of data security.

All of these are enabled by the powerful capabilities in z/OS, and that won’t change. Encryption is another important element in your data protection strategy—and z/OS has recently been enhanced to strengthen that component. One example is data set encryption, which moves encryption functionality deeper into the fundamental data management components of the OS.

Data Set Encryption: A Better Approach

Traditional approaches to data encryption were piecemeal. In the past, the emphasis was on identifying important pieces of data and ensuring that they were properly protected. That required a careful process that could identify important data, establish a set of policies or processes to protect and ensure continued protection of that data.

In some cases, protection with encryption required actual program code in applications to follow a pattern of “read, decrypt, process, encrypt.” Of course, confirming that this pattern was maintained while ensuring continuous data protection involved examining every step in the development lifecycle. Especially important were the break-fix processes for developing patches for broken code. On top of each step in the lifecycle was the necessary documentation and audit trail demonstrating that processes were followed during the development and delivery stages.

The new data set encryption feature has made controlling data encryption a more centralized, comprehensive process. The feature offers two primary areas of benefit: First, it simplifies the administration of encryption for secure data. Second, it simplifies the entire development process for applications requiring embedded encryption-related code.

The introduction of data set encryption will free administrators from the burdensome task of identifying individual data sets. Building encryption capabilities into the data access methods also frees developers from considering encryption in their code. All data sets will look the same to the developer simplifying the pattern from “read, decrypt, process, write, encrypt” to the normal “read, process, write” pattern. This simplifies the development lifecycle and removes the burdensome audit overhead necessary for insuring compliance.

Lowering Costs With z14

In the past, the concern about computational overhead gave most customers reason to pause. That’s why encryption was reserved for only the most important data. New encryption hardware in z14 has made comprehensive data encryption affordable by dramatically improving performance.

With the lower overhead of new z14 capabilities, costs have been reduced. The tradeoff between machine expense and security/simplification has also shifted, and deserves another look from cost-conscious customers. In the following paragraphs we’ll examine both the costs and the potential benefits of z14. For details on the methodology and tools behind this process, see “A Word on Cost-Benefit Analysis.”

A Cost Analysis of z14

In this analysis, we’ll consider the following cost elements: Additional hardware, hardware maintenance and license cost increases. Every customer will be different, but we can make a reasonable guess by considering a market basket of typical z/OS products along with a conservative estimate of hardware and maintenance costs. We won’t include ISV license costs in this estimate.

Let’s take a look at the cost-side of the equation.

Figure 1 shows additional costs at various points along the MIPS curve. The marginal cost is the cost of each additional MIPS on an annual basis. The bottom row represents the cost of a 2.6 percent increase in MIPS from the base MIPS in the first row. For example, at 1,400 MIPS, the cost of each additional MIP is $1,829.70 per year. A 2.6 percent increase would represent an additional 36.4 MIPS for a total cost increase of $66.6 thousand per year.

Now that we have a cost estimate, we can look at the productivity benefits of simpler, more centralized encryption control.

The Improvements Outweigh the Costs

There are four groups that might benefit from simplified encryption control: Security, administration/operation, programmers and users (see Figure 2). In our IT economics studies, we typically see that total application development costs are roughly 10 times the systems administration/operation costs and it seems reasonable that there’s an order of magnitude relationship between each of the groups identified above. For example, if administration and operations require 50 people, then applications will require 500 people to support a user population of 5,000 users while the security team will require five people. It’s not perfect, but it will work as a method to get to a sense of value.

Because encryption will be completely transparent to the users, we can eliminate them from consideration. And because the security group head count is so small, we can ignore that as well. Instead, let’s turn our attention to the administration and applications groups. If we assume a mere 5 percent improvement in productivity, we can apply that improvement to the cost of resources in those areas.

What we need now is a way to tie labor costs to MIPS. This is where another observation from our IT economics experience becomes valuable. Our data shows that there’s a very good linear fit between MIPS and FTE labor for administration with a derived formula of FTE = 6 + MIPS/625. Using this formula and our order-of-magnitude rule, we can estimate the combined FTE’s for applications and administration. Assuming a standard fully burdened rate of $150,000 per employee, we get the results in Figure 2, which aligns with our estimated costs from earlier in the article.

The real cost-benefit relationship could be somewhere in the middle, but it could also be even greater depending on your own incremental costs or the depth and complexity of administration procedures and coding practices.

Moving From z13 to z14

Customers who are considering data set encryption should look at the potential savings of a z14 move. For example, we examined a set of z13 customers who enabled data set encryption. Overhead ranged from a low of 3 percent to a high of 35 percent, with the bulk of the values in the 5-15 percent range. The average overhead was 11.6 percent.

In contrast, we examined the estimated improvement in overhead on z14 due to more efficient encryption-related hardware. We saw an impressive improvement with overhead measuring between 1 percent and 8 percent, with the bulk of the values between 2-4 percent. The average for this set of numbers was 2.6 percent.

Using the same analysis that we did for our cost-benefit approach, we can see that moving from z13 to z14 could save a z13 customer substantially in hardware and software costs.

Remember—all customers should conduct a customized review of costs and potential benefits. Savings could be even higher depending on your own mix of products.

Ask your account team to run a CP3000 study and a zBNA study to determine actual MIPS changes for your environment and ask the IT Economics Team to perform a no-cost study to help you look at how data set encryption and z14 might benefit your company.

Data Set Encryption and z14: A Wise Choice

Pervasive encryption can radically simplify your ability to protect data through encryption by centralizing control over settings and simplifying your application code. Combined with z14, the reduced cost of encryption makes it possible to get comprehensive data protection at a very reasonable cost.

With data set encryption and z14, you can have your cake and (keep it safe) too.

A Word on Cost-Benefit Analysis

Any approach of cost-benefit analysis that covers a broad range of customers and a diverse set of applications must make some simplifying assumptions. The purpose of this analysis is to examine the potential tradeoffs and see if the value is sufficient enough to merit further exploration. IBM has tools that enable customers to get a more customized assessment of value, including CP3000, zBNA and IT economics studies. As you read this article, please keep in mind that your own situation will be different. As the car advertisements like to say, “Your mileage may vary!”

The IBM IT Economics Team can be reached at


Roger Rogers is a senior analyst and IT economics consultant on the IT Economics team, part of the IBM Competitive Project Office.

Like what you just read? To receive technical tips and articles directly in your inbox twice per month, sign up for the EXTRA e-newsletter here.

comments powered by Disqus



2018 Solutions Edition

A Comprehensive Online Buyer's Guide to Solutions, Services and Education.

An Aptitude for Mainframes

A simple test gave Martin Wills his start as a mainframe operator

Complete 360

After 45 years, innovation brings the mainframe full circle.

IBM Systems Magazine Subscribe Box Read Now Link Subscribe Now Link iPad App Google Play Store
Mainframe News Sign Up Today! Past News Letters