Pervasive Encryption is the No-Compromise Approach to Data Protection on IBM z14

IBM Z pervasive encryption gives organizations a compelling reason to rethink their data protection strategy.

How secure is your company’s data? The Ponemon Institute’s Cost of a Data Breach Study (ibm.com/security/data-breach) shows the likelihood your organization will have a data breach within the next two years is 27.7 percent. In 2017, Ponemon estimates the cost of a data breach to average $3.62 million. It may be time to ask yourself if your organization is willing to take that risk.

In an attempt to minimize the threat of a breach, enterprises deploy firewalls and DMZs, purchase different software systems and make application changes. However, the results are mixed at best. According to a report from analyst firm Solitaire Interglobal, of the 11.2 billion records breached in the last three years, fewer than 3.5 percent were encrypted (ibm.co/2vxGMtZ).

What about regulations? Organizations in a variety of industries must comply with an alphabet soup of regulations including HIPAA, Sarbanes-Oxley Act of 2002, PCI DSS and the new European Union General Data Protection Regulation. Regulated industries, like financial services, have the most costly data breaches because of fines and a higher than average rate of lost business and customers. In fact, in 2016, 24 percent of breaches affected financial organizations, according to the Verizon 2017 Data Breach Investigations Report.

As regulations grow increasingly complex, many hours per week are spent just understanding and interpreting them and the various changes that need to be made. Implementation of the controls can be costly, and policies need to be regularly assessed and updated. Audits—including internal, external and federal as well as those by customers and other third parties—occur on a regular and ongoing basis and can be costly and taxing for organizations.

Think about these pain points in concert with the reality that the IBM mainframe is a powerful tool that drives the digital economy. Trust is the currency that drives this new economy. It’s the foundation of digital relationships and demands security, transparency and greater value in every interaction and transaction.

With these facts in mind, IBM equipped the new z14 system with pervasive encryption. Transitioning away from selective encryption to end-to-end protection helps organizations secure all of their enterprise data while reducing the cost and complexity of meeting compliance mandates.

“Strong walls and perimeter defenses are no longer adequate to shield organizations from cyberattacks. We must view data as the new perimeter, and put the security controls for the data on the data itself,” says Nick Sardino, program director, IBM Z Offering Management. “That means implementing strong encryption of data wherever it resides.”

The New Standard

Encryption is perceived as complex. Organizations struggle with determining which data should be encrypted, where encryption should occur (e.g., hardware, database or applications) and which business unit or executive is responsible for it (e.g., the CSO, DBA or line of business).

Because the responsibility for encryption is unclear, many companies only encrypt what’s required for compliance. Often this means encryption occurs at the application level. Doing so is costly because it requires people with the skills to handle the encryption, and ongoing maintenance is needed throughout the application lifecycle. Application outages often impact encryption, and application updates may be necessary to comply with regulatory changes. It can also be time consuming to determine what data needs to be encrypted. “Encrypting only the data required for compliance should be viewed as a minimum threshold, not a best practice,” explains Sardino.

IBM realized a better solution was needed. Because data is the new perimeter, encryption must evolve to protect all of the data on IBM Z. Pervasive encryption provides a transparent and consumable approach to enable extensive encryption of data in flight and at rest to simplify and reduce the costs associated with protecting data and achieving compliance mandates.

To achieve pervasive encryption, IBM Z delivered several new capabilities integrated throughout the z14 stack in the hardware, OS and middleware. The on-chip cryptographic acceleration was enhanced to provide more than 6x more performance than z13 at more than 18x faster than competitive platforms, according to the Solitaire Interglobal report. Bulk file and data set encryption was placed at a point in the OS where the encryption would be transparent to applications and highly optimized for performance. IBM also designed new capabilities to encrypt the data in the z/OS Coupling Facility, and more easily report on the security of z/OS network sessions.

IBM middleware such as Db2 and IMS was enhanced to exploit these new features as well. “Clients can transition Db2 and IMS high-availability databases from unencrypted to encrypted without stopping the database or the application,” says Sardino, “which is a huge value for the DBAs that we’ve spoken to.”

IBM Security also got in on the collaboration with IBM Z, enhancing the IBM Security zSecure suite to provide administration and audit support for pervasive encryption. The suite can feed data into a newly designed QRadar dashboard for auditors. Other IBM Security solutions such as IBM Security Guardium Data Encryption for Db2 and IMS Databases and IBM Security Guardium Data Activity Monitor can be layered on top of pervasive encryption for additional levels of data protection.

“Pervasive encryption on IBM Z is a comprehensive solution for clients to protect all of their organization’s most critical assets on the platform,” says Sardino, “and by collaborating with IBM Security, we are removing much of the cost and complexity associated with demonstrating compliance to auditors.”

Shift in Thinking

IBM Z pervasive encryption gives organizations a compelling reason to rethink their data protection strategy because an option like this has never been available before. “We are enabling a paradigm shift from selective encryption to pervasive encryption with z14. Organizations no longer have to choose what data to encrypt, they can simply encrypt all of the data, reducing the impact of a data breach and drastically simplifying compliance,” Sardino says.

In addition to helping organizations protect all of their digital assets, pervasive encryption can decouple identification and classification from the process of encryption and reduce the risk of unidentified or misclassified data. It also makes sensitive data within the enterprise more difficult for attackers to identify because it’s all encrypted.

By quickly and easily demonstrating to auditors that all of their data is encrypted, organizations can reduce the cost and complexity associated with encryption.

No Compromises

The IBM Z platform is the only one to offer the protection of pervasive encryption. This no-compromise approach to data protection is at the core of trusted digital experiences. With pervasive encryption you can rest easy knowing your data is secure.

“The new capabilities being delivered with z14 will allow organizations to encrypt all of the data associated with an application or database, without the need to make any application changes, and without impacting service-level agreements,” says Sardino. “No other platform in the world can do this.”