IBM unveils pervasive encryption approach in z14 mainframe

IBM wants businesses to use its new z14 mainframe to encrypt pretty much everything -- an approach to security it calls pervasive encryption.

Encrypting everything, and restricting access to the keys, is one way to reduce the risk and impact of data breaches. It can reduce the threat surface by 92%, according to research commissioned by IBM.

To make such pervasive encryption viable, the z14 has four times as much silicon devoted to cryptographic accelerators as its predecessor, the z13, giving it seven times the cryptographic performance.

That allows it to encrypt up to 12 billion transactions per day, according to IBM.

For other workloads, running under either z/OS or Linux, the z14 has 35% more capacity than the z13, the company said. That's possible because the z14 has three times the memory (up to 32 terabytes) and three times faster input-output than its predecessor, and a significant reduction in SAN latency when using zHyperLink.

As well as the hardware changes, the mainframe range has undergone a discreet change of name: Instead of the awkwardly capitalized z Systems, it's now called IBM Z.

The x86 systems that IBM Z is up against typically don't have the processing power to encrypt everything, all the time: They take a piecemeal approach, encrypting a password here, a credit card number there, with the result that plenty of personal information is there for the taking, if only hackers can find their way in.

In contrast, the z14 can encrypt every file -- or data set in IBM Z parlance -- and restrict who can access the keys, said Mike Jordan, distinguished engineer with IBM z Systems Security: Privileged users such as storage administrators, for example, will be able to move or copy files to do their job, but won't be able to decrypt them.

"We can eliminate those classes of users from risk if their IDs get hacked or attacked," he said.

Applications that do need to decrypt the data will run under a special user ID that can access the decryption key -- but such user IDs typically cannot be used to log in to the system, making it harder for hackers to both grab a file and decrypt it.

Even where a business is running development, test and production environments on the same machine, there is cryptographic separation between the environments, Jordan said. If hackers were to take over the test environment, say, and access its encryption keys they would still not be able to decrypt production data.
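The separation described above (storage administrators can copy a data set but not decrypt it, only the authorised application ID gets the key, and each environment has its own key) as an added Python model; this is not IBM's code, it uses a constructed HMAC-based cipher in place of the z14's hardware AES, and the key labels and user IDs are assumed.

```python
import hashlib, hmac, secrets

# Toy authenticated cipher (HMAC-SHA256 keystream, encrypt-then-MAC): a constructed stand-in for hardware AES.
def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise PermissionError("wrong key or tampered data set")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KeyStore:
    """One key per environment (key label), released only to authorised user IDs."""
    def __init__(self):
        self.keys, self.acl = {}, {}
    def create(self, label, authorised_ids):
        self.keys[label] = secrets.token_bytes(32)
        self.acl[label] = set(authorised_ids)
    def key_for(self, user, label):
        if user not in self.acl.get(label, ()):
            raise PermissionError(f"{user} is not authorised for key label {label}")
        return self.keys[label]

def encrypt_dataset(store, user, label, plaintext):
    return {"key_label": label, "blob": seal(store.key_for(user, label), plaintext)}

def decrypt_dataset(store, user, ds):
    return unseal(store.key_for(user, ds["key_label"]), ds["blob"])

def _succeeds(fn):
    try:
        fn(); return True
    except PermissionError:
        return False

def scenario():
    store = KeyStore()
    store.create("PROD.DSKEY", {"PRODAPP"})  # constructed key labels and user IDs
    store.create("TEST.DSKEY", {"TESTAPP"})
    prod = encrypt_dataset(store, "PRODAPP", "PROD.DSKEY", b"acct=12345678 bal=100.00")
    backup = dict(prod)  # STGADMIN copies the data set: bytes move, no key is released
    return {"stgadmin": _succeeds(lambda: decrypt_dataset(store, "STGADMIN", backup)),
            "testapp": _succeeds(lambda: decrypt_dataset(store, "TESTAPP", backup)),
            "test_key_opens_prod": _succeeds(lambda: unseal(store.keys["TEST.DSKEY"], backup["blob"])),
            "prodapp": decrypt_dataset(store, "PRODAPP", backup)}
```

The `test_key_opens_prod` entry models an attacker who has taken over the test environment and obtained its key: the tag check on the production data set fails, so the copy stays unreadable.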

The key management system meets Federal Information Processing Standards (FIPS) Level 4 requirements, where the industry norm is only Level 2, IBM said.

All that makes it harder for hackers to get in. IBM commissioned research firm Solitaire Interglobal to study the impact of pervasive encryption on businesses. Drawing on 21 years' worth of data about security incidents, the researchers concluded that, "Of the breaches and incursions analyzed, they could reduce the threat surface by 92% by having pervasive encryption on IBM Z," said Nick Sardino, IBM's program director for offering management, z Systems Growth Initiatives.

What would that additional security cost, though? Solitaire modeled the cost of running a business on IBM's z14 and compared it with data from thousands of businesses using x86 systems of different sizes to selectively encrypt data. Report author Kat Lind concluded that, for IBM Z and x86 systems supporting the same overall level of business performance, the IBM Z encryption system would deliver 18 times the performance for one-twentieth the cost of the selective encryption systems in the x86 systems studied. The cost takes into account personnel, CPU capacity required, memory levels, and other factors.