Evolving Solutions Perspective – IBM z14 pervasive encryption strength versus the IBM z13 server platform and prior platforms.
Pervasive Encryption is an approach in which the enterprise encrypts its application data (sequential data sets, VSAM), its database data (DB2, IMS/DB) and all network traffic entering or leaving its Large Systems server. As a reminder, clients consider this capability given the ever-increasing threat of a platform breach, followed closely by compliance pressure centered primarily on the EU GDPR and on avoiding its penalties, which become enforceable in May 2018.
Data set level encryption is made possible by service to the DFSMSdfp component of the operating system that allows extended format data sets to be tagged for encryption at the time they are created. Once tagged, the access method calls the cryptographic primitives to encrypt data on write and decrypt it on read, transparently to the application. Because the tag is applied at creation, existing data sets are not converted in place: a bulk unload and reload into newly created encrypted data sets is required.
A high level summary of required support is found in the table below:
To create an encrypted data set, you assign a key label to the data set when it is created. A key label can be specified through a RACF data set profile, through JCL, or through the SMS data class selected by the ACS routines. The key label points to a 256-bit AES key in the Integrated Cryptographic Service Facility (ICSF) key store known as the Cryptographic Key Data Set (CKDS). Keys in the CKDS are enciphered under a symmetric AES master key that never leaves the hardware-protected boundary of the Crypto Express5S or Crypto Express6S adapter, an optional but highly desirable feature, especially when weighed against the EU GDPR penalty of up to 4% of annual turnover and the value this secure key store offers your enterprise.
Reading between the lines, it is clear that ICSF takes a very active role in protecting your most important assets. ICSF provides API access to the cryptographic primitives for high performance hashing, SSL/TLS handshake offload and encryption/decryption. Prior to this Pervasive Encryption capability, clients who wanted encrypted data sets had to code to these APIs themselves. That is no longer necessary.
Clients have the option to implement data set level encryption by policy, using IBM Resource Access Control Facility (RACF®) data set profiles to define that policy. RACF controls data set access by identifying and verifying authorized users and by preventing unauthorized users from accessing data; the same profiles can now also carry the key label, so every data set they cover is created encrypted without changes to JCL or to the application.
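The following job is an added example of the three key-label paths described above, not something from the article or from IBM documentation. It assumes RACF as the security manager, SMS-managed storage whose ACS routines assign a storage class that permits extended format, and a 256-bit AES DATA key already generated into the ICSF CKDS under the hypothetical label DATASET.PROD.CUST.KEY01; the data set names, user ID CUSTAPP and job card are likewise hypothetical.

```jcl
//DSENCRYP JOB (ACCT),'DATASET ENCRYPTION',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the article or IBM documentation.
//* Assumes: AES-256 DATA key DATASET.PROD.CUST.KEY01 exists in the CKDS
//* (hypothetical label), SMS-managed storage, RACF active. CUSTAPP and
//* the PROD.CUST.* data set names are hypothetical too.
//*
//* STEP 1: policy. Protect the key label in CSFKEYS and let ICSF hand it
//* to CPACF as a protected key (SYMCPACFWRAP/SYMCPACFRET); grant the key
//* only for SMS data set encryption, not for general ICSF callers; then
//* put the key label in the DFP segment of the data set profile so every
//* new extended-format data set matching PROD.CUST.** is encrypted
//* automatically, with no JCL change. READ on the STGADMIN FACILITY
//* profile is needed when the label comes from RACF or JCL rather than
//* from the data class.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(CSFKEYS) RACLIST(CSFKEYS)
  RDEFINE CSFKEYS DATASET.PROD.CUST.KEY01 UACC(NONE) +
     ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
  PERMIT DATASET.PROD.CUST.KEY01 CLASS(CSFKEYS) ID(CUSTAPP) +
     ACCESS(READ) WHEN(CRITERIA(SMS(DSENCRYPTION)))
  ADDSD 'PROD.CUST.**' UACC(NONE) +
     DFP(RESOWNER(CUSTAPP) DATAKEY(DATASET.PROD.CUST.KEY01))
  PERMIT 'PROD.CUST.**' ID(CUSTAPP) ACCESS(UPDATE)
  RDEFINE FACILITY STGADMIN.SMS.ALLOW.DATASET.ENCRYPT UACC(NONE)
  PERMIT STGADMIN.SMS.ALLOW.DATASET.ENCRYPT CLASS(FACILITY) +
     ID(CUSTAPP) ACCESS(READ)
  SETROPTS RACLIST(CSFKEYS FACILITY) REFRESH
  SETROPTS GENERIC(DATASET) REFRESH
/*
//*
//* STEP 2: key label in JCL. DSKEYLBL= overrides a data class key label
//* but is itself overridden by a DATAKEY in the covering RACF profile, so
//* when both exist the profile wins. DSNTYPE=EXTREQ forces extended
//* format; a key label on a non-extended-format allocation can otherwise
//* be ignored and yield a cleartext data set (the FACILITY profile
//* STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC, where available, turns that
//* into an allocation failure instead).
//ALLOC    EXEC PGM=IEFBR14
//ENCDS    DD DSN=PROD.CUST.MASTER.NEW,DISP=(NEW,CATLG,DELETE),
//            DSNTYPE=EXTREQ,DSKEYLBL='DATASET.PROD.CUST.KEY01',
//            RECFM=FB,LRECL=200,SPACE=(CYL,(50,10),RLSE)
//*
//* STEP 3: migrate existing cleartext data. Encryption applies only to a
//* data set created with a key label, so the old file is copied into the
//* new encrypted one; the cleartext original is scratched afterwards.
//COPY     EXEC PGM=ICEGENER
//SYSPRINT DD SYSOUT=*
//SYSUT1   DD DSN=PROD.CUST.MASTER,DISP=SHR
//SYSUT2   DD DSN=PROD.CUST.MASTER.NEW,DISP=OLD
//SYSIN    DD DUMMY
//*
//* Check: LISTCAT ENTRIES('PROD.CUST.MASTER.NEW') ALL shows an
//* ENCRYPTIONDATA section with DATA SET ENCRYPTION YES and the key label.
```

Two points worth checking in your own environment: the CSFKEYS PERMIT is deliberately conditional (WHEN(CRITERIA(SMS(DSENCRYPTION)))), so the application can read and write the encrypted data set but cannot call ICSF to retrieve the key for any other purpose; and the precedence order (RACF profile, then JCL or dynamic allocation, then data class) means a DATAKEY in a broad generic profile silently takes over from a DSKEYLBL a job thought it was choosing, which is exactly what you want for policy enforcement but surprises people during testing.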
When you study the above table and focus on the minimum hardware platform, you might ask, "Why would I ever consider investing in IBM's latest server technology?" After all, IBM clearly states that pervasive encryption runs on older server technology, from the z196 onward, including the z13 class server. There is a very good reason to consider investing in the IBM z14 platform nonetheless; consider the following.
One of the unique capabilities of IBM’s Large System platform is its ability to measure usage. Armed with this usage information, it is possible to estimate the additional processing power required to encrypt all of your data, estimate the incremental software cost, and then develop a corresponding Return on Security Investment (RoSI) model given the significantly improved risk posture you will deliver to the data that resides on the Large Systems platform. Evolving Solutions performs that service at no charge for clients interested in understanding the cost of full site encryption to improve their breach risk posture for their Large Systems platform. One such study for a client revealed the following:
The above graph represents an estimation of the additional MSUs required to implement data set encryption on 75% of the I/Os from this CPC.
Note how much lower the green MSU burn rate is:
- The green rate is the incremental MSUs required to encrypt and decrypt that same workload on an IBM z14 server during the same peak period.
- The other rate is its z13 counterpart: a very capable alternative with a strong cryptographic primitive stack, just not as efficient as its follow-on, because the z14's CPACF performs the AES work with considerably higher throughput per MSU consumed.
Pervasive Encryption significantly reduces the time and effort required to demonstrate GDPR compliance, and it shrinks the compliance scope, since so much data is now encrypted and off the compliance table. Real-time self-service audit verification is possible through extensions to the IBM zSecure offering, and a QRadar app is available that takes the zSecure Audit results and exposes them on a dashboard.
From an Evolving Solutions perspective, as you weigh the costs and benefits of implementing Pervasive Encryption, strongly consider investing in server technology that will both improve your risk posture and provide a positive return on security investment. The IBM z14 platform makes for a smart investment. If you are interested in a complimentary study for your organization, feel free to reach out to me via LinkedIn or send me an email at firstname.lastname@example.org.
Learn more about Evolving Solutions enterprise server solutions.
Evolving Solutions next article will center on Machine Learning on the IBM z14 platform.