IBM mainframe encryption: The gold standard for security does an upgrade


Wayne Kernachan
01.03.2006


IT security is like spinach — necessary for well-being, but few enjoy it. However, the advent of business compliance is a rare opportunity to improve both security and the benefits derived from it. Thus, IBM's recent announcement of software for encrypting file formats on mainframe tapes and disks is not merely another System z9 encryption story: it rounds out an IBM mainframe security solution that should set the standard for another generation of business-critical system security.

IBM says its new System z9 z/OS software is specifically aimed to "help organizations … adhere to compliance laws." Over the last 30 years, at the least, customers have testified that the IBM mainframe is the "gold standard" for IT security, one that users depend on to protect their most trusted computer-based information assets. The new announcement shows that IBM senses the new difficulties and opportunities of security, and is moving proactively to answer customer needs.

So what is the impact of business compliance on security, and why is IBM's response appropriate?

Business compliance and security

In IT terms, business compliance is primarily about ensuring rapid access to information required by regulatory or legal authorities — all kinds of information, and access no matter how old the data is.

Business compliance impacts an environment in which the main focus of security has been the prevention of access to key proprietary information by unauthorized users. Enterprises may have accomplished prevention by disguising data (encryption), by erasing data as soon as possible, by removing data as soon as possible to a secure facility (archiving), or by controlling access to the data (access control, firewalls, and so on). In other words, security has emphasized keeping people outside a carefully chosen circle away from information; business compliance emphasizes giving new people outside that circle (and outside the enterprise) access to information.

Table 1 below shows the evolution of security caused by the clash between security and business compliance concerns.

Table 1: Impact on Security of Business Compliance

| Security Type | Business Compliance Requirement | Resulting Change in Security |
| --- | --- | --- |
| Disguising data | Provide rapid access to undisguised data to regulators/discovery, demonstrate data's safety from malicious attack | Allow encryption on data shared with partners, authorities, improve encrypt/decrypt speed |
| Erasing data | Save data of all types (structured accounting data, semi-structured email, unstructured media files) for many years, provide rapid access to the data | Instead of erasing data, archive in a secure but comprehensive, robust, and rapidly accessible manner |
| Placing (older) data in secure facility | Demonstrate data's safety from disaster, provide rapid access to all types of older data | Combine archiving with disaster recovery, add business-compliance (reporting) and security (firewall, encryption) mechanisms |
| Controlling data access | Demonstrate data's safety from malicious attack, extend right to access to regulatory and legal authorities and often to investors and the press | Integrate access-control and data-access (reporting, querying) mechanisms, make data stored on secure media available outside the enterprise. Use encryption over the internet when transmitting sensitive data. |

Note that the result of these changes is actually to make security better than before — with less performance overhead, more comprehensive and integrated across all enterprise information, more applicable to inter-organization communication, better integrated with risk management and disaster recovery. Thus, security is harder to do; but, once done, delivers more benefits.

IBM's Response

Table 2, below, shows the ways in which IBM System z9 is aiming to incorporate the needed changes in security.

Table 2: Impact on Security of Business Compliance and IBM Mainframe Offerings

| Security Type | Business Compliance Requirement | Resulting Change in Security | IBM Mainframe Offerings |
| --- | --- | --- | --- |
| Disguising data | Provide rapid access to undisguised data to regulators/discovery, demonstrate data's safety from malicious attack | Allow encryption on data shared with partners, authorities, improve encrypt/decrypt speed | Encryption Facility for z/OS 1.1 extends mainframe encryption to tape/disk to share secure data with partner; allows decryption by non-mainframe partners with Java client program. Encryption performance is accelerated in the System z9 server. Recent enhancements in encryption over the internet, with improved performance and simplified implementation. |
| Erasing data | Save data of all types (structured accounting data, semi-structured email, unstructured media files) for many years, provide rapid access to the data | Instead of erasing data, archive in a secure but comprehensive, robust, and rapidly accessible manner | IBM business compliance solution combines IBM reporting, information integration, security and archiving software and hardware (e.g., information lifecycle management) including centralized encryption and key management facilities. |
| Placing (older) data in secure facility | Demonstrate data's safety from disaster, provide rapid access to all types of older data | Combine archiving with disaster recovery, add business-compliance (reporting) and security (firewall, encryption) mechanisms | IBM solution combines IBM reporting, business compliance, disaster recovery, information integration, security and archiving software and encryption and compression hardware |
| Controlling data access | Demonstrate data's safety from malicious attack, extend right to access to regulatory and legal authorities and often to investors and the press | Integrate access-control and data-access (reporting, querying) mechanisms, make data stored on secure media available outside the enterprise. Use encryption over the internet when transmitting sensitive data. | Support for secure encryption keys in z9 Crypto Express2 cards with tamper-resistant Master Key. Support for recent encryption standards (AES-128, SHA-256) in the hardware encryption. Built-in support in z/OS operating system for centralized key management, including disaster recovery. |

In other words, IBM is extending System z9 security primarily by (a) integrating security with expanded business compliance and disaster recovery solutions in the servers and in the z/OS operating system and (b) expanding security offerings to improve performance and widen the scope of users employing IBM mainframe security (e.g., to more users outside the enterprise).

Conclusions

The bottom line is that while the mainframe is the gold standard of security, it's not hack-proof—and IBM is smart enough to know it. Take the time to make this upgrade. Big Blue has made it worth the effort.

This document is subject to copyright. No part of this publication may be reproduced by any method whatsoever without the prior written consent of Infostructure Associates. All trademarks are the property of their respective owners. While every care has been taken during the preparation of this document to ensure accurate information, the publishers cannot accept responsibility for any errors or omissions.


About Infostructure Associates

Infostructure Associates is an affiliate of Valley View Ventures that aims to provide thought leadership and sound advice to both vendors and users of information technology. This document is the result of Infostructure Associates sponsored research. Infostructure Associates believes that its findings are objective and represent the best analysis available at the time of publication.
