IBM steps up mainframe encryption

Users and analysts say IBM's recent encryption software for zSeries mainframes is useful -- but what they really want is encryption in tape library hardware, expected in 2006.

IBM has announced the general availability of updates to its z/OS mainframe operating system that will allow users to encrypt data transferred to off-site media.

However, this is a temporary measure as IBM is expected to shift encryption off the mainframe altogether next year and leave this functionality in the hands of mainframe tape library hardware.

The latest updates will allow IBM mainframe users to use up-to-date algorithms for encryption and to manage and secure keys within the mainframe. They will also offer a more viable encryption acceleration capability in server hardware, as opposed to the software-based product that IBM offered in past decades, which proved too slow and expensive.

The new facility is still largely software-based, but the difference between this release and former attempts at mainframe encryption is that it uses an encryption processor included with zSeries servers.

"It's offloaded a lot of processing to a specific hardware device," said John Oltsik, senior analyst for information security with the Enterprise Strategy Group. "Encryption is a very processor-intensive application, so that helps. We're also a quantum leap ahead of where we were (when IBM last offered this) in terms of processing power in general."

Oltsik said it also helped IBM's case that market interest in data security has grown by leaps and bounds. "Until recently, a lot of the market just wasn't all that interested in data security and encrypting off-site media," he said. "Now there's an absolute demand to secure tape and data."

Not every user, however, is convinced. "Encryption is very processor intensive … If it's a small file, that will probably be okay, but I doubt the processor will be up to the task if you're trying to replicate a large file like a whole database. It could overrun the firmware and spill into the main CPU," said Bob Venable, manager of enterprise systems at BlueCross BlueShield Tennessee.

IBM mainframe customers must pay IBM licensing fees according to millions of instructions per second (MIPS). Currently, this means server-based hardware encryption will cost them more to deploy.

"Ideally, compression/encryption would be done away from the main CPUs with hardware/firmware capable of extremely high I/O rates -- ideally at the media level," Venable said. "Our current mainframe tape drives now do compression very efficiently and relatively inexpensively -- compression and encryption need to be together in our opinion."

"Mainframe MIPS are expensive," said Oltsik. "Users want to do as much as they can off of the mainframe." Moving the encryption capabilities to the tape storage system would also free up server processing power, he said.

Mary Moore, z/OS marketing manager for IBM System z9, admitted that z/OS users have been anxious for the new encryption features but "what they really value is a move of encryption capabilities to the tape storage subsystem."

According to Moore, shifting encryption to tape hardware is part of IBM's "stated direction" for its mainframe products, but she said she could not specify when this would take place. Oltsik predicted IBM could make another announcement on such a product early in 2006.

"They're on the on-ramp of this process," Oltsik cautioned. "They do have a roadmap and I think it's a good one, but it remains to be seen what they can execute."

The products released this week are the IBM Encryption Services feature and Encryption Facility for z/OS Client. The first gives IBM mainframe users the ability to use hardware-based AES-128 encryption and decryption for certain files on tapes. Encryption keys can be managed within z/OS by customers running z9-109, z900, z990, z800 or z890 systems, and z/OS versions 1.4 or above.

The file types supported within the mainframe by the Encryption Services feature include physical sequential input files, members of partitioned data sets (PDS) and partitioned data sets extended (PDSE), and files stored in z/OS UNIX System Services file systems. The feature can optionally compress input files before encrypting them and writing the output files. It can also use the large block interface for output files written to tape, to help optimize performance and media space.

IBM is also making available a Java-based downloadable application, called Encryption Facility, which allows business partners shipping encrypted z/OS tapes to decrypt and encrypt files at their end on multiple platforms.

Meanwhile, an encryption feature for data sets written to on-site archival storage through the z/OS Data Facility Storage Management Subsystem Data Set Services, or DFSMSdss, is slated to ship Dec. 2. This feature will cover files written through DFSMSdss to both tape libraries and disk archives.

This article originally appeared on

1 comment

I look forward to the return of 2006. I could really use a do-over for lots of stuff. Typos aside, we need all the beefed up security we can muster, though I'm still looking/hoping for a revolutionary update instead of a quiet evolution.