IBM Z Mainframe Runs Universal Encryption Quietly in the Background

Big Blue said this newest mainframe is its most significant system overhaul in 15 years. It was designed with input from 150 clients who cited data breaches and encryption as their biggest challenge and concern.

Data encryption has always been a pain in the patootie for anybody charged with making sure all of an enterprise’s data is tightly protected during its lifetime.

While an increasing number of x86-type server systems and consumer PCs are now using various encryption approaches, not much has been happening regarding the use of encryption in mainframes, which still comprise a healthy percentage of all the computing done in the world.

As of July 17, a lot more is now happening in mainframe encryption.

IBM announced that its new IBM Z mainframe will be able to encrypt all the data in an enterprise all the time—and without users even knowing that the documents they are accessing and sharing are encrypted. It’s literally pervasive encryption.

Biggest Mainframe Advancement in 15 Years, IBM Says

Big Blue said this newest mainframe is the most significant system overhaul in more than 15 years. It was designed with input from 150 clients who cited data breaches and encryption as their biggest challenge and concern. 

Encryption has always been expensive: encrypting small chunks of data at a time takes a lot of computing cycles, so a lot of time and power is always required. Not so with this new IBM system, which is automated and works as quietly as an international spy in the background.

“Our customers around the world called out for a different approach to solving the problems with perimeter defenses that most companies need,” IBM Vice-President of Offering Management for Z Systems Mike Desens told eWEEK. “So, based on those core competencies we had in the mainframe, the CISOs we’ve been working with defined this capability to do 100 percent encryption of all your data—without having to have any application changes or impacts to your service-level agreements.”

This new capability lays encryption on everything—and not only through mainframes. The encryption follows the Z system data store from cloud services to databases, and it’s extremely scalable. The IBM Z is capable of running more than 12 billion encrypted transactions per day.

Changes the Approach of Encryption

“This changes the approach from a straight perimeter defense to where the data is; that’s where the (new) perimeter is. By encrypting the data, even if those bad entities get into your data center and behind your firewalls, they’re getting access to encrypted data, which is useless,” Desens said.

This is IBM’s front-line response to the problem of data breaches and enterprise compliance—encrypting entire workloads all at once. The company said that in 2016 more than 4 billion data records were compromised, a 556 percent increase over 2015. Of the 9 billion records breached during the past 5 years, a mere 4 percent were encrypted.

Key takeaways from this news include:

--Encrypts all data, all the time: IBM Z for the first time makes it possible for organizations to encrypt all data associated with an entire application, cloud service or database in flight or at rest with one click. The standard practice today is to encrypt small chunks of data at a time, and invest significant labor to select and manage individual fields. This bulk encryption at cloud scale is made possible by a huge 7x increase in cryptographic performance over the previous generation z13, driven by a 4x increase in silicon dedicated to cryptographic algorithms.

--Tamper-responding encryption keys: A concern for organizations is protection of encryption keys–an extreme version of the problem faced by millions of consumers with the increasing complexity and vulnerability of passcodes. In large organizations, hackers often target encryption keys, which are routinely exposed in memory as they are used. IBM Z can protect millions of keys (as well as the process of accessing, generating and recycling them) in “tamper responding” hardware that causes keys to self-destruct at any sign of intrusion and then be reconstituted in safety.

The IBM Z key management system is designed to meet Federal Information Processing Standards (FIPS) Level 4 standards, where the norm for high security in the industry is Level 2. This IBM Z capability can be extended beyond the mainframe to other devices, such as storage systems and servers in the cloud. In addition, IBM Secure Service Container protects against Snowden-style insider threats from contractors and privileged users, provides automatic encryption of data and code in-flight and at-rest, and tamper-resistance during installation and runtime.

--Encrypted APIs: IBM z/OS Connect technologies make it easy for cloud developers to discover and call any Z application or data from a cloud service, or for IBM Z developers to call any cloud service. IBM Z now allows organizations to encrypt these APIs–the digital glue that links services, applications and systems–faster than alternatives based on x86.

The IBM Z also is designed to help clients build trust with consumers and comply with new standards such as the EU’s General Data Protection Regulation (GDPR) that increase data compliance requirements for organizations doing business in Europe starting next year.

GDPR will require organizations to report data breaches within 72 hours or face fines of up to four percent of annual revenues unless the organization can demonstrate that data was encrypted and the keys were protected. At the U.S. Federal level, the Federal Financial Institutions Examination Council (FFIEC), which includes the five banking regulators, provides guidance on the use of encryption in the financial services industry. Singapore and Hong Kong have published similar guidance.

More recently, the New York State Department of Financial Services published requirements regarding encryption in the Cybersecurity Requirements for Financial Services Companies.

--Streamlines compliance: Auditors now are expected to manually inspect and validate the security of databases, applications and systems. IBM Security tools and IBM Z for the first time make it possible for organizations to streamline this process–taking data and applications out of scope of compliance by automating the verification that data is, in fact, encrypted and that the keys are secure. This will reduce the complexity and mounting cost of compliance for auditors. The system also provides an audit trail showing if and when permissioned insiders accessed data.

In an example of IBM Z as an encryption engine for cloud services, IBM today announced the opening of six new IBM Blockchain Global Data Centers in New York, United Kingdom, Frankfurt, Tokyo, Toronto and Brazil all secured using IBM Z, as the company scales this service to global organizations.

Wait, There’s More: New Container Pricing

IBM also announced new Container Pricing for IBM Z, which provides simplified software pricing that combines flexible deployment with competitive economics.

IBM initially announced these three solutions:

  • New applications for the deployment of new microservices and applications that enable clients to maximize the value from on-premises enterprise systems securely and in real time. Users can now colocate applications to optimize qualities of services that are priced competitively with public cloud and on-premises platforms.
  • Application development and test with the freedom to substantially increase capacity of all development environments on z/OS to support latest DevOps tooling and processes. Customers can triple capacity with no increase in monthly license charge.
  • Payment systems pricing based on the volume of payments a bank is processing, not the available capacity. Particularly in the fast-growing Instant Payment segment, this greatly increases flexibility to innovate affordably in a competitive environment.

These container pricing options are designed to give clients the predictability they require for their businesses. Container pricing is scalable both within and across LPARs (logical partitions) and delivers enhanced metering, capping and billing capabilities. Container pricing for IBM Z is planned to be available by year-end 2017 and enabled in z/OS V2.2 and z/OS V2.3.

Chris Preimesberger

Chris Preimesberger is Editor of Features & Analysis at eWEEK, responsible in large part for the publication's coverage areas. In his 12 years and more than 3,900 stories at eWEEK, he has...