IBM Z Mainframes Promise to Break Down Barriers to Data Encryption

NEWS ANALYSIS: The new real-time encryption feature IBM is offering with it Z series mainframes should help overcome corporate resistance to implementing system-wide data encryption.

Data Encryption Key

At the risk of sounding repetitive like a broken record, I'll say it again. Encryption is vital to protecting your data in the event of a data breach. I’ve been saying that encryption is vital in this column for years. But that message has been slow to convince most organizations to start encrypting their data.

The reasons they haven't implemented encryption are complex and to some extent rooted in myth. Encryption is hard, the belief goes, and it bogs down computer performance terribly. Also, some people believe that encrypted files only serve to point out to hackers what files are important, so they can hack into those first.

IBM is now offering a solution to that complaint about the expense and difficulty of encrypting all of the vast archives of data stored in organization by offering its Z System mainframes as real-time encryption devices that run in the background. IBM uses the industry standard AES-256 encryption, which is sufficiently secure that it can’t be cracked even by quantum computers. However that security requires proper key distribution and management.

IBM approaches the problem by guarding the use of its keys, so that any compromise will invalidate the key. This combats the security hole that can sometimes exist in which the encryption key is stolen from memory while it’s actively being used. With IBM’s approach, such actions are immediately detected.

IBM also fights another potential exploit in which data is stolen while it’s being processed. For the computer to use the data that’s been encrypted, it must be decrypted. With IBM’s Z System mainframes, that period of decryption is limited to the brief time when the data is actually in the processor, and it’s returned to its encrypted state immediately afterwards.

For larger companies, especially those involved in cloud operations or ecommerce, this is an important development. Cloud based data is a favorite target of hackers, if only because some portion of the data must by necessity be accessible to the outside world. E-commerce companies have the same exposure, plus the fact that they necessarily must retain customer financial information for various periods of time. This makes them an even larger target.

IBM stresses in its press release that in today’s corporate environment only about 4 percent of data is encrypted while more than 80 percent of mobile data is encrypted. While this may sound like a good reason to buy something like IBM’s Z mainframes, there’s likely something else at work here related to security in general and encryption specifically. Too many IT managers don’t understand encryption or how to implement it.

In addition, too many IT managers don’t actually understand the demands that encryption places on their servers and their in-house workstations. Modern servers, if equipped with enough memory and with adequate processors, are perfectly capable of handling AES-256 encryption without significant impact.

Think of it this way. If your phone and your WiFi access point have the horsepower to encrypt and decrypt data in real time don’t you think your server can manage the task? If your iPhone can manage real-time encryption on its own, don’t you think your desktop workstation can do the same thing?

Of course IBM has a point. When you look at the number of organizations still running Windows XP or Windows Server 2003, then you’re also looking at computing environments in which encryption is far too demanding. In this case, implementing IBM’s Z System, either in the data center or as part of a cloud service, will do a lot to protect corporate data from theft.

Those companies will also benefit from the fact that IBM is quite capable of providing the services and support to deliver that real-time encryption in a way that’s reasonably transparent to the folks in the data center. This point has more value than you might think.

After all, these days IBM is primarily a services organization. The company can provide the encryption service, train the staff to use it, and provide the services to monitor and support it all in one big package. But does that mean that IBM can help every organization that’s been living so doggedly in the past that it hasn't performed a system upgrade during the last 15 years? Well, no.

IBM’s marketing prowess is considerable. But even IBM can’t help a company that doesn’t want to be helped. Like it or not, there will always be a few companies with their collective heads so totally buried in the sand that they won’t even see that a threat exists.

When that happens, your job is to find out whether the company you’re thinking about doing business with is one of those that won’t be helped. You can find this through your due diligence when consider partnering with them. Knowing that an organization you’re considering is using the new IBM Z mainframe for full encryption is certainly an encouraging point, especially if IBM is running things for them.

But remember that there’s more to security than encryption and you need to confirm that they understand the whole process of security data. But such encryption is a good start.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...