IBM Systems Magazine, Mainframe - January/February 2018 - 21
"In Z, the encryption keys are
never exposed to the hypervisor,
OS or application. If that protected
key gets exposed to the hacker, it's
worthless because it can't be used
to decrypt the data. This is something
that only Z can do."
-Nick Sardino, program director,
IBM Z Offering Management
reducing the risk of unidentified
or misclassified data.
"Encryption has been
around for a long time. Clients
experienced the pain points that
it's been expensive and slows
down performance," Sardino
says. "Organizations today are
implementing selective encryption.
They only encrypt the data needed
to meet the minimum threshold
for compliance regulations,
which is usually only the most
sensitive data. With z14, pervasive
encryption is the new standard."
With pervasive encryption, IBM
overcomes traditional challenges
to make encryption affordable
and scalable without impacting
service-level agreements (SLAs), he
says. "Our clients are particularly
sensitive to system performance.
However, with pervasive
encryption, organizations can
encrypt data at enterprise scale
without impacting SLAs such
as transactional throughput or
The Solitaire Interglobal report
found that the IBM pervasive
encryption solution requires less overhead than
other systems. Organizations that deploy pervasive
encryption on IBM Z can reduce overall processing
overhead by as much as 91.7 percent, according to
the report. The report also found that total cost of
ownership for IBM Z security implementations is lower
than for other platforms, by as much as 83.7 percent.
Comprehensive Security Strategy
IBM Z faces security threats from a variety of
sources, Sardino warns. No single solution can
prevent them all.
"Pervasive encryption is the foundation of a larger
data security and protection strategy," he explains.
"Different solutions protect against different types of
threats. Pervasive encryption is a good way to protect
data at-rest and in-flight, but an attacker using the
stolen credential of an authorized user may still be
able to see unencrypted data."
Sardino advises organizations to integrate pervasive
encryption as a fundamental component of a strategic
security plan. That should include multi-factor
authentication and data activity monitoring to identify
who is accessing data. Security intelligence is also
critical, using detailed audit records and user behavior
analytics to spot anomalies.
Pervasive encryption can also simplify and accelerate
the process of working with a compliance auditor.
"When clients are doing selective encryption
and sit down with the auditor, they have to show
how they decided what data to
encrypt. They have to show the
application changes needed to
do the encryption and where
those changes were made.
This can be a long, drawn-out
process," Sardino points out.
"If they can easily show
the auditor that they've
encrypted all the data across
all applications, this is an
extremely powerful statement
that shows they have met
and improved the compliance
capability of the organization."
The Case for Pervasive Encryption
Encrypting all data in the enterprise and applications allows organizations to:
Reduce the risk associated with breached or misclassified sensitive data
Make it more difficult for attackers to identify sensitive data
Protect all of the company's digital assets
Reduce the cost of compliance
Decouple data encryption from data classification
Time for Encryption
Total encryption may be a seismic
shift for some organizations, yet
it offers unparalleled advantages.
Some companies are worried about
breaches because of the damage
to their brand, potential lawsuits,
loss of intellectual property and
the erosion of customers' trust.
Other organizations are wrestling
with meeting increasingly
stringent compliance mandates.
Despite having so much at stake,
many organizations haven't started
their data protection initiatives,
"With z14, IBM is really
delivering a comprehensive set of
capabilities that make pervasive
encryption of at-rest and in-flight
data possible for the first time,
including compliance reporting
and key management," he says.
Businesses should examine
applications where critical
data is stored, then start
encryption there. After that,
companies can roll it out on an
until all data is encrypted.
"The goal is to get everything
encrypted across all workloads
and applications," he says.
"The real value is when
encryption is pervasive."
Brett Martin is a freelance writer
based in Shakopee, Minnesota.