IBM Systems Magazine, Mainframe - January/February 2018 - 26
further lock down systems so
users are not only encrypting their
data, but also controlling who
has access to it, including from
internal credential abuse and
external, pilfered credential use.
Although it might not be a lack
of interest in encryption, but
rather the costs associated with
it, that causes some organizations to
forgo or limit its use, the GDPR
is encouraging a second look at
it. Just as fines, potential lawsuits
and damaged brands are reason
enough to deploy encryption, so
is the goodwill that comes with
it, as customers place increased
accountability in organizations that
are diligently protecting their data.
Rather than parsing EU data
members from non-EU data
members, it's easier to treat
all data in the same manner,
with the safeguards offered by
pervasive encryption being used
across the board.
Of the firms that fall under
GDPR, eight in 10 expect they'll
have to adapt their existing
products and service offerings
to comply with the regulation,
anticipating that they'll have to
spend upward of $5 million for

Take a Proactive Approach to Compliance

Over the past few years, increasing amounts of
data, from healthcare providers, law firms, banking
institutions and other often-regulated organizations
that provide critical services, have moved online.
This is largely due to the efficiencies
computing offers, with, for example, hospitals being
able to share patient data at the push of a button.
It's also why regulations such as General Data
Protection Regulation, Gramm-Leach-Bliley Act,
HIPAA and PCI are enforced. Without their compliance requirements, some critical data might not be
protected, and could be stored in simple cleartext,
accessible to any entity that has gained network
access, including those that are unauthorized.
Fortunately for companies and those who
conduct business with them, these regulations
often make it clear which data has to be most
securely protected. Typically, this is done using
encryption. However, the mechanisms, details and
overall operation of encryption can often be difficult
to manage and challenge system performance.
To address this concern and ensure that data can
be fully protected more easily, IBM has pioneered the
science of encrypting data wherever the data is in
the system and letting the OS do the hard work.
IBM has developed chip-level encryption in the new
IBM z14* that can alleviate much of the challenge
surrounding encryption by enabling organizations to simply encrypt everything everywhere.
"The term 'pervasive' is nice because it
provides the concept that everything is protected
end-to-end, wherever data travels or is stored,"
remarks Phyllis Schneck, managing director,
Promontory Financial Group (an IBM company),
and former U.S. government cybersecurity official.
"For example, you really don't want a system that
requires laborious processes to lock and unlock a
simple email. So, if data is encrypted from beginning to end, as the encryption ability of the z14
allows, you know the data is inherently unreadable
by anyone but authorized parties, which ensures
compliance to regulations that demand that your
data has to be protected."
Promontory can help companies not only understand the benefits of pervasive encryption, but also
more broadly keep them in a place where they have
full compliance and open communication with regulators. This allows companies to be proactive and
build consumer confidence in their brand.
Additionally, as Schneck notes, "We have the
very difficult conversations with executives before
a crisis to enable decisions to be made thoughtfully
and applied when needed in an instant. So, you have
to conduct a risk assessment, prioritize your assets
before buying yet another cyber toy and understand
why this is important to your company.
"In the end, you'll have an idea of what your
risk tolerance is and what's the worst thing that
could happen to your company should something
indeed occur. We prioritize that for you so your
investments, your people, your culture are aligned
with your overall security goals. And we strengthen
your resilience to be sure you have a thoughtful,
well-practiced response when, not if, a cyber event
For further insight into Promontory's services,
including how it's using cognitive computing to make
security regulations easier to understand and money
laundering easier to find, visit promontory.com.