The Power of Pervasive Encryption – Security Intelligence (blog)

The new z14 mainframe computer offers a chance to re-evaluate what a mainframe can do for an organization. Gone are the days when the mainframe was the only way to do computing. Today, there are new and different choices, and the z14 can make those choices practical.

The z14 features standard improvements that users have come to expect, such as faster, more efficient hardware chips. It also includes a pervasive encryption scheme that may prove to be as important as anything that was done to the computing hardware.

Transitioning away from selective encryption toward end-to-end protection will help organizations secure enterprise data while reducing the cost and complexity of meeting emerging compliance mandates. It is a far more general approach that applies to data in transit and at rest. This routine and pervasive use of cryptography is performed all the time to all data, except that which is immediately processed inside the mainframe.

The details of the new cryptography system start with the z14s new coprocessor, the Central Processor Assist for Cryptographic Function (CPACF). This high-performance, low-latency coprocessor performs symmetric key encoding and calculates message digests (hashes) in hardware. It is standard on every core, directly supports cryptography and offers hardware acceleration for all encryption operations that occur on the core processor.

According to IBM Systems Magazine, a Solitaire Interglobal report found that this cryptographic acceleration provides six times more performance than the previous z13 model. Additionally, z14 is more than 18 times faster than competing platforms.

The CPACF also has extended key and hash sizes used in the Advanced Encryption Standard (AES) and Secure Hash Algorithm (SHA), as well as support for UTF8-to-UTF16 conversion. The cryptography hardware is available to all processor types used in the z14.

Bulk file and dataset cryptographic operations were specifically placed within the mainframes operating system software to maximize transparency to the running files and optimize performance. This is a critical point: All the potential benefits of pervasive encryption are lost if a required intermediary step interferes with getting the work done. With the z14, users can transition DB2 and information management system (IMS) high-availability databases from unencrypted to encrypted without stopping the database or the application.

The ability to seamlessly encrypt is a big deal to users. The data used by an application or database is protected, but no user changes are required. Additionally, this means service-level agreements can be maintained.

Both the financial and data processing businesses need this kind of encryption in all places due to the rush of new regulatory compliance mandates that will soon affect them. Additionally, cloud-based data stored in x86 boxes are encrypted at the source and protected at rest. A business using a z14 platform does not have to depend on the low-throughput encryption of such cloud solutions. Data stored in these boxes will already be in an acceptable state without the need for further processing.

No other platform can do this. And it took both advanced hardware and software to pull this off, not just one or the other.

Even with the mainframe doing all it can to keep things secure, bad policy decisions by the user can undercut everything. Users need to maintain security policies and enforce them not count on the machine alone to wave a magic encryption wand to keep data safe.

The z14 is a unique and effective tool to help organizations achieve their security goals. However, the mainframe cannot do this alone: It needs informed and committed users to maximize its effectiveness.

Read the white paper: Pervasive Encryption, The New Paradigm for Protection

The rest is here:
The Power of Pervasive Encryption - Security Intelligence (blog)