
Pervasive Encryption of Data in Flight: End-to-End Encryption Options on z/OS

  

As we discussed in a previous article, Calculating the Cost of a Data Breach in 2019, data breaches continued to grow costlier in 2018 and to expose more consumer records. Now let's see how pervasive encryption makes a difference.

Extensive use of encryption is one of the most powerful ways to reduce the risk of a data breach and to meet complex compliance mandates. Implementing it, however, can be complex, and organizations typically struggle with three key questions:

  • What data should be encrypted?
  • Where should encryption occur?
  • Who is responsible for encryption?

IBM Z pervasive encryption marks a paradigm shift for security. Pervasive encryption provides a transparent and consumable approach to enable extensive encryption of data in flight and at rest to simplify and reduce the costs associated with protecting data and achieving compliance mandates.

To make this happen, IBM Z delivered several new capabilities through tight full-stack platform integration, in the hardware, OS, and middleware.
[Figure: pe.png. This diagram is from the presentation IBM z14 / Pervasive Encryption.]

As highlighted in this diagram, to protect in-flight network data and APIs, IBM z14 can encrypt incoming and outgoing network connections for true end-to-end data protection.

In general, z/OS supports three robust end-to-end security protocols:

  • Transport Layer Security (TLS, including SSL) via System SSL and Java Secure Sockets Extension (JSSE)
  • IPsec, which is built into z/OS Communications Server
  • Secure Shell (SSH) via z/OS OpenSSH

Each protocol has its place and suits different types of traffic. Which protocol you select to protect a given type of application traffic depends on a number of factors, and in most cases you have a choice of protocols for any given application type. (See the table at the end of this article for a comparison of the three protocols.)

Whichever protocol you choose, you first need a way to find out which z/OS network traffic is already protected, by which protocol and with what attributes, and which traffic is still flowing in the clear. z/OS Encryption Readiness Technology (zERT), a core capability of pervasive encryption, does exactly that.

zERT provides network security discovery and reporting by monitoring TCP and Enterprise Extender traffic for TLS/SSL, IPsec and SSH protection, as well as for cleartext traffic that has none. It records what it finds in new SMF 119 records (a connection-level detail record, subtype 11, and an aggregated summary record, subtype 12). Moreover, zERT Network Analyzer, a new web-based interface that is planned to be available in the future, will let you query which z/OS TCP and Enterprise Extender traffic is or isn't protected according to specific criteria.

For more about zERT, see Things you should know about z/OS Encryption Readiness Technology (zERT).
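
Turning zERT on is a TCP/IP stack configuration change rather than a product install. The PROFILE.TCPIP fragment below is an added example written for this page, not configuration from the original post; the stack name TCPIP and the obeyfile data set named in the usage note are assumptions.

```text
; Constructed PROFILE.TCPIP fragment (added example, not from the article).
;
; Enable zERT discovery for this TCP/IP stack. AGGREGATION additionally keeps
; per-security-session statistics so that summary records can be written
; instead of relying solely on one detail record per connection.
GLOBALCONFIG ZERT AGGREGATION

; Route the zERT findings to SMF as type 119 records:
;   ZERTDETAIL  - subtype 11: records per TCP connection / EE session,
;                 carrying the TLS/SSL, IPsec or SSH attributes that were
;                 observed, or recording that the traffic was cleartext
;   ZERTSUMMARY - subtype 12: one record per aggregated security session
;                 at each SMF interval (needs AGGREGATION above)
SMFCONFIG TYPE119 ZERTDETAIL ZERTSUMMARY

; Optional: also make the same records available in real time through the
; SMF network management interface (NMI) for monitoring products.
NETMONITOR SMFSERVICE ZERTDETAIL ZERTSUMMARY
```

Apply the fragment with V TCPIP,TCPIP,OBEYFILE,DSN=SYS1.TCPPARMS(ZERTOBEY) (stack and data set names assumed) or place it in the stack's profile, and confirm with D TCPIP,TCPIP,NETSTAT,CONFIG, whose global configuration section shows the zERT and aggregation settings. One practical caveat: on a busy stack the detail records are voluminous, since every connection produces them; the aggregation option and the summary records exist precisely so that you can keep the detail records switched off once you know what is there. Any connection whose record shows no TLS/SSL, IPsec or SSH attributes is the cleartext traffic this article says you need to find.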

---------------------------------------------------------------------------------------

Comparison of protocols: TLS, IPsec, and SSH using IBM-provided implementations

| Attribute | TLS/SSL | IPsec | SSH-2 |
|---|---|---|---|
| Traffic covered | TCP connections | All IP traffic (TCP, UDP including Enterprise Extender, ICMP, etc.) | TCP connections |
| Provides true end-to-end protection | Yes | Yes | Yes |
| Can protect specific network segments | No | Yes | No |
| Protection scope | Single TCP connection | Flexible (all traffic, or by protocol, IP addresses, ports, etc.) | One or more TCP sessions |
| Requires application layer changes | Yes (except basic AT-TLS) | No | No |
| Endpoints and authentication | Application to application | IP node to IP node | Host to host |
| Authentication credentials | X.509 certificates | X.509 certificates or pre-shared keys | Public/private key pairs |
| Authentication frequency | Configurable | Configurable | Once at session startup |
| Session key refresh | Configurable based on time | Configurable based on data and time | Configurable based on data |
| Configuration | AT-TLS: policy; System SSL direct: per application; JSSE: Java properties | Policy | OpenSSH configuration files and command-line options |
| Application transparency | AT-TLS: Yes (basic AT-TLS only); System SSL direct: No; JSSE: No | Yes | Can be, with port forwarding |
| SAF key rings | Yes | Yes | Yes (for keys only) |
| Secure keys (CEXn) | Yes | Yes | No |
| Specialty engine (zIIP) support | JSSE only | Yes | No |
| System z hardware crypto | CPACF, CEXn | CPACF, CEXn | CPACF, CEXn (for random number generation) |
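
The AT-TLS rows of the table (configured by policy, transparent to the application, SAF key ring, CPACF for the bulk cipher) are easiest to see in an actual policy. The Policy Agent TTLS configuration below is an added example written for this page, not taken from the article or from IBM documentation; the rule and action names, the job name APPSRV*, port 4443 and the key ring APPSRV/SRVRING are assumptions. It makes the stack terminate TLS for inbound connections to port 4443 owned by jobs matching APPSRV*, accepts only TLS 1.2 with AEAD cipher suites, and, because ApplicationControlled is Off, leaves the server program itself untouched (basic AT-TLS).

```text
# Constructed Policy Agent (PAGENT) AT-TLS policy - added example, not
# from the article. Names, port and key ring are assumptions.

# Which traffic the policy applies to: inbound TCP connections to local
# port 4443 owned by any job whose name matches APPSRV*. Higher Priority
# wins when several rules match.
TTLSRule                     ProtectAppServer
{
  LocalPortRange             4443
  Direction                  Inbound
  Jobname                    APPSRV*
  Priority                   100
  TTLSGroupActionRef         grpTlsOn
  TTLSEnvironmentActionRef   envAppServer
}

# Turn AT-TLS on for the rule; Trace 2 records errors only.
TTLSGroupAction              grpTlsOn
{
  TTLSEnabled                On
  Trace                      2
}

# How the stack performs the handshake on the application's behalf.
TTLSEnvironmentAction        envAppServer
{
  HandshakeRole              Server
  TTLSKeyringParms
  {
    # SAF key ring (owner/ringname) holding the server certificate and
    # private key; per the table, that key may be a CEXn secure key.
    Keyring                  APPSRV/SRVRING
  }
  TTLSCipherParmsRef         cphAead
  TTLSEnvironmentAdvancedParms
  {
    # Off = "basic AT-TLS": the application never issues the TTLS ioctl
    # and is unaware that TLS is in place, so no code changes are needed.
    ApplicationControlled    Off
    # Pin the protocol versions explicitly; the defaults vary by release.
    SSLv2                    Off
    SSLv3                    Off
    TLSv1                    Off
    TLSv1.1                  Off
    TLSv1.2                  On
  }
}

# Listing order sets preference. Both suites use AES-GCM, which System SSL
# runs on CPACF, and ECDHE for forward secrecy.
TTLSCipherParms              cphAead
{
  V3CipherSuites             TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites             TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
```

Two prerequisites are outside this file: the stack must have TCPCONFIG TTLS in its PROFILE.TCPIP, and the Policy Agent's main configuration must reference this file with a TTLSConfig statement. Once PAGENT has loaded it, pasearch -t lists the active rule and NETSTAT TTLS (or D TCPIP,,NETSTAT,TTLS) shows which connections it matched. A zERT detail record for such a connection will then carry the TLS version and cipher suite negotiated here instead of marking the traffic as cleartext, which is a convenient way to confirm that the policy really took effect.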


-----------------------------------------------------------------------------------------------------------------------------
This blog was originally posted on Sep. 19, 2018 on IBM z/OS Communications Server developerWorks.