How often do compliance auditors descend upon your organization? If it is twice a year, consider yourself lucky. If it happens 50 times a year you’re not that unusual, observes Nick Sardino, IBM program offering manager for IBM Z. It could even be more.
If your data center is like many, the arrival of auditors amounts to preparing for and then running through a big fire drill. These audits are disruptive and can be costly. The recently announced IBM z14 can greatly reduce the disruption and preparation for the security parts of the audit through its pervasive encryption.
Data security has emerged as a key component of compliance audits and a major driver of the headaches. Any organization that stores customer data, consumer data or any personally identifiable data, whether from employees, partners, contractors or others, will face strict compliance security audits. The auditors want to be assured that the data is properly protected and securely stored; they will want to see rigorous documentation to prove it.
Enter Pervasive Encryption
With the introduction of Z and what IBM described as automatic, comprehensive pervasive encryption, IBM has radically changed what may have been, for an organization, an annoying and costly security compliance headache. Basically, IBM Z will cover the security automatically and document it.
The Z system delivers compliance relief through pervasive encryption, the automatic encryption of all your data without interrupting business applications and operations and without negatively impacting service levels. In short, it encrypts everything without degrading system service performance.
Previously, organizations would only encrypt data selectively to lessen the burden on servers with the process of encryption and decryption. It also could burden staff, which would spend time determining which files to encrypt to meet minimum security compliance. That’s no longer the case. IBM optimized the hardware and cryptology software/firmware to eliminate noticeable delays due to increased processor overhead, enabling the company to promise no interruption of business applications and operations while all compliance could be documented through real-time, self-service audit verification.
This eliminates the disruptive and costly fire drill that IT would go through every time an audit was scheduled. In this drill, staff would check to make sure the correct files were safely encrypted and readily accessible to auditors, and be able to verify it.
Pervasive encryption as handled on the z14 also automatically manages key protection, another high-risk headache. This is handled through integration with a tamper-responding cryptographic HSM, which almost assuredly will please the auditors.
In short, through pervasive encryption and the accompanying automated key protection, the Z effectively decouples encryption from data classification since you are automatically encrypting everything, even data the auditors may not specifically be concerned with. This eliminates concerns about misclassified and missed data, a frequent audit failing.
Global Compliance Pressure
In Europe, the General Data Protection Regulation (GDPR, EU Regulation 2016/679) takes effect spring 2018. It doesn’t yet apply here in the US, but it, or something like it, might be required sooner rather than later. The reason: of the 9 billion records breached since 2013, only 4 percent were encrypted. Furthermore, IBM calculates a 26 percent likelihood of an organization having a data breach in the next 24 months involving 10,000-plus lost or stolen records.
There are still critical reasons to opt for pervasive encryption even if you don’t conduct business in Europe. Specifically, there is PCI-DSS and then an old favorite, HIPAA. HIPAA has been aggravating compliance teams for at least a decade.
With automatic encryption through IBM Z, you can stop worrying about data classification and drop any compliance concerns because the data is automatically encrypted and the key securely protected. The data also is protected at multiple layers: as it is stored initially, in transit, through encrypted APIs, through real-time self-service audit verification, and through encryption of the keys themselves. It would have to be an unusually over-compulsive auditor who, when faced with this depth of protection, continued to demand more in regard to security verification.
Compromised or stolen data that is encrypted is useless without the key. At one point during the z14 introductory briefing, one IBMer quipped, once you have IBM Z systems-based pervasive encryption in place, “if you get a call from someone trying to extort money through ransomware, just laugh and hang up the phone.” To further assuage the auditors, the encryption isn’t even accessible by system administrators. Crypto-keys themselves are immediately stored and encrypted in memory to thwart tampering even by supposedly trusted administrators.
Compliance in the Cloud
IBM made the cloud a strategic imperative a few years ago, and it’s starting to pay off as cloud revenue slowly but steadily increases. So, it should be no surprise then that the company would bring multi-level security and encryption to the cloud too. The plan, apparently, is to take data center security into the future by making sure data is secure at every point.
Already, just in the enterprise, there are more points of data vulnerability than the compliance team can watch. Explains Michael Jordan, IBM Distinguished Engineer, IBM Z systems, in a recent blog: Strong walls and perimeter defenses are no longer adequate to prevent cyberattacks in today’s enterprises. There are countless points of entry into an organization’s IT environment, all of which lead to what should be private data. Not only could a team be completely consumed by trying to secure all of the potential entry points, but they could do all that and still not achieve their objective.
As we noted above, industry and government regulations mandate that certain sensitive data be protected, which, in most cases, means encrypted. If you’re like most, you have probably adopted the practice of selective encryption. You already know the drill: look for credit card data, social security numbers and other sensitive and personally identifiable data and encrypt only that subset of data. This makes sense and might even appear to save some processing resources.
However, it certainly won’t save the compliance team any time or effort. There are too many classification decisions to make, and if you miss just one occurrence you potentially have blown it. If you need proof that data breaches can happen in even a professional and security-aware organization, look at the September data breach at Equifax. Who in the world is not now at risk? Conventional security, firewalls and selective encryption don’t work any longer. What’s needed, noted Jordan, is a complete paradigm shift from protecting the data at the core of the enterprise to automatic pervasive encryption and key protection.
With pervasive encryption you now have a system that, according to IBM, features an encryption engine designed to extend the cryptographic umbrella across data, networks, external devices and entire applications, including their APIs, with no app changes or performance hit.
"The vast majority of stolen or leaked data today is in the open and easy to use because encryption has been very difficult and expensive to do at scale," said Ross Mauri, general manager, at the IBM Z introduction. "We created a data protection engine for the cloud era to have a significant and immediate impact on global data security." It will ensure the protection of data that comes into the enterprise, in transit when leaving the enterprise, and in the cloud.
If you were particularly nervous, you could sever every outside link and never connect to anything. Yes, you would be extremely secure, except for thumb drives and such that employees would sneak into the organization anyway. You also would be out of business faster than any data breach would trigger. Companies must connect to survive.
A better reaction would be to open your organization to a securable enterprise cloud, on-premises or off, which lets you extend your organization, connect, and innovate. Simply deploy automatic Z-based pervasive encryption with zero impact on service-level agreements, and reduce if not completely eliminate compliance audit hassles. Then relax and stop worrying about the next hack.
Alan Radding may be reached at firstname.lastname@example.org.