Mainframe Storage

Encrypt everything, everywhere

By RAUL RAUDRY DIAZ DE LEON posted Sat November 14, 2020 12:36 PM


Organizations experience a continued push to minimize the risks of data breaches. There is a new focus on privacy management tools with the capability to mask data. This focus reinforces the need for a cryptography plan, and the subsequent demand to simplify the complexity of key-based algorithms and the management of keys throughout their lifecycle.

What should be considered when implementing a data encryption strategy?

  • Encrypt as much data as possible, as intruders and threats take advantage of any vulnerability in the data flow chain to steal information.
  • Consider the implementation of an encryption solution that is simple and transparent, without requiring changes in applications or operating systems.
  • Plan for an encryption solution that does not degrade application performance or jeopardize your disaster recovery strategy.

In order to support an end-to-end encryption strategy, IBM DS8000 provides disk-based encryption for data that is at rest on disk or flash drives. It also allows encryption in flight when connecting to an IBM Z z15 host and encryption of data that is transmitted to the cloud.  

Encryption everywhere

Encryption at-rest

The IBM DS8000 supports hardware-level, self-encrypting Full Disk Encryption (FDE) disks and flexible key manager software. DS8000 encryption secures data at rest and offers a simple, cost-effective solution for securely erasing any disk or flash drive that is being retired or repurposed (cryptographic erasure).

Encryption in-flight

IBM Fibre Channel Endpoint Security is an end-to-end solution that ensures all data flowing on FICON® and Fibre Channel Protocol (FCP) links from IBM Z® to DS8000, or between IBM Z platforms over FICON Channel-to-Channel connections, is encrypted and protected. This offering provides in-flight protection for all data, independent of the operating system, file system, or access method in use.

Encryption of data that is transmitted to the cloud

Transparent Cloud Tiering enables direct data movement from IBM DS8000 to cloud object storage, without the need for data to go through the host. DFSMS communicates with DS8000 through a REST API interface. It issues commands for the DS8000 to move the data directly to/from a public, private, or hybrid cloud.

Transparent Cloud Tiering Encryption ensures that critical mainframe data is encrypted while it is transferred over the network. It uses the hardware acceleration of the DS8000 internal IBM POWER® servers with 256-bit AES encryption at full speed, and I/O performance is not affected. The data remains encrypted in the cloud storage and is decrypted when it is transferred back to the DS8000.

IBM DS8000 offers a unique combination of encryption capabilities that are part of a broader set of data protection functions that help ensure business continuity. 

Please click here if you want to know more about IBM DS8000 Encryption for data at rest, Transparent Cloud Tiering, and Endpoint Security.