IBM wants you to encrypt everything with its new mainframe
- 17 July, 2017 22:42
IBM wants businesses to use its new z14 mainframe to encrypt pretty much everything -- an approach to security it calls pervasive encryption.
Encrypting everything, and restricting access to the keys, is one way to reduce the risk and impact of data breaches. It can reduce the threat surface by 92 percent, according to research commissioned by IBM.
To make such pervasive encryption viable, the z14 has four times as much silicon devoted to cryptographic accelerators as its predecessor, the z13, giving it seven times the cryptographic performance.
That allows it to encrypt up to 12 billion transactions per day, according to IBM.
For other workloads, running under either z/OS or Linux, the z14 has 35 percent more capacity than the z13, the company said. That's possible because the z14 has three times the memory (up to 32 terabytes) and three times faster input-output than its predecessor, and a significant reduction in SAN latency when using zHyperLink.
As well as the hardware changes, the mainframe range has undergone a discrete change of name: Instead of the awkwardly capitalized z Systems, it's now called IBM Z.
The x86 systems that IBM Z is up against typically don't have the processing power to encrypt everything, all the time: They take a piecemeal approach, encrypting a password here, a credit card number there, with the result that plenty of personal information is there for the taking, if only hackers can find their way in.
In contrast, the z14 can encrypt every file -- or data set in IBM Z parlance -- and restrict who can access the keys, said Mike Jordan, distinguished engineer with IBM z Systems Security: Privileged users such as storage administrators, for example, will be able to move or copy files to do their job, but won't be able to decrypt them.
"We can eliminate those classes of users from risk if their IDs get hacked or attacked," he said.
Applications that do need to decrypt the data will run under a special user ID that can access the decryption key -- but such user IDs typically cannot be used to log in to the system, making it harder for hackers to both grab a file and decrypt it.
Even where a business is running development, test and production environments on the same machine, there is cryptographic separation between the environments, Jordan said. If hackers were to take over the test environment, say, and access its encryption keys they would still not be able to decrypt production data.
The key management system meets Federal Information Processing Standards (FIPS) Level 4 requirements, where the industry norm is only Level 2, IBM said.
All that makes it harder for hackers to get in. IBM commissioned research firm Solitaire Interglobal to study the impact of pervasive encryption on businesses. Drawing on 21 years' worth of data about security incidents, the researchers concluded that, "Of the breaches and incursions analyzed, they could reduce the threat surface by 92 percent by having pervasive encryption on IBM Z," said Nick Sardino, IBM's program director for offering management, z Systems Growth Initiatives.
What would that additional security would cost, though? Solitaire modeled the cost of running a business on IBM's z14 and compared it with data from thousands of businesses using x86 systems of different sizes to selectively encrypt data.
Report author Kat Lind concluded that in IBM Z and x86 systems supporting the same overall level of business performance, the IBM Z encryption system would deliver 18 times the performance for one-twentieth the cost of the selective encryption systems in the x86 systems studied.
The cost takes into account personnel, CPU capacity required, memory levels, and other factors.
That's around 360 times more bang for the buck, albeit from a small part of the overall IT budget. Businesses not already running on IBM Z would have to switch out much more than just their encryption system to benefit.
It's as if someone told you a Tesla can store away electricity much faster than all the smartphones in your company, and the electricity to run apps on its dashboard is thus way cheaper than that used by all the smartphones: It may well be true, but you'd have to seriously rethink your business's approach to mobility to profit from it.
Although on Solitaire's narrow measure of encryption IBM Z beats x86 hardware today, the comparison will change as other encryption methods improve, Lind said.
Taking into account the lead times for chip design and manufacturing, it'll take at least two to three years for competing hardware to appear, she said in the report, "Pervasive Encryption: A New Paradigm for Protection."
There are some applications that can profit from having one of IBM's mysterious black monoliths in the data center today. One such is IBM's own Cloud Blockchain, which the company said is already using the new IBM Z to encrypt and secure services in six centers around the world.