IBM Debuts Full Encryption with z14 Mainframe Release

IBM Z will allow for full encryption without performance disruptions to service-level agreements, IBM's Nick Sardino says.


In an effort to thwart the efforts of hackers—and potentially revolutionize security—IBM has released a suite of services known as IBM Z Pervasive Encryption, which encrypts all data, all the time, at every level of the network.

Intriguingly, the encryption process happens even while the application is running, with no impact on service level agreements (SLAs). Nick Sardino, program director of IBM Z Offering Management, tells Waters that not only will this release help to protect financial services firms from data breaches, but it will also help them to adhere to existing data protection rules such as PCI-DSS and Sarbanes-Oxley, as well as new rules including the European Union’s General Data Protection Regulation (GDPR).

“What we’re really trying to do here with IBM Z Pervasive Encryption is to drive a paradigm shift in the industry,” he says. “Selective encryption should no longer be considered a ‘best practice’; it’s really a minimum threshold.”

Total Encryption

In 2016, more than 4 billion data records were compromised globally, a 556 percent increase over 2015, according to data from IBM. Over the last five years, nine billion records have been breached. Of those, only four percent were encrypted.

But encryption on a massive scale is expensive and time-consuming. To do it, firms traditionally have to identify and classify their sensitive data, which is an extremely manual process. They then decide where the encryption is happening—in the hardware, in the operating system, or by bolting on a point solution—and then figure out who owns the enterprise encryption policy, which is often decided on an application-by-application or regulation-by-regulation basis. Mass encryption has proven to be inefficient and costly, so firms have been willing to roll the dice and encrypt only the most important (or regulatory-mandated) data.

Z Pervasive Encryption—which is built into IBM’s newest mainframe, the z14, and was designed with input from 150 clients—was made possible by a new cryptographic engine at the heart of the hardware, built on top of IBM’s main microprocessor core. Sardino explains that to make its objectives achievable, IBM dedicated 400 percent more of the silicon area on the core to cryptographic processing, which has led to a sevenfold performance improvement for the z14 over the previous model, the z13, and encryption speeds of up to 13 gigabytes of data per second per chip.

[Photo: IBM engineers Rhonda Sundlof (top) and Karl Casserly test the IBM Z. Credit: Connie Zhou for IBM]

“When we look at comparing real-world scenarios and workloads for clients, encrypting data in bulk, we’re seeing an 18-times performance benefit over x86-based systems that are available today,” Sardino says. “By placing it on the layer in the operating system that we did, it gives you the ability to do that application-transparent encryption, but to send large chunks—our bulk encryption engine—of data off to be encrypted, and then we optimize the hell out of our microprocessor to be able to encrypt those large chunks of data.”

And while the encryption process—which uses 256-bit AES encryption—takes up some bandwidth, the end user will not notice a difference, since applications keep running while their data is being encrypted.

“Of course encryption is going to consume CPU cycles, but no impact to SLAs means that the end users aren’t going to notice that anything’s happening,” he says.

Furthermore, the hardware-based protection of the encryption keys is vital. “The hardware-based protection of the encryption keys is incredibly important. It’s something that differentiates our platform from other platforms,” Sardino says. “It’s great that the data is encrypted and makes data useless to the attackers if they’re able to exfiltrate it, but then the encryption keys become the new target and if those encryption keys are exposed in-memory, anybody can poke or prod in-memory or if the system takes a memory dump, the encryption keys can become compromised, and if the encryption keys become compromised, the data’s compromised.”
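The two points Sardino makes above, bulk AES-256 encryption that is transparent to the application and keys that are never exposed in application memory, can be illustrated with a small model. The Go program below is an added example written for this page; it is not IBM's code and does not reproduce the z14 mechanism, which the article does not detail. It assumes a `KeyVault` struct standing in for the hardware key-protection boundary: a master key that only the vault's methods reference, data keys that the application receives only in wrapped form, and a `DataKeyExposedIn` check that scans a constructed "memory dump" of what the application holds. The contrasting `NaiveEncrypt` shows the design the quote warns about, where the application itself holds the raw key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyVault is a constructed stand-in for the hardware key-protection boundary
// described in the article (an assumption for illustration, not the real z14
// design). The master key is referenced only by methods of this struct.
type KeyVault struct {
	master []byte // 32-byte AES-256 master key used to wrap data keys
}

// NewKeyVault generates a random master key inside the simulated boundary.
func NewKeyVault() (*KeyVault, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KeyVault{master: k}, nil
}

// newGCM builds an AES-256-GCM AEAD; a wrong-length key is rejected by aes.NewCipher.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext and returns nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal and fails if the ciphertext or tag has been altered.
func open(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// zero overwrites a key buffer once it is no longer needed.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// WrapNewDataKey creates a fresh 256-bit data key and hands the caller only
// its wrapped form; the plaintext key is erased before the method returns.
func (v *KeyVault) WrapNewDataKey() ([]byte, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	defer zero(dek)
	return seal(v.master, dek)
}

// withDataKey unwraps a data key inside the boundary, runs fn on it, and
// erases it again, so the unwrapped key is never returned to the caller.
func (v *KeyVault) withDataKey(wrapped []byte, fn func(dek []byte) ([]byte, error)) ([]byte, error) {
	dek, err := open(v.master, wrapped)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	return fn(dek)
}

// EncryptRecord bulk-encrypts a record under a wrapped data key (application-transparent path).
func (v *KeyVault) EncryptRecord(wrapped, record []byte) ([]byte, error) {
	return v.withDataKey(wrapped, func(dek []byte) ([]byte, error) { return seal(dek, record) })
}

// DecryptRecord reverses EncryptRecord, including GCM tamper detection.
func (v *KeyVault) DecryptRecord(wrapped, blob []byte) ([]byte, error) {
	return v.withDataKey(wrapped, func(dek []byte) ([]byte, error) { return open(dek, blob) })
}

// DataKeyExposedIn reports whether the plaintext data key appears in a memory
// snapshot; the comparison runs inside the boundary, so the key still does not leave it.
func (v *KeyVault) DataKeyExposedIn(snapshot, wrapped []byte) (bool, error) {
	found := false
	_, err := v.withDataKey(wrapped, func(dek []byte) ([]byte, error) {
		found = bytes.Contains(snapshot, dek)
		return nil, nil
	})
	return found, err
}

// NaiveEncrypt is the contrasting design: the application generates and holds
// the raw key itself, so a memory dump of the application contains it.
func NaiveEncrypt(record []byte) (key, blob []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	blob, err = seal(key, record)
	return key, blob, err
}

func main() {
	v, _ := NewKeyVault()
	wrapped, _ := v.WrapNewDataKey()
	record := []byte("constructed sample record: account 000-TEST, balance 42") // constructed input
	blob, _ := v.EncryptRecord(wrapped, record)
	appMemory := append(append([]byte{}, wrapped...), blob...) // what the application holds
	exposed, _ := v.DataKeyExposedIn(appMemory, wrapped)
	fmt.Println("vault design: data key visible in app memory dump?", exposed)
	key, nblob, _ := NaiveEncrypt(record)
	fmt.Println("naive design: data key visible in app memory dump?", bytes.Contains(append(append([]byte{}, key...), nblob...), key))
}
```

The check in `DataKeyExposedIn` is the defender's view of the quote: with the vault design the application's memory contains only the wrapped key and ciphertext, so a dump of it yields nothing usable, whereas the naive design puts the raw key in the same dump. Real hardware key protection also resists the process-level attacks this model cannot (the `KeyVault` here lives in the same address space), which is the gap the article says the z14 closes.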
