Confused About Encrypting Data at Rest vs Pervasive Encryption?

From Jamie Pease CISA, CISM, CISSP, CITP, MBCS - Principal Security Consultant at RSM Partners

Rewind 20 years or so, we were more concerned about who had update access to data. If users had read access to it and it was transmitted someplace else, let's just say, it did not trigger any alarm bells.

Fast forward to the present day, we have to think very differently about how we protect sensitive data, which includes encryption. When your organization has to comply with the likes of PCI Security Standards, the General Data Protection Regulation (GDPR) or HIPAA to name a few, there are strict requirements for encrypting data at rest and in-flight. So you have two challenges: you need to encrypt the sensitive data that sits on disk; you also need to encrypt that data if it gets transmitted across a network. Therefore you need a solution that handles both situations.

What if you only encrypt the data at rest? Put simply, the chances of your organization passing a PCI audit where credit card data is only encrypted on disk, but not encrypted during transmission, are practically zero. At some point in the lifecycle of data, it has to be transmitted somewhere and stored someplace. Throughout its journey, the data must be kept away from prying eyes – confidentiality is king. The reality is, this applies to all sensitive data, whether this is personally identifiable information or company data such as revenue projections or product plans.

Think about where the journey of data begins and where it ends up – who could intercept it along the way? Then ask yourself: if you just encrypt the data at rest, does this really satisfy the confidentiality needs of the potential destinations for that data? Now consider the following sample policy statements regarding the encryption of sensitive data:

| Sample Policy Requirement | Category | Covered by IBM Z Pervasive Encryption | Encryption of Data at Rest |
|---|---|---|---|
| All sensitive data must be encrypted during transmission | Data in-flight | Yes | No |
| All sensitive data residing on DASD (Disk) and Tape must be encrypted | Data at rest | Yes | Yes |
| Where sensitive data resides on disk, but whole disk encryption is not required, dataset or file level encryption must be applied | Data at rest | Yes | Yes |
| Databases containing sensitive data must be encrypted | Data at rest | Yes | Yes |
| Sensitive data flowing through the z/OS Coupling Facility must be encrypted | Data at rest/in-flight | Yes | No |
| Sensitive data flowing from application to application must be encrypted | Data at rest/in-flight | Yes | No |


IBM Z pervasive encryption (PE) was introduced to address these encryption needs. It takes you beyond the traditional way of thinking about protecting data, to the way encryption should be implemented end-to-end. Note that encryption is not the silver bullet for all your security concerns surrounding sensitive data – it's part of a collection of controls. So yes, we still need access control lists, security monitoring and auditing.

Surprisingly, many mainframe shops still don't encrypt sensitive data. Now that pervasive encryption is well established, and with the ever-increasing compliance and regulatory demands, organizations no longer have the excuse of doing nothing or implementing partial solutions.

In closing, make it personal. Somewhere around the world, your personal data probably resides on a mainframe – if your data was stolen and you later found out that it was not encrypted, how would you feel? Encryption is the norm and it's becoming more pervasive in our lives!
