Encryption at Scale: A Matter of Shifting Priorities

For most enterprise CIOs and CISOs, the question around data encryption is not whether corporate data should be encrypted, but rather how much or which data should be encrypted.

That’s because most executives responsible for corporate information security understand the risks they incur if they fail to keep their most sensitive data from prying eyes. Last year, the average cost of a data breach to an organization was $3.62 million, according to the Ponemon Institute’s 2017 Cost of Data Breach Study (global overview). Failure to encrypt data can be especially costly on the mainframe, which often houses a corporation’s most sensitive data.

Still, enterprises are also mindful that it’s expensive and challenging to encrypt everything, which is why encryption has traditionally been a matter of priorities.

In a presentation at SHARE Providence, software engineer Eysha Powers profiled the four levels of mainframe encryption: full disk and tape encryption, data set (file) encryption, database encryption, and application encryption. They range from the broadest coverage (full disk and tape) to the narrowest (application encryption), and the trade-off is protection as much as cost. The broad layers are transparent to applications and cheap to deploy, but they only defend against threats below the layer that holds the key: disk-level encryption protects against lost or stolen media, not against an authorized user or a compromised application reading the data through normal operating system interfaces. Application-level encryption covers the smallest set of data but protects it from every layer beneath the application, including database and storage administrators. She recommended that organizations develop a strategy that protects a mix of data at each level, based on priorities, and that they start with a formal data classification exercise: you cannot protect something if you do not understand its business value.

Compliance regulations are often the biggest driver for encryption priorities. Many organizations only encrypt enough data to be compliant with federal or industry regulations, according to IBM Systems Magazine, but those regulations aren’t always specific about the types of data that should be encrypted, or the level of encryption that should be applied.

In healthcare, sensitive data is regulated by HIPAA, whose Security Rule calls for encryption of electronic protected health information but treats it as an “addressable” specification: an organization that judges encryption not reasonable and appropriate for a given system must document why and implement an “equivalent alternative” measure instead. What counts as an equivalent alternative? That is left to interpretation, and for some CIOs it is a risky proposition: if the organization is breached because its alternative control proves insufficient, it is on the hook for serious fines. It may simply be safer to encrypt straightaway.

With the release of its new z14 mainframe, IBM is looking to do away with the debate altogether by offering pervasive encryption, which gives organizations the option to encrypt 100 percent of their data. The feature encrypts mainframe data both in flight and at rest, protecting all of the data associated with an application, cloud service, or database rather than selected fields or files.

IBM purports to solve the performance overhead and operational complexity of encryption through several hardware upgrades, including a 4x increase in silicon dedicated to cryptography. Faster hardware removes the CPU-cost argument against encrypting broadly; it does not remove the need for key management, because encrypted data is only as well protected as the controls over who can use the keys.

Ultimately, the z14 is meant to solve the encryption-at-scale problem, but that does not mean CIOs and CISOs can take a “set it and forget it” approach to security. Encryption at scale still needs a careful analysis of what data exists, who may access it, and how keys will be owned and rotated, before anything is switched on. Mainframe security in some organizations still needs improvement and, if nothing else, the focus on enhanced encryption technologies demonstrates how critical these systems, and their protection, have become in enterprise IT environments.

For more on mainframe security and other mainframe topics, check out the SHARE Content Center.
