By Mark Wilson, Technical Director, RSM Partners Ltd
A colleague recently sent this query to me: “With security and encryption a hot topic and IBM really pushing pervasive encryption (PE) on the new z14 and z14ZR1, how can our clients better understand PE and what risks and issues can it potentially resolve?"
This is a great question, one which I spent some time considering. I also picked the brain of Chad Rikansrud, our North America Director. There’s a lot of talk about PE, and many folks confuse it with transparent dataset encryption: IBM’s newest tech, encrypting some datasets with keys stored in Integrated Cryptographic Service Facility (ICSF). I recently reviewed an IBM presentation, which states that PE consists of the following elements:
- Integrated Crypto Hardware: “Hardware accelerated encryption on every core, CPACF performance improvements of 7x, Crypto Express6S – PCIe Hardware Security Module (HSM) and Cryptographic Coprocessor”
- Data at Rest (as mentioned above): “Broadly protect Linux file systems and z/OS data sets using policy controlled encryption that’s transparent to applications and databases”
- Clustering: “Protect z/OS Coupling Facility data end-to-end, using encryption that’s transparent to applications”
- Network: “Protect network traffic using standards-based encryption from end-to-end, including encryption readiness technology to ensure z/OS systems meet approved encryption criteria”
- Secure Service Container: “Secure deployment of software appliances, including tamper protection during installation and runtime, restricted administrator access, and encryption of data and code in-flight and at-rest”
- Key Management: IBM’s Enterprise Key Management Foundation (EKMF) “provides real-time, centralized secure management of keys and certificates with a variety of cryptographic devices and key stores”
In older versions of Z hardware, PE is still effective for many things. However, the big jump is the performance improvements in the crypto cards and CPU. PE will still add value on some of the older hardware, but it will be slower.
That said, people are—rather worryingly—continuing to overlook a key aspect of PE: it’s all about the keys. What I mean by that is: many are rushing headlong into PE, encrypting all their critical data, but singularly failing to take the steps necessary to ensure robust key management processes and/or making sure appropriate procedures are in place. To those folks, we’d pose the following question: What’s the difference between ransomware and PE? The answer: It’s who owns the keys. If you’ve been busily encrypting all your key data but then don’t look after the keys correctly, a shrewd attacker simply changes your keys (or prevents you from accessing them). Now who owns your data? Thinking along these lines, PE effectively performs the initial steps of a ransomware attack.
So, what’s the solution?
PE is a great concept. However, it needs careful thought and planning in order to avoid an investment in PE becoming your worst nightmare. The upshot is that for a user organization worried about the security of its data and the threat landscape that exists today, the solution lies in a combination of hardware, IBM software, and robust processes and procedures.
What organizations need to be doing, among many other things, is:
- Identifying any sensitive data that’s not encrypted when it should be
- Alerting on someone attempting to copy data from an encrypted dataset to a non-encrypted one
- Checking access controls for any encrypted data, along with access to the keys, while also performing various compliance checks, including:
- Access to data should likely only give access to the encrypted data (ideal for storage people who need to manage data but not actually read it)
- Access to the keys protecting the actual data, as this obviously needs careful monitoring 24/7
PE is a solution to some of the security challenges we have today, but it is not a silver bullet. PE needs careful planning and robust key management processes and procedures.