IBM Readies Data Encryption for Mainframe Tapes and Disks
by Timothy Prickett Morgan
Back in July, when IBM launched the "Danu" System z9 mainframes, it made a statement of direction indicating it would very quickly extend the native data encryption features of its mainframe environment to allow for the encryption of data stored on external tapes and disk arrays and centralized management of the security keys that lock and unlock that data. Today, IBM is talking about this functionality in a little more detail.
As you might expect, the IBM mainframe, which is known for legendary security, was an early adopter of encryption, and as such, you might think it a bit strange that data stored on disks and tapes is not already encrypted. With a wave of tape thefts and losses at major financial institutions that have affected the private information of tens of millions of customers, including Social Security and credit card numbers, mainframe shops have been hammering on Big Blue to pick up the pace and provide facilities that allow the massive amounts of data stored on mainframe systems and written out to tapes to be encrypted in such a way that customers can still share keys with their own customers and partners to unlock that data.
There are several reasons why all of that information on mainframe disks and tape has not been encrypted to date. For one thing, computers were not as ubiquitous in the world two or three decades ago and there was no such thing as a commercial Internet. Most people would not have known what to do with a mainframe tape packed with credit card numbers if you dropped it into their lap and walked away. But today, if someone steals a mainframe tape or a file from a mainframe system, it is relatively easy to extract information from the tape or disk and do something nefarious with it. The lack of encryption standards has, to a smaller extent, been somewhat problematic, and so has the fact that encrypting and decrypting data are very compute-intensive tasks, and mainframe processing power is certainly not free. In fact, mainframes are by far the most expensive data processing platforms in the world--and still worth every penny as far as the 10,000 to 20,000 mainframe shops in the world are concerned.
That legendary mainframe security is something that is 35 years in the making. You do not, as Microsoft has discovered with its Trustworthy Computing effort launched nearly four years ago to make the Windows platform more secure, create security overnight. IBM added hardware cryptography to its System/370 mainframe line in 1970, and added the Resource Access Control Facility (RACF), which provides authentication and authorization on mainframes, to the precursor of the MVS operating system in 1976. In 1991, security key management features were built into its mainframe operating systems, and intrusion-detection services were added a decade later in 2001. In 2002, the mainframe got native Public Key Infrastructure (PKI) digital certificate support and was not only able to deal with certs, but was also able to be set up as a certificate authority. IBM added integrated, dedicated cryptographic processors (CPs) to mainframe engines years ago, and for customers who wanted better price/performance, and better raw performance, on certain kinds of encryption, Big Blue has supported outboard PCI and PCI-X cryptographic coprocessors for a number of years as well--just as it does on its iSeries, pSeries, and xSeries lines. In early 2004, IBM added Multilevel Security (MLS) support to z/OS 1.5 and the mainframe version of DB2 that allowed row-level data encryption, something that government agencies required at the time.
And now, in the wake of the System z9 announcement, mainframe customers are getting a bunch of new things that extend the mainframe encryption capabilities. The new encryption offering on mainframes comprises three different pieces of software, which interact with various pieces of mainframe hardware to do encryption. Collectively, these products are known as the Encryption Facility for z/OS 1.1.
The first piece of this solution is called Encryption Services, which is an optional priced feature for z/OS that will be available on October 28. This is the piece of software that takes the no-charge Integrated Cryptographic Service Facility (ICSF) feature of z/OS, which manages encryption keys, and extends it so it can be used to encrypt and then remotely decrypt and re-encrypt data stored on mainframe tapes. The capability to remotely recover keys is necessary in disaster recovery scenarios, where information has to be unlocked at a remote site in order to fail over to a set of backup systems. And obviously, you need remote key distribution to be able to unlock archive tapes that are stored offsite as well. Mary Moore, z/OS marketing manager at IBM, says some IBM mainframe shops have over 1 million archive tapes in vaults--this is a staggering amount of data, and they are really nervous about having that data unencrypted. (It seems unlikely, however, that companies will encrypt old data archives, but they certainly want to start doing it on new archives.) Both z/OS and z/OS.e releases ranging from 1.4 to 1.7 support this feature. Any 64-bit zSeries or System z9 server can run the software. You do not need to upgrade to a System z9 to take advantage of it, but Moore says the System z9 has some performance advantages with encryption that will nonetheless make it compelling to think about upgrading. For instance, if you want hardware-assisted processing for the AES-128 and SHA-256 algorithms, you need to be on the z9. IBM had an earlier implementation of the AES-128 encryption algorithm that was implemented in software, but obviously this is something you want to do with integrated encryption hardware and/or outboard cryptographic co-processors. This software will go into beta at the end of the month, and is expected to be generally available on October 28.
The other piece of the encryption solution is called the DFSMSdss Encryption feature, with DFSMS being the integrated hierarchical storage management software for IBM mainframes--Data Facility Storage Management Subsystem--and "dss" (which is not capped because the acronym would be even more impenetrable) being the Data Set Services component that is used to move and replicate data sets from one machine to another. With the DFSMSdss Encryption feature, you can encrypt so-called dump data sets before passing them around. This software also runs on all zSeries and z9 machines running z/OS 1.4 through 1.7. The encryption feature for DFSMSdss will be available on December 2, and it costs money--although IBM will not say how much.
Not everybody who needs to decrypt and re-encrypt data that is stored on mainframe tapes has a mainframe to do the job, which is why IBM has created a Java-based program called the Encryption Facility for z/OS Client, which obviously runs on anything that supports Java. This program will be available for download off the Web for free starting on October 28.
In a related but separate security announcement, Moore says IBM has also cooked up a freebie feature for z/OS 1.7 called Application Transparent TLS, which allows companies to activate SSL encryption for their applications and for FTP file transfers without having to tweak their code or gut FTP. Up until now, if you wanted to add SSL support to a portion of your application transaction stream, you had to tweak the application. This is often not possible and never desirable for mainframe shops.
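As an added illustration (not part of IBM's announcement), the following Policy Agent fragment shows the shape of an AT-TLS rule that wraps the FTP server's control connection in TLS inside the TCP/IP stack, so the FTP code itself stays untouched. The rule, action and keyring names are constructed for the example, and the FTP.DATA settings noted in the comments are the companion configuration that tells the FTP server to rely on AT-TLS.

```text
# AT-TLS policy fragment for Policy Agent (constructed names; illustrative only)
# Selects inbound connections to the FTP control port and hands them to the
# stack's TLS layer rather than to the application.
TTLSRule                     FTPServerInbound
{
  LocalPortRange             21
  Direction                  Inbound
  TTLSGroupActionRef         TlsOnGroup
  TTLSEnvironmentActionRef   FTPServerEnv
}

# Group action: switch AT-TLS on for every rule that references it.
TTLSGroupAction              TlsOnGroup
{
  TTLSEnabled                On
}

# Environment action: act as the TLS server, using a RACF keyring that holds
# the FTP server's certificate and private key.
TTLSEnvironmentAction        FTPServerEnv
{
  HandshakeRole              Server
  TTLSKeyringParms
  {
    Keyring                  FTPSERV/FTPKeyring
  }
  TTLSEnvironmentAdvancedParms
  {
    # FTP negotiates TLS explicitly (AUTH TLS), so the application, not the
    # stack, decides when the handshake starts on the control connection.
    ApplicationControlled    On
  }
}

# Companion settings in FTP.DATA (not part of the policy file):
#   TLSMECHANISM  ATTLS
#   EXTENSIONS    AUTH_TLS
#   SECURE_FTP    REQUIRED
```

Once the policy is loaded by Policy Agent, TLS handshakes and cipher selection happen in the stack, and the same pattern can be applied to other listening ports without changing the programs behind them.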
IBM knows it has more work to do on the security front, and the company has issued a couple of statements of direction. Moore says mainframes are behind a lot of the ATM networks run by banks, and these all must have encryption keys for authentication. When the machines crash, ATM administrators often have to go out to each ATM and use a smart drive equipped with encrypted keys to reinitialize the ATMs. This is obviously a big pain in the neck, which is why IBM is working to make the zSeries a central repository for ATM keys and to allow remote distribution of trusted keys to the ATMs from the mainframe. This feature is expected to be available in 2006, and will require customers to use the Crypto Express2 co-processor and a System z9.
IBM also plans to allow the mainframe to encrypt data stored on disk arrays, and over time, Moore suggests IBM will weave encryption facilities right into tape array and disk array controllers, while allowing the mainframe to centrally manage the keys behind that encryption in their tamper-proof electronic boxes. This is a smart way to do encryption: distribute the job of encrypting to cheaper iron, but manage the keys on the mainframe. Mainframes are simply too expensive to be given the job of encrypting data for giant data sets.