Considerations For Implementing Encryption On IBM i
February 18, 2015 Leo Salvaggio
Although it started out as a technology aimed at the financial industry, data encryption has become the standard among all industries. Think about it: health records, social media accounts, and state and local records all contain personal information. At the same time, security breaches are becoming commonplace.
According to the “2014 Cost of Data Breach Study: United States” by IBM and Ponemon Institute, the total average cost of a data breach is $5.9 million. That is a big price tag for an organization to pay for something that could have been prevented. That cost does not even take into consideration money lost from the lack of confidence from consumers after a breach. The good news is, IBM i shops have options when it comes to encryption and other security measures.
Before encryption, data was stored on rotational hard drives in the clear and could be read by anyone with access to the drive. In an encrypted scenario, the data written to disk is scrambled by an encryption algorithm, so if someone gains access to the hard drive, the data is unusable without the encryption key. This is essentially the last line of defense in protecting data.
Hardware or Software Encryption
Data encryption plays well into the greater security and data storage discussion. IBM i shops should consider a layered approach, examining the entire data storage and security infrastructure within an organization. There are two ways that data can be encrypted on a storage mechanism: with software or hardware. IBM i shops have options for both.
Software-based encryption offers flexibility in what the IBM i organization deems encryption-worthy and also allows flexibility in the method of storage. Whatever backup process is currently implemented, software encryption can be incorporated into almost any system.
On the flip side, software-based encryption can put a high performance demand on servers. Implementation of encryption software could require a server upgrade. Also, depending on which encryption service an IBM i shop implements, there could be some additional equipment fees to connect the system to the network.
Alternatively, IBM i shops may choose to incorporate encryption protection through a hardware device. This type of encryption is built into physical equipment. Typically, hardware-based encryption does not degrade the system or require a server upgrade: the encryption work is done in the device rather than on the host, so host cycles are not burned up in the encryption process as they are in a software-based scenario, and the host can dedicate its resources to the core application.
Whether choosing hardware- or software-based encryption, it is important to ensure that both data at rest and data in flight are encrypted. Data at rest is typically protected by whichever storage media your data storage solution utilizes. An example of this is a virtual tape library (VTL). If you are using a VTL as your primary backup solution, the VTL applies the encryption algorithms itself, and the keys and the encryption process are managed entirely by the virtual tape solution.
Utilizing the VTL to manage your encryption needs has several advantages. The first is secure offsite replication to a remote location. Primary copies of the data are written to the VTL, and, triggered by policy, watermark or timestamp, those volumes can be written to a remote location over your IP network. While in transit across the IP network the data is encrypted and compressed, allowing for a secure method of transmission and for compliance.
Another benefit of VTL encryption is compliance, which is native to VTL solutions: operators can export virtual tape volumes to physical tape volumes, and those physical tapes remain in an encrypted state. The VTL manages the encryption keys throughout and does not consume host cycles in the process.
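To make the at-rest and in-flight protection described above concrete, here is a small model of what a VTL does with a volume before it is written to media or replicated offsite: compress it, encrypt it under a per-volume key held by a key manager, and authenticate it so a modified or foreign volume is rejected rather than silently decrypted. This is an added example written for this article, not code from DSI, IBM or any VTL product. Everything in it is constructed: the "volume" is an in-memory byte string, the key manager is a dict, the volume id VOL0001 is made up, and the cipher is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, chosen only so the example runs on Python's standard library. Real VTLs use AES; in production use a vetted authenticated cipher such as AES-GCM from a maintained library rather than this keystream.

```python
"""Toy model of VTL volume encryption: compress, encrypt, authenticate.

Added example, not from the article. The HMAC-based keystream below is a
stand-in for the AES modes a real VTL uses, so that the example runs with
the standard library only.
"""
import hashlib
import hmac
import secrets
import zlib

NONCE_LEN = 16  # per-volume random nonce, stored with the sealed volume
TAG_LEN = 32    # HMAC-SHA256 tag length


def derive_keys(volume_key):
    """Split one per-volume key into separate encryption and MAC keys."""
    enc = hmac.new(volume_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(volume_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key, nonce, length):
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) per 32-byte block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_volume(volume_key, volume_id, plaintext):
    """Compress, encrypt and authenticate a volume; returns nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(volume_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    compressed = zlib.compress(plaintext)
    ciphertext = bytes(a ^ b for a, b in zip(compressed, keystream(enc_key, nonce, len(compressed))))
    # The volume id is bound into the tag so a tag from one volume cannot be
    # transplanted onto another volume's ciphertext.
    tag = hmac.new(mac_key, volume_id.encode() + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_volume(volume_key, volume_id, sealed):
    """Verify the tag first (rejecting tampering or a wrong key), then decrypt and decompress."""
    enc_key, mac_key = derive_keys(volume_key)
    nonce, ciphertext, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, volume_id.encode() + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, wrong volume id or modified volume")
    compressed = bytes(a ^ b for a, b in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return zlib.decompress(compressed)


def demo():
    """Walk a constructed volume through the lifecycle and report what holds at each step."""
    key_manager = {"VOL0001": secrets.token_bytes(32)}   # stands in for the VTL's key store
    volume = b"CUSTOMER,ACCOUNT,BALANCE\n" * 200          # constructed sample tape contents
    sealed = seal_volume(key_manager["VOL0001"], "VOL0001", volume)

    results = {
        # the authorised side, holding the key, gets the original bytes back
        "round_trip_ok": open_volume(key_manager["VOL0001"], "VOL0001", sealed) == volume,
        # the image that crosses the IP network is smaller than the source ...
        "compressed_on_wire": len(sealed) < len(volume),
        # ... and carries no readable plaintext
        "plaintext_visible": b"CUSTOMER" in sealed,
    }
    # a copy of the media without the key manager's key is unusable
    try:
        open_volume(secrets.token_bytes(32), "VOL0001", sealed)
        results["opens_without_key"] = True
    except ValueError:
        results["opens_without_key"] = False
    # a single flipped bit in the ciphertext is detected, not decrypted into garbage
    tampered = bytearray(sealed)
    tampered[NONCE_LEN + 4] ^= 0x01
    try:
        open_volume(key_manager["VOL0001"], "VOL0001", bytes(tampered))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

The design point worth noticing is that the key never travels with the volume: the sealed image is safe to replicate over the network or export to physical tape precisely because whoever obtains the media still needs the key manager, which is the property the text describes for VTL-managed keys.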
What Requires Encryption?
Determining what data needs to be encrypted really boils down to policies inside an organization and the value of data. PowerPoint presentations and Word documents, for example, are usually not critically important or sensitive. As a result, those should be segmented appropriately on your network. On the other hand, information that’s part of your CRM package, your accounting software, financials, customer data, and price books are typically items that should reside in an encrypted state.
In essence, figure out what data in your environment you can’t live without, what’s competitive and sensitive, what’s protected with traditional archival policies, and consider the future direction of your company. Look at those opportunity costs and make a decision from there.
Encryption should be a part of your IBM i shop’s overall storage discussion. Before making a decision, be sure to think about what kind of impact various solutions will have on your current system. Talk to a trusted storage advisor about any latency concerns and how data encryption options fit into your tiered storage infrastructure and backup solution.
Leo Salvaggio is a vice president at Dynamic Solutions International (DSI). He has more than 15 years of experience helping businesses find strategic technology solutions for their data storage and management needs. He can be reached at L.Salvaggio@DynamicSolutions.com.