IBM steps up mainframe encryption

By Beth Pariseau, News Writer 01 Nov 2005 | SearchStorage.com

News and trends in the storage industry Digg This!     StumbleUpon     Del.icio.us

However, this is a temporary measure as IBM is expected to shift encryption off the mainframe altogether next year and leave this functionality in the hands of mainframe tape library hardware.

The latest updates will allow IBM mainframe users to use up-to-date algorithms for encryption and manage and secure keys within the mainframe. It will also offer a more viable encryption acceleration capability in server hardware, as opposed to a software-based product, which IBM offered in past decades but proved too slow and expensive.

Related articles IBM refreshes mainframe storage iSeries and mainframe users get cheap disk   Use mainframes for backups   Make tape libraries work with all platforms

The new facility is still largely software-based, but the difference between this release and former attempts at mainframe encryption is that it uses an encryption processor included with zSeries servers.

"It's offloaded a lot of processing to a specific hardware device," said John Oltsik, senior analyst for information security with the Enterprise Strategy Group. "Encryption is a very processor-intensive application, so that helps. We're also a quantum leap ahead of where we were (when IBM last offered this) in terms of processing power in general."

Oltsik said it also helped IBM's case that market interest in data security has also grown leaps and bounds. "Until recently, a lot of the market just wasn't all that interested in data security and encrypting off-site media," he said. "Now there's an absolute demand to secure tape and data."

Not every user, however, is convinced. "Encryption is very processor intensive … If it's a small file, that will probably be okay, but I doubt the processor will be up to the task if you're trying to replicate a large file like a whole database. It could overrun the firmware and spill into the main CPU," said Bob Venable, manager of enterprise systems at BlueCross BlueShield Tennessee.

IBM mainframe customers must pay IBM licensing fees according to millions of instructions per second (MIS). Currently, this means server-based hardware encryption will cost them more to deploy.

"Ideally, compression/encryption would be done away from the main CPUs with hardware/firmware capable of extremely high I/O rates -- ideally at the media level," Venable said. "Our current mainframe tape drives now do compression very efficiently and relatively inexpensively -- compression and encryption need to be together in our opinion."

"Mainframe MIS are expensive," said Oltsik. "Users want to do as much as they can off of the mainframe." Moving the encryption capabilities to the tape storage system would also free up server processing power, he said.

Mary Moore, z/OS marketing manager for IBM System z9, admitted that z/OS users have been anxious for the new encryption features but "what they really value is a move of encryption capabilities to the tape storage subsystem."

According to Moore, shifting encryption to tape hardware is part of IBM's "stated direction" for its mainframe products, but she said she could not specify when this would take place. Oltsik predicted IBM could make another announcement on such a product early in 2006.

"They're on the on-ramp of this process," Oltsik cautioned. "They do have a roadmap and I think it's a good one, but it remains to be seen what they can execute."

The products released this week are the IBM Encryption Services feature and Encryption Facility for z/OS Client. The first gives IBM mainframe users the ability to use hardware-based AES-128 encryption and decryption for certain files on tapes. Encryption keys can be managed within z/OS by customers running z9-109, z900, z990, z800 or z890 systems, and z/OS versions 1.4 or above.

The file types supported within the mainframe by the Encryption Services feature include physical sequential input files, members of partitioned data sets and partitioned data set extended data sets, as well as files stored in z/OS Unix system services file systems. It can optionally compress input files before encrypting them and writing the output files. Also, it can use the large block interface for output files written to tape, to help optimize performance and media space.

IBM is also making available a Java-based downloadable application, called Encryption Facility, which allows business partners shipping encrypted z/OS tapes to decrypt and encrypt files at their end on multiple platforms.

Meanwhile, an encryption feature for data sets written to on-site archival storage through the z/OS Data Facility Storage Management Subsystem Data Set Services, or DFSMSdss, is slated to ship Dec. 2. This feature will cover files written through DFSMSdss to both tape libraries and disk archives.

Tags: Secure data storage,  Disaster recovery and planning,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Secure data storage Throwing caution to the clouds Storage encryption essentials Vendors take steps to lock down cloud storage services Encryption Special Report: Key management stumbling block to securing data What you need to know about storage encryption products Isilon targets enterprise NAS with Backup Accelerator, N+2:1 parity Storage Decisions Chicago 2009 Session Downloads Storage Decisions Session Downloads: Disaster Recovery Track (Chicago 2009) Storage Decisions Session Downloads: Data Retention & Retrieval Track (Chicago 2009) Data on the brink Disaster recovery and planning Backup in a snap: A guide to snapshot technologies Storage Decisions Chicago 2009 Session Downloads Storage Decisions Session Downloads: Disaster Recovery Track (Chicago 2009) Storage Decisions Session Downloads: Data Retention & Retrieval Track (Chicago 2009) More testing, more confidence for DR plans The under-over on DR Best storage Products of the Year 2008 Disaster recovery site options DR for virtualized servers Storage Decisions San Francisco 2008 Session Downloads

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary hard drive shredder  (SearchStorage.com) Storage as a Service (SaaS)  (SearchStorage.com) storage encryption  (SearchStorage.com) storage security  (SearchStorage.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary