What role for Pervasive Encryption?

Today many companies are working hard on IT security to build an infrastructure that is genuinely secure, avoids exposures and data breaches, and complies with standards and regulations such as the GDPR. Encryption is an increasingly used technique that satisfies some aspects of compliance and makes an important contribution to security.

Until now, the main obstacles to the spread of encryption have been:

- resource cost (CPU time and elapsed time for every encrypt and decrypt)

- application impacts (code changes and re-testing)

- difficult key management

Now, in today's IT scenarios, do you really need encryption? If yes, the second question is: when do you need to use encryption? And again: where do you need to apply encryption?

In September 2017 IBM released the new mainframe z14 with more encryption capabilities, but probably the most important news was the introduction of the Pervasive Encryption concept. Pervasive Encryption is a strong philosophy that tells us how to protect all data in use, in motion and at rest while reducing costs. Thanks to the new hardware capabilities of the CPACF (CP Assist for Cryptographic Functions), which encrypts and decrypts faster than on previous servers, and to the performance improvements in the Crypto Express6S cards, Pervasive Encryption can be seriously considered: its deployment reduces complexity without any application changes to business processes. In other words, encryption can now be applied in a completely transparent way. With z/OS 2.3 the operating system itself applies encryption at data origin (data set allocation), during data processing and during data transmission (data on the network).

Data can be encrypted at origin

Data can be encrypted at origin because in the allocation phase the ACS routines can filter the requests and assign a DFSMS data class that carries a key label; DFSMS then calls the ICSF encryption services to encrypt the data. Two other ways to supply the key label exist: a key label in the DFP segment of the RACF data set profile, and the key-label parameter on the JCL allocation. In every case the key label names an AES-256 key held in the ICSF CKDS, and RACF decides who may use that key through the CSFKEYS class: a user who is allowed to open the data set but has no access to its key label gets an open failure, which is precisely the separation you want between storage administrators and data owners.

When more than one source supplies a key label, the order of precedence is as follows:

  • RACF data set profile, DFP segment (DATAKEY)
  • JCL (DD DSKEYLBL), dynamic allocation, TSO ALLOCATE command, IDCAMS DEFINE
  • SMS data class assigned by the ACS routine
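The precedence above is easy to get wrong when a job's JCL names one key label and the RACF profile another. The following is an added example, not IBM code: a small model of the key-label selection for a new data set, with simplified RACF generic matching, the ICSF key-label syntax check, the extended-format requirement, and the z/OS 2.3 rule that a JCL- or data-class-supplied label needs READ access to STGADMIN.SMS.ALLOW.DATASET.ENCRYPT in the FACILITY class (not needed when the label comes from the DFP segment). The profiles, requests and the behaviour of `best_matching_profile` are constructed for illustration; real RACF specificity rules are richer than the literal-character count used here.

```python
"""
Added example (not IBM code): a model of how z/OS data set encryption picks
the key label for a new data set, in the precedence order given above:
RACF DFP segment, then JCL/dynamic allocation/IDCAMS, then the SMS data class.
Profiles, requests and the FACILITY check are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICSF key label syntax: 1-64 characters from A-Z, 0-9, #, $, @ and period,
# first character alphabetic or national (#, $, @).
KEY_LABEL_RE = re.compile(r"^[A-Z#$@][A-Z0-9#$@.]{0,63}$")

# FACILITY resource whose READ access z/OS 2.3 requires when the key label
# comes from JCL/dynamic allocation/IDCAMS or the data class.
ENCRYPT_FACILITY = "STGADMIN.SMS.ALLOW.DATASET.ENCRYPT"


@dataclass
class RacfDsProfile:
    name: str                       # RACF generic profile, e.g. 'PROD.CUST.**'
    datakey: Optional[str] = None   # DFP segment DATAKEY(key-label), None if absent


@dataclass
class AllocRequest:
    dsname: str
    extended_format: bool                      # DSNTYPE=EXTREQ or via data class
    jcl_dskeylbl: Optional[str] = None         # DD DSKEYLBL= (also TSO ALLOCATE, IDCAMS)
    dataclass_keylabel: Optional[str] = None   # key label in the data class chosen by ACS


def profile_regex(profile: str) -> "re.Pattern":
    """Simplified RACF generic matching: '**' spans qualifiers, '*' stays
    inside one qualifier and '%' is a single character."""
    parts = []
    i = 0
    while i < len(profile):
        if profile.startswith("**", i):
            parts.append(".*")
            i += 2
        elif profile[i] == "*":
            parts.append("[^.]*")
            i += 1
        elif profile[i] == "%":
            parts.append("[^.]")
            i += 1
        else:
            parts.append(re.escape(profile[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def best_matching_profile(dsname: str, profiles: List[RacfDsProfile]) -> Optional[RacfDsProfile]:
    """Most specific match wins; specificity is approximated by the literal-character count."""
    matches = [p for p in profiles if profile_regex(p.name).match(dsname)]
    if not matches:
        return None
    return max(matches, key=lambda p: sum(c not in "*%" for c in p.name))


def resolve_key_label(req: AllocRequest, profiles: List[RacfDsProfile],
                      facility_read: bool) -> Tuple[Optional[str], str]:
    """Return (key label, source) for the allocation, or (None, 'clear') when
    no label applies. Raises when the request cannot be honoured."""
    profile = best_matching_profile(req.dsname, profiles)
    if profile is not None and profile.datakey:
        label, source = profile.datakey, "RACF-DFP"
    elif req.jcl_dskeylbl:
        label, source = req.jcl_dskeylbl, "JCL"
    elif req.dataclass_keylabel:
        label, source = req.dataclass_keylabel, "SMS-DATACLAS"
    else:
        return None, "clear"

    if not KEY_LABEL_RE.match(label):
        raise ValueError(f"{req.dsname}: invalid ICSF key label {label!r}")
    if not req.extended_format:
        raise ValueError(f"{req.dsname}: encrypted data sets must be extended format")
    if source != "RACF-DFP" and not facility_read:
        raise PermissionError(f"{req.dsname}: READ to {ENCRYPT_FACILITY} needed for a {source} key label")
    return label, source


# Constructed sample policy: customer data gets its key from the DFP segment,
# everything else under PROD has no DATAKEY.
PROFILES = [
    RacfDsProfile("PROD.**"),
    RacfDsProfile("PROD.CUST.**", datakey="DATASET.PROD.CUST.KEY01"),
]


def demo() -> List[Tuple[str, str]]:
    """Run the constructed requests and return (dsname, key-label source) for each."""
    requests = [
        # DFP segment wins even though the JCL also names a label
        AllocRequest("PROD.CUST.MASTER", True, jcl_dskeylbl="DATASET.JOB.KEY99"),
        # no DATAKEY covers this name, so the JCL label is used
        AllocRequest("PROD.BATCH.WORK", True, jcl_dskeylbl="DATASET.PROD.BATCH.KEY02"),
        # only the data class supplies a label
        AllocRequest("PROD.BATCH.LOG", True, dataclass_keylabel="DATASET.PROD.DFLT.KEY03"),
        # nothing supplies a label: allocated in the clear
        AllocRequest("TEST.SCRATCH", True),
    ]
    return [(r.dsname, resolve_key_label(r, PROFILES, facility_read=True)[1]) for r in requests]


if __name__ == "__main__":
    for dsname, source in demo():
        print(f"{dsname:<20} key label source: {source}")
```

The first request is the case to remember: the job asked for DATASET.JOB.KEY99, but the DFP segment on PROD.CUST.** decides, so the data owner's policy cannot be overridden from JCL. The last request shows the other side of the same coin: a data set no rule covers is allocated in the clear and nobody is warned, which is why data discovery and classification still matter.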

Data can be encrypted in the Coupling Facility

Today, customer data that flows through the Coupling Facility (CF) and the CF link infrastructure is exposed because it is not encrypted, and customer data stored in CF structures is likewise unprotected and could be the target of an attack. With Pervasive Encryption you can protect data flowing over the coupling links and at rest in the CF with end-to-end host-based encryption: individual CF structures can be designated as encrypted in the CFRM policy, and their data is then encrypted with no middleware or application changes.

Critical data can be discovered during transmission

With z/OS Encryption Readiness Technology (zERT) the TCP/IP stack becomes a central collection point and repository for the cryptographic protection attributes of all TCP connections, whether they are protected by TLS, SSL, SSH or IPsec, or unprotected. zERT discovers and reports (the attributes are written to SMF type 119 subtype 11 records); it does not itself encrypt anything. There are two methods for discovering the security sessions and their attributes:

  • Stream observation (for TLS, SSL and SSH) – the TCP/IP stack observes the protocol handshakes as they flow over the TCP connection
  • Advice of the cryptographic protocol provider (System SSL, OpenSSH, TCP/IP’s IPsec support) 

zERT helps you answer questions such as:

  • which traffic is being protected (and which is not)
  • how that traffic is being protected
  • which security protocol and which version are in use
  • which cryptographic algorithms are in use, including key lengths

…and so on
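Collecting the attributes is only the first step; the value comes from turning them into findings. The following is an added example, not IBM code or any zERT output format: a triage of a constructed connection inventory carrying the attributes zERT reports (protocol, version, cipher, key length) into the three classes a security team would act on, unprotected connections, deprecated protocol versions and weak ciphers or short keys. The record layout, the field names and the sample connections are assumptions for illustration and do not reproduce the SMF 119 subtype 11 format.

```python
"""
Added example (not IBM code): triage of the per-connection protection
attributes that zERT collects into findings. The record layout and the
sample connections below are constructed and do not reproduce the SMF 119
subtype 11 format.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ZertConnection:
    local_port: int
    remote_ip: str
    protocol: Optional[str]    # 'TLS', 'SSL', 'SSH', 'IPSEC', or None when unprotected
    version: Optional[str]     # e.g. 'TLSv1.2', 'SSLv3', 'SSH-2'
    cipher: Optional[str]      # negotiated symmetric cipher, e.g. 'AES-GCM', 'RC4'
    key_bits: int = 0          # symmetric key length; 0 when unknown or unprotected


DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "SSH-1"}
WEAK_CIPHERS = {"NULL", "RC4", "DES", "3DES", "EXPORT"}
MIN_SYMMETRIC_BITS = 128


def assess(conn: ZertConnection) -> List[str]:
    """Return the findings for one connection; an empty list means nothing to fix."""
    if conn.protocol is None:
        return ["UNPROTECTED"]
    findings = []
    if conn.version in DEPRECATED_VERSIONS:
        findings.append(f"DEPRECATED_PROTOCOL:{conn.version}")
    if conn.cipher in WEAK_CIPHERS:
        findings.append(f"WEAK_CIPHER:{conn.cipher}")
    if 0 < conn.key_bits < MIN_SYMMETRIC_BITS:
        findings.append(f"SHORT_KEY:{conn.key_bits}")
    return findings


def triage(conns: List[ZertConnection]) -> Dict[str, List[str]]:
    """Map 'localport<-remote' to its findings; clean connections are omitted."""
    report: Dict[str, List[str]] = {}
    for c in conns:
        findings = assess(c)
        if findings:
            report[f"{c.local_port}<-{c.remote_ip}"] = findings
    return report


def summary(report: Dict[str, List[str]]) -> Dict[str, int]:
    """Count findings by class, e.g. {'UNPROTECTED': 1, 'WEAK_CIPHER': 2}."""
    counts: Dict[str, int] = {}
    for findings in report.values():
        for f in findings:
            kind = f.split(":", 1)[0]
            counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample inventory: two well-protected connections, a legacy TLS
# listener, a clear-text TN3270 session and an SSLv3 server.
SAMPLE = [
    ZertConnection(443, "10.1.1.20", "TLS", "TLSv1.2", "AES-GCM", 256),
    ZertConnection(22, "10.1.1.21", "SSH", "SSH-2", "AES-CTR", 256),
    ZertConnection(1414, "10.1.2.5", "TLS", "TLSv1.0", "3DES", 112),
    ZertConnection(23, "10.1.3.9", None, None, None),
    ZertConnection(8443, "10.1.4.2", "SSL", "SSLv3", "RC4", 128),
]


def demo() -> Dict[str, List[str]]:
    return triage(SAMPLE)


if __name__ == "__main__":
    report = demo()
    for key, findings in report.items():
        print(f"{key:<18} {', '.join(findings)}")
    print("summary:", summary(report))
```

The thresholds are deliberately simple (protocol version and cipher name sets, a 128-bit floor for symmetric keys) so that they can be aligned with your own data protection policy; the point is that the clear-text port 23 session and the SSLv3 listener surface immediately, which is exactly the "which traffic is not protected" question zERT is there to answer.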

Now we can say: "We have all the software and hardware solutions ready to deploy encryption in our IT environment." Of course, but... what kind of approach best suits your specific environment? The first point to consider is the security level already implemented in the infrastructure. You have to check and analyse your data protection policy, but probably the right mixture of solutions will give the best result. Let's look at two examples with some considerations useful for implementation planning.

An ideal case: a well-structured and controlled environment assumes that the people in the security team (maybe the SOC team) are focused on specific areas, supported by a well-designed security process that respects segregation of duties (SoD) and by systematic audit procedures and policy enforcement, which together ensure security, integrity and stability. In such an environment data discovery and classification add a great deal of value to security. Data protection can be satisfied easily, because user identification, user access and user behaviour are monitored, critical and sensitive resources are covered by controlled policies, applications are designed under security directives, devices and sources are managed against possible exposures, and so on. Here encryption can improve the security level without concern about its cost, because it need not be extensive: in this scenario encryption can be "selective", applied to specific data types during specific processes. The "data set encryption" function included in z/OS 2.3, with the hardware provided by the z14, is then a perfect solution that covers different types of data (from extended-format sequential data sets up to VSAM and databases) with little added cost and effort. Obviously we are working in a very efficient security environment!

A common case: what happens if you have a very dynamic infrastructure with frequent changes, not ready for granular control? Then the risk of a data breach is very high, the fear of being vulnerable is real and the constraint of staying compliant can become a stressful concern. What can you do? Well, Pervasive Encryption is ready to help. Applying total encryption puts you in a much safer position, also with respect to the GDPR: if the breached data were rendered unintelligible by encryption and the keys were not compromised, Article 34 removes the obligation to communicate the breach to the affected data subjects (the Article 33 notification to the supervisory authority within 72 hours still applies unless the breach is unlikely to result in a risk to those individuals). In any case you can be confident that captured data cannot be misused, provided the keys stayed under your control: data set encryption protects the data on disk and on the way to it, not data read by an application or user that is authorized to use the key, so key-label access control and key management remain part of the job. Is it sufficient? Obviously not, but it is a very good starting point. So which innovative role can Pervasive Encryption play? It can be applied in very different modes, for different purposes, in many different mainframe environments, without impact on business processes. This is the real added value: an easy and transparent solution that supports security everywhere, whatever the security gap.

I think it's worth trying!

Luigi Perrone