Data Privacy - The Cornerstone of Contemporary Compliance
by Joe Sturonas, Jeff Cherrington
February 1, 2010
Disk encryption seems an obvious response. If all the data on all the DASD in the data center is encrypted, then all risk would be mitigated, right? The hesitance of the market to pursue this option stems directly from the issues underlying the approach. Full disk encryption in the hardware is a necessary layer of security: it protects customers when an IBM Field Engineer (FE) removes a Redundant Array of Inexpensive Disks (RAID) 5 disk from a DS8000 series cabinet, without the need to destroy or wipe the data on the drive first. The IBM FE can leave with the drive confident that all the data on the drive itself is encrypted and not accessible by anyone once it leaves the premises. However, when the DS8000 is up and operational, all the data on those encrypted disks is accessible, protected only by the layers of security that the security server offers.
The second encryption approach is transport encryption, wherein data is protected as it leaves one point and is transmitted to a receiving point. This approach is widely accepted, offering the advantage that it can be applied naturally as a new, non-disruptive step in existing workflows. Transport encryption does require that both the sender and receiver use compatible applications and exchange encryption keys. When in place, it then provides significant mitigation of the risk of data being intercepted and used for dishonest purposes. Although transport encryption is widely used, many organizations are finding its application licensing too expensive and that it leaves gaps in data protection. These gaps occur when the data is sitting on an intermediate server waiting for transmission; when it’s written to physical media; and when it sits within the recipient’s data center, on the receiving transmission server, or on physical media.
Data-Centric Security
The third approach is encryption attached to the data itself. Data-centric encryption offers another layer of protection. This approach encrypts the data so that, whether the data remains on z/OS or moves to another platform, the data itself is protected and can be decrypted only by the authorized users or systems that hold the private keys needed to decrypt it. This provides a way to protect the data itself, without having to rely on the access control mechanisms of the various operating systems and platforms it passes through.
Data centers increasingly rely on a layered security approach because no one layer of protection is enough when it comes to information security. Given the pervasive connectivity of z/OS with TCP/IP, data-centric security provides a means for another layer of security on the platform. Even if the data you’re protecting is never intended to leave z/OS, it remains protected at rest and in motion should things change and the data needs to be shared with others.
Data-centric security doesn’t require you to rebuild all your z/OS applications to accommodate encryption; it’s typically incrementally integrated into existing online and batch environments. File-based encryption can occur by augmenting existing batch and online environments so you decrypt information needed by applications just in time, and encrypt the information when the originating applications complete. (Encryption can occur even before that time; emerging best practices look to have data protected record-by-record as it’s produced by applications or extracted from the database.) This doesn’t require any changes to existing application programs and still protects your information at rest.
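The record-by-record, just-in-time model described above, as an added example in Go that is not part of the article or of any product it mentions: each record is encrypted under its own fresh data key, and that key is wrapped to the authorized recipient's public key, so the record stays protected wherever it is stored or transmitted and decrypts only for the private-key holder. The article names no algorithms; AES-256-GCM for the record and RSA-OAEP for key wrapping are assumed here.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Record is one protected record carrying its own data key, wrapped (RSA-OAEP, assumed) to the recipient's public key.
type Record struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// NewRecipientKey generates the recipient's RSA key pair; only its private half can decrypt records.
func NewRecipientKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// must panics on error; gcmFor relies on it because AES-GCM setup cannot fail for a 32-byte key.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func gcmFor(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// ProtectRecord encrypts one record under a fresh AES-256-GCM data key and wraps that key for the recipient.
func ProtectRecord(pub *rsa.PublicKey, plaintext []byte) (*Record, error) {
	buf := make([]byte, 32+12) // fresh 256-bit data key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dataKey, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Record{wrapped, nonce, gcmFor(dataKey).Seal(nil, nonce, plaintext, nil)}, nil
}

// UnprotectRecord is the just-in-time step: only the private key unwraps the data key, and any tampering fails here.
func UnprotectRecord(priv *rsa.PrivateKey, r *Record) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, r.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return gcmFor(dataKey).Open(nil, r.Nonce, r.Ciphertext, nil)
}
```

Because each record carries its own wrapped data key, a record can be shared with additional authorized recipients by adding one wrapped copy of the data key per public key, without re-encrypting the record itself.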