Enterprise Mainframe Tape Encryption: What Are Your Options?

by James Yu, Dave de la Plante
July 17, 2007

The encryption of mainframe tape data is a top priority today for more than 1,500 major U.S. enterprises that rely on mainframe systems for fault-tolerant, mission-critical, transaction- intensive data processing. Most of these organizations are in the financial, healthcare, and government sectors—the same industries coping with privacy and identity theft regulations that mandate encryption of sensitive client, patient, and employee information.

With the introduction of IBM’s System z architecture, the mainframe market is generating solid growth that’s expected to continue well into the future. While new mainframe storage systems are typically FICON-attached to the host, legacy ESCON deployments continue to grow with more than 3 million ESCON channels deployed worldwide. Unlike open systems technologies that are routinely upgraded every three to five years, there’s a strong tradition in the mainframe industry where host processing systems and storage peripherals will remain in service for 10 years or more. The well-known statement, “If it ain’t broke, don’t fix it!” must surely have been the brainchild of a seasoned veteran of the mainframe age.

The greatest challenge of enterprise mainframe tape encryption is delivering strong Advanced Encryption Standard (AES) 256 encryption for legacy ESCON tape systems and simultaneously satisfying new FICON growth.

What Works and What Doesn’t

There are three types of mainframe encryption solutions available today:

• Host encryption solutions provide good coverage across multiple storage applications, but the performance impacts are significant and host CPU utilization can be expensive when dedicated to encryption operations. Storage operations can’t afford to suffer large increases in backup windows or excessive delays in restoration. Many enterprises that deployed software encryption products are looking to upgrade to hardware-based solutions that deliver the best cost/performance ratio.
• Tape drive encryption products recently introduced by IBM and Sun provide a high-performance solution for new FICON growth, but require that customers replace their existing ESCON and FICON tape systems at a significant cost. While some enterprises may choose to modernize their entire ESCON infrastructures to FICON, most wish to protect prior tape system investments.
• Native ESCON tape encryption appliances solve the problem of delivering high-performance encryption for the deployed base of legacy ESCON and bus and tag tape drives. Such appliances have multiple channel configurations, AES 256 encryption at line speeds, and hardware-based compression ratios that sometimes actually increase backup performance over non-encrypting tape backups.

A hybrid of drive-based and appliance- based hardware encryption technologies is superior to software encryption alternatives; both deliver the best price/performance for new growth and in-place tape systems.