Posts Tagged ‘IBM pervasive encryption’

High Cost of Ignoring Z’s Pervasive Encryption

May 17, 2018

That cost was spelled out at IBM’s Think this past spring. David Bruce, who leads IBM’s strategies for security on IBM Z and LinuxONE, writes that data breaches are expensive, costing $3.6 million on average. And hoping to avoid one by doing business as usual is a bad bet. Bruce reports breaches are increasingly likely: an organization has a 28 percent chance of being breached in the next 24 months. You can find Bruce’s comments on security and pervasive encryption here.

9 million data records were compromised in 2015

Were any of those 9 million records from your organization? Did you end up on the front page of the newspaper? To stay out of the data breach headlines, organizations require security solutions that protect enterprise and customer data at minimal cost and effort, Bruce observes.

Encryption is the preferred solution, but it is costly, cumbersome, labor-intensive, and hit-or-miss. It is hit-or-miss because the overhead involved forces organizations to choose what to encrypt and what to skip. You have to painstakingly classify the data in terms of risk, which takes time and only adds to the costs. Outside of critical revenue transactions or key intellectual property (the no-brainers), you will invariably choose wrong and miss something you will regret when it shows up on the front page of the New York Times.

Adding to the cost is the compliance runaround. Auditors are scheduled to visit or maybe they aren’t even scheduled and just drop in; you now have to drop whatever your staff was hoping to do and gather the necessary documentation to prove your data is safe and secure.  Do you really need this? Life is too short as it is.

You really want to put an end to the entire security compliance runaround and all the headaches it entails. But more than that, you want protected, secure data; all data, all the time. When someone from a ransomware operation calls asking for hundreds or thousands of dollars to get your data back, you can laugh and hang up the phone. That’s what Bruce means when he talks about pervasive encryption. All your data is safely encrypted, with its keys protected, from the moment it is created until the moment it is destroyed by you. And you don’t have to lift a finger; the Z does it all.

That embarrassing news item about a data breach; it won’t happen to you either. Most importantly of all, customers will never see it and get upset.

In fact, at Think, Forrester discussed today’s customer-obsessed approach that leading organizations are adopting to spur growth. To obsess over customers, explained Bruce, means to take great care in protecting the customer’s sensitive data, which provides the cornerstone of a customer-obsessed Forrester zero trust security framework. The framework includes, among other security elements, encryption of all data across the enterprise. By enabling the Z’s built-in pervasive encryption and automatic key protection, you can ignore the rest of Forrester’s framework.

Pervasive encryption, unique to Z, addresses the security challenges while helping you thrive in this age of the customer. At Think, Michael Jordan, IBM Distinguished Engineer for IBM Z Security, detailed how pervasive encryption represents a paradigm shift in security, reported Bruce. Previously, selective field-level encryption was the only feasible way to secure data, but it was time-, cost-, and resource-intensive – and it left large portions of data unsecured.

Pervasive encryption, however, offers a solution capable of encrypting data in bulk, making it possible and practical to encrypt all data associated with an application, database, and cloud service – whether on premises or in the cloud, at-rest or in-flight. This approach also simplifies compliance by eliminating the need to demonstrate compliance at the field level. Multiple layers of encryption – from disk and tape up through applications – provide the strongest possible defense against security breaches. The high levels of security enabled by pervasive encryption help you promote customer confidence by protecting their data and privacy.

If you have a Z and have not enabled pervasive encryption, you are putting your customers and your organization at risk. I am curious; please drop me a note telling me why.

DancingDinosaur is Alan Radding, a veteran information technology analyst, writer, and ghost-writer. Please follow DancingDinosaur on Twitter, @mainframeblog. See more of his IT writing at technologywriter.com and here.

IBM Introduces Skinny Z Systems

April 13, 2018

Early this week IBM unveiled two miniaturized mainframe models, dubbed skinny mainframes, which it said are easier to deploy in a public or private cloud facility than their more traditional, much bulkier predecessors. Relying on all their design tricks, IBM engineers managed to pack each machine into a standard 19-inch rack with space to spare, which can be used for additional components.

Z14 LinuxONE Rockhopper II, 19-inch rack

The first new mainframe introduced this week, also in a 19-inch rack, is the Z14 model ZR1. You can expect subsequent models to increment the model numbering.  The second new machine is the LinuxONE Rockhopper II, also in a 19-inch rack.

In the past, about a year after IBM introduced a new mainframe, say the z10, it introduced what it called a Business Class (BC) version. The BC machines were less richly configured and less expandable, but delivered comparable performance with lower capacity and a distinctly lower price.

In a Q&A analyst session IBM insisted the new machines would be priced noticeably lower, as were the BC-class machines of the past. These are not comparable to the old BC machines. Instead, they are intended to attract a new group of users who face new challenges. As such, they come cloud-ready. The 19-inch industry standard, single-frame design is intended for easy placement into existing cloud data centers alongside other components and private cloud environments.

The company, said Ross Mauri, General Manager IBM Z, is targeting the new machines toward clients seeking robust security with pervasive encryption, cloud capabilities and powerful analytics through machine learning. Not only, he continued, does this increase security and capability in on-premises and hybrid cloud environments for clients, IBM will also deploy the new systems in IBM public cloud data centers as the company focuses on enhancing security and performance for increasingly intensive data loads.

In terms of security, the new machines will be hard to beat. IBM reports the new machines capable of processing over 850 million fully encrypted transactions a day on a single system. Along the same lines, the new mainframes do not require special space, cooling or energy. They do, however, still provide IBM’s pervasive encryption and Secure Service Container technology, which secures data serving at a massive scale.

Ross continued: The new IBM Z and IBM LinuxONE offerings also bring significant increases in capacity, performance, memory and cache across nearly all aspects of the system. A complete system redesign delivers this capacity growth in 40 percent less space and is standardized to be deployed in any data center. The z14 ZR1 can be the foundation for an IBM Cloud Private solution, creating a data-center-in-a-box by co-locating storage, networking and other elements in the same physical frame as the mainframe server.  This is where you can utilize that extra space, which was included in the 19-inch rack.

The LinuxONE Rockhopper II can also accommodate a Docker-certified infrastructure for Docker EE with integrated management and scale tested up to 330,000 Docker containers, allowing developers to build high-performance applications and embrace a micro-services architecture.

The 19-inch rack, however, comes with tradeoffs, notes Timothy Green writing in The Motley Fool. Yes, it takes up 40% less floor space than the full-size Z14, but accommodates only 30 processor cores, far below the 170 cores supported by a full-size Z14, which fills a 24-inch rack. Both new systems can handle around 850 million fully encrypted transactions per day, a fraction of the Z14’s full capacity. But not every company needs the full performance and capacity of the traditional mainframe. For companies that don’t need the full power of a Z14 mainframe, notes Green, or that have previously balked at the high price or massive footprint of full mainframe systems, these smaller mainframes may be just what it takes to bring them to the Z. Now IBM needs to come through with the advantageous pricing they insisted they would offer.

The new skinny mainframes are just the latest in IBM’s continuing efforts to keep the mainframe relevant. It began over a decade ago with porting Linux to the mainframe. It continued with Hadoop, blockchain, and containers. Machine learning and deep learning are coming right along. The only question for DancingDinosaur is when IBM engineers will figure out how to put quantum computing on the Z and squeeze it into customers’ public or private cloud environments.

DancingDinosaur is Alan Radding, a veteran information technology analyst, writer, and ghost-writer. Follow DancingDinosaur on Twitter, @mainframeblog. See more of his work at technologywriter.com and here.

Illusive Networks’ Mainframe Guard to Deter Cyber Attacks

October 18, 2017

At a time when IBM promised that automatic pervasive encryption on the new Z would spell an end to worries about security, an Israeli company stepped forward this week to insist that the z14, or just Z, can’t do the entire job. Pervasive encryption can be undermined by Advanced Persistent Threats (APT), which co-opt legit users as they access protected data. Illusive Networks introduced its security tool, Mainframe Guard, earlier this week at Sibos in Toronto.

Mainframe Guard enables admins to take action against advanced, targeted cyberattacks by detecting and disrupting movement toward critical business assets early in the attack cycle. Illusive deploys sophisticated and confusing honeypots to distract, misguide, and trap an attacker before he or she can touch the data. In short, the security staff can identify and intervene while the attacker is still moving toward the data. With the new Z and pervasive security, of course, that data will already be encrypted and the keys safely stored out of reach.

IBM Breach Cost Estimator

At a time when organizations of all types and in every market segment are under attack from hackers, ransomware, data breaches, and more, all data center managers should welcome any data protection tools that work. Yet 96% don’t even bother to encrypt: too costly, too cumbersome, too complicated. As DancingDinosaur noted at the Z launch, the list of excuses is endless. Of the 9 billion records breached since 2013 only 4% were encrypted! And you already know why: encryption is tedious, impacts staff, slows system performance, costs money, and more.

Such attitudes, especially at a mainframe shop, invite serious breaches. While IBM’s latest mainframe automatically encrypts all transaction data, the vast majority of systems expose significant vulnerabilities.

Making the situation even worse, the need to secure against innovations such as mobile applications, cloud-based services, and smart devices presents new challenges. “Organizations are sometimes reluctant to upgrade legacy applications and databases on these enterprise servers, particularly in today’s always-on economy. But unless you address every link in the end-to-end process, you haven’t secured it,” noted Andrew Howard, CTO at Kudelski Security, which cites experience remediating mainframe systems in the wake of cyber breaches.

Even older mainframe shops—pre pervasive encryption—can have effective security. Consider adding Mainframe Guard, which requires you to actively follow the threats and initiate defensive actions.

So how might an attacker today get around the Z’s pervasive encryption? The attack typically starts with lurking and watching as legitimate users gain access to the system. The attacker will then impersonate a legit user. Illusive, however, lures the attacker to locations where the attacker may think he or she has found a trove of intelligence gold. “Remember, the attacker doesn’t know which machine he has landed on,” said Ofer Israeli, CEO of Illusive Networks. Unless the attacker brings inside information, he is blind inside the network. From there, Illusive constantly baits the attacker with deceptive information, which the attacker will have to dodge correctly to avoid giving away the attack.

Leveraging Illusive’s deceptive approach, Mainframe Guard works by detecting malicious movement toward the mainframe and providing a non-intrusive method of protecting the systems, the data they host, and the services they support. The solution is comprised of:

  • A family of deceptions for mainframe environments
  • The ability to display mainframe assets along with other sensitive assets in the Illusive Attacker View portion of the management console, which enables security personnel to see potential attack paths toward the mainframe and track the proximity and progress of attackers toward these assets
  • Purpose-built views of the mainframe environment monitor unexpected connections to mainframe servers
  • An interactive layer added to the Illusive Trap Server mimics mainframe behavior and login screens, tricking attackers into believing they are interacting with an actual mainframe system.

When everything is encrypted and the keys, APIs, and more are safeguarded with the Z’s pervasive encryption on top of Illusive’s deceptions, maybe you can finally begin to relax, at least until the next level of attacks starts to emerge.

BTW, DancingDinosaur will be away for 2 weeks. Given IBM’s just-released Q3 results, you can hear IBM’s relief even before I’m gone. Expect some celebrating around the Z; nothing like a new machine to boost revenues. Look for DancingDinosaur the week of Nov. 6.

DancingDinosaur is Alan Radding, a veteran information technology analyst, writer, and ghost-writer. Please follow DancingDinosaur on Twitter, @mainframeblog. See more of his IT writing at technologywriter.com and here.

