
IBM Z for Data Protection With Pervasive Encryption for Cloud Era

Running more than twelve billion encrypted transactions/day

Highlights:

  • Pervasively encrypts data, all the time at any scale

  • Addresses global data breach epidemic; helps automate compliance for EU General Data Protection Regulation, Federal Reserve and other emerging regulations

  • Encrypts data 18x faster than compared x86 platforms, at 5% of the cost [1]

  • Announces six Cloud Blockchain data centers with IBM Z as encryption engine

  • Delivers Container Pricing for new solutions, such as instant payments


IBM Corp. unveiled IBM Z, the next generation of its transaction system, capable of running more than twelve billion encrypted transactions per day.

This system also introduces an encryption engine that, for the first time, makes it possible to pervasively encrypt data associated with any application, cloud service or database all the time.

The Z’s data encryption capabilities are designed to address the global epidemic of data breaches, a major factor in the $8 trillion cybercrime impact on the global economy by 2022. Of the more than nine billion data records lost or stolen since 2013, only 4% were encrypted, making the vast majority of such data vulnerable to organized cybercrime rings, state actors and employees misusing access to sensitive information.

In the most significant repositioning of mainframe technology in more than a decade, since the platform embraced Linux and open source software, IBM Z expands the protective cryptographic umbrella of encryption technology and key protection. The system’s cryptographic capability extends across any data, networks, external devices or entire applications, such as the company’s Cloud Blockchain Service, with no application changes and no impact on business SLAs.

“The vast majority of stolen or leaked data today is in the open and easy to use because encryption has been very difficult and expensive to do at scale,” said Ross Mauri, GM, IBM Z. “We created a data protection engine for the cloud era to have a significant and immediate impact on global data security.”

Technology breakthrough: Pervasive encryption for cloud era
A recent study found that extensive use of encryption is a top factor in reducing the business impact and cost of a data breach. To put that in context, the IBM X-Force Threat Intelligence Index reported that more than four billion records were leaked in 2016 (a 556% increase from 2015).

However, encryption is often largely absent in corporate and cloud data centers because current solutions for data encryption in x86 environments can dramatically degrade performance (and thus user experience), and can be too complex and expensive to manage. As a result, only about 2% of corporate data is encrypted today, while more than 80% of mobile device data is encrypted [1].

IBM Z pervasive encryption reflects a call to action on data protection articulated by chief information security officers and data security experts worldwide, and by more than 150 of the company’s clients around the world who participated in and provided feedback on the system’s design over three years.

As a result of this collaboration, IBM Z brings advances in cryptographic technology, building on an encryption platform that already safeguards the world’s banking, healthcare, government and retail systems.

IBM Z pervasive encryption delivers breakthroughs including:

  • Pervasive encryption of data, all the time. IBM Z makes it possible, for the first time, for organizations to pervasively encrypt data associated with an entire application, cloud service or database, in flight or at rest, with one click. The standard practice today is to encrypt small chunks of data at a time and to invest significant labor in selecting and managing individual fields. Bulk encryption at cloud scale is made possible by a 7x increase in cryptographic performance over the previous-generation z13, driven by a 4x increase in silicon dedicated to cryptographic algorithms. This is 18x faster than compared x86 systems (which today only encrypt limited slices of data) and at just 5% of the cost of compared x86-based solutions [1].

  • Tamper-responding encryption keys. A top concern for organizations is protection of encryption keys. In large organizations, attackers often target encryption keys, which are routinely exposed in memory as they are used. IBM Z can protect millions of keys (as well as the process of accessing, generating and recycling them) in tamper-responding hardware that invalidates the keys at any sign of intrusion; they can then be restored safely. The IBM Z key management system is designed to meet FIPS 140-2 Level 4, where the norm for high security in the industry is Level 2. This capability can be extended beyond the mainframe to other devices, such as storage systems and servers in the cloud. In addition, IBM Secure Service Container protects against insider threats from contractors and privileged users, provides automatic encryption of data and code in flight and at rest, and tamper resistance during installation and at runtime.

  • Encrypted APIs. z/OS Connect technologies make it easy for cloud developers to discover and call any IBM Z application or data from a cloud service, and for IBM Z developers to call any cloud service. IBM Z allows organizations to encrypt these APIs, the digital glue that links services, applications and systems, nearly 3x faster than alternatives based on compared x86 systems [2].
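The point made in the tamper-responding keys bullet above, that keys are normally exposed in memory while in use and that a hardware boundary removes them from the application's reach, is easiest to see in code. The following Go program is an added example written for this page; it is not IBM's code and does not describe how IBM Z hardware implements protected keys. It models the principle with a simulated boundary: the HSM type, GenerateWrappedKey, Encrypt, Decrypt, Tamper and Exposed are invented names; the boundary holds the master key, hands the application only wrapped data keys (AES-256-GCM from the Go standard library), and unwraps a key solely for the duration of one operation before wiping it. Tamper wipes the master key, which invalidates every wrapped blob at once, including copies an attacker already exfiltrated. The sample record is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// wrapAAD is a constructed label bound into every wrapped key blob.
const wrapAAD = "wrapped-data-key-v1"

// HSM is a simplified model of the tamper-responding key boundary: the master
// (wrapping) key exists only inside it. Hypothetical simulation, not IBM's code.
type HSM struct{ master []byte }

// NewHSM creates a boundary holding a fresh random 256-bit master key.
func NewHSM() *HSM { return &HSM{master: random(32)} }

// random returns n bytes from the CSPRNG; a failing CSPRNG is fatal.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh nonce: nonce || ciphertext || tag.
func seal(key, plaintext, ad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := random(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, ad), nil
}

// open reverses seal; a wrong key or a modified blob fails authentication.
func open(key, blob, ad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], ad)
}

// GenerateWrappedKey creates a data key inside the boundary and returns only its
// wrapped form; the clear data key is wiped before this returns.
func (h *HSM) GenerateWrappedKey() ([]byte, error) {
	dk := random(32)
	defer clear(dk)
	return seal(h.master, dk, []byte(wrapAAD))
}

// withUnwrapped unwraps a data key, runs op with it and wipes it again, so the
// clear key exists only for the duration of one operation inside the boundary.
func (h *HSM) withUnwrapped(wrapped []byte, op func([]byte) ([]byte, error)) ([]byte, error) {
	dk, err := open(h.master, wrapped, []byte(wrapAAD))
	if err != nil {
		return nil, fmt.Errorf("hsm: unwrap failed: %w", err)
	}
	defer clear(dk)
	return op(dk)
}

// Encrypt and Decrypt are all an application calls: it passes the wrapped blob, never a clear key.
func (h *HSM) Encrypt(wrapped, plaintext []byte) ([]byte, error) {
	return h.withUnwrapped(wrapped, func(dk []byte) ([]byte, error) { return seal(dk, plaintext, nil) })
}

func (h *HSM) Decrypt(wrapped, ciphertext []byte) ([]byte, error) {
	return h.withUnwrapped(wrapped, func(dk []byte) ([]byte, error) { return open(dk, ciphertext, nil) })
}

// Tamper models the tamper-responding behaviour: the master key is wiped and
// dropped, so every wrapped key is invalid at once, even blobs already stolen.
// With no master key, aes.NewCipher rejects every later operation.
func (h *HSM) Tamper() {
	clear(h.master)
	h.master = nil
}

// Exposed reports whether a memory image contains the key bytes: the check an
// attacker scanning a process dump for key material performs.
func Exposed(memory, key []byte) bool {
	return len(key) > 0 && bytes.Contains(memory, key)
}

func main() {
	h := NewHSM()
	wrapped, _ := h.GenerateWrappedKey()
	ct, _ := h.Encrypt(wrapped, []byte("acct=12345;amount=42.00")) // constructed record
	app := append(append([]byte{}, wrapped...), ct...)            // everything the app holds
	fmt.Println("master key in app memory:", Exposed(app, h.master))
	h.Tamper()
	_, err := h.Decrypt(wrapped, ct)
	fmt.Println("after tamper:", err)
}
```

In the conventional clear-key model the application holds the key itself, so Exposed returns true for any dump taken while the key is in use; in the wrapped model the application's memory holds only the blob and the ciphertext, and the master key never leaves the boundary. A software simulation cannot reproduce the hardware property the page describes, namely that the unwrapped data key never becomes readable by software at all; the example shows the design pattern (wrapped keys, unwrap-use-wipe, zeroize-on-tamper), not that guarantee.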

“The pervasive encryption that is built into, and is designed to extend beyond, the new IBM Z really makes this the first system with an all-encompassing solution to the security threats and breaches we’ve been witnessing in the past 24 months,” said Peter Rutten, analyst, servers and compute platforms group, IDC.

Designed for new data protection regulations
IBM Z also helps clients build trust with consumers and comply with new standards such as the EU’s General Data Protection Regulation (GDPR), which increases data protection requirements for organizations doing business in Europe from May 2018. GDPR requires organizations to report data breaches to the supervisory authority within 72 hours and exposes them to fines of up to 4% of annual worldwide revenue or €20 million, whichever is higher. Encryption with properly protected keys is a mitigating factor: under Article 34 it can relieve an organization of the duty to notify the affected individuals, although the 72-hour report to the regulator still applies. At the U.S. federal level, the Federal Financial Institutions Examination Council (FFIEC), which includes the five banking regulators, provides guidance on the use of encryption in the financial services industry. Singapore and Hong Kong have published similar guidance. More recently, the New York State Department of Financial Services published requirements regarding encryption in its Cybersecurity Requirements for Financial Services Companies.

IBM Z, deeply integrated with IBM Security software, automates and streamlines security and compliance processes. Where auditors would otherwise have to manually inspect and validate the security of databases, applications and systems, organizations can immediately demonstrate that data within the scope of compliance is encrypted and that the keys are secure. This can reduce the mounting complexity and cost of compliance for auditors. The system also provides an audit trail showing if and when permissioned insiders accessed data.

Creating secure blockchain service
As blockchain applications become increasingly integrated into core business processes, clients’ concerns are naturally shifting to security, encryption and resiliency. IBM Cloud, which has been evolving its compute options, now brings IBM Z into the cloud, launching initially as an encryption engine for cloud services and to run the company’s Blockchain services with the highest commercially available level of cryptographic hardware. New blockchain services in data centers in Dallas, London, Frankfurt, São Paulo, Tokyo and Toronto are secured using IBM Z cryptography technology.

“The powerful combination of IBM Z encryption and secure containers differentiates IBM Blockchain services on the cloud by supporting the trust models new blockchain networks require,” said Marie Wieck, GM, IBM Blockchain. “Enterprise clients also benefit from the ease of use making management transparent to the application and the user.”

AngelHack, in collaboration with the company, launched ‘Unchain the Frame,’ a global virtual hackathon with more than $50,000 in prizes. Developers from around the world are invited to show off their skills and creativity using technologies such as blockchain, open source applications, financial industry APIs and machine learning on IBM Z.

Predictable and transparent container pricing
The company also announced three Container Pricing models for IBM Z, providing clients with simplified software pricing that combines flexible deployment with competitive economics versus public clouds and on-premises x86 environments:

  • Microservices and applications, enabling clients to maximize the value of security-rich on-premises enterprise systems in real time. Clients can now co-locate applications to optimize quality of service, priced competitively with public cloud and on-premises platforms.

  • Application development and test with the freedom to triple capacity of all development environments on z/OS to support latest DevOps tooling and processes. Clients can triple capacity with no increase in monthly license charge.

  • Payment systems pricing based on the business metric of payments volume a bank processes, not the available capacity. This gives clients greater flexibility to innovate affordably in a competitive environment, particularly in the fast-growing Instant Payment segment.

These precedent-setting Container Pricing options are designed to give clients the predictability and transparency they require for their business. The pricing models are scalable both within and across logical partitions (LPARs) and deliver greatly enhanced metering, capping and billing capabilities. Container Pricing for IBM Z is planned to be available by year-end 2017, enabled in z/OS V2.2 and z/OS V2.3.

Transaction system for cloud era
IBM Z builds on the capabilities of a powerful transaction engine at the center of global commerce today, supporting:

  • 87% of all credit card transactions and nearly $8 trillion payments a year.

  • 29 billion ATM transactions each year, worth nearly $5 billion per day.

  • Four billion passenger flights each year.

  • More than 30 billion transactions per day – more than the number of Google searches every day.

  • 68% of the world’s production workloads at only 6% of the total IT cost.

Banks and others in the financial services industry process thousands of transactions per second to keep the world’s financial systems running. The mainframe remains critical for reliably handling high volumes of transaction data.

92 of the world’s top 100 banks rely on the company’s mainframe because of its ability to efficiently process huge volumes of transactions. To help financial services organizations compete more effectively in the cloud era, the enormous amounts of sensitive data produced by transactions can now be better protected against fraud and cybercrime, analyzed, and monetized using IBM Z, without disrupting day-to-day operations. For banks, this means encryption at the click of a button, even while applications are running, and the ability to migrate data from unencrypted to encrypted with no impact on SLAs.

IBM Z, the next generation of the company’s CMOS mainframe technology, features the fastest microprocessor in the industry, running at 5.2GHz, and a scalable system structure that delivers up to a 35% capacity increase for traditional workloads and up to a 35% capacity increase for Linux workloads compared to the previous-generation z13. The system can support:

  • More than 12 billion encrypted transactions per day on a single system.

  • The world’s largest MongoDB instance, with 2.5x faster Node.js performance than compared x86-based platforms.

  • Two million Docker Containers.

  • 1,000 concurrent NoSQL databases.

Other available capabilities announced include:

  • Three times the memory of the z13 for faster response times, greater throughput and accelerated analytics performance. With 32TB of memory, IBM Z offers one of the largest memory footprints in the industry.

  • Three times faster I/O and accelerated transaction processing compared to the z13 to drive growth in data, transaction throughput and lower response time.

  • The ability to run Java workloads 50% faster than x86 alternatives [3].

  • SAN response time with zHyperLink, delivering 10x latency reduction compared to the z13 and cutting application response time in half – enabling businesses to do much more work such as real-time analytics or interact with IoT devices and cloud applications within the same transaction, without changing a line of application code [4].

As part of this announcement, the company previewed new z/OS software that provides foundational capabilities for private cloud service delivery, enabling a transformation from an IT cost center to a value-generating service provider. When available, these capabilities will include the support of workflow extensions for Cloud Provisioning and Management for z/OS and real-time SMF analytics infrastructure support.

IBM Global Financing can help credit-qualified clients acquire IBM Z, lower their TCO and accelerate ROI. Financing offerings for the company’s mainframe solutions are available from the company and its business partners, with flexible terms and conditions that can be customized to align cost to project benefits or other client needs.


(1) Source: Pervasive Encryption: A New Paradigm for Protection, K. R. E. Lind, Chief Systems Engineer, Solitaire Interglobal Ltd., June 30, 2017.
(2) Customers running WebSphere Liberty on z14 Linux on z using clear key encryption with the AES_128_GCM cipher can get up to 2.6X improvement in throughput per core with IBM Java 8 SR5 compared to x86. Performance results based on IBM internal tests running DayTrader 3 with WebSphere Liberty 8.5.5.9 using SSL clear key and the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher. Liberty DayTrader 3 measurements were performed on a standalone dedicated LPAR on IBM z14 running SLES 12 SP1 with four IFLs configured with SMT for a total of eight hardware threads. Liberty used IBM 64-bit SDK for z/OS, Java Technology Edition, Version 8 Service Refresh 5 (Java 8 SR5). The compared x86 DayTrader 3 on Liberty measurements were performed on a standalone WebSphere Liberty 8.5.5.9 server on an Intel Xeon CPU E5-2690 v4 @ 2.60GHz, HyperThreading enabled, four cores/eight hardware threads, 97GB of memory, RHEL 7.2, and HugePages enabled. Liberty used OpenJDK 8_131. A second x86 system ran DB2 V10.1, used to persist application data. This second x86 system was an Intel Xeon CPU E7-2830 @ 2.13GHz, no HyperThreading, eight physical cores and eight logical cores, 16GB of memory, and RHEL 5.7. A third x86 system ran JMeter 2.12 to drive the DayTrader 3 workload. This third x86 system was an Intel Xeon CPU E5-2650 v2 @ 2.60GHz, HyperThreading enabled, 16 physical cores and 32 logical cores, 197GB of memory, RHEL 7 GA x86-64. All network traffic was over a 10Gb network.
(3) Customers running WebSphere Liberty on z14 Linux on z without encryption can get up to 1.6X improvement in throughput per core with IBM Java 8 SR5 compared to x86. Performance results based on IBM internal tests running DayTrader 3 with WebSphere Liberty 8.5.5.9 using SSL clear key and the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher. Liberty DayTrader 3 measurements were performed on a standalone dedicated LPAR on IBM z14 running SLES 12 SP1 with four IFLs configured with SMT for a total of eight hardware threads. Liberty used IBM 64-bit SDK for z/OS, Java Technology Edition, Version 8 Service Refresh 5 (Java 8 SR5). The compared x86 DayTrader 3 on Liberty measurements were performed on a standalone WebSphere Liberty 8.5.5.9 server on an Intel Xeon CPU E5-2690 v4 @ 2.60GHz, HyperThreading enabled, four cores/eight hardware threads, 97GB of memory, RHEL 7.2, and HugePages enabled. Liberty used OpenJDK 8_131. A second x86 system ran DB2 V10.1, used to persist application data. This second x86 system was an Intel Xeon CPU E7-2830 @ 2.13GHz, no HyperThreading, eight physical cores and eight logical cores, 16GB of memory, and RHEL 5.7. A third x86 system ran JMeter 2.12 to drive the DayTrader 3 workload. This third x86 system was an Intel Xeon CPU E5-2650 v2 @ 2.60GHz, HyperThreading enabled, 16 physical cores and 32 logical cores, 197GB of memory, RHEL 7 GA x86-64. All network traffic was over a 10Gb network.
(4) The 10x lower read latency projection was based on z14 and zHyperLink results with DS8886 and on z13 measurements that provided results for I/O interrupt and dispatching. This response time projection was based on IBM internal measurements and projections that contrasted zHyperLink Express with a similar configuration using zHPF. The measurements and projections assume that 75% or more of the workload response time is associated with read DASD I/O and that the storage system random read cache hit ratio is above 80%. The execution environment for both scenarios was a z14 with 10 CPs. The zHPF tests used FICON Express 16S+ connected to a DS8886. The zHyperLink tests were also conducted using a DS8886. The actual performance that any user will experience may vary.
