Encryption is a two-edged sword: It has the benefit of protecting data, but there can be a performance hit. That’s why CISOs can’t encrypt everything.
Until now, says IBM. Today it announced a new Z series of mainframes which replaces the z12/13EC (enterprise class) machines with the bold promise that it comes with the power and software to encrypt all enterprise data in flight and at rest without changes to applications or performance. And with one click, thanks to easier encryption key management.
It does it mainly through a significant boost in the power of IBM-made encryption co-processors compared to previous models, with hardware and software highly integrated. But the new z14 series also has three times the memory (32TB) and three times faster I/O and accelerated transaction processing compared to the z13.
“What we believe we are bringing to the market is not just a replacement machine with better price-performance, but truly a machine that has a revolutionary breakthrough in the area of data protection,” Marshall St. Louis, general manager of systems at IBM Canada, said in an interview. “It will be possible to protect all data all of the time for entire cloud services, applications, databases with one click.” both applied and at rest without impact to system performance.
“It will be positioned as a data protection engine for the cloud era.”
IBM says the new system comes with other big numbers, promising it can handle:
· more than 12 billion encrypted transactions per day on a single system;
· the world’s largest MongoDB instance with 2.5x faster NodeJS performance than x86-based systems;
· 2 million Docker containers;
· or 1,000 concurrent NoSQL databases.
Overall the new series has been better adapted to handle applications needing real-time analytics and workloads that require in-memory database processing, said St. Louis.
The price, of course, is that this is a mainframe solution that comes with mainframe pricing, which means a bundled system – what IBM calls Container solutions – costs at least $500,000 for a new customer, less for those upgrading. It isn’t clear when the new series will be available in Canada. Container pricing will be available by the end of the year.
However, enterprises interested in using blockchain technology in applications can leverage the power of the new Z series in one of the new IBM Blockchain Global Data Centers being built in six cities, including Toronto. Dates of the creation of these centres were not announced, nor was pricing for the use of the services.
Blockchain is a distributed database made to resist modification of records. Encryption can improve security. IBM is contributing research through the open source Hyperledger project.
While the new series can be used for many applications, IBM is pushing the cryptographic capability. St. Louis noted that the goal is to confront an “epidemic” of data breaches: Nine billion records have been stolen worldwide over the last five years, he said, and only four per cent were encrypted.
“Most data centres are very sophisticated in terms of security, with firewalls to prevent intrusions,” he said, “but intrusions are happening regardless. If it was possible to encrypt 100 per cent of their data, customers would, but the fact of the matter is it’s very hard to do, impossible in fact. So that’s leaving billions of records vulnerable to these attackers. So this is really a breakthrough we’re delivering.”
Certainly, before the announcement, experts were reluctant to recommend that large enterprises try for end-to-end encryption. In an interview before the IBM announcement, Saj Nair, national lead, cyber security and privacy, for PricewaterhouseCoopers Canada, said that the usual recommendation to such firms or government departments would be to only encrypt critical data assets, or data mandated by regulators to be protected.
“The moment you implement encryption it breaks business processes,” he pointed out. There will need to be some business process re-engineering, he said. That includes organizations adopting big data and analytics and machine learning. One answer is format-preserving encryption, he said. But, he added, “from a risk perspective you don’t need to do that (full encryption).”
IBM [NYSE: IBM] says the new hardware along with the newest version of z/OS operating system “with the requisite middleware is all what is needed to enable pervasive encryption.” There will be no need to make application changes. “By encrypting all of the data associated with an application, clients can de-couple identification and classification from the process of encryption,” the company said in a statement. “They likely will still identify / classify data, however this no longer has to be done serially. This greatly reduces the risk of mis-identification or mis-classification.”
IBM also says its z/OS Connect technologies make it easy for cloud developers to discover and call any Z application or data from a cloud service, or for IBM Z developers to call any cloud service. The new mainframe allows organizations to encrypt these APIs much faster than using x86 servers.
St. Louis agreed not all enterprise data is sensitive, but IBM believes with the new mainframe organizations don’t have to put different classes of data into different drawers, which adds infrastructure complexity. Assuming it’s economical and there is no performance hit, why not encrypt everything, he asks.