The encryption of mainframe tape data is a top priority today for more than 1,500 major U.S. enterprises that rely on mainframe systems for fault-tolerant, mission-critical, transaction-intensive data processing. Most of these organizations are in the financial, healthcare, and government sectors—the same industries coping with privacy and identity theft regulations that mandate encryption of sensitive client, patient, and employee information.
With the introduction of IBM’s System z architecture, the mainframe market is generating solid growth that’s expected to continue well into the future. While new mainframe storage systems are typically FICON-attached to the host, legacy ESCON deployments continue to grow with more than 3 million ESCON channels deployed worldwide. Unlike open systems technologies that are routinely upgraded every three to five years, there’s a strong tradition in the mainframe industry where host processing systems and storage peripherals will remain in service for 10 years or more. The well-known statement, “If it ain’t broke, don’t fix it!” must surely have been the brainchild of a seasoned veteran of the mainframe age.
The greatest challenge of enterprise mainframe tape encryption is delivering strong Advanced Encryption Standard (AES) 256 encryption for legacy ESCON tape systems and simultaneously satisfying new FICON growth.
What Works and What Doesn’t
There are three types of mainframe encryption solutions available today:
- Host encryption solutions provide good coverage across multiple storage applications, but the performance impacts are significant and host CPU utilization can be expensive when dedicated to encryption operations. Storage operations can’t afford to suffer large increases in backup windows or excessive delays in restoration. Many enterprises that deployed software encryption products are looking to upgrade to hardware-based solutions that deliver the best cost/performance ratio.
- Tape drive encryption products recently introduced by IBM and Sun provide a high-performance solution for new FICON growth, but require that customers replace their existing ESCON and FICON tape systems at a significant cost. While some enterprises may choose to modernize their entire ESCON infrastructures to FICON, most wish to protect prior tape system investments.
- Native ESCON tape encryption appliances solve the problem of delivering high-performance encryption for the deployed base of legacy ESCON and bus and tag tape drives. Such appliances have multiple channel configurations, AES 256 encryption at line speeds, and hardware-based compression ratios that sometimes actually increase backup performance over non-encrypting tape backups.
A hybrid of drive-based and appliance-based hardware encryption technologies is superior to software encryption alternatives; both deliver the best price/performance for new growth and in-place tape systems.
Why Key Management Matters
The other half of the encryption solution is the key management practice, which is the combination of the system, people, and operations required to create, maintain, and control encryption keys. Enterprises routinely use mainframe tapes to share information with third parties and business partners. Unique security approaches are required to generate, distribute, and protect encryption keys associated with each of the disaster recovery and information sharing functions.
The choice of key management system is a critical one. The security of the key management system itself, in the form of access control and logging, is an important consideration. Access control determines who or what may use which keys. By limiting access to keys, the organization also limits its exposure to security risks. An effective key management system should have role-based access control so that no single user holds rights to all keys.
The key management system should log every event in a secure audit log. Only audit users should have access to this log; the system shouldn’t allow log alteration or deletion. Log files should be archived using encryption, authentication, and a digital signature.
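As an added illustration of the access-control and audit-log requirements described above (example code written for this page, not from the article or from any vendor's product), the following Python model enforces per-role permissions on key operations and records every attempt, allowed or denied, in an append-only log whose entries are chained with an HMAC so that editing or deleting an entry is detectable. The class names, roles, users and key ids are assumptions. Archiving the log with encryption and a digital signature, as the text recommends, would require a cryptographic library and is not shown here; the HMAC chain covers only the integrity and authentication part.

```python
import hashlib
import hmac
import json
import os

# Constructed example: a small key-management model with role-based access
# control and a tamper-evident audit log. All names here are assumptions for
# illustration, not any real product's API.

# Role -> permitted operations. No single role can both use keys and read or
# manage the audit trail, which separates key users from auditors.
ROLE_PERMISSIONS = {
    "backup-operator": {"use_key"},
    "key-custodian": {"create_key"},
    "auditor": {"read_log"},
}


class AuditLog:
    """Append-only log. Each entry's MAC covers the entry and the previous
    entry's MAC, so altering or removing an entry breaks the chain."""

    def __init__(self, log_mac_key: bytes):
        self._mac_key = log_mac_key
        self._entries = []  # list of (record_dict, mac_hex)

    def _mac(self, record: dict, prev_mac: str) -> str:
        payload = json.dumps(record, sort_keys=True).encode() + prev_mac.encode()
        return hmac.new(self._mac_key, payload, hashlib.sha256).hexdigest()

    def append(self, record: dict) -> str:
        prev_mac = self._entries[-1][1] if self._entries else ""
        mac = self._mac(record, prev_mac)
        self._entries.append((record, mac))
        return mac

    def entries(self) -> list:
        # Returns the live record objects; the demo below mutates one of them
        # to simulate an in-place edit of the log file.
        return [record for record, _ in self._entries]

    def verify(self) -> bool:
        prev_mac = ""
        for record, mac in self._entries:
            if not hmac.compare_digest(self._mac(record, prev_mac), mac):
                return False
            prev_mac = mac
        return True


class KeyVault:
    """Holds tape encryption keys and gates every operation through RBAC,
    logging the decision before the operation proceeds."""

    def __init__(self, log: AuditLog):
        self._keys = {}  # key_id -> 32-byte key
        self._log = log
        self._seq = 0

    def _authorize(self, user: str, role: str, op: str, key_id: str) -> bool:
        allowed = op in ROLE_PERMISSIONS.get(role, set())
        self._seq += 1
        self._log.append({"seq": self._seq, "user": user, "role": role,
                          "op": op, "key_id": key_id,
                          "result": "allow" if allowed else "deny"})
        return allowed

    def create_key(self, user: str, role: str, key_id: str) -> None:
        if not self._authorize(user, role, "create_key", key_id):
            raise PermissionError(f"{user} ({role}) may not create keys")
        self._keys[key_id] = os.urandom(32)  # AES-256-sized key material

    def use_key(self, user: str, role: str, key_id: str) -> bytes:
        if not self._authorize(user, role, "use_key", key_id):
            raise PermissionError(f"{user} ({role}) may not use key {key_id}")
        return self._keys[key_id]


def demo() -> dict:
    """Runs a constructed scenario and returns the observable results."""
    log = AuditLog(log_mac_key=os.urandom(32))  # MAC key held by the audit function, not by key users
    vault = KeyVault(log)
    vault.create_key("carol", "key-custodian", "tape-2024-q1")
    key = vault.use_key("bob", "backup-operator", "tape-2024-q1")
    denied = []
    for user, role, op in [("bob", "backup-operator", "create_key"),
                           ("alice", "auditor", "use_key")]:
        try:
            getattr(vault, op)(user, role, "tape-2024-q1")
        except PermissionError:
            denied.append((user, op))
    intact_before = log.verify()
    # Simulate someone editing the log to hide a denied attempt.
    log.entries()[2]["result"] = "allow"
    intact_after = log.verify()
    return {"key_len": len(key), "denied": denied, "log_len": len(log.entries()),
            "intact_before": intact_before, "intact_after": intact_after}


if __name__ == "__main__":
    print(demo())
```

The point of logging inside `_authorize` rather than after a successful operation is that denied attempts are the entries an auditor most wants to see; the chained MAC then makes it evident if any of those entries is later changed or dropped.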