Credit: Connie Zhou for IBM
IBM wants businesses to use its new z14 mainframe to encrypt pretty much everything -- an approach to security it calls pervasive encryption.
Encrypting everything, and restricting access to the keys, is one way to reduce the risk and impact of data breaches. It can reduce the threat surface by 92 percent, according to research commissioned by IBM.
To make such pervasive encryption viable, the z14 has four times as much silicon devoted to cryptographic accelerators as its predecessor, the z13, giving it seven times the cryptographic performance.
That allows it to encrypt up to 12 billion transactions per day, according to IBM.
For other workloads, running under either z/OS or Linux, the z14 has 35 percent more capacity than the z13, the company said. That's possible because the z14 has three times the memory (up to 32 terabytes) and three times faster input-output than its predecessor, and a significant reduction in SAN latency when using zHyperLink.
As well as the hardware changes, the mainframe range has undergone a discrete change of name: Instead of the awkwardly capitalized z Systems, it's now called IBM Z.
The x86 systems that IBM Z is up against typically don't have the processing power to encrypt everything, all the time: They take a piecemeal approach, encrypting a password here, a credit card number there, with the result that plenty of personal information is there for the taking, if only hackers can find their way in.
In contrast, the z14 can encrypt every file -- or data set in IBM Z parlance -- and restrict who can access the keys, said Mike Jordan, distinguished engineer with IBM z Systems Security: Privileged users such as storage administrators, for example, will be able to move or copy files to do their job, but won't be able to decrypt them.
"We can eliminate those classes of users from risk if their IDs get hacked or attacked," he said.
Applications that do need to decrypt the data will run under a special user ID that can access the decryption key -- but such user IDs typically cannot be used to log in to the system, making it harder for hackers to both grab a file and decrypt it.
Even where a business is running development, test and production environments on the same machine, there is cryptographic separation between the environments, Jordan said. If hackers were to take over the test environment, say, and access its encryption keys they would still not be able to decrypt production data.
The key management system meets Federal Information Processing Standards (FIPS) Level 4 requirements, where the industry norm is only Level 2, IBM said.
Sign up for Computerworld eNewsletters.