Data Protection Must Be a Business Imperative
Digital transformation and advancements in technology have opened myriad challenges for IT executives.

By John Duffy Jr.,
Levi, Ray, & Shoup, Inc.
Data protection must be a key business imperative for any organization in this new paradigm because data never sleeps. Organizations need to be constantly aware of the boundaries of their data: whether it is protected, who has access, whether that access can be controlled, and whether it is compliant with industry and government regulations. Knowing where the perimeter is, what the supply chain is, and what the lifecycle of the data is, is key to protecting it.
Systems of record data contained within the enterprise has, for the most part, always been protected. However, as systems of record data moves out of the enterprise into hybrid and multi-cloud environments, the risk of that data being exposed to unwanted entities increases. No organization wants to chance an exposure that becomes front page news or a cause for legal action.
The simple fact is organizations must assume nothing and take a proactive, zero trust approach to protecting their systems of record.
Encryption of data has offered most organizations the ability to protect sensitive data, but it is not a panacea. Storage device encryption, or data-at-rest encryption, does a very good job of protecting data when it is stored on the device but delivers the data in the clear when accessed. Software encryption offers a broader level of protection by encrypting data in-flight and at-rest but is resource intensive, costly, and limits the scope of what is encrypted. It requires organizations to conduct data classification and data segmentation exercises to conform to ever-changing regulatory requirements, which results in encrypting only what is required rather than taking a holistic approach.
IBM Z® and IBM LinuxONE™ III have two solutions for protecting all data wherever it lives. The first is Pervasive Encryption, which was introduced in the IBM z14® generation of servers. The second is Data Privacy Passports, which is available with the IBM z15® generation of servers. Think of pervasive encryption as protecting data within the enterprise and Data Privacy Passports as protecting data everywhere. These two technologies can each stand on their own, but in combination they provide a holistic shield around data protection.
Pervasive encryption is a centralized policy-based encryption technology that leverages Central Processor Assist for Cryptographic Function (CPACF), available on every IBM Z core, and Crypto Express PCI cards. In combination, these two hardware technologies deliver safer and faster encryption/decryption than software-based solutions, significantly reducing the administrative and management costs associated with encrypting data. It works seamlessly with any pre-existing encryption techniques and is transparent to applications, meaning no application changes are necessary.
Pervasive encryption prevents disruption of roles and responsibilities. Authorized users such as storage administrators and DBAs can still manage data, but the content will be encrypted. Even diagnostic memory dumps with application data sent to vendors for diagnosis will not be exposed.
Because hybrid cloud environments have opened the door for data to be moved off the systems of record, IBM Data Privacy Passports, which is available on IBM z15 and IBM LinuxONE III, provides transparent, end-to-end, data-centric protection wherever the data goes.
Data Privacy Passports transforms the raw data into a trusted data object (TDO). Metadata is packaged with the TDO to control access to the data. Access is granted through centralized policy control. The data is protected at the point of extraction and that protection is enforced at the point of consumption, allowing the data itself to become the new security perimeter.
As I mentioned earlier, data never sleeps. More and more avenues are opening all the time and increasing the risk of exposure. Data privacy is critical to you and your consumers, but it has never been more of a challenge. The key to data protection is understanding the supply chain of the data, its lifecycle, its scope or perimeter and the ability for the data to protect itself. Pervasive Encryption and Data Privacy Passports on the IBM Z and IBM LinuxONE III platform deliver on the ability to safeguard sensitive data, ease compliance and control the protection of the data wherever it resides. This is a business imperative that organizations cannot ignore.
John Duffy Jr. is the LRS IBM Z Solution Advisor. He has been involved with mainframes since 1981 (39 years) in various roles from Operations, Technical Support, Consulting and Technical Sales. Twenty-one of those years were spent with IBM.

About Levi, Ray, & Shoup, Inc.
The LRS® IT Solutions Group strives to earn the trust of our clients by helping them determine the right deployment model for their data