IBM Takes A Byte Out Of Crime With New Mainframe Encryption Tech

Big Blue’s latest response to the constant threat of data breaches is a feature called pervasive encryption.

When buyers get their hands on IBM’s newest line of mainframes this year, they’ll get access to a new anti-data-breach feature the company calls “pervasive encryption.”

The new technology lets companies that rely on the high-powered machines for jobs like processing credit card transactions and airline reservations encrypt every file and database entry stored on the systems, so that only specifically authorized users can read the decrypted data. The aim is that even if data is stolen from the disks of one of IBM’s new z14 series mainframes, the thieves, lacking the decryption keys, still can’t read it.

“It became clear that one of the biggest problems out there in the industry today was cybercrime,” says Mike Desens, vice president for IBM zSystems, as the current lines of mainframes are known. “Every corporation and every industry around the globe is dealing with this today.”

While mainframes may seem like relics, the high-powered servers designed for speed and reliability are still used to process huge volumes of banking transactions and insurance and payroll computations around the world. The machines and many of the programs running on them have gradually evolved over decades, but the companies who use them are aware of the modern dangers that data breaches pose to themselves and their customers. (That’s especially true after Equifax’s announcement last week of a massive data breach potentially affecting 143 million consumers. The revelation led to a quick drop in Equifax’s stock price and to a number of lawsuits filed against the credit reporting agency.)

Big companies are also keenly in tune with the growing requirements of data protection laws like Europe’s pending General Data Protection Regulation. Many of those rules don’t require that customers be notified if stolen data is securely encrypted, says Mikhail Sosonkin, director of research and development at the security firm Synack.

“If there’s a breach, you have to say to all the people involved in the breach, ‘Hey, we lost your data,'” he says. “If it’s encrypted, you don’t have to do that.”

But while there’s little dispute that keeping data encrypted whenever possible boosts security, introducing encryption into already complex systems can be difficult and expensive.

“The mathematical algorithms to do encryption at scale are significant, and they take a lot of processing power, which then translates into time and money,” says Caleb Barlow, vice president for security at IBM.

And while full-disk encryption has become commonplace on personal machines like laptops and smartphones, those devices usually rely on a single password to unlock the contents of the entire machine. That model doesn’t extend well to mainframes, which can have hundreds of users, each entitled to access certain pieces of data but not others. An accountant at an insurance company might need access to general financial information around claims, but not to personal information about the people who filed them, for example.

That’s why the z14 will include specialized hardware to encrypt and decrypt data and to hold the keys, granting particular user accounts access only to the pieces of data they’re entitled to. Individual developers won’t have to build complicated permissions and encryption code into their own software, since they’ll be able to rely on the tested, system-level support, according to Angel Diaz, IBM vice president for developer technology and advocacy.

“All of a sudden, now with this function, you can say, ‘I want all of the data to be encrypted,’ and you won’t have a performance hit,” he says. “And you don’t have to worry about writing that code.”

Because the keys are held by specialized cryptographic processors rather than by ordinary software, they should never be exposed to a hacker, a rogue piece of software, or even a rogue technician.

“If for some reason you physically get access to the machine and you touch that cryptographic processor and you try to break the system, it tosses the keys and the entire mainframe turns into a brick,” Barlow says.

Even administrators who can access many files on a machine won’t necessarily be able to decrypt them: backups and restores operate on the data in its encrypted form, so those jobs never need to decode the contents.
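The design the last few paragraphs describe, per-dataset keys that live inside a cryptographic processor, a key-access policy that is separate from file permissions, and backup jobs that only ever handle ciphertext, can be sketched in code. The following is an added illustrative model written for this article, not IBM’s code or API: the `KeyStore` type, its methods, the role names and the dataset label `CLAIMS.PII` are all hypothetical, and AES-256-GCM key wrapping from Go’s standard library stands in for whatever the z14 hardware does internally, which the article does not detail.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrNotAuthorized = errors.New("principal may not use this dataset's key")

// Principal is a user or batch job; Role is what the key policy is written against.
type Principal struct{ Name, Role string }

// WrappedKey is the only form a data key takes outside the KeyStore: the key
// sealed under the master key, with the dataset label bound as associated data.
type WrappedKey struct{ Label string; Nonce, Blob []byte }

// Dataset is what sits on disk and what a backup copies. Each record is
// nonce || AES-GCM ciphertext; nothing here is readable without the KeyStore.
type Dataset struct{ Key WrappedKey; Records [][]byte }

// KeyStore stands in for the crypto coprocessor (a hypothetical API, not IBM's).
// The master key is never returned, and data keys are unwrapped only inside
// Encrypt and Decrypt, so callers never hold a clear key.
type KeyStore struct {
	master cipher.AEAD
	policy map[string]bool // "label/role" -> allowed to use that dataset's key
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy source; there is nothing safe to fall back to
	}
	return b
}

func NewKeyStore() (*KeyStore, error) {
	master, err := newAEAD(randomBytes(32))
	return &KeyStore{master: master, policy: map[string]bool{}}, err
}

// Grant lets role use the key of dataset label; who may read the ciphertext
// itself is a separate question answered by ordinary file permissions.
func (ks *KeyStore) Grant(label, role string) { ks.policy[label+"/"+role] = true }

// NewDataKey creates a fresh 256-bit key for label and returns it only wrapped.
func (ks *KeyStore) NewDataKey(label string) WrappedKey {
	nonce := randomBytes(ks.master.NonceSize())
	return WrappedKey{label, nonce, ks.master.Seal(nil, nonce, randomBytes(32), []byte(label))}
}

// unwrap enforces policy, then recovers the data key for internal use only.
func (ks *KeyStore) unwrap(p Principal, wk WrappedKey) (cipher.AEAD, error) {
	if !ks.policy[wk.Label+"/"+p.Role] {
		return nil, fmt.Errorf("%w: %s (%s) on %q", ErrNotAuthorized, p.Name, p.Role, wk.Label)
	}
	dk, err := ks.master.Open(nil, wk.Nonce, wk.Blob, []byte(wk.Label))
	if err != nil { // wrong master key, corrupted blob, or a re-labelled key
		return nil, fmt.Errorf("wrapped key for %q failed authentication: %w", wk.Label, err)
	}
	return newAEAD(dk)
}

// Encrypt seals one record under the dataset key on behalf of p.
func (ks *KeyStore) Encrypt(p Principal, wk WrappedKey, plaintext []byte) ([]byte, error) {
	aead, err := ks.unwrap(p, wk)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, []byte(wk.Label)), nil
}

// Decrypt opens one record; it fails on policy, on a tampered key, or on tampered data.
func (ks *KeyStore) Decrypt(p Principal, wk WrappedKey, record []byte) ([]byte, error) {
	aead, err := ks.unwrap(p, wk)
	if err != nil {
		return nil, err
	}
	if ns := aead.NonceSize(); len(record) >= ns {
		return aead.Open(nil, record[:ns], record[ns:], []byte(wk.Label))
	}
	return nil, errors.New("record too short")
}

// Backup copies a dataset without touching the KeyStore: the backup job needs
// no key grant because it only ever handles ciphertext and a wrapped key.
func Backup(ds Dataset) Dataset {
	return Dataset{Key: ds.Key, Records: append([][]byte(nil), ds.Records...)}
}
```

Usage follows the article’s insurance example: grant the `claims-app` role the key for `CLAIMS.PII`, have that application encrypt a record, let a principal with the `backup` role run `Backup` on the dataset, and then observe that the backup operator’s `Decrypt` fails with `ErrNotAuthorized` while the application’s `Decrypt` on the restored copy succeeds. Binding the dataset label as associated data means a wrapped key copied onto a more permissively granted dataset name also fails to unwrap, which is the kind of check a practitioner would want before trusting the policy layer.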

The new encryption system may help reduce some of the data breaches that regularly plague consumers, but it won’t prevent all such hacks. While credit card transactions often run through mainframe systems, for instance, plenty of card numbers are stolen elsewhere in the payment chain, including through hacked point-of-sale terminals or e-commerce platforms. And though IBM emphasizes that keys found to be compromised can be quickly revoked, sophisticated attackers could still phish or otherwise steal credentials that let them unlock encrypted data before anyone catches on.

“At some point the data has to be decrypted, and at some point you have to work on this data,” says Sosonkin.

Pervasive encryption has spurred interest in upgrading to the new mainframes among existing IBM customers, says Jeff Shoup, mainframe product leader at IT services company Ensono.

“I think the z14 announcement has been pretty positively received, especially in the area of that encryption,” he says. “We’re getting questions about how much would it cost to upgrade the hardware to take advantage of it.”

That could be good news for Big Blue, where the mainframe line is said to still account for a sizable share of revenues and profits. The systems don’t just run legacy software—”50% of the IBM Z business is actually running Linux and open source workloads,” Barlow says—and IBM has emphasized how the machines can be cost competitive with other cloud and data center alternatives for modern-day tasks.

But observers generally say the company hasn’t made as much progress wooing startups to choose its tools over cloud services from companies like Amazon, Google, and Microsoft. “If someone is forming a brand-new company, and needing a computer to run their business, they’re probably not thinking of creating a brand new z/OS instance from scratch,” says Shoup, referring to the modern mainframe operating system.

Still, for existing enterprises concerned about security and privacy, the new encryption system may bring a sigh of relief.

“IBM has a little bit of an expensive solution, but it’s great,” says Monica Eaton-Cardone, cofounder and COO of the payment security risk management provider Chargebacks911. “It is fantastic news for large-scale banking, health care, government, and a lot of the enterprise systems.”

About the author

Steven Melendez is an independent journalist living in New Orleans.