IBM has upgraded System Z — the giant mainframe that until now looked like Darth Vader’s refrigerator — to be able to run more than 12 billion encrypted transactions per day and encrypt all data associated with any application, cloud service or database all the time.
The mainframe now meets new data security and privacy requirements. This matters to banks because the need to encrypt data is increasing.
Banks have had to hash personally identifiable customer information, such as address, date of birth and Social Security number, since 2003, when states began rolling out consumer data protection laws as a result of some high-profile breaches. But recently there have been calls to go further.
The New York State Department of Financial Services’ latest cybersecurity rules say that starting next year, banks will have to encrypt all nonpublic data in transit and at rest. Nonpublic data is almost everything, lawyers say.
“I think this is going to be quite a challenge,” said Steve Durbin, managing director of the Information Security Forum. “I don’t think this should be underestimated at all. Encryption of data in transit and at rest requires you to identify all that data, and to look at where it’s going.”
U.S. federal regulators are also eyeing it, but have been more vague. “Management should implement the type and level of encryption commensurate with the sensitivity of the information,” the Federal Financial Institutions Examination Council’s cybersecurity guidance says. Europe’s General Data Protection Rule, which affects every bank that has a European client, will require organizations to report data breaches within 72 hours or face fines of up to 4% of annual revenues unless the organization can demonstrate that data was encrypted and the keys were protected.
And a lack of encryption has been making cybercriminals’ jobs easier. The IBM X-Force Threat Intelligence Index found that more than 4 billion records were stolen in 2016, a 500% increase from 2015, and only 4% of that data was encrypted.
“As cyberdefenses aren’t proving to be as strong as people would hope they would be, the fact that clients are not encrypting data allows that data to be used quickly by the crooks,” said Ross Mauri, general manager for Z Systems.
Mauri said IBM worked with chief information security officers at 150 clients on this new version of its mainframe, which the company said is owned by thousands of companies around the world, including 92 of the top 100 banks, and is purchased at a rate of five to 10 per quarter. It costs anywhere from $500,000 to $3 million, depending on how it’s configured, he said.
The clients who guided the design focused on encryption, knowing they have to advance from the selective encryption many perform today — just hashing Social Security numbers, for instance — to high-volume encryption of data in storage and while moving.
This takes a lot of horsepower.
“We’ve amped up the cryptography throughput and speed because what we couldn’t do was take a client system, like a credit card system clearing thousands of transactions a second, and slow it down, which would have happened in the old days, because it does take time to encrypt and decrypt,” Mauri said. “By adding hardware and changing some of the software stack, we were able to make it so this is transparent to the clients’ service level agreements and won’t impact them.”
Clients don’t have to make any changes to their applications or operations; they just click a few boxes to turn on encryption for an entire database, he said. The system’s encryption meets industry standards. It also has tracking built in so an auditor can automate the process of making sure data is encrypted.
Stephen O’Grady, industry analyst at RedMonk, sees IBM’s new offering as on point.
“Security is a top-level concern for enterprises today, so the ability to ensure that data is encrypted at rest and in transit without additional effort will be attractive,” he said.
Charles King, president and principal analyst of Pund-IT, also saw the value in IBM’s focus on security.
“Pervasive encryption which can provide blanket security across all of the data residing on a z14 system without impacting overall system performance is quite unlike anything offered by any other vendor,” he said.
Of course, encryption only prevents those who don’t have the right credentials from reading the data. Hackers who have stolen, guessed or brute-forced a privileged user’s name and password can read what they want.
To prevent such break-ins, System Z also supports multifactor authentication. This starts with a fob and a password, but other types of authentication, such as iris scans, can be added. IBM also offers secure services containers, which Mauri calls “the ultimate lockdown.” These are being used to secure IBM’s blockchain cloud service.
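The limit described above, and the multifactor mitigation, as an added Go example (not IBM’s code and not from the article): records are sealed at rest with AES-256-GCM, an access path gated by a password alone hands the plaintext to anyone who presents that password, and a second path also requires an RFC 6238 time-based one-time code, so a stolen password by itself no longer unlocks the record. The data key, the account, the record and the TOTP seed (the RFC 6238 test-vector seed) are all constructed for the demo and are assumptions, not values from the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Constructed data-at-rest key. In a real deployment this lives in a key
// manager or HSM, never beside the data it protects.
var dataKey = sha256.Sum256([]byte("constructed-demo-key-do-not-reuse"))

// Encrypt seals a record with AES-256-GCM; the random nonce is prepended.
func Encrypt(key [32]byte, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens a record sealed by Encrypt; tampering makes Open fail.
func Decrypt(key [32]byte, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// TOTP implements RFC 6238 with HMAC-SHA1 and 30-second time steps.
func TOTP(secret []byte, unixTime int64, digits int) string {
	counter := make([]byte, 8)
	binary.BigEndian.PutUint64(counter, uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter)
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation (RFC 4226)
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Account is a privileged user as the store sees it. The password is stored
// in the clear only to keep the demo short; a real system stores a salted hash.
type Account struct {
	Password   string
	TOTPSecret []byte
}

// ReadPasswordOnly models the gap the article points out: the record is
// encrypted at rest, but whoever presents the privileged password is handed
// the plaintext, however that password was obtained.
func ReadPasswordOnly(acct Account, password string, sealed []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(acct.Password), []byte(password)) != 1 {
		return nil, errors.New("authentication failed")
	}
	return Decrypt(dataKey, sealed)
}

// ReadWithMFA additionally demands the current one-time code from a second
// factor; the password alone no longer unlocks the record.
func ReadWithMFA(acct Account, password, code string, now int64, sealed []byte) ([]byte, error) {
	pwOK := subtle.ConstantTimeCompare([]byte(acct.Password), []byte(password)) == 1
	want := TOTP(acct.TOTPSecret, now, 6)
	codeOK := subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1
	if !pwOK || !codeOK {
		return nil, errors.New("authentication failed")
	}
	return Decrypt(dataKey, sealed)
}

func main() {
	// Constructed account and record; the seed is the RFC 6238 SHA-1 test seed.
	acct := Account{Password: "hunter2", TOTPSecret: []byte("12345678901234567890")}
	sealed, _ := Encrypt(dataKey, []byte("SSN=000-00-0000;DOB=1970-01-01"))
	_, err := ReadPasswordOnly(acct, "hunter2", sealed)
	fmt.Println("password only, holder of stolen password reads record:", err == nil)
	_, err = ReadWithMFA(acct, "hunter2", "000000", 59, sealed)
	fmt.Println("password plus MFA, no valid token, reads record:", err == nil)
}
```

The point of the two access paths is that the ciphertext and the key are identical in both; only the gate in front of the decrypt call changes, which is why encryption at rest on its own does nothing against a compromised privileged login.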
Some in the computing world say that the days of the mainframe are numbered and that the future is in distributed computing.
But not IBM. “The people that say the mainframe should go away are uninformed,” Mauri said. He pointed out that IBM’s cloud services run on mainframes.
“As clouds continue to develop, they’re becoming much more specialized,” he said. For instance, he pointed to accelerators for running artificial intelligence. “The mainframe has an important place in the public cloud for IBM and an important place in the private and hybrid clouds of our clients.”
King said “the vast majority of IBM mainframe customers continue to add to and update their Z infrastructures on a regular basis to the tune of billions of dollars in annual IBM revenues.” They don't do so because they're a captive audience, he said, but because IBM diligently updates and upgrades the mainframe.
O’Grady agreed that the death of the mainframe has been grossly exaggerated.
“While people have been calling for the mainframe's demise for years, requirements today are more diverse than ever and customers are suggesting that for substantial segments of their workloads, the mainframe remains an efficient platform,” he said.