Pervasive Encryption (Cryptography)

In 2017 there were a number of documented data breaches in which sensitive or confidential information was exposed to the general public. According to the findings of the 2017 Cost of Data Breach Study conducted by the Ponemon Institute, approximately 58 data records are stolen every second, at an average cost of $141 USD per record.

Encryption of data is a critical component of any comprehensive defense strategy against data breaches. Encryption of data is becoming an essential need for several compliance requirements, such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation of the European Union (GDPR).

In the past, a popular strategy was to encrypt only the data that needed to be encrypted, and only in the locations where it needed to be encrypted.

For example, client data might be encrypted only while it is being sent from one system to another, or encryption might be limited to the individual files or databases that hold financial information.

The alternative to selective encryption is pervasive encryption: all data is encrypted, both while it is stored and while it is being transferred. This includes data on physical media such as disks and tapes, data held in files and databases, and data sent across network connections.

The use of pervasive encryption is one solution that has been suggested as a method to improve compliance and data security.

Why use Pervasive Encryption?

There are several benefits to pervasive encryption. First, because every piece of data is encrypted, no critical information can be overlooked and then stored or transferred in the clear.

Another significant advantage is that compliance verification is simplified: an auditor does not have to check which data sets are encrypted, because all of them are. Finally, under selective encryption the mere fact that something is encrypted tells an attacker that it is worth stealing; when everything is encrypted, sensitive data no longer stands out.

If pervasive encryption is so good, why isn’t everyone using it?

In most cases it is because doing so is difficult or prohibitively expensive. Files, databases, physical disks and tapes, and network connections are each encrypted by a different mechanism in a different component. These mechanisms must be configured independently, and frequently in a manner that is unique to each resource.

Encryption also has a cost: reading and writing encrypted data takes more CPU time and can reduce application performance, and in some circumstances the application's source code must be modified.

As a result, most installations have not considered it necessary to encrypt everything.

In 2017, IBM announced the z14 IBM Z mainframe. As part of this announcement, IBM introduced its pervasive encryption solution, which proposed encrypting all data at rest and in flight using a combination of new and existing hardware and software features.

This solution enabled the encryption of data at the physical media, file or database, coupling facility, and network levels.

The IBM pervasive encryption solution uses existing network encryption features such as TLS (still widely referred to as SSL, although the SSL protocol versions themselves are deprecated and should not be enabled).

The IBM pervasive encryption solution uses existing encryption features of disk hardware such as the IBM DS8000. This encryption protects data if a third party gets access to the physical disk media. However, it does not protect against applications or users that can already access the files.

Many database systems, including Db2, IMS, and Oracle, provide features to encrypt individual databases, tables, and even columns. The IBM pervasive encryption solution relies on these existing database encryption features.

The IBM pervasive encryption solution uses existing encryption features of tape hardware such as the IBM TS1155 tape drive. This encryption protects data if a third party gets access to the physical tape. However, as with disk encryption, it does not protect against applications or users that can already access the files.
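The two caveats above are the reason file- or dataset-level encryption sits above media encryption in a pervasive scheme: the gate has to be the key, not the file. The following Go program is an added illustration of that model and is not IBM's code or API. It stands in a key manager with per-key-label access lists (on z/OS that role belongs to ICSF and SAF; the KeyStore type, its label names and user IDs here are constructed for the example) and shows that a user who can read the whole encrypted file, but has no right to the key label, gets nothing, while any tampering with the ciphertext or its label is detected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrNotAuthorized: the user may hold the file but may not use the key.
var ErrNotAuthorized = errors.New("user not permitted to use this key label")

// EncryptedDataset is what lands on disk or tape: AES-256-GCM ciphertext plus
// the label of the key that protects it. Anyone with file access can read all
// of this; none of it is useful without the key.
type EncryptedDataset struct {
	KeyLabel   string
	Nonce      []byte
	Ciphertext []byte // GCM authentication tag is appended by Seal
}

// KeyStore is a constructed stand-in for a key manager (ICSF/SAF on z/OS):
// keys indexed by label, and a per-label set of permitted user IDs.
type KeyStore struct {
	keys map[string][]byte          // label -> 256-bit AES key
	acl  map[string]map[string]bool // label -> permitted user IDs
}

func NewKeyStore() *KeyStore {
	return &KeyStore{keys: map[string][]byte{}, acl: map[string]map[string]bool{}}
}

// AddKey generates a random key under label and permits the listed users.
func (ks *KeyStore) AddKey(label string, users ...string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	ks.keys[label] = key
	ks.acl[label] = map[string]bool{}
	for _, u := range users {
		ks.acl[label][u] = true
	}
	return nil
}

// keyFor is the access-control step: the key label, not the file, is the gate.
func (ks *KeyStore) keyFor(user, label string) (cipher.AEAD, error) {
	key, ok := ks.keys[label]
	if !ok {
		return nil, fmt.Errorf("no key with label %q", label)
	}
	if !ks.acl[label][user] {
		return nil, ErrNotAuthorized
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the labelled key. The label is bound in as
// authenticated data, so it cannot be swapped for another label afterwards.
func Encrypt(ks *KeyStore, user, label string, plaintext []byte) (*EncryptedDataset, error) {
	aead, err := ks.keyFor(user, label)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(label))
	return &EncryptedDataset{KeyLabel: label, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt fails for a user without rights to the label even if they hold the
// whole file, and fails on any modification of the ciphertext or the label.
func Decrypt(ks *KeyStore, user string, ds *EncryptedDataset) ([]byte, error) {
	aead, err := ks.keyFor(user, ds.KeyLabel)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, ds.Nonce, ds.Ciphertext, []byte(ds.KeyLabel))
}

func main() {
	ks := NewKeyStore()
	if err := ks.AddKey("PAYROLL.2017.KEY", "payroll_batch"); err != nil {
		panic(err)
	}
	record := []byte("EMP0042,SMITH,JOHN,SALARY=85000") // constructed sample record
	ds, _ := Encrypt(ks, "payroll_batch", "PAYROLL.2017.KEY", record)
	_, err := Decrypt(ks, "storage_admin", ds) // can copy the file, cannot read it
	fmt.Println("storage_admin:", err)
	pt, _ := Decrypt(ks, "payroll_batch", ds)
	fmt.Println("payroll_batch:", string(pt))
}
```

The design point is the separation of two permissions: read access to the dataset and use access to its key label. Media encryption collapses both into "can the system read the disk"; key-label gating keeps them apart, which is what lets a storage administrator back up or migrate a dataset without ever being able to read it.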

IBM's pervasive encryption is not an entirely new offering, in that it builds on encryption features that have been available for some time. However, the z14 includes on-chip cryptographic acceleration (CPACF) that reduces the CPU overhead of encryption. This, together with other features, makes encrypting everything more viable than it was before.

Pervasive encryption aims to encrypt all data at rest. Traditionally you might think of files, databases, disks, and tapes as such at-rest data. It also aims to encrypt data in flight, in other words data on the network, and it supports the standard network encryption protocols: SSL/TLS, and IPSec.
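"Supports SSL/TLS" is only as good as the configuration behind it, and a 2017-era deployment that still calls itself "SSL" often carries an old protocol floor, disabled certificate checking, or static-RSA and RC4 cipher suites. The following Go program is an added example, not part of the original article or of IBM's solution: it puts a weak configuration beside a hardened one and includes a small audit function that reports the settings which undermine in-flight encryption. The host name and the set of "acceptable" suites are assumptions chosen for the example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// LegacyConfig carries settings typical of a deployment still thought of as
// "SSL": a TLS 1.0 floor, no peer verification, RC4 and static-RSA suites.
// Constructed here as the weak example; do not deploy it.
func LegacyConfig() *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS10,
		InsecureSkipVerify: true,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
		},
	}
}

// HardenedConfig pins TLS 1.2 as the floor, verifies the peer against
// serverName, and offers only forward-secret AEAD suites. (TLS 1.3 suites are
// not configurable in Go's crypto/tls and are always acceptable.)
func HardenedConfig(serverName string) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// AuditTLSConfig returns one finding per setting that weakens in-flight
// encryption. An empty result means the config passed every check made here.
func AuditTLSConfig(c *tls.Config) []string {
	var findings []string
	switch {
	case c.MinVersion == 0:
		findings = append(findings, "MinVersion not set: protocol floor depends on the Go runtime default")
	case c.MinVersion < tls.VersionTLS12:
		findings = append(findings, fmt.Sprintf("MinVersion 0x%04x permits TLS 1.0/1.1", c.MinVersion))
	}
	if c.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify: peer certificate not verified, channel open to an active attacker")
	}
	// Suites Go itself marks insecure (RC4, 3DES, CBC-SHA256 in current releases).
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = true
	}
	for _, id := range c.CipherSuites {
		name := tls.CipherSuiteName(id)
		switch {
		case insecure[id]:
			findings = append(findings, "insecure cipher suite enabled: "+name)
		case !strings.Contains(name, "ECDHE") &&
			!strings.HasPrefix(name, "TLS_AES_") &&
			!strings.HasPrefix(name, "TLS_CHACHA20_"):
			// Static RSA key exchange: a future key compromise decrypts past captures.
			findings = append(findings, "no forward secrecy (static key exchange): "+name)
		}
	}
	return findings
}

func main() {
	configs := map[string]*tls.Config{
		"legacy":   LegacyConfig(),
		"hardened": HardenedConfig("db.example.com"), // assumed host name
	}
	for label, cfg := range configs {
		findings := AuditTLSConfig(cfg)
		fmt.Printf("%s: %d finding(s)\n", label, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Note that the audit only inspects the local configuration; it says nothing about what the peer will negotiate, so on a real deployment pair it with a handshake check against the actual endpoint.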

IBM provides a free library to implement the IBM Common Cryptographic Architecture (CCA). This includes APIs for C and Java applications.

The Linux libica library provides APIs for programs that require cryptographic services on IBM Z. It ships with the icainfo and icastats commands, which show the available cryptographic functions and usage statistics respectively.

The open source openCryptoki library can be used to implement the PKCS #11 cryptographic standard on Linux.

A special Logical Partition (LPAR) type called a Secure Service Container (SSC) can be created on IBM Z mainframe systems. An SSC partition contains an operating system (usually Linux), middleware, and applications. One SSC cannot access any resources in another. SSCs are defined and then deployed as standalone appliances.

SSC files are encrypted for at-rest security. No direct access to the SSC (for example an operator logon or shell) is possible; access is via remote APIs only. Diagnostic data and dumps are encrypted as well.

So there are different options for encrypting data at rest and in flight. Will we use all of them? No. For example, we probably won't use both SSL/TLS and IPSec on the same connection.

So, what option should we choose?

Well, it depends. To be blunt, there is no simple solution and no easy answer as to which encryption solution is best.

It’s difficult to recommend one option or a combination. Here’s the toolbox:

  • Full Disk/Tape Encryption
  • Dataset Encryption
  • Coupling Facility Encryption
  • SPOOL Encryption
  • Database Encryption
  • Other Encryption
  • Channel Encryption
  • SSL/TLS
  • AT-TLS
  • JSSE
  • IPSec
  • SSH
  • VTAM Encryption

It’s up to us which tools to use and when. So here are some tactics for when you start looking at pervasive encryption and need to work out which of these tools to use.

First, ask yourself why you’re encrypting. For example, if you’re encrypting to satisfy a compliance requirement, you may not need coupling facility encryption to achieve this.

Next, list the encryption options you have like dataset encryption. You may also have other products or features that can be used.

Third, triage your data from most sensitive or important to least sensitive. Some of it will be very important to encrypt, some much less so.

Now, you can choose your solutions to achieve the encryption you need. You’ll probably start with data that needs encrypting the most, and move out from there.

In summary,

  • Encryption is becoming essential for data security and compliance.

  • Most encryption today is selective, encrypting only what is required and only where it is required.

  • Pervasive encryption encrypts all data, at-rest and in-flight.

  • Pervasive encryption provides added security, together with simplified compliance verification.

Support Gursimar Singh by becoming a sponsor. Any amount is appreciated!