Mainframe Security | Encryption

There are several mainframe encryption methods; the key is to use the method that best fits your organization’s needs. Truly secure data can be achieved through encryption and an organization-wide security and protection plan.

It’s hard to argue that anything is more important than data protection and data security on the mainframe and at data centers. Mainframe encryption helps achieve the data security that’s demanded from stakeholders, auditors, compliance regulations and most importantly, customers.

These mainframe security articles are the latest from around the internet involving a variety of important data security and encryption topics. Some are quite technical while others offer more of a broad overview of subjects like tokenization, data privacy and cryptography.

Every organization should have a data security plan in place and most will include encryption software. Organizations that use a mainframe must find mainframe encryption software that keeps their data secure. Depending on the method of encryption desired, there are several solutions available, one of which being the topic of the first article below, E-Business Server.


SDS E-Business Server® Research Report

E-Business Server is an extremely powerful z/OS mainframe encryption tool that’s utilized by many of the largest organizations in the world. In 2013, SDS took over development, support and distribution for this product; since then, SDS has been systematically upgrading the algorithms, features and overall security of this encryption solution. Besides IBM z/OS and z/OS-USS, E-Business Server offers encryption for five more platforms: Microsoft® Windows®, Solaris, IBM AIX®, HP-UX® and both Linux Red Hat® and Linux SUSE®.

E-Business Server utilizes OpenPGP encryption and decryption, compression, creation and authentication of digital signatures and more. This white paper describes this offering in detail and does an excellent job highlighting its benefits. It’s really a worthwhile read whether you’re looking for an encryption tool or just want to learn about encryption basics.

SDS E-Business Server Research Report by Clabby Analytics


Sensitive Data: Knowing What to Protect and How Best to Protect It

In order to fully secure all the sensitive data under your control, you must know where it is. That’s me being Captain Obvious, but it seems to be a real problem. In this article, Mr. Schrager says, “Securing all your sensitive data is an overwhelming concept for many data center managers, security officers and privacy officers. To a great extent, they would prefer to ignore it. Decades of migrated data have been swept under the rug; this mountain of data sets represents the dirty little secret nobody wants to address. The fact is, most security staffs can’t tell you where all the sensitive data resides, which means they just can’t protect data they can’t locate and categorize.” Now that the problem has been established, it should be examined and fixed, hopefully. This article is an excellent resource for that and will get you started on the right path.

Sensitive Data: Knowing What to Protect and How Best to Protect It by Barry Schrager


To Passphrase or Not to Passphrase?

The question of whether to passphrase or not to passphrase is explored here. The easy answer, according to Mr. Boyd, is not to use the passphrase utility. Using passphrase will make things easier, but it’s not the best for your organization’s encryption and overall security. “While the passphrase utility is a great way to get your hardware initialized, it doesn’t provide sufficient security for those master keys… Be sure to include things such as the number of master key officers, who they are, and how they will generate their random numbers.”

To Passphrase or Not to Passphrase? by Greg Boyd


LINUX for System Z Crypto Breaks New Ground

If you’re looking for new cryptographic functions to use on applications deployed on Linux on System z, this mainframe encryption article has quite a few. There’s also new functionality for applications that depend on either secure key or protected key cryptographic solutions.

*This is an extension to “The New Frontier for Cryptography on Linux on System z”; there’s much more related information there.

LINUX for System Z Crypto Breaks New Ground by Peter Spera


The New Frontier for Cryptography on Linux on System z

Protecting data at rest, in transit and in use will always be one of the most important tasks related to mainframe security. If you’re running Linux on System z, this should be a great study to help with cryptography. “The IBM CEX3C Common Cryptographic Architecture (CCA) Support Program for Linux on System z 4.0.0 (the CCA host library) works with a CryptoExpress2 (CEX2C) or CryptoExpress3 (CEX3C) PCI card configured as a co-processor to provide applications with the secure cryptographic algorithms needed to meet the most rigorous end-to-end enterprise solutions.”

The New Frontier for Cryptography on Linux on System z by Peter Spera


Implementing Cryptographic Keys

In this mainframe encryption article, a step by step process is given for securing your root account (and other user names) to prevent password-guessing attacks from accessing your server. By implementing cryptographic keys for the SSH root login, it will be nearly impossible for someone to guess their way into your server. The most air-tight solution is to simply disallow root SSH logins, but that’s hardly convenient. If you still want to be able to use the root account, follow the steps included and do it securely.

Implementing Cryptographic Keys by Don Crawley


Data Lockdown

This article focuses on securing data at all levels- not just securing access to the server. A bit of theory is offered into what a competent data security plan should look like and the layers that are needed to achieve this: network layer, server layer, operating-environment layer, data-protection layer. Also, the preventative measures included in the security options for DB2 9 for z/OS are listed. Some steps that should be part of any suitable mainframe encryption and data security plan are incorporated as well.

Data Lockdown by Jim Pickel


Demystifying Data Security

The focus here is on data security and different ways to manage it. This is a more conceptual study on mainframe encryption as a whole and also considers the importance of going beyond encryption to achieve blanketed security. A more cost-effective way to achieve data security, rather than fixing every possible weakness in existing legacy applications, is through adding layers of security. Both this and the risk-management model to manage data security are explored.

Demystifying Data Security by Ulf Mattsson


It’s Time to Renew Your Commitment to Data Protection

This article provides an excellent framework for creating a rock-solid, comprehensive data protection program on the mainframe and beyond. To have an airtight data protection program, there must be certain “building blocks” in place. This would consist of an information-centric focus, a GRC framework, an understanding of data protection objectives and a data governance program. Here, all of this is defined and an overall scope of what it takes to keep all your organization’s data secure is explored.

It’s Time to Renew Your Commitment to Data Protection by David Hill


Tokenization: A New Approach to Enterprise Data Security

Tokenization provides an extra layer of defense to organizations well beyond what strong mainframe encryption can attain. Certain requirements, such as an encryption key manager, token server and central data vault, are needed for tokenization. For enterprise-level organizations looking to keep all the data in their hands completely secure, these extra precautions are well worth the cost. This mainframe encryption article presents quite a thorough look at what tokenization is and some interesting case studies showing it at work.

Tokenization: A New Approach to Enterprise Data Security by Gary Palgon


Data Privacy – The Cornerstone of Contemporary Compliance

Security has always been a concern for mainframes and data centers. However, mainly because of how the data is held within the mainframe and the “pervasive connectedness,” thanks to the internet and LANs, it’s difficult to fully secure data on the mainframe. The importance of data security has risen and a solid security policy regulating data must be in place. Data-centric security offers the best chance to keep data secure while doing it responsibly (from many perspectives) and is the main focus here.

Data Privacy – The Cornerstone of Contemporary Compliance by Joe Sturonas & Jeff Cherrington