Data encryption

Protecting sensitive company data against theft or accidental loss


Data encryption solutions overview

Data is one of the most highly valued resources in a competitive business environment. Protecting that data, controlling access to it, and verifying its authenticity while maintaining its availability are priorities in our security–conscious world. Increasing regulatory requirements are also helping to drive the need for the security of data. Encryption is a powerful and widely used technology that helps protect data from loss and inadvertent or deliberate compromise.

The IBM System Storage™ TS1120 Tape Drive and the IBM Ultrium™ 4 tape drives include data encryption capabilities within the drives. Encrypting at the storage end–point helps avoid the need for host–based encryption of data, and the concurrent drain on host performance. It may allow elimination of the use of specialized encryption appliances and the complexity of another layer of devices to manage in the SAN. Encrypting at the tape drive level can preserve the compression characteristics of tape storage, avoiding a requirement for additional cartridges. In addition, in the IBM implementation data encryption is performed without significant impact to the tape drive's native performance, meaning that batch processing windows are likely not affected. This capability is intended to provide customers with greater ability to protect information if tape cartridges are lost or stolen by enabling the storage of the data in an encrypted form with minimal impact on operational complexity.

Any encryption solution introduces new functional requirements to manage encryption keys. The application of encryption to storage disciplines may significantly increase the length of time any given encryption key needs to be retained and managed. Both of the IBM encrypting tape drives provide customers alternatives for the management of encryption keys that are designed to simplify management of those keys. IBM provides support for encryption keys to be managed by a backup application explicitly or by a key store or key management application external to the applications and systems using the tape drive for storage of data.

Both the TS1120 and LTO Gen 4 drives support application–based keystores, where a customer’s backup application is responsible for generating, retaining, and managing encryption keys and for providing them to the tape drive when needed. IBM Tivoli™ Storage Manager has been enhanced to control the encryption process, and provides functions to generate, retain, manage, and provide keys to the TS1120 or IBM Ultrium 4 tape drive.

The IBM Encryption Key Manager component for the Java™ platform provides the interface between the IBM encrypting tape drive products and external keystores. The EKM component is supported on a wide variety of environments including z/OS™, i5/OS™, AIX™, HP, Sun, Windows and Linux, and can help generate and manage encryption keys for TS1120 and IBM Ultrium 4 tape drives across the enterprise. This component interfaces to a variety of open and standards–based key repositories on supported platforms.

The TS1120 and IBM Ultrium 4 tape drives are designed to provide transparent encryption when integrated with an external key store, minimizing change at the application and OS layer. The encryption capability is supported when the TS1120 tape drive is integrated into or attached to the IBM System Storage TS3500 Tape Library, the IBM TS3400 Tape Library, the IBM Virtualization Engine TS7700, the IBM System Storage TS1120 Tape controller, the IBM TotalStorage™ 3494 Tape Library, the IBM 3592 Tape Frame Model C20 or is used in stand–alone environments. The transparent encryption capability for IBM Ultrium 4 tape drives is supported when FC or SAS capable tape drives are integrated into or attached to IBM System Storage TS3100, TS3200, TS3310 and TS3500 Tape Libraries and the transparent encryption feature is installed.

Centralized key management with z/OS

The TS1120 encryption solution benefits from IBM's decades of mainframe expertise in encryption and encryption management. The z/OS operating system has provided encryption key management for over 15 years, allowing you to generate keys, manage them based on customer policies, and recover keys when necessary. When used with z/OS, the TS1120 leverages System z's unique security and cryptographic features to provide a powerful solution for enterprise–wide encryption key storage and management. z/OS also provides information for audit compliance, as well as management and access controls.

IBM has enhanced its encryption capabilities with the IBM Encryption Facility for z/OS — a software–based product that’s designed to leverage mainframe cryptography to encrypt data that’s then written to tape drives. This host–based solution is ideal for businesses that need to exchange data with business partners who utilize non–mainframe platforms since it may not require installation of any additional or special purpose hardware to support data encryption and decryption.

With the tape subsystem–level encryption, you have the flexibility to use z/OS centralized key management to provide a long term repository for the tape–encryption keys. z/OS centralized key management is designed to offer exceptional security and availability with a single point of control and excellent disaster–recovery (D/R) capabilities. Customers can opt to store their keys for all supported servers in the z/OS system leveraging TCP/IP for the transfer of key information between servers.
