System z Solution Edition for Security
The System z Solution Edition for Security accelerates, automates, and simplifies both the assessment of a client’s holistic security needs and the deployment of a comprehensive set of rich security solutions to address those security needs. The Solution Edition for Security includes System z hardware, software, maintenance and services. The following offering solutions allow the enterprise to host a variety of workloads and applications in a security-rich business environment:
- Enterprise Fraud Analysis (Linux on System z)
- Enterprise Encryption and Key Management (z/OS)
- Centralized Identity & Access Management (Linux on System z, z/OS)
- Securing Virtualization (z/VM, Linux)
- Compliance / Risk Mitigation / Secure Infrastructure (z/OS)
IBM Security zSecure suite
IBM Security zSecure suite provides cost-effective security administration, improves service by detecting threats, and reduces risk with automated audit and compliance reporting. IBM Resource Access Control Facility (RACF) is the security standard for mainframes running IBM z/OS. The suite consists of offerings that take advantage of the most recent zEnterprise and RACF enhancements. A variety of product editions help ensure that everyday administrative capabilities are available across a variety of operating environments. The IBM Security zSecure suite can help customers centralize and consolidate security administration and leverage the mainframe as their enterprise security hub.
IBM z/OS Security Enhancements
IBM z/OS has a huge breadth of security capabilities built into the base of the operating system at no extra cost. Many z/OS security functions, such as data encryption, encryption key management, digital certificates, password synchronization, and centralized authentication and auditing can be deployed as part of enterprise-wide security solutions. IBM z/OS V1.11 is the first operating system to be certified as meeting the requirements of the recently published German Common Criteria Certification Body (BSI) Operating System Protection Profile (OSPP). The operating system meets many of the industry’s toughest security standards.
Several security enhancements have been made in the latest release, z/OS V1.12. PKI services have been extended with several usability enhancements. New cryptographic capabilities have been added, such as support for new smart card formats and new standards and algorithms. Updates for IBM Tivoli Directory Server for z/OS in support of new password policy rules have been added. The z/OS Communications Server has new support for IKEv2 and Federal Information Processing Standard FIPS 140-2.
IBM Data Encryption Solutions
An important first step in taking control of information and helping to meet regulatory requirements is encrypting sensitive data. IBM now offers a comprehensive range of encryption solutions designed to meet your data protection requirements.
Storage Systems Tape Data Encryption Solution
IBM introduced the industry’s first self-encrypting enterprise tape drive, the IBM System Storage TS1120, in 2006, followed by the IBM System Storage TS1130. The IBM System Storage DS8000 with Full Disk Encryption extends this market-proven encryption model to enterprise disk systems to support the security requirements of demanding enterprise environments in a practical and cost-effective manner.
Just as each tape drive has an embedded encryption engine, each disk drive also has an embedded encryption engine, and it, too, uses IBM’s encryption key management software to manage the keys associated with the solution.
As with the encrypting tape solution, the encrypting disk solution is designed to be transparent to the operating system, applications, databases, system administrators and users, making deployment much simpler than with specialized encryption appliances.
Software Based Tape Data Encryption Solution
The Encryption Facility for z/OS is a host-based software solution designed to encrypt sensitive data before transferring it to tape for business partner exchange. The Encryption Facility for z/OS provides a highly flexible solution, since your business partners may not need to purchase new storage hardware, have a mainframe or run z/OS. To decrypt the data, they can use a no-cost, web-downloadable Java-based client designed to run in any environment that supports Java. And now, with the introduction of the Encryption Facility for z/OS, V1.2, with support for the OpenPGP standard, RFC 2440, this encryption capability is even more flexible, giving your business partners a number of options to choose from when decrypting and re-encrypting data. The Encryption Facility for z/OS is specially designed to help you protect your sensitive data during the data exchange process.
Data Encryption for IMS and DB2 Database Solution
The IBM Data Encryption for IMS and DB2 Databases provides you with a data encryption tool for both IMS and DB2 for z/OS databases in a single product. This product is designed to enable you to protect sensitive and private data for IMS at the segment level and for DB2 at the row level. IBM Data Encryption for IMS and DB2 Databases is implemented via standard IMS and DB2 exits which invoke System z cryptography hardware to encrypt data for storage and decrypt data for application use.
To provide our customers with open solutions that integrate, both the Encryption Facility for z/OS and the System Storage tape drives with encryption enabled (TS1120) are designed to leverage Centralized Key Management (provided by ICSF in z/OS) for the enterprise and provide support for a variety of system environments. To see which tape encryption solution best suits your needs, check out our comparison chart below.
As you can see from this chart, IBM's tape encryption solutions are designed to complement each other by providing capabilities to address a comprehensive range of data protection goals. And by utilizing the same key management (ICSF) in z/OS and hardware cryptography (PCIXCC, Crypto Express2) features, customers may benefit by leveraging mainframe features and functions that are both flexible and integrated.

For advanced flexibility in the exchange of encrypted data, z/OS mainframe customers can use the Encryption Facility for z/OS. If performance is paramount, the TS1120 tape encryption solution is well suited for speedy creation of encrypted archival and backup tapes. And when you're most concerned about protecting sensitive information in DB2 or IMS databases, try out the Data Encryption for IMS and DB2 Database Tool. Or use all three solutions to provide data protection that reaches across your enterprise and beyond.

