IBM z/OS Security Enhancements

IBM z/OS has a huge breadth of security capabilities built into the base of the operating system at no extra cost. Many z/OS security functions, such as data encryption, encryption key management, digital certificates, password synchronization, and centralized authentication and auditing, can be deployed as part of enterprise-wide security solutions. IBM z/OS, System z PR/SM and now RACF have all been evaluated under Common Criteria (an ISO/IEC 15048 standard). z/OS V1.12 was evaluated at EAL 4+, PR/SM was evaluated at EAL 5+, and RACF at EAL 5, meeting some of the industry's toughest security standards. For more details about protection profile testing see Security targets are also published on the (DE) website.

Several security enhancements have been made in the latest releases.
In z/OS V1.13, PKI Services support was added for DB2 9 for z/OS and later to store objects and certificates, enabling enterprise-class scale and resilient certificate management. In z/OS V1.12, PKI Services were extended with several usability enhancements. New cryptographic capabilities have been added, such as support for new smart card formats and new standards and algorithms. Updates for IBM Tivoli Directory Server for z/OS in support of new password policy rules have been added. The z/OS Communications Server has new support for IKEv2 and Federal Information Processing Standard FIPS 140-2.

RACF now supports hardware-generated Elliptic Curve Cryptography (ECC) secure keys, for the extra advantage of Elliptic Curve security.

IBM Security zSecure suite

IBM Security zSecure suite provides cost-effective security administration, improves service by detecting threats, and reduces risk with automated audit and compliance reporting. IBM Resource Access Control Facility (RACF) is the security standard for mainframes running IBM z/OS. The suite consists of offerings that take advantage of the most recent zEnterprise and IBM Resource Access Control Facility (RACF) enhancements. A variety of product editions help ensure that everyday administrative capabilities are available across a variety of operating environments. The IBM Security zSecure suite can help customers centralize and consolidate security administration and leverage the mainframe as their enterprise security hub.

IBM Data Encryption Solutions

An important first step in taking control of information and helping to meet regulatory requirements is encrypting sensitive data. IBM now offers a comprehensive range of encryption solutions designed to meet your data protection requirements.

  • Storage Systems Tape Data Encryption Solution

    IBM introduced the industry’s first self-encrypting enterprise tape drive, the IBM System Storage TS1120, in 2006, followed by the IBM System Storage TS1130. The IBM System Storage DS8000 with Full Disk Encryption extends this market-proven encryption model to enterprise disk systems to support the security requirements of demanding enterprise environments in a practical and cost-effective manner.

    Just as each tape drive has an embedded encryption engine, each disk drive also has an embedded encryption engine, and it, too, uses IBM’s encryption key management software to manage the keys associated with the solution.

    As with the encrypting tape solution, the encrypting disk solution is designed to be transparent to the operating system, applications, databases, system administrators and users, making deployment much simpler than with specialized encryption appliances.

  • Software Based Tape Data Encryption Solution

    The Encryption Facility for z/OS is a host-based software solution designed to encrypt sensitive data before transferring it to tape for business partner exchange. The Encryption Facility for z/OS provides a highly flexible solution, since your business partners may not need to purchase new storage hardware, have a mainframe or run z/OS. To decrypt the data, they can use a no-cost, web-downloadable Java-based client designed to run in any environment that supports Java. With the introduction of the Encryption Facility for z/OS V1.2, which supports the OpenPGP standard (RFC 2440), this encryption capability is even more flexible, giving your business partners a number of options to choose from when decrypting and re-encrypting data. The Encryption Facility for z/OS is specially designed to help you protect your sensitive data during the data exchange process.

  • Data Encryption for IMS and DB2 Database Solution

    The IBM Data Encryption for IMS and DB2 Databases provides you with a data encryption tool for both IMS and DB2 for z/OS databases in a single product. This product is designed to enable you to protect sensitive and private data for IMS at the segment level and for DB2 at the row level. IBM Data Encryption for IMS and DB2 Databases is implemented via standard IMS and DB2 exits which invoke System z cryptography hardware to encrypt data for storage and decrypt data for application use.

    To provide our customers with open solutions that integrate, both the Encryption Facility for z/OS and the System Storage tape drives with encryption enabled (TS1120) are designed to leverage Centralized Key Management (provided by ICSF in z/OS) for the enterprise and provide support for a variety of system environments. To see which tape encryption solution best suits your needs, check out our comparison chart below.

    As you can see from this chart, IBM's tape encryption solutions are designed to complement each other by providing capabilities to address a comprehensive range of data protection goals. And by utilizing the same key management (ICSF) in z/OS and hardware cryptography (PCIXCC, Crypto Express2) features, customers may benefit by leveraging mainframe features and functions that are both flexible and integrated.

    [Chart: Encryption Facility for z/OS and TS1120 enabled for encryption. Legend: Depends on Customer Requirements; Satisfies Requirements]

    For advanced flexibility in the exchange of encrypted data, z/OS mainframe customers can use the Encryption Facility for z/OS. If performance is paramount, the TS1120 tape encryption solution is well suited for speedy creation of encrypted archival and backup tapes. And when you're most concerned about protecting sensitive information in DB2 or IMS databases, try out the Data Encryption for IMS and DB2 Database Tool. Or use all three solutions to provide data protection that reaches across your enterprise and beyond.

System z Security Portal

The System z Security Portal is intended to help customers stay current with security fixes, and improve security planning. Customers can subscribe to the System z Security Portal to receive the latest information on System z security.


IBM provides world-class IBM mainframe technology to help today's enterprises respond quickly to evolving business conditions and with extreme flexibility. From automation to advanced virtualization technologies and open industry standards, IBM mainframes help deliver competitive advantages for enterprises contributing and succeeding on a smarter planet.

Operating Systems

IBM System z supports multiple operating systems:


IBM's technology, solutions and industry expertise can help you find the competitive edge with a sharper understanding of your customers. Our System z solutions combine the foundation of IBM hardware, software and middleware with flexible financing and packaging options to help your business meet and overcome the challenges of doing business in the on demand world. IBM can help you develop a customer-centric view—and assist you in delivering the right solution and the right products.

