This blog, and the more detailed paper to which it links, aims to answer the following questions:
- Why is extensive data encryption so important?
- What is pervasive encryption?
- How does it apply to CICS?
- How do I set it up with CICS?
- What are the costs?
The need for extensive encryption
Clearly, data protection and compliance are important business imperatives. Note the 2018 Cost of a Data Breach Study put the average cost of a data breach at around $3.9 million. Furthermore, compliance requirements don’t stand still either: an example is the recent GDPR (General Data Protection Regulation 2016/679) legislation in Europe.
Extensive use of encryption is one of the most impactful ways to help reduce the risks and impact of a data breach and help meet compliance mandates and audit requirements. But implementing encryption can be complex, and organizations that run CICS have questions such as:
- What CICS data should be encrypted?
- Where should encryption occur?
- Who is responsible for encryption?
Pervasive encryption simplifies data encryption, making it more cost-effective and easier to be compliant.
What is pervasive encryption: from selective encryption to pervasive encryption
First, selective encryption, which involves encrypting specific fields and data and can often require changes to applications, is costly in terms of skills, resources, maintenance, and potential outages. Pervasive encryption enables extensive encryption of data both in-flight and at-rest. This makes it easier to protect data and to meet compliance requirements.
IBM Z offers capabilities that are integrated through the stack to provide pervasive encryption. Indeed, these capabilities, including z/OS data set encryption and z/OS Coupling Facility encryption, allow you to protect CICS data in a way that is transparent to applications and databases. Furthermore, the IBM z14 provides a highly-optimized environment, using IBM Z integrated cryptographic hardware (CPACF) to reduce overheads on pervasive encryption. IBM Z pervasive encryption provides a broad level of protection and privacy that is managed by the operating system:
Figure 1: Multiple Layers of Encryption
How does pervasive encryption apply to CICS?
You can use pervasive encryption with any in-service release of CICS Transaction Server for z/OS. Moreover, you can encrypt any CICS data which z/OS supports encryption in just a few one-time set up steps. Indeed, benchmarks taken inside IBM show very low CPU overheads on CICS transactions after enabling dataset encryption and Coupling Facility encryption.
Our CICS paper provides a more in-depth discussion of how you apply this encryption with CICS and provides details of the workloads used to measure the performance impact.
Get the paper here.