Security
September 13, 2006

IBM: First-of-its-Kind Encryption?

IBM has announced what it claims is a first-of-its-kind encryption technology and services for enterprise-class security and privacy.

The centerpiece of the solution is the industry's first tape drive with encryption built into the drive itself, aimed at small, medium and large businesses alike. The open-standards-based drive is designed to protect the data on a cartridge that is lost or stolen: without the key, the tape is unreadable to whoever finds it. Because the encryption is done in the drive, customers can encrypt the large data sets bound for remote recovery sites or for archiving at native tape speed, and can share encrypted tapes with business partners who hold the appropriate keys.

IBM's Security and Privacy Services practice within IBM Global Technology Services will provide the framework, architecture and support needed to run an enterprise security program and to apply IBM's encryption solution to data security problems. In addition, IBM Business Continuity and Resiliency Services (BCRS) has the encrypting drives installed at its worldwide recovery locations and will offer recovery services that include the use of tape hardware encryption.

IBM claims the IBM System Storage TS1120 is the first encrypting tape drive on the market designed around the requirements of data-protection compliance legislation. According to IBM, there are significant advantages to performing encryption in the tape drive. Early measurements show no appreciable performance degradation when reading or writing encrypted data. Because the drive compresses data before encrypting it, encryption does not forfeit compression: ciphertext is effectively random and will not compress, so a host that encrypts before handing data to the drive gives up the capacity gain, whereas encryption in the drive leaves media consumption unchanged. The same drive can also process unencrypted workloads.

Beyond high-performance encryption in the drive, IBM's approach is designed to let customers ensure that a tape can be decrypted only by authorized parties, and that the decryption keys are available when and where they are needed. The tape encryption solution builds on the encryption technology already proven on the IBM mainframe. Centralized key management on the mainframe gives a single point of control over the tape encryption keys, with high security and availability, long-term key management (a key must outlive every tape it protects, and archived tapes may be retained for years) and strong disaster recovery capabilities. System z servers also protect the keys with tamper-resistant cryptographic hardware.

"Public-key cryptography gives customers a tool set that allows them to radically simplify the process of key management. A unique key can be used with each tape cartridge, and by using public key cryptography, customers can conceal these unique keys and leave them right with the tape cartridge," said Marianne Mostachetti, Director of IBM System z Software. "The public-key infrastructure that's inherent in the IBM z/OS is the ideal way for tape cartridges to be opened up."
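The two ideas in the preceding paragraphs, compress-then-encrypt inside the drive and a unique data key per cartridge that is concealed under a public key and stored with the cartridge so that only the matching private key can open it, fit in one short program. The Go code below is an added illustration written for this page; it is not IBM's code and not the TS1120's on-cartridge format. Its algorithm choices (AES-256-GCM for the records, RSA-OAEP with SHA-256 for wrapping the data key), the `Cartridge` layout, the party labels and the sample backup records are this example's own assumptions.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Cartridge is a hypothetical model of what lands on one tape (not the TS1120's real
// layout): compressed-then-encrypted records, the GCM nonce, and the per-cartridge
// data key wrapped under each authorized party's RSA public key.
type Cartridge struct {
	Nonce, Ciphertext []byte
	WrappedKeys       map[string][]byte // party label -> RSA-OAEP(dataKey)
}

func compress(p []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(p)
	w.Close()
	return buf.Bytes()
}

func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WriteCartridge mints a fresh 256-bit data key for this cartridge, compresses the
// records BEFORE encrypting (ciphertext does not compress, so the order matters),
// seals them with AES-256-GCM and wraps the data key once per authorized party.
func WriteCartridge(records []byte, recipients map[string]*rsa.PublicKey) (*Cartridge, error) {
	buf := make([]byte, 32+12) // fresh 256-bit data key followed by a 96-bit GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	dataKey, nonce := buf[:32], buf[32:]
	gcm, err := aesGCM(dataKey)
	if err != nil {
		return nil, err
	}
	cart := &Cartridge{nonce, gcm.Seal(nil, nonce, compress(records), nil), map[string][]byte{}}
	for label, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
		if err != nil {
			return nil, err
		}
		cart.WrappedKeys[label] = w
	}
	return cart, nil
}

// ReadCartridge is the authorized-party path: unwrap the data key with the party's own
// private key, decrypt, decompress. No wrapped copy, or the wrong private key, yields
// an error and no plaintext.
func ReadCartridge(c *Cartridge, label string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := c.WrappedKeys[label]
	if !ok {
		return nil, fmt.Errorf("no data key wrapped for %q", label)
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap for %q failed: %w", label, err)
	}
	gcm, err := aesGCM(dataKey)
	if err != nil {
		return nil, err
	}
	compressed, err := gcm.Open(nil, c.Nonce, c.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	return io.ReadAll(flate.NewReader(bytes.NewReader(compressed)))
}

func main() {
	// Constructed sample: repetitive backup records, the kind that compresses well.
	records := bytes.Repeat([]byte("2006-09-13 acct=00042 balance=1234.56 status=OK\n"), 2000)
	owner, _ := rsa.GenerateKey(rand.Reader, 2048)
	partner, _ := rsa.GenerateKey(rand.Reader, 2048)
	cart, err := WriteCartridge(records, map[string]*rsa.PublicKey{"owner": &owner.PublicKey, "partner": &partner.PublicKey})
	if err != nil {
		panic(err)
	}
	fmt.Printf("records %d B -> on tape %d B; re-compressing the ciphertext gives %d B\n", len(records), len(cart.Ciphertext), len(compress(cart.Ciphertext)))
	got, err := ReadCartridge(cart, "partner", partner)
	fmt.Println("partner recovers records:", err == nil && bytes.Equal(got, records))
	_, err = ReadCartridge(cart, "owner", partner) // partner's key against owner's slot
	fmt.Println("wrong private key:", err)
}
```

Two things to notice when running it. The on-tape size is a small fraction of the record size because compression ran first; compressing the ciphertext again gains nothing, which is the practical reason encryption belongs in the drive after its compressor rather than on the host. And sharing a tape with a partner costs only a second wrapped copy of the same data key, written alongside the first: the key itself never travels in the clear, and the owner's private key stays where it is.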

Encryption is standard on all newly ordered TS1120 tape drives; customers with TS1120 drives already installed can add it for a fee. The IBM Encryption Key Manager for the Java platform, distributed at no charge as part of IBM's Java software development kit, generates encryption keys and delivers them to tape drives across the enterprise. Because it is Java-based, the key management software supports the encrypting drive on z/OS, i5/OS, AIX, HP-UX, Solaris, Linux and Windows.

The TS1120 supports three encryption management methods: application-managed, system-managed and library-managed. For system- and library-managed encryption, the IBM Encryption Key Manager for the Java platform generates the keys and serves them to the drives. Encryption is supported when the TS1120 Tape Drive is installed in or attached through the IBM System Storage TS3500 Tape Library, the IBM System Storage TS1120 Tape Controller Model C06, the IBM TotalStorage 3592 Tape Controller Model J70, IBM TotalStorage 3494 Tape Libraries and the IBM TotalStorage C20 Silo Attach frame, as well as in stand-alone configurations.

For application-managed encryption, IBM Tivoli Storage Manager (TSM), IBM's enterprise backup and recovery software, generates the keys and communicates them to the TS1120 drives. TSM's policy management determines automatically whether TS1120 encryption applies to a given workload and, if so, invokes it and supplies the keys. Support for TS1120 encryption is the newest of TSM's capabilities for securing data at rest. IBM positions TSM as the only backup/archive product that manages the drive's encryption keys, so that backup, archiving and encryption can all come from IBM and be managed through Tivoli.

Posted by Jon Erickson at 07:55 AM