Encryption Meets the Mainframe

Rethinking security


Why do banks invest in high-security vaults, armed guards and layers of identification? Because banks are where we keep vast quantities of money. Why must corporations invest in high security for mainframe databases? Because mainframe databases are where most data, another corporate currency, is kept.

In the past few years, industry initiatives and government regulations have become significantly more demanding and specific about data security. The payment card industry (PCI) has led the charge with myriad IT security requirements that must be met by any organization involved in the credit-card value chain. These requirements apply to computing environments that manage sensitive credit-card information. While the early focus of the PCI initiative was transactional systems, the assessment process has become more rigorous and more inclusive each year. If card data touches the computing infrastructure, the PCI assessors expect data protection to be implemented across the board - mainframes included.

Data Protection
Most U.S. states and many countries worldwide have passed privacy legislation. In the United States, the common form of this legislation requires protection for any personally identifiable information, but it provides a safe haven for electronic storage of private data if the data is encrypted. The legislators have clearly provided guidance to organizations about how to avoid the risks of theft and the embarrassment of being required to publicly disclose all suspected data breaches. Focusing on data is the key to protecting your organization. However, even with this clear legislative guidance and safe haven, it's shocking how many computing environments are still relying solely on perimeter protections and haven't focused on the heart of the data-security challenge - protecting the data.

More than 80 percent of corporate data resides on mainframes, and IBM's "Big Iron" mainframe is the backbone of corporate computing. Because of the quantity and type of data that's available on corporate databases, these mainframes are target-rich environments for thieves and hackers. The bad guys know that if they infiltrate a corporate mainframe they'll have access to a treasure-trove of sensitive data. Security isn't a new thing in the mainframe arena, and many excellent security products have been available for years. But security strategies of the past haven't kept pace with the security risks of the present.

Not all security breaches come from external sources. In fact, the vast majority of data breaches are perpetrated by corporate insiders. Sometimes these are authorized users performing malicious acts. However, data losses are frequently as mundane as physically misplaced backup tapes or misguided data extracts that happen to include too much data. Perimeter security is useless to prevent this type of threat.

In addition to internal-security threats, external threats are very real. The hacking community is constantly refining new ways to attack systems. When external hackers succeed, the results are usually sensational and devastating. In 2005, more than 40 million consumers were exposed to identity theft when hackers breached the security barriers of several corporations. The estimated damage from these thefts was more than $3 billion.

Progressive data-security-management leaders are driving a shift in corporate-security culture. Sound best practices, backed by industry and government regulations, require us to take a much more holistic view of protecting sensitive information.


Gordon Rapkin is CEO and president of Protegrity Corporation. Gordon can be reached at gor@protegrity.com.
