26 July 2017

IBM'S PLAN TO ENCRYPT UNTHINKABLE AMOUNTS OF SENSITIVE DATA


LILY HAY NEWMAN

DATA BREACHES AND exposures all invite the same lament: if only the compromised data had been encrypted. Bad guys can only do so much with exfiltrated data, after all, if they can't read any of it. Now, IBM says it has a way to encrypt every level of a network, from applications to local databases and cloud services, thanks to a new mainframe that can power 12 billion encrypted transactions per day.

The processing burden that comes with all that constant encrypting and decrypting has prevented that sort of comprehensive data encryption at scale in the past. Thanks to advances in both hardware and software encryption processing, though, IBM says that its IBM Z mainframe can pull off the previously impossible. If that holds up in practice, it will offer a system that's both accessible for users, and offers far greater data security than currently possible.

Encryption Conniption

According to IBM, hackers have compromised around nine billion digital data records since 2013, a third of them medical. A meager four percent of that data was encrypted, though, meaning those credit card numbers, user names and passwords, and social security numbers passed easily onto dark-web criminal exchanges.

Even encrypted data often ends up compromised, because companies don't always opt for hacker-proof cryptography. Cybercriminals don't mind putting in the effort; the data people bother to encrypt tends to be valuable, which means putting resources into decrypting it usually pays off.

A system that encrypts virtually all data, though, makes it much more difficult for criminals to identify worthwhile targets. Enter IBM Z. All it takes is a massive amount of computing power.

Remember the Mainframe

The IBM Z mainframe locks data down with public 256-bit AES encryption—the same robust protocol used in the ubiquitous SSL and TLS web encryption standards, and trusted by the US government for protecting classified data. But the company's breakthrough lies less in quality than it does quantity. Thanks to some proprietary on-chip processing hardware, IBM Z can encrypt up to 13 gigabytes of data per second per chip, with roughly 24 chips per mainframe, depending on the configuration.

"This represents a 400 percent increase in silicon that’s dedicated specifically to cryptographic processes—over six billion transistors dedicated to cryptography," says Caleb Barlow, vice president of threat intelligence at IBM Security. "So for any type of transaction system we can now get the safety that we’re all after, which just hasn’t really been attainable up to this point."

For a better sense of why that all-encompassing encryption matters, compare it to something like a typical banking website interaction. The service likely encrypts your browsing session on the site, but that encryption may not endure in the backend of the application and the network operating system. Some point in the workflow lacks encryption, and that's where your data becomes vulnerable.

IBM Z, by contrast, keeps data encrypted at all times unless it is being actively processed, and even then it is only briefly decrypted during those actual computations, before being encrypted again.

"It can process 12 billion transactions per day on one machine. If you take something like Cyber Monday there’s probably about 30 million transactions that go on," says Barlow. "So one of these machines can process that kind of crazy workload without even breaking a sweat in less than a day."

The system also drastically cuts down on the number of administrators who can access raw, readable data. That means hackers have fewer fruitful targets to go after in their attempts to gain privileged credentials to access a system. And IBM Z offers granularity so users can access the data they need for day to day work without exposing large swaths of data they don't need.

Full Crypto

IBM says breakthroughs in its ability to do large-scale cryptographic processing let it take the leap. The company also has full component control in its mainframes, increasing efficiency and system control. The company says that large-scale cryptographic implementation is a "natural extension of the architecture."

Big questions remain, though. IBM Z's "pervasive" encryption may stymie many current methods of attack, but there's no such thing as perfect security; researchers and bad actors will almost certainly find weaknesses, given the chance. IBM developers anticipate this as well; they've added a feature in which the mainframe stores its decryption keys in a tamper-resistant way. At any sign of an intrusion, the system can automatically invalidate all of its keys until the breach is mitigated.

The other question about a system like the IBM Z is how widely it will be adopted. It would have potential economic benefits for companies in terms of easily allowing them to comply with increasingly stringent international data retention regulations, like US Federal Information Processing Standards. But for organizations that don't already rely on mainframes, the IBM Z may not seem like a relevant option.

"The established mainframe-based clients will jump all over this," says Joe Clabby, an analyst at the independent technology assessment firm Clabby Analytics. "As for new clients, that’s a hard one to answer. A lot of clients have a strong Intel bias. But encrypting all data, that’s a huge step. It’s pretty exciting given what a mess the world is without it."

No comments: