CA Rolls Out Tape Encryption for Mainframes

Options proliferate for encrypting your z/OS backup tapes

In this age of data breaches, IT managers are grappling with how to encrypt their backup tapes, and for good reason.

“People have … realized that backup tapes were not stored in a format that would prevent unauthorized review of the data on those backup tapes,” notes Gerard Shockley, the assistant director of technical services for Boston University. “That’s why we’re seeing the proliferation of encryption of tapes.”

When it comes to encrypting sensitive information, don’t forget about your mainframe, he says, with 23 years of mainframe experience to back him up. Indeed, when mainframes are used, more often than not they store an organization’s most sensitive and business-critical information. That’s the case at Boston University.

To secure mainframe data stored to tape, the university recently implemented Brightstor Mainframe Tape Encryption for z/OS from CA Inc., which was released last month. Now, for its mainframes, “we are encrypting all but licensed code today, licensed code being the operating system—there’s no need to encrypt that,” notes Shockley.

Boston University isn’t alone. More organizations now are at least investigating encryption to safeguard their saved mainframe data, and that means securing backup tapes—as opposed to disk arrays or some other backup medium. “About 98 percent of all mainframe shops back their systems up to tape,” notes Mary Cochetti, CA’s product marketing manager for Brightstor for z/OS.

Yet how many organizations are actually implementing encryption for stored information, whether derived from mainframes or not? “My suspicion is not a lot of companies are actually employing encryption on removable media,” says Robert Amatruda, the research manager for tape and removable storage at IDC in Framingham, Mass. “But there’s a huge amount of awareness, especially as the weeks and months have gone by with all these companies that have actually lost customer information—things like Social Security numbers [and] financial information—on various pieces of removable media, i.e. tape.”

Tape-Backup Options Proliferate

For companies that want to encrypt their mainframe backup tapes, options already abound. For starters, numerous encryption appliances can also add enterprise-wide security for data at rest. On the tape front, the new Linear Tape Open (LTO) 4 format, backed by HP, IBM, and Quantum will include built-in encryption capabilities. Already, Quantum’s DLT Sage Tape Security system allows for encrypted headers, which must first be decrypted to view any data stored on the tape. Spectra Logic Corp. will also begin offering encryption for its tapes.

Meanwhile, mainframe powerhouse IBM will soon launch a z/Series drive with encryption built in. Experts predict Sun Microsystems Inc., which bought StorageTek, will be a dominant force, given StorageTek’s long mainframe-attached-storage history.

CA’s z/OS Software-Based Approach

Beyond such hardware options, another choice—or complement—is CA’s Brightstor Mainframe Tape Encryption for z/OS. It’s software-based, running on z/OS at the mainframe’s I/O level, and it also relies on the Integrated Cryptographic Services (ICSF) and other cryptography hardware features built into z/Series servers, to speed operations. “We interface right with ICSF and write it out at the I/O level, so there’s no secondary processing,” says John Hill, the director of product management for Brightstor for z/OS. For access control and auditing, the product also integrates with CA’s eTrust CA-ACF2 and eTrust CA-Top Secret, plus IBM’s RACF.

One of the benefits of today’s mainframes is that they’re often used to run multiple operating systems, including Unix and Linux. Accordingly, “this product has the ability to encrypt any data that is on the z/OS environment, and that includes data produced by any data on z/OS, or data in applications in the distributed world but which are distributed to z/OS,” says Cochetti. “So if it can be written to a z/OS standard label tape, it can be encrypted.”

The product handles key management on the mainframe via a database “which is encrypted, protected, mirrored, and so on,” says Hill. Beyond generating and tracking keys, the key for an individual tape can also be automatically expired—after regulations or security policies say it’s no longer needed, which essentially renders the data on the tape irretrievable. “So we not only do the generation and full tracking of keys, we also do the full deletion, so that at the end of 10 years, you don’t have thousands of unassociated keys out there.”

Since one widespread use of backup tapes is to share information with outside organizations, for the product’s users, Hill says CA is offering “a no-charge decryption module for partners and customers” so they can also read the encrypted backup tapes. In addition, the product works with digital certificates to enable the “public and private key swaps” needed to secure such arrangements.

Finally, CA says IBM is building support for the product into its DFSMSrmm tape management system via a Program Temporary Fix (PTF). An API is also available, says Hill, for other tape-management vendors who want to support the CA product’s key management capabilities.

Mainframe Backup Equals Tape Backup

Even though a number of tape-backup encryption options are available today, enterprises still grapple with fundamental encryption issues. “There are still a lot of logistical questions that need to get answered before encryption is really embraced,” says Amatruda. For example: “How do you integrate it into an existing environment? How do you really manage pools of tape media that have been encrypted, and those that haven’t been encrypted?”

Simplicity reigns. Boston University’s Shockley, for example, says “tape encryption is extremely simple” with the Brightstor product, that it has worked as advertised since installed, and also that it didn’t require any changes to applications or job control language (JCL) to be installed. All of those things were crucial requirements.

Indeed, such characteristics are mandatory for any mainframe tape-encryption product to succeed, says Amatruda. “It’s all about non-interruption [and] being easy to integrate and implement.”

Interestingly, he predicts encryption will take off more rapidly in mainframe environments than in open-system environments. Mainframe operators tend to be more sophisticated, he notes, and “at the end of the day, the mainframe environment is really different functionally, and I think the criticality of that data, and the criticality of that customer information, is such that they’d be more than likely to embrace encryption.”

CA says it began developing the Brightstor z/OS tape encryption product after numerous customer requests for such technology, starting about a year ago. “We’ve had mainframe utilities in the past that supported encryption, but they’ve been just that: utilities,” says Cochetti. “They don’t fit into the mainframe paradigm, which says it has to be centralized, automated, and transparent, so there isn’t a lot of individual involvement in the whole process.”

Related Articles:

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.

Must Read Articles