How to Manage Centralized Encryption for the Mainframe

When new regulations are implemented, like GDPR or the New York State cybersecurity requirements for financial services companies, it’s challenging to figure out where you stand and what you need to do to stay compliant. From an IT perspective, it’s important for companies to show regulators how you protect corporate data, and that might mean demonstrating strong data encryption standards. In a recent interview, computer security experts Stu Henderson and Greg Boyd emphasized how important it is that encryption efforts are coordinated from the CIO down.

The problem? CIOs often don’t know exactly what parts of their IT estate already have encryption, so they may not be sure where to get started. That’s especially challenging in the mainframe environment, where work can be fairly siloed in many major corporations.

“Often, a system programmer will set up encryption, retire, and then no one will know what’s encrypted or why,” Henderson explained. Running encryption through common control points can help organizations save money and stay up-to-date with regulatory changes.

This directive needs to come from the CIO, especially because centralizing administration requires the cooperation of several key disciplines: your legal department, compliance department, capacity planning people and application owners. With CIOs at the helm, cryptography management can be streamlined, cutting costs, reducing risk and bolstering security.

While Henderson and Boyd see this first and foremost as a management problem, there are a number of tools that make managing the technical side much easier. Mainframers need both crypto hardware and ICSF software to provide effective security and integrity on z/OS, with minimum cost and minimum overhead. Here are some of the cryptography tools mainframers should know about.

CP Assist for Cryptographic Function (CPACF)

Using the CPACF hardware is a no-brainer, says Henderson. CPACF is free, and while you may have to ask IBM to add some micro-code, it’s often already ready on your system. CPACF adds instructions to the CPU, speeding up CPU processing for encryption by a factor of 1,000 or more. Not only does this reduce your current CPU load, but it also means you’ll save money on hardware in the future, since you won’t have to invest in a more powerful CPU.

Crypto Express (CEX)

Unlike CPACF, the Crypto Express card is hardware that you’ll need to pay for. But, CEX will also help you avoid the further cost of increased CPU and speed up encryption processing. With CEX, encryption requests go off to a separate card and come back, so while CEX uses more “wall clock” time than CPACF, the CPU time is a lot faster. Mainframers will probably need CEX sooner or later, according to Henderson and Boyd, so they recommends learning about it now to be prepared.

Another advantage of CEX is its self-protecting, tamper-resistant design. If the tamper sensors are triggered, the box will self-destruct, destroying critical keys and certificates, and renders itself permanently inoperable. Some government agencies (and some commercial groups) are starting to require this kind of hardware self-destructing module. CEX is a good option for the mainframe, especially since it gives you support and improved CPU time.

Integrated Cryptologic Services Facility (ICSF)

This free software is a started task that serves as a router for cryptography requests. ICSF works with the hardware cryptographic feature and the z/OS Security Server to provide secure, high-speed cryptographic services.

Having this kind of central control point for cryptography allows for visibility into encryption processes and helps streamline management. If and when new regulations come down, it will be easier to make changes to your cryptography, since it’s all sent through a centralized location.

Policy Agent

Policy Agent is another piece of free software to keep an eye on. Henderson and Boyd say this firewall and encryption tool for TCP/IP networks is not often used, but should be. Policy Agent is a very powerful tool for providing centralized effective encryption and many other TCP/IP security functions.

The need for better management of mainframe cryptography is unavoidable, according to Henderson. Above all, he says, if it’s not managed from the CIO down, the odds of failure will go up. Start with the easy steps, like CPACF and ICSF, and then dedicate resources to doing a whole lot more.

To learn more about cryptography tools on the mainframe, watch the full video from Stu Henderson’s “Crypto on z/OS Systems for CIOs and the Rest of Us” presentation in the SHARE Content Center.


Recent Stories
Using IPCS to Solve CICS Failures

Tips and Tricks: The Transition to Remote Work

Master the Mainframe 2005: Anna Clayton's Springboard to Success