Mainframes process roughly 30 billion business transactions per day; this includes “most major credit card transactions and stock trades, money transfers, manufacturing processes, and ERP systems.”
Consider this: Mainframes are used by… (Janet Sun, 2013)
- 96 of the world’s top 100 banks
- 23 of the 25 top US retailers
- 9 out of 10 of the world’s largest insurance companies
- Seventy-one percent of global Fortune 500 companies
- Nine out of the top 10 global life and health insurance providers
More than 80 percent of corporate data resides on mainframes (Eric Chabrow, 2013). Today data travels on local PC’s, on the cloud, across one, two or three different platforms and the Internet. In the past, mainframe security was handled simply by restricting access to data by unauthorized users. That should not be the case today.
The Ponemon Institute’s 2013 Cost of Data Breach Study, which the institute conducted for IT security provider Symantec, reports that the global average cost of a data breach was $136 in 2012, up $6 from in 2011. The study concluded that the cost per data breach in the United States averaged $188 in 2012. The study found that most data breeches could be divided into three categories:
- Malicious attacks – 37%
- Negligence – 35%
- System Glitches – 29%
Although only one third of the breeches were caused by outside malicious attacks, any action that leads to unauthorized data access should be of concern to any enterprise, and a data protection plan should be put in place.
Why Encrypt Mainframe Data
Although there have not been any reported instances of virus attacks on mainframes, organizations should not rely on old methods to protect their data. Today the mainframe is the hub (the central data repository) for many, many organizations. Mainframes process data in conjunction with other nodes on a network, each with its only level of security, so a data attack can come from anywhere. That means that any security strategy adopted by an organization must include methods that protect data at rest and data in transit. It is widely agreed today that any serious system security strategy designed to protect data must start with encryption.
Why encrypt data? Well first, data has value for an enterprise; it is an asset (Navin Sharma, 2010). Stolen, lost, or corrupted data can reduce the value on a company’s balance sheet. Secondly, laws, regulations, and standards have been instituted, both nationally and internationally, requiring that certain kinds of data be encrypted for privacy reasons, international security reasons, and financial auditing control. Three important standards are…
In one broad sweep, the Gramm-Leach-Bliley Act includes provisions requiring financial institutions to protect the personal information of their customers and prove that they do. And the government is serious about forcing organizations to protect everyone’s personal data. According to Jeffrey Vagle, a lawyer with Pepper Hamilton, “Courts are starting to pick up on the fact that the data that can get out there can cause serious harm, maybe not immediately, but sometime in the near future” (Antone Gonsalves, 2012). Vagle sees a trend by judges in Federal courts to redefine the magnitude of the damages that people suffer from data breeches. And he sees big payouts to victims of data breaches by organizations that have not protected their data. The loss of unencrypted data can not only reduce assets on a balance sheet but reduce the bottom line.
Encryption is converting data, whatever form it takes, into unreadable cipher by applying a set of complex algorithms to the original data. Encryption keys can be either symmetric or asymmetric. With symmetric keys, the same key governs both encryption and decryption. With asymmetric keys, a sender encrypts data with a public key supplied by the recipient. Decryption is only possible with the recipient’s private key. SDS E-Business Server® is a world class, cross-platform encryption solution that utilizes PGP encryption.
While encrypting mainframe data is mandatory in today’s system environments, it should be just part of a completely developed set of security policies and procedures. Without controlling the type of keys that an organization creates, and carefully determining who should control them, implementing encryption may just prove to be an expensive operation that does not yield the expected results—data security.