IBM announced IBM z15, a new enterprise platform delivering the ability to manage the privacy of customer data across hybrid multicloud environments. With z15, clients can manage who gets access to data via policy-based controls, with an industry-first capability to revoke access to data across the hybrid cloud. Read the full announcement from IBM.
The movement of data between partners and third parties is often the root cause of data breaches. In fact, 60 percent of businesses reported they suffered a data breach caused by a vendor or third party in 2018 [1]. With the growing adoption of hybrid multicloud environments, the importance of maintaining data security and privacy only grows more acute and challenging.
The IBM z15 culminates four years of development with over 3,000 IBM Z patents issued or in process and represents a collaboration with input from over 100 companies. Key z15 innovations from these investments across IBM Systems and Research include:
- Encryption Everywhere – Building upon pervasive encryption, IBM unveiled new Data Privacy Passports technology that clients can use to gain control over how data is stored and shared – enabling the ability to protect and provision data and revoke access to that data at any time, not only within the z15 environment but across an enterprise’s hybrid multicloud environment. z15 can also encrypt data everywhere – across hybrid multicloud environments – to help enterprises secure their data wherever it travels.
IBM z15: Taking Data-Centric Audit and Protection to the Next Level
Analyst Take: With the z15 launch, IBM is taking advantage of rising enterprise demand for data-centric protection on an end-to-end basis. Enterprises must prioritize data privacy or endure public relations fallouts as well as potentially hefty fines. For example, this July the FTC fined Facebook $5 billion for violating the privacy rights of consumers. Now the company is potentially facing up to $2.23 billion in EU fines for various General Data Protection Regulation (GDPR) infractions, with a decision expected by the end of September. In other words, data privacy violations and breakdowns are increasingly a costly affair.
To protect individuals' identities across digital realms and ecosystems, IBM debuted its Data Privacy Passports offering as an integral component of the z15 launch. This debut follows IBM's 2017 introduction of Pervasive Encryption capabilities, which deliver full protection of IBM Z data within Z Systems implementations. Now IBM is focusing on augmenting data-centric audit and protection (DCAP) techniques, which combine extensive data security and audit functions with policy control, real-time monitoring, and discovery to help automate data security and regulatory compliance; this is especially vital in fulfilling data privacy legal requirements like GDPR.
Existing DCAP employs point-to-point methods, where data is protected via encrypted network sessions with encryption and decryption occurring at each hop as data traverses the network (e.g., IPsec, TLS, SFTP, MQ AMS). Any data stored at end points and intermediate points must be explicitly encrypted, which is a difficult and costly task. IBM is proposing to broaden DCAP to enable an end-to-end (E2E) model. With an E2E approach, data is encrypted at the starting point and remains encrypted until it reaches the end point. Data stored at end points and intermediate points is implicitly encrypted and managed through centralized policy.
Data Privacy Passports: Fortifies and Broadens z15 Security Assurances and Leadership
IBM's Data Privacy Passports' most significant innovation is providing protection and enforcement for IBM Z data both on and off the platform. With dynamic enforcement, the source data remains in the clear in its original store and clients connect to a proxy, which enforces the data policies for them. One major additional benefit is that no changes are needed to the database system that originated the data. Equally important, data can be protected and then enforced: source data is encrypted into Trust Data Objects (TDOs) and then inserted into a new table. Clients connect to the new protected table and, based on the policy rules, are presented an enforced view of the data. The elements of the new protected table are stored encrypted so that the overall protection and enforcement flows are preserved.
Where the protected or enforced data is stored is a vital consideration. For starters, enforced data may be stored in a table with the same schema as the source table, streamlining the storage process. Additionally, protected data can be packaged into TDOs. A TDO is not the same size as the source data, since it is an encrypted package with additional metadata; this broadens data protection while minimizing complexity.
IBM’s packaging of the Data Privacy Protection process consists of two components: Trust Authority and Passport Controller. The Trust Authority acts as a central point of control for managing and enforcing data security and privacy and could be deployed independently from the Passport Controller. The Passport Controller provides an intercept point to transform raw data into TDOs or enforce data protection, ensuring that all data access coming through is audited. By offering to integrate the Passport Controller with the Trust Authority, IBM can ease client adoption by providing a simpler on-ramp for implementing their first set of use cases.
IBM Gains Vital Security Differentiation through Data Privacy Passports Debut
With Data Privacy Passports, IBM is delivering breakthrough data protection benefits, including flexible data revocation schemes in which copies of data throughout the enterprise are TDOs. Since all TDOs are encrypted using a specific key (or set of keys), data access revocation can be performed dynamically, revoking access to data for specific users or for all users. Through policy updates, users can be included in or excluded from the Trust Zones that are permitted to open TDOs. Moreover, cryptographic erasure applies to TDOs protected with a generated key: once that key is deleted, the Passport Controller can no longer open the TDOs it protected.
The overall value of Data Privacy Passports to z15 platform clients is immense. Data Privacy Passports provide a single protected table that offers multiple views of the data, while also protecting data at the point of extraction and enforcing protection at the point of consumption. Clients now have the capability to move data off IBM Z platforms as TDOs or as enforced data, enabling the tracking of the complete data transformation journey from point of origin to point of consumption. Moreover, policy access can be changed dynamically to revoke or grant user access to data.
IBM is taking security protection to the next level with Data Privacy Passports by extending data-centric protection and enforcement on and off IBM Z platforms, i.e., anywhere, anytime data security. This offers a compelling contrast to the existing cloud data protection and security capabilities of the major public cloud service providers, such as AWS, Microsoft Azure, Google Cloud, and Alibaba, where E2E data protection is more difficult to attain and relies more on point-to-point, session-based encryption methods. To the point, Capital One's recent data breach is illustrative of some of the risks built into existing cloud security arrangements.
[1] Ponemon Institute and Opus, 2018, Data Risk in the Third-Party Ecosystem: Third Annual Study.
Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.