Employing Best Practices for Mainframe Tape Encryption

Transcription

1 WHITE PAPER: DATA ENCRYPTION BEST PRACTICES FOR MAINFRAME TAPE Employing Best Practices for Mainframe Tape Encryption JUNE 2008 Stefan Kochishan CA MAINFRAME PRODUCT MARKETING John Hill CA MAINFRAME PRODUCT MANAGEMENT

2 Table of Contents Executive Summary 1 SECTION 1: CHALLENGE 2 Securing Personal and Business-critical Data There s No Such Thing as Low Risk Encryption is Key The Real Cost of Exposure SECTION 4: CONCLUSIONS 6 SECTION 5: REFERENCES 6 SECTION 6: ABOUT THE AUTHORS 7 SECTION 2: OPPORTUNITY 3 Minimizing Risk and Loss Finding the Right Balance SECTION 3: BENEFITS 4 Implementing Best Practices for Better Results The Data Selection Process Copyright 2008 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document As Is without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages.

3 Executive Summary Challenge Increased regulatory scrutiny on the protection levels afforded sensitive information by those that transact and process it is causing enterprises to improve mainframe security strategies. This entails proactively investigating exposures and implementing appropriate policies, processes and technologies, including those for data z/os tape encryption. Opportunity Organizations need to identify exposure points and the information in need of encryption, taking steps to avoid encrypting too much or too little or both. To that aim, they need to implement tape encryption policies that protect all sensitive data without burning money and man hours safeguarding information that doesn t require that higher level of security. Benefits Because all data is not created equal, it s best to consider a tape encryption strategy that s aligned with business practices, security objectives and compliance drivers. But, the final reality check would be to judge if a data set satisfies the minimal non-disclosure criteria of existing or emerging regulatory requirements. Doing this comparison will help enterprises address both the spirit and letter of applicable mandates as they apply to the security and protection of personal and business-critical data. WHITE PAPER: DATA ENCRYPTION BEST PRACTICES FOR MAINFRAME TAPE 1

4 SECTION 1: CHALLENGE Securing Personal and Business-critical Data There s No Such Thing as Low Risk Data loss incidents expose enterprises and their partners, clients, constituents and employees to a multitude of risks. After all, unauthorized and rogue access to sensitive personal and business-critical information often results in identity theft, and ultimately, adversely affects: Consumer credit ratings Press coverage Organizational reputation and perception The bottom line via citations and fines for noncompliance Unless steps are taken to secure data by all businesses and governmental agencies, the situation simply promises to get worse. In fact, millions of individuals are impacted by data loss every year. And as criminals increase their sophistication and we become more dependent on technology, the collateral damage will continue to grow exponentially. That means that there is no such thing as a low-risk organization or low-risk personal information. It also means an institution s trustworthiness is the least of its concerns. Encryption is Key Data breach exposures aren t hype they re very real and can have significant impact on an organization. And because all data is now business critical, many US and EU governing bodies have written laws that: Protect consumer data identities Require businesses to be proactive in disclosure and remediation Levy hefty fines for incidents of exposure To date, nearly all of the 50 US states have enacted legislation requiring companies and government agencies to report loss or theft of personal information when the exposed data is not encrypted. Thus, encryption for mainframe tapes has rapidly percolated to the top of data center requirements. After all, approximately 70 percent of organizations and governments are running critical applications on mainframes. And with the systems still boasting the best in processing power and transaction times, a good deal of sensitive data resides on and is managed by the mainframe. Connecting the dots, it becomes apparent that a significant amount of personal and private information resides on tape. 2 WHITE PAPER: DATA ENCRYPTION BEST PRACTICES FOR MAINFRAME TAPE

5 As recently as 2006, the Ponemon Institute found that data breach remediation cost businesses an average of $182 per record, totaling as high as $22 million, $4.7 million on average, and no less than $226,000. Those staggering dollars are consumed by legal fees, investigative and administrative expenses, stock performance, customer defections, opportunity loss, public relations services and customer support costs. The Real Cost of Exposure Organizations offer several common excuses for failing to encrypt their data, including a simple lack of time or money to do so. Unfortunately, no explanation after the fact can help an institution sufficiently recover from a data breach. And, the costs and time associated with fines, remediation efforts, negative publicity and lost customers are as incalculable as they are crippling. If one does nothing to protect sensitive data and it s never compromised, then there s no cost involved. However, as news stories demonstrate time and again, the probability of information being lost or stolen is high. In fact, it becomes a matter of when rather than if that compromise will occur. As recently as 2006, the Ponemon Institute found that data breach remediation costs businesses an average of $182 per record, totaling as high as $22 million, $4.7 million on average and no less than $226,000. Those staggering dollars are consumed by legal fees, investigative and administrative expenses, stock performance, customer defections, opportunity loss, public relations services and customer support costs. In addition, organizations face losses that are more difficult to quantify. The damage to reputations and brand identities can take years to correct if it s even possible at all. And, that s really just human nature. After receiving a letter of notification that one s personal information has been exposed, it s difficult to imagine the victim quickly trusting the offender again. SECTION 2: OPPORTUNITY Minimizing Risk and Loss Finding the Right Balance The importance of protecting data and consumers, combined with escalating compliance regulations, is causing enterprises to rethink corporate governance mandates. This entails proactively investigating exposures and implementing appropriate information security policies, processes and technologies, including those for tape data encryption. Others have not yet embraced encryption and have no procedures in place. After all, they may argue, they don't have any sensitive data. So, why bother with encryption? The reality is, nearly every company has some sensitive data on its systems and it needs to be adequately protected for compliance and longevity. That s why a growing number of organizations are incorporating data encryption into their security best practices. But, haphazard application of these best practices is, in fact, not a best practice. Institutions need to perform due diligence to identify exposure points and the information in need of encryption on tape. Anything short of this approach will lull them into a false sense of security. WHITE PAPER: DATA ENCRYPTION BEST PRACTICES FOR MAINFRAME TAPE 3

6 Yet, too wide a net can be cast in encrypting data. Deeming all information sensitive and then encrypting it would certainly be cost prohibitive. And, there are also the issues of time and computing resources to consider. Moreover, institutions may selectively encrypt the wrong data. For instance, they might encrypt everything that goes offsite, including information that really doesn't need the additional protection. At the same time, they may neglect to encrypt archived data or data sitting in their onsite vault, which could be easily accessed by an unscrupulous or malicious insider. In a sense, these organizations have encrypted too much or too little or both. The goal, then, is to implement a tape encryption policy that protects all sensitive information without covering any that doesn t require that higher level of security. SECTION 3: BENEFITS Implementing Best Practices for Better Results As organizations embark on data encryption projects, they often struggle to identify information that should be backed up to their tape media and what portion of that information really needs to be encrypted. After all, the existing and universal standard operating procedure is usually to back up everything to tape on a daily basis. This approach means organizations don t know which data sets contain sensitive information and which don t. But as previously established, not all data is created equal. That s why it s best to consider an encryption strategy that s aligned with business practices, security objectives and compliance drivers. The business needs of an institution will determine which one of the following common mainframe encryption methods it chooses: ALL Z/OS DATA Encrypting all z/os tape data is the fastest way to implement an umbrella encryption policy. This may be overkill, but it s also the most expedient if the mandate is rapid encryption deployment. ALL Z/OS DATA THAT S OFFSITE Tapes that have transit requirements from local control to remote locations (offsite storage sites or business partners) are at higher risk. Thus, it s a good compromise to take a blanket approach to safeguarding these assets while selectively encrypting onsite tape data. SELECTED DATA If efficiency and economies of scale are the primary goals, it is prudent to take the time upfront to select the data that needs to be encrypted and the data that doesn t and set policies based on those decisions. This saves time and resources in the actual encryption/decryption process. Following is a base-line checklist for the tape data encryption selection process: 4 WHITE PAPER: DATA ENCRYPTION BEST PRACTICES FOR MAINFRAME TAPE

7 Data examples that make good encryption candidates: Names and address files Business or bank account numbers Social security numbers Drivers license numbers Payroll information Customer history files Data examples that don t make good encryption candidates: Operating system files Temporary files Disaster recovery start-up files Licensed software products System support files The Data Selection Process The easiest way to identify data that is sensitive enough to be encrypted is to target businesscritical and personal information, though any data would be a candidate if it satisfies the minimal non-disclosure criteria of existing or emerging regulatory requirements. Beyond that, the following tips can help ensure that encryption levels are appropriate for an environment: INCLUDE A COMPLIANCE OFFICER IN THE STRATEGY DEVELOPMENT AND REVIEW PROCESS In its 2007 Survey on Identity Compliance, the Ponemon Institute reported that 42 percent of enterprises said their IT and audit/compliance groups rarely collaborate. An additional 23 percent said the two groups never work as a team. The simple step of bringing both groups together to discuss encryption issues can help ensure that organizational policies protect customers, employees and information. In addition, this line of communication can help ensure that official and stated policies are followed in daily practice. FOLLOW ALL APPLICABLE STATE LAWS Observing the rules of an organization s state of incorporation or physical location is simply not enough, particularly if an institution is international or does business over the Internet. Rather, enterprises need to follow the laws of every state where they have customers. Moreover, they need to keep pace with the rapid change in this area. ENCRYPT ARCHIVE TAPES AFTER ENCRYPTING LIVE TAPES Enterprises often neglect to consider all the sensitive data that may reside on archived tape, but this older data may be just as valuable as current data. For example, in a recent case involving a large retailer, identity thieves waited years after obtaining stolen credit information before actually using it to fraudulently purchase items. WHITE PAPER: DATA ENCRYPTION BEST PRACTICES FOR MAINFRAME TAPE 5

8 The process of encrypting archived tapes is not as time-consuming as it is generally perceived, and it may offer unforeseen benefits. If there is a desire to migrate off old tape media, institutions could employ virtual tape software, along with tape encryption software, to easily migrate to newer media as data is encrypted. In the process, they may be able to improve tape usage, eliminate thousands of old tapes and reduce tape storage costs. DON T BLINDLY TRUST Organizations want to believe all their employees are trustworthy, but it takes only one rogue individual to cause a major data loss incident. And in several events recently reported in the news, employee involvement is suspected. The US Government Reform Committee found that most government data breaches involve hardware theft or unauthorized employee access to data. Moreover, 60 percent of US organizations surveyed told the Ponemon Institute they were unable to assess their insider threat for data loss. The lesson: data must be secured from employees and outsiders. ACCEPT NO LESS THAN FULLY AUTOMATED END-TO-END KEY MANAGEMENT These days, it's not enough to say you re compliant; you have to prove it. That means a full lifecycle key management system that integrates with the mainframe security and tape management system. A complete solution will be able to create, audit, track, backup, restore and delete key data. And to be effective, z/os tape encryption software should automate key management and provide that integration throughout the lifecycle of sensitive business information. SECTION 4 Conclusions Encryption for mainframe tapes has rapidly ascended to the top of the list of data center requirements due to increasing disclosures by high-profile organizations regarding the loss or theft of non-encrypted tapes containing sensitive personal and business-critical information. The urgency to encrypt sensitive data is further amplified because many governing bodies have passed or are considering legislation requiring accountability and proactive notification of such losses when the compromised data is not encrypted. The key to effective encryption is understanding what information needs to be safeguarded to this level and what does not. SECTION 5 References Ponemon Institute LLC, 2006, Cost of Data Breach Study, 2006 Ponemon Institute LLC, 2007, Survey on Identity Compliance, WHITE PAPER: DATA ENCRYPTION BEST PRACTICES FOR MAINFRAME TAPE

9 SECTION 6 Stefan Kochishan CA Mainframe Product Marketing John Hill CA Mainframe Product Management About the Authors Stefan Kochishan is director of product marketing at CA, responsible for building market awareness and growth of CA s mainframe storage management solutions. He has nearly 30 years of IT industry experience in sales, marketing and technology, specializing in software solutions for storage management, systems management and change management. John Hill is director of product management for z/os storage at CA. He has nearly 40 years of experience in IT, mostly in storage-related areas. He has held a variety of positions, including systems programmer, application programmer, technical support manager, operations manager, systems engineer and senior systems consultant. WHITE PAPER: DATA ENCRYPTION BEST PRACTICES FOR MAINFRAME TAPE 7

10 Notes 8 WHITE PAPER: DATA ENCRYPTION BEST PRACTICES FOR MAINFRAME TAPE

11 Notes WHITE PAPER: DATA ENCRYPTION BEST PRACTICES FOR MAINFRAME TAPE 9

12 CA (NSD: CA), one of the world s leading independent, enterprise management software companies, unifies and simplifies complex information technology (IT) management across the enterprise for greater business results. With our Enterprise IT Management vision, solutions and expertise, we help customers effectively govern, manage and secure IT