BLOG: Securing Any Data, Anytime from Everyone with IBM Z

November 19th, 2021 BLOG: Securing Any Data, Anytime from Everyone with IBM Z
Marianne Eggett
IBM Z Solutions Consultant


We have all been there. Requesting replacement credit cards, changing bank accounts, buying subscriptions to monitor our financial accounts in an attempt to prevent hackers from accessing our financial data.
What if you discovered that there was a way to prevent the hackers from ever getting to your data?

What if it meant you could achieve data security without making changes to apps?

The industry is frantically designing solutions that not only detect hackers but prevent hackers from getting to our sensitive data. IBM’s Hyper Protect Data Controller, recently announced May 11, 2021(1) , is one of those products that is architected to prevent unauthorized access to sensitive data. And it only runs on IBM Z. So, let’s look at why.


IBM Z Unique Security


IBM is proud of the unique security capabilities built into the IBM Z and LinuxONE servers.

Inherent hardware features include:

  • Hardware accelerator with a specialized instruction set for cryptographic execution called the CP Assist for Cryptographic Function (CPACF). CPACF provides improved encryption performance compared to other solutions. It executes on the IBM Z’s traditional Central Processors (CPs).
  • Specialized Cryptographic Coprocessor is delivered in the Crypto Express card (IBM CXE7S). This card offloads the encryption function from the traditional Central Processors (CPs) to specialized processors thereby improving performance while eliminating the overhead on IBM Z Central Processors.
  • Secure Service Containers secure prebuilt application images bundled with the operating system, security mechanisms, and other features for simplified install and application image lockdown.
  • Hyper Protect for Virtual Servers offers the highest security defined in the industry, U.S. National Institute of Standards and Technology (NIST) FIPS 140-2 Level 4, for containers. FIPS 140 defines security requirements for cryptographic modules. FIPS 140-2 Level 4 defines protection from external and internal sources including system administrators.

Hyper Protect Data Controller exploits all of these security features on IBM Z and LinuxONE servers. No other security product has this level of security because no other security product exploits all these IBM Z security features.

Bottom line, the Hyper Protect Data Controller executes in a tamper resistant environment, preventing the application itself from being accessed by hackers or malicious administrators. That’s why IBM Z and LinuxONE servers make sense for this application.

Let’s now look at this data protection solution.


Hyper Protect Data Controller (HPDC)


Hyper Protect Data Controller (formerly IBM Data Privacy Passports) is a data-centric auditable protection (DCAP) product that secures data wherever it resides. This very unique capability secures the data even when it leaves the system of record and is stored in an external data base management system(DBMS). An example may be the ETL process which extracts data for loading into a data lake. That data is secured even after leaving the system of record at the field level by inserting metadata on the field that travels with the data stored in the external DBMS. When that data is accessed, HPDC deciphers the appropriate security clearances at the field level for all user requests whether that request is from the system of record or from the external DBMS. In fact, the system of record does not have to be IBM Z data. It will apply its security methodology to all JDBC addressable data throughout the enterprise, including data in the clouds.

How does it do this?

Hyper Protect Data Controller enforces its security through a central Data Controller. Policies are defined on each sensitive data field thereby defining authorized access. Access may result in masked data, such as all or part of a social security number. Data may be encrypted, such as encrypting a bank account number, hashed or in the clear. These policies are defined for authorized applications and users. Where a data owner may see the whole record in the clear, the data scientist may see the social security number encrypted.

Requests to Hyper Protect Data Controller are through JDBC or Rest APIs calls against SQL structured data sources. When the policy defines that the data is encrypted when stored at a target DBMS, the central Data Controller creates an Encrypted Data Object (EDO) which contains metadata instructions on how to use the EDO. This EDO is stored with the data at the target DBMS. So, when a user queries either the external DBMS or the system of record, the Data Controller intercedes the request, sending that request to the database, then once the DBMS fulfilled the query, HPDC applies the appropriate access rights to the data before delivering the data. In either case, the end user has no knowledge that Hyper Protect Data Controller is protecting access to the data fields. This continues for the life of the data field until the access policy is revoked. All activity is logged for auditing purposes.


Hyper Protect Data Controller Technical Requirements


The Hyper Protect Data Controller runs in a Secure Service Container utilizing Hyper Protect Virtual Server environment as described above. Therefore, the HPDC can be installed on an IBM z14, IBM z15, LinuxONE Rockhopper, LinuxONE Emperor, LinuxONE III, and LInuxONE Express servers. The Container Hosting Foundation feature code (0104) or equivalent software enablement is required. The starting configuration is four (4) IFLs processors on an IBM Z or LinuxONE.


The industry continues to develop security solutions to outsmart the ever-evolving sophistications of the data intruders. The HPDC is one of those solutions. It offers policy driven security for the life of the data, no matter where it resides, on the system of record or anywhere in the enterprise or clouds. The IBM Z and LinuxONE servers offer the most secure server in the industry, making this combination a perfect marriage of technologies toward achieving that goal.

Get More Information
As an IBM Platinum Business Partner, Mainline has extensive experience with IBM systems including IBM Z mainframe systems and operating systems (z/OS, z/VM, z/VSE, and Linux) and we can help you with Hyper Protect Data Controller on IBM Z and LinuxONE. To set up an in-depth discussion about exploiting these technologies, please contact your Mainline Account Executive directly or click here to contact us with any questions.


(1) IBM Hyper Protect Data Controller 1.1 was formerly known as IBM Data Privacy Passport.

You May Be Interested In:

Blog: Zero Trust – Fact or Fiction? Avoiding the Hype

Blog: Making LinuxONE Easy – IBM Hyper Protect for Virtual Servers

Blog: IBM Secure Execution on IBM LinuxONE and IBM Z

Submit a Comment

Your email address will not be published. Required fields are marked *