Quantum-safe security for IBM Z® involves the use of cryptographic methods designed to protect data from future quantum computer threats.
Quantum-safe security, built into the IBM z16™ platform, uses cryptographic methods that protect against attacks from both classical and quantum computers, helping ensure long-term data safety. As quantum computing advances, traditional encryption might be at risk. This makes quantum-safe security crucial for industries like banking, healthcare and defense.
Pervasive encryption offers a comprehensive solution for extensively encrypting both data in-flight and data-at-rest, significantly simplifying the adoption of quantum-safe encryption.
Integrated with your pervasive encryption framework, quantum-safe encryptions give you added security to your encryption framework. Protect your data against both current and future threats. This approach not only reduces the costs related to data protection but also enhances the mitigation of risks associated with emerging quantum threats.
Review potential threats to classical cryptography by way of quantum computers and learn how to make best use of today’s quantum-safe capabilities on the IBM Z platform.
NIST’s postquantum cryptography standards are here
What you can do
As you prepare to adopt new quantum-safe standards, there are several key milestones to follow. Each step is explained in chapter 2 of the IBM Redbooks®, "Transitioning to Quantum-Safe Cryptography on IBM Z".
Allow IBM expert lab services to conduct a holistic quantum risk assessment by creating a comprehensive inventory of cryptographic materials, including keys, certificates and algorithms. This helps identify and mitigate vulnerabilities like weak encryption and poor key management. The following domains are covered by the assessment:
- Infrastructure encryption services
- z/OS® ICSF encryption services
- Key Management Services
- Network encryption services
- Data at rest encryption services
- Application encryption services
IBM z16 offers several tools to help you discover how cryptography is used in applications and can help with migration and modernization planning.
As you create your crypto inventory, IBM z16 provides new instrumentation that can be used to track cryptographic instruction execution in the CP Assist for Cryptographic Functions (CPACF). CPACF accelerates the execution of cryptographic operations, such as encryption and decryption, by offloading them from the main processor. This helps improve the speed and efficiency of data security tasks on the system.
ADDI can discover where and how cryptography is used in applications. It enhances quantum-safe readiness by assessing and modernizing applications to support advanced encryption methods. ADDI identifies applications needing updates, analyzes compatibility and maps out risks, helping ensure smooth integration of quantum-safe technologies and strategic modernization. This prepares your systems to effectively handle emerging security challenges.
UKO for IBM Z enhances quantum-safe readiness by providing centralized, streamlined key management that supports advanced encryption standards. It simplifies the deployment and management of quantum-safe encryption keys across the IBM Z environment, helping ensure robust and compliant data protection. By facilitating efficient key operations and integration with quantum-safe algorithms, UKO helps organizations transition smoothly to future-proof security measures.
A feature in IBM z/OS that enhances quantum-safe readiness by providing tools and features designed to support the transition to quantum-safe encryption standards. It helps ensure that data encryption mechanisms are up-to-date and capable of addressing future quantum threats, facilitating seamless integration of advanced cryptographic solutions into the z/OS environment and helping organizations stay ahead of emerging security challenges.
A software component of IBM z/OS that enhances quantum-safe readiness by providing advanced cryptographic services essential for securing data against emerging quantum threats. It supports quantum-safe algorithms and key management via CEX8S, enabling organizations to transition to new encryption standards seamlessly. ICSF’s robust capabilities help ensure that data protection and encryption practices remain resilient and compliant with evolving security requirements.
An optionally priced feature that is obtained through a services contract and is part of the IBM UKO that was developed to help provide up-to-date monitoring of crypto-related information on IBM Z in the enterprise. It collects security-relevant information to assist in building your cryptographic inventory and use the graphical client for easy analysis of security information.
Authentication verifies identity or authorship, helping ensure the integrity of data, software or firmware. Techniques like code signing confirm that only legitimate vendor-supplied code is executed. Strengthen your authentication with the IBM PCIe Cryptographic Coprocessor (HSM in CEX8S) and ICSF, which seamlessly integrate with IBM Z systems for robust, secure data protection.
As quantum-safe algorithms are integrated into industry standards, core banking applications benefit from enhanced security. For example, AES encryption is now supported for PIN point-of-sale transactions and PIN block protection. With the Integrated Cryptographic Service Facility and the IBM 4770 Cryptographic Coprocessor, IBM Z can handle essential tasks like PIN translation, PIN verification and unique key management, helping ensure secure and compliant payment processing.