PKWARE eNewsletter
February/March 2009
Topics & Trends: Tough Times Mean Nothing to Your Auditors

To bring an original perspective to data security and information technology issues, PKWARE® will periodically publish “Topics & Trends” in our bi-monthly eNewsletter. We’ll profile topics that we believe have valuable insight into the direction and application of data security in the enterprise.

In this Topics & Trends, Jeff Cherrington, PKWARE’s Vice President, Product Management, writes that “tough times mean nothing to your auditors” and that adding encryption for strong data protection to existing compression jobs requires only negligible additional operational overhead.

Tough Times Mean Nothing to Your Auditors

Economic downturns impact budgets, causing businesses to feel they are required to “do more with less.” Nowhere is this unpleasant dynamic felt more intensely than in meetings with auditors and compliance officers. While profit and cost centers adjust plans and budgets to reflect changes in economic conditions, people in these governance roles do not make such allowances. They look to protect the organization from poor decisions and cost-cutting measures that can lead to significant problems later.

Even while budgets are cut in reaction to reduced revenue, governance requires that additional protections be applied and new processes instituted. This places managers in the position of having to do more to meet these needs, even as budgets for personnel, capital investment, and expense are reduced. This is particularly painful in data center operations, where mainframe hardware upgrades represent significant costs. Still, huge aggregations of mainframe data represent major risk; therefore, the governance call to action to better protect this data, even beyond the existing minimum requirements [1], is mandatory.

Strong Data Protection for Next-to-no Operational Overhead

PKZIP® for z/OS® customers are finding surprising answers to some of their most critical data protection needs, once thought to be the most costly. In January 2009, a PKWARE® customer wanted to document the increase in operational capacity required to convert their existing PKZIP data compression jobs to SecureZIP® jobs that compressed and strongly encrypted their data.

The organization felt that environment risks and regulation impacts required that the large volume of data be managed through their mainframe. They needed to provide additional levels of protection to both data at rest and, more importantly, data in transit, without impacting existing service level agreements (SLAs). In addition, budget was not available to increase mainframe capacity. It seemed an impossible goal, until the results of the tests came in.

The customer installed SecureZIP on the same mainframe that PKZIP had been running on [2] and worked with PKWARE to modify the existing JCL that compressed the target data using PKZIP. The project team was pleased to find that installation of SecureZIP required only a morning’s effort and that fewer than five lines of code were required to modify the existing JCL. Then, using a one-gigabyte input file of data, representative of data processed daily, the team ran multiple jobs so that variations would be averaged away. Jobs were paired, with one run only compressing the data (setting the baseline for comparison) and the second compressing and encrypting the data. The outcome was remarkable.

For this single file input of representative data, only an additional 0.24 CPU second was required to strongly encrypt the target. In the context that the customer is already using PKZIP to compress this data in production, this means they can add strong data protection to their existing workflows for virtually no additional operational burden!

Test Results
  • Input: One GB of clear text
  • Output: 23MB of unreadable cipher text
  • Capacity metrics


This gratifying outcome is a result of SecureZIP’s integration with the IBM® Integrated Cryptographic Service Facility (ICSF), which, on contemporary mainframes, provides direct access to the CPACF hardware encryption acceleration available directly from the instructions of the CPU chipset. With SecureZIP for z/OS, taking advantage of the encryption capabilities natively available from the IBM mainframe is quick, easy, and extremely useful to existing PKZIP for z/OS customers and others. As a result, only 0.47% additional capacity is required to protect one GB of the target data.

More Than Just a Fluke

As impressive as these results were, impacts on elapsed time were also a concern, as the customer’s batch update windows left very little room for additional processing. The documented results confirmed the solution could meet their needs:


The results showed that less than one additional second per gigabyte of data is required to protect the target data.

The project team wanted further confirmation that the results were reproducible and not simply an artifact of a single file input or the input file data type. Accordingly, two additional sets of jobs were performed. The first replaced the one-gigabyte text file used in the first runs with a one-gigabyte binary file. The second used 10 files, five each of binary and of text data type (with a much lower cardinality [3] of repeatable patterns than the representative production data file), that totaled one gigabyte in aggregate. Those results reinforced the conclusion that adding encryption for strong data protection to existing PKZIP jobs could be implemented very quickly and requires only negligible additional operational overhead.

While the cardinality of given data will affect specific CPU second results, and time sharing and priority always impact elapsed time, other PKZIP for z/OS customers can expect similar results.

For more information on how you can evaluate the impact adding strong encryption for data protection would have on your workloads, please contact PKWARE.

About the Author

Jeff Cherrington serves as PKWARE’s Vice President, Product Management. In previous positions, he was the Vice President at Bank One, focusing on data security aspects, strategic outsourcing relationships, and multi-million dollar contract negotiation for the bank’s highly profitable credit card division; Director of Product Management & Consulting Services for WorkPoint, Inc., a leader in the market for enterprise workflow software; and worked with top US and international financial institutions in a variety of positions while at First Data Corporation. Jeff has an Executive MBA degree from the University of Nebraska.

[1] “Heartland data breach proves PCI compliance is not enough”
http://www.computerweekly.com/Articles/2009/01/26/234421/heartland-data-breach-proves-pci-compliance-is-not-enough.htm
[2] IBM z9 BC, model 2096-O04, configured as a Parallel Sysplex, with 418 MIPS from four online CPUs, all shared with equal weight; configured to run in LPAR mode, with 16 LPARs defined, connected to FICON DASD channels
[3] The frequency with which patterns occur in a given set of data; for more information, please see http://en.wikipedia.org/wiki/Cardinality