On Aug 2, 2005, at 9:32 PM, Joel C. Ewing wrote:
Has anyone else out there looked at the overhead of encrypting all
tapes, which seems to be the approach some are advocating? The
obvious problem from the standpoint of efficiency is that good
encryption of the data, which destroys apparent patterns in the data,
will make tape hardware compression perform poorly. It seems at
present that if one wants to do tape encryption under MVS, you are
pretty much also forced to do data compression (first) to avoid
tripling the amount of physical tape required. You incur not only the
CP overhead of the encryption, but that of compression as well.
We recently did a limited experiment with a software tool that can
front-end DFDSS to encrypt dumps before they are written to a device.
For a full volume dump of a 3390-3 the CPU time (on z/900-106) went
from around 5 secs for uncompressed dump to around 38 secs for a
compressed and encrypted dump, and that was with using the crypto
engine. That's a pretty significant bump if you are talking about
hundreds of volumes - in our case it adds an additional load
equivalent to about one CP for the duration of our nightly 4-hour DR
dump cycle.
It would seem like the best place to perform encryption if you really
needed it for most tapes is at the tape subsystem level, so you can
also let the tape hardware compression do its thing. Has IBM or
anyone else yet considered putting a crypto engine in the tape
subsystem, so both compression and encryption could be done at this
level?
Short of that, the most hardware-cost-effective technique would be to
at best only encrypt sensitive fields in datasets, or lacking that
capability only encrypt datasets with sensitive records. But, taking
that approach places a non-trivial burden of correct data
classification and implementation on application development, and some
things are sure to fall through the cracks.
Joel,
I think the auditors would be happy if any tapes that leave the "glass
house" were encrypted. Any other tapes would not be. This would be my
answer to any request from the auditing department. In house, NO (unless
special circumstances like payroll or other special requirements); any
tape that leaves the glass house, yes, unless the data is PUBLIC
already. I would defer to the auditors as they are keepers of the keys,
so to speak.
Ed
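Joel's point that encryption destroys the patterns tape hardware compression relies on, so the only workable order is compress first and then encrypt, can be measured directly. The following is an added example and not code from the thread: the fixed-format records are constructed, and the SHA-256 counter-mode XOR is a toy stand-in for a real cipher, used only because its output is pattern-free like real ciphertext.

```python
import hashlib
import zlib


def make_dataset(n_records: int = 2000) -> bytes:
    # Constructed sample: 80-byte fixed-format records with repeated fields,
    # the kind of data tape hardware compression handles very well.
    records = []
    for i in range(n_records):
        rec = f"{i:08d}ACCT{i % 37:04d}STATUS=ACTIVE   DEPT=PAYROLL  "
        records.append(rec.ljust(80).encode("ascii"))
    return b"".join(records)


def keystream_xor(data: bytes, key: bytes) -> bytes:
    # Toy cipher (assumption, not the tool Joel used): SHA-256 in counter mode
    # yields a pseudorandom keystream; XOR is symmetric, so the same call
    # decrypts. Only the statistical property (no patterns) matters here.
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def compress_then_encrypt(data: bytes, key: bytes) -> bytes:
    # Order Joel describes as forced under MVS: squeeze patterns out first.
    return keystream_xor(zlib.compress(data, 9), key)


def encrypt_then_compress(data: bytes, key: bytes) -> bytes:
    # Order a tape subsystem sees if host encryption happens before
    # hardware compression: the ciphertext has nothing left to compress.
    return zlib.compress(keystream_xor(data, key), 9)


def sizes(data: bytes, key: bytes) -> tuple[int, int, int]:
    """Return (original, compress->encrypt, encrypt->compress) byte counts."""
    return (len(data),
            len(compress_then_encrypt(data, key)),
            len(encrypt_then_compress(data, key)))


if __name__ == "__main__":
    orig, ce, ec = sizes(make_dataset(), b"demo-key-not-for-real-use")
    print(f"original             : {orig:8d} bytes")
    print(f"compress then encrypt: {ce:8d} bytes ({orig / ce:5.1f}x)")
    print(f"encrypt then compress: {ec:8d} bytes ({orig / ec:5.1f}x)")
```

The same ordering constraint is why Joel's numbers pay for both the compression and the encryption CP time: the hardware compressor cannot do its share once the data is already ciphertext.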
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html