https://www.smh.com.au/national/the-brazen-airport-computer-theft-that-has-australias-anti-terror-fighters-up-in-arms-20030905-gdhc5q.html
2 mainframes. Convinced that lots of important files were stolen. Since most computers (but not most mainframes) have internal file storage.

On Sat, Jun 11, 2022 at 1:52 PM Rob Schramm <rob.schr...@gmail.com> wrote:
>
> Yeah for as funny as that sounds about taking off of an entire unit I seem to remember a post some years ago with somebody rolling off a disc and mainframe out of an Australian data center maybe?
>
> Rob
>
> On Tue, May 10, 2022, 01:58 Timothy Sipples <sipp...@sg.ibm.com> wrote:
>
> > Echoing some other comments, there’s security merit in having redundant external key managers with your IBM DS8000 systems (external to the storage device). As IBM explains, the Local Key Manager won’t protect the drives if someone manages to grab the whole IBM DS8000 unit — a law enforcement agency, co-location data center owner, invading army, etc. — regardless of whether your servers are up or down. Anything on the storage device that can be read will be readable in that event. And “grab” doesn’t really mean “cart away.”
> >
> > An external key manager allows for some separation of duties. For example, storage administrators can be responsible for the IBM DS8000 systems while your security organization is responsible for the EKMs. If the security team shuts down the EKMs then the DS8000 systems cannot (re)start up and come online. In other words, at least two people in this equation have to be involved in providing (or at least maintaining) access to storage.
> >
> > EKMs can also provide services to other devices and environments. For example, IBM Security Guardium Key Lifecycle Manager not only provides key management services for IBM DS8000 and other IBM/non-IBM storage devices, it also provides KMS to VMware environments (as a notable example).
> >
> > I’m not arguing the LKM is “bad.” It’s convenient, and that counts. It provides some security, really for addressing the risks of individual drive thefts and storage retirement. (Remove the keys and the encrypted drives are safe to transfer/repurpose/sell.) But having EKMs is more secure by design because they address those risks and a few more. However, if you’ve implemented comprehensive z/OS Data Set Encryption (and Linux dm-crypt/LUKS2 and/or Spectrum Scale encryption) then I think the LKM could be reasonable even with demanding security requirements.
> >
> > Yes, IBM recommends having a redundant pair of EKMs. But they don’t necessarily have to be your “on premises” EKMs. In fact, one fairly popular pattern now is to have one “primary” EKM on your premises and an alternate running in IBM Cloud Hyper Protect.
> >
> > — — — — —
> > Timothy Sipples
> > Senior Architect
> > Digital Assets, Industry Solutions, and Cyber Security
> > IBM zSystems and LinuxONE
> > sipp...@sg.ibm.com
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?