We looked at dataset encryption to please our auditors. Just trying to see 
the benefit, honestly. If you are a permitted user of the dataset by any 
means, then you have to be permitted to the encryption key profile as well.

So who are you protecting the data from?  Storage managers?  Storage managers 
don't need access to datasets to manage them.

Additionally, I think IBM dropped the ball a bit in that nothing stops a 
permitted user from copying that data to an un-encrypted dataset.  IMO, once 
encrypted any copies inherit the same encryption.

The technology that I see as beneficial is one that I think is in the works 
with IBM in that data will never be decrypted including during execution.  I 
forget the term used for that.

Other parts of PE we are doing, focusing mostly on encrypted IP connections, 
encrypted FICON, and possibly encrypted CF structures.

Dave Jousma

Vice President | Director, Technology Engineering


Fifth Third Bank  |  1830 East Paris Ave, SE  |  MD RSCB2H  |  Grand Rapids, MI 
49546

616.653.8429
________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
Steve Estle <sest...@gmail.com>
Sent: Saturday, January 13, 2024 11:28:58 AM
To: IBM-MAIN@LISTSERV.UA.EDU <IBM-MAIN@LISTSERV.UA.EDU>
Subject: Technical Reason? - Why you can't encrypt load libraries (PDSE format)?

Everyone,

Our team is knee-deep into pervasive encryption rollout on z/OS 2.5 and despite 
the fact such functionality has been out for years by IBM to do this, it is 
quite surprising how many software vendors when you contact them they have no 
clue what you're talking about - that is a complete aside - I'm not going to 
name vendors here but if you want some examples you can contact me offline.

My true reason for composing this is that we've discovered the inability to 
encrypt load libraries - even in PDSE format.  I've yet to get a straight 
answer from IBM on why this is.  Is this a "giant" technical hurdle for 
IBM?  Or is it just because there hasn't been anyone who raised the need yet?  If 
the latter, does this capability interest others here if I were to raise it as an 
IBM idea - would you vote for it?

I know this seems innocuous, but we'd like to encrypt as much as possible in 
our environment and due to Top Secret deficiencies we have to encrypt at high 
level qualifier level (HLQ) (all or nothing under each HLQ unfortunately).  
Given we have load module libraries under many different HLQs this is posing 
difficulties in moving forward with our rollout when an HLQ does have one or 
more load module libraries as part of that HLQ.  You can only imagine the pain 
of renaming a load library given all the JCL, etc. that is referencing that 
library name.

Also, while encrypting load module libraries might seem a little far-fetched, 
there are of course many malicious viruses that have been launched by injecting 
code into a suspecting piece of code.

So two questions:

1. Why has IBM not already provided such functionality - can anyone speak to 
the technical hurdles to provide?
2. If I were to submit an IBM idea, can I count on this community for some 
backing here to help in upvoting such an idea submission?

Thanks for your indulgence,

Steve Estle
sest...@gmail.com
Peraton systems programmer

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

