Programs are data. Keys are data. IEFBR14 code is datum.
However there are different needs and requirements for data.
Auditor always asked me about financial (application) data security.
Never about programs.
Of course one would like to have everything SECURE. Encryption is on of
means. What to encrypt? EVERYTHING.
Is it possible? No.
It is possible to encrypt some kinds of data. For other the encryption
can be impossible, too complex or just too expensive in terms of
performance.
Would I like to have encrypted programs? Actually I don't care.
IMHO the pervasive encryption provide little advantage when used in
properly secured (with RACF) environment. I mean business data. However
I understand requirements and implement it everywhere when ordered.
BTW: One of datasets where encryption provide real value is RACF db.
Yes, it should be protected. However I have seen many shops (as external
consultant) where I was able to copy it or even overwrite. Not to forget
about backup copies.
With encryption the stolen copy is just unusable. Of course KDFAES makes
it much less usable than previously.
--
Radoslaw Skorupka
Lodz, Poland
W dniu 14.01.2024 o 00:40, Seymour J Metz pisze:
Programs are data.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
________________________________________
From: IBM Mainframe Discussion List<IBM-MAIN@LISTSERV.UA.EDU> on behalf of Radoslaw
Skorupka<00000471ebeac275-dmarc-requ...@listserv.ua.edu>
Sent: Saturday, January 13, 2024 12:06 PM
To:IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Technical Reason? - Why you can't encrypt load libraries (PDSE
format)?
I can imagine technical reason to not encrypt such libraries.
However encryption is a kind of data protection. Data. Not programs.
--
Radoslaw Skorupka
Lodz, Poland
W dniu 13.01.2024 o 17:28, Steve Estle pisze:
Everyone,
Our team is knee deep into pervasive encryption rollout on ZOS 2.5 and despite
the fact such functionality has been out for years by IBM to do this, it is
quite surprising how many software vendors when you contact them they have no
clue what you're talking about - that is a complete aside - I'm not going to
name vendors here but if you want some examples you can contact me offline.
My true reason for composing this is that we've discovered the inability to encrypt load
libraries - even in PDSE format. I've yet to get a straight answer from IBM on why this
is?... Is this a "giant" technical hurdle for IBM? Or is it just cause there
hasn't been anyone who raised the need yet? If the latter does this capability interest
others here if I were to raise as an IBM idea - would you vote for it?
I know this seems innocuous, but we'd like to encrypt as much as possible in
our environment and due to Top Secret deficiencies we have to encrypt at high
level qualifier level (HLQ) (all or nothing under each HLQ unfortunately).
Given we have load module libraries under many differ HLQ's this is posing
difficulties in moving forward with our rollout when an HLQ does have one or
more load module libraries as part of that HLQ. You can only imagine the pain
of renaming a load library given all the JCL, etc that is referencing that
library name.
Also, while encrypting load module libraries might seem a little far fetched,
there are of course many malicious viruses that have been launched by injecting
code into a suspecting piece of code.
So two questions:
1. Why has IBM not already provided such functionality - can anyone speak to
the technical hurdles to provide?
2. If I were to submit an IBM idea, can I count on this community for some
backing here to help in upvoting such an idea submission?
Thanks for your indulgence,
Steve Estle
sest...@gmail.com
Peraton systems programmer
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
