We use SKLM/GKLM for data-at-rest encryption of DS8000/TS7000 devices,
all internal disk storage, no external cartridge tapes. So what does
that do for the customer, since (unless you're using an additional form
of encryption on the mainframe) the data is still spit out of the
devices unencrypted (not counting the additional feature that allows
FICON-in-transit encryption).
I have a few theories on this:
#1 If someone gets into the datacenter and steals disks (or the entire
DS/TS box), the encrypted contents should be useless.
#2 When a DS/TS box is decommissioned, a customer could "potentially"
skip any further destruction of the data in the box. Still, what I've
seen in reality for decom is to run the IBM SDO (secure data overwrite
to blot out the disks) and sometimes even shred the individual disks
(I'd sure like to see that in action!)
#3 If you steal a DS/TS box, make sure you steal the associated key
server unit too.
I'd appreciate any comments on these theories.
On 4/12/2024 9:21 AM, Jousma, David wrote:
To place a bit more focus on what Rick says….. You lose/destroy the key(s),
you have lost your data. There is a lot of discussion about the scope/use of
the keys. One key, or one per application, or one per dataset, etc. There
is no right/wrong answer (well just one key for everything is probably not
advisable).
I personally am still having a hard time wrapping my head around the “real
benefit” of dataset encryption. Everyone who has READ or more access to the
dataset, must also be permitted to the Key. Those same people are still able
to copy/print/steal that data. So who does that leave? Those that are not
permitted to the dataset, and those who administer the storage. Those that
don’t have access to the dataset aren’t going to get the data, encrypted or
not. Those who administer the storage usually have access to move/manage the
installations data. These are the people who dataset encryption is
protecting against. That is a very small population to go to this effort on.
Dave Jousma
Vice President | Director, Technology Engineering
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Rick
Troth <0000058ff5c2d0a7-dmarc-requ...@listserv.ua.edu>
Date: Friday, April 12, 2024 at 10:59 AM
To: IBM-MAIN@LISTSERV.UA.EDU <IBM-MAIN@LISTSERV.UA.EDU>
Subject: Re: IBM key management products
Not discounting Luke's excellent response: key management is hard. Look for
utilities with reliable import/export capability. Be prepared to OWN your keys.
I say this again as a CISSP, own your keys. This is your bread and butter, so
to speak,
Not discounting Luke's excellent response: key management is hard.
Look for utilities with reliable import/export capability. Be prepared
to OWN your keys.
I say this again as a CISSP, own your keys. This is your bread and
butter, so to speak, the family jewels.
So take care when using these products to ensure that they do what you
want them to do and that you know what they're doing.
One shop where I recently worked had a great slogan, "crypto is easy;
key management is hard".
It's not that the crypto was easy but that it's done already,
implemented, coded, packaged. But the keys *must* be managed by you and
your team, not the kind of thing which can be outsourced.
Keys and certs cannot be installed and forgotten. And sadly, some of the
expirations we are given are too short to be practical. (Various
government issued IDs and licenses commonly last FIVE years. Why do PKI
certs last only two? ... or ONE?)
But I'm getting off topic. Sorry.
The point is, keys are fundamentally different than any other software
or data that we have to manage.
And it's a good idea to limit keys to individuals when you can. (Like
the combination to the bank vault.)
It's all about trust.
This e-mail transmission contains information that is confidential and may be
privileged. It is intended only for the addressee(s) named above. If you
receive this e-mail in error, please do not read, copy or disseminate it in any
manner. If you are not the intended recipient, any disclosure, copying,
distribution or use of the contents of this information is prohibited. Please
reply to the message immediately by informing the sender that the message was
misdirected. After replying, please erase it from your computer system. Your
assistance in correcting this error is appreciated.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
