Hi Tom, Regarding #2, at a former job I got to decommission an HDS box that was shared between the mainframe and Unix boxes. Unencrypted disk in it. Mgmt wanted the data destroyed so they asked me to take the individual drives home and drill through each of them. That was when I found out that this particular disk drive had glass platters. There was no getting data off them when the drill bit shattered every platter in every spindle. đ
Rex -----Original Message----- From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Tom Brennan Sent: Friday, April 12, 2024 1:41 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: [EXTERNAL] Re: IBM key management products We use SKLM/GKLM for data-at-rest encryption of DS8000/TS7000 devices, all internal disk storage, no external cartridge tapes. So what does that do for the customer, since (unless you're using an additional form of encryption on the mainframe) the data is still spit out of the devices unencrypted (not counting the additional feature that allows FICON-in-transit encryption). I have a few theories on this: #1 If someone gets into the datacenter and steals disks (or the entire DS/TS box), the encrypted contents should be useless. #2 When a DS/TS box is decommissioned, a customer could "potentially" skip any further destruction of the data in the box. Still, what I've seen in reality for decom is to run the IBM SDO (secure data overwrite to blot out the disks) and sometimes even shred the individual disks (I'd sure like to see that in action!) #3 If you steal a DS/TS box, make sure you steal the associated key server unit too. I'd appreciate any comments on these theories. On 4/12/2024 9:21 AM, Jousma, David wrote: > To place a bit more focus on what Rick saysâŚ.. You lose/destroy the key(s), > you have lost your data. There is a lot of discussion about the scope/use > of the keys. One key, or one per application, or one per dataset, etc. > There is no right/wrong answer (well just one key for everything is probably > not advisable). > > I personally am still having a hard time wrapping my head around the âreal > benefitâ of dataset encryption. Everyone who has READ or more access to the > dataset, must also be permitted to the Key. Those same people are still > able to copy/print/steal that data. So who does that leave? Those that > are not permitted to the dataset, and those who administer the storage. > Those that donât have access to the dataset arenât going to get the data, > encrypted or not. Those who administer the storage usually have access to > move/manage the installations data. These are the people who dataset > encryption is protecting against. That is a very small population to go to > this effort on. > > Dave Jousma > Vice President | Director, Technology Engineering > > > > > > From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on > behalf of Rick Troth <0000058ff5c2d0a7-dmarc-requ...@listserv.ua.edu> > Date: Friday, April 12, 2024 at 10:59âŻAM > To: IBM-MAIN@LISTSERV.UA.EDU <IBM-MAIN@LISTSERV.UA.EDU> > Subject: Re: IBM key management products Not discounting Luke's > excellent response: key management is hard. Look for utilities with > reliable import/export capability. Be prepared to OWN your keys. I say > this again as a CISSP, own your keys. This is your bread and butter, > so to speak, > > > Not discounting Luke's excellent response: key management is hard. > > Look for utilities with reliable import/export capability. Be prepared > > to OWN your keys. > > I say this again as a CISSP, own your keys. This is your bread and > > butter, so to speak, the family jewels. > > So take care when using these products to ensure that they do what you > > want them to do and that you know what they're doing. > > > > One shop where I recently worked had a great slogan, "crypto is easy; > > key management is hard". > > It's not that the crypto was easy but that it's done already, > > implemented, coded, packaged. But the keys *must* be managed by you > and > > your team, not the kind of thing which can be outsourced. > > Keys and certs cannot be installed and forgotten. And sadly, some of > the > > expirations we are given are too short to be practical. (Various > > government issued IDs and licenses commonly last FIVE years. Why do > PKI > > certs last only two? ... or ONE?) > > But I'm getting off topic. Sorry. > > > > The point is, keys are fundamentally different than any other software > > or data that we have to manage. > > And it's a good idea to limit keys to individuals when you can. (Like > > the combination to the bank vault.) > > It's all about trust. > > > > This e-mail transmission contains information that is confidential and may be > privileged. It is intended only for the addressee(s) named above. If you > receive this e-mail in error, please do not read, copy or disseminate it in > any manner. If you are not the intended recipient, any disclosure, copying, > distribution or use of the contents of this information is prohibited. Please > reply to the message immediately by informing the sender that the message was > misdirected. After replying, please erase it from your computer system. Your > assistance in correcting this error is appreciated. > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, send > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
