If they hadn't had glass platters I would have seriously considered it! I didn't want to have the glass mess.
-----Original Message----- From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Jousma, David Sent: Monday, April 15, 2024 2:22 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: [EXTERNAL] Re: IBM key management products Would have been fun to line them up on a fence, and do some target practice!!! Dave Jousma Vice President | Director, Technology Engineering From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Pommier, Rex <rpomm...@sfgmembers.com> Date: Monday, April 15, 2024 at 2:33 PM To: IBM-MAIN@LISTSERV.UA.EDU <IBM-MAIN@LISTSERV.UA.EDU> Subject: Re: [EXTERNAL] Re: IBM key management products Didn't phase the drill bit one bit (sorry for the bad pun). I just had to be careful not to punch a hole in the bottom of the drives so as to not get glass shards dropping on my (very messy) shop floor. -----Original Message----- From: IBM Didn't phase the drill bit one bit (sorry for the bad pun). I just had to be careful not to punch a hole in the bottom of the drives so as to not get glass shards dropping on my (very messy) shop floor. -----Original Message----- From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Tom Brennan Sent: Monday, April 15, 2024 12:57 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: [EXTERNAL] Re: IBM key management products Nice! That's the first I've heard of glass platters. Hope your drill bit survived the trauma :) On 4/15/2024 8:33 AM, Pommier, Rex wrote: > Hi Tom, > > Regarding #2, at a former job I got to decommission an HDS box that > was shared between the mainframe and Unix boxes. Unencrypted disk in > it. Mgmt wanted the data destroyed so they asked me to take the > individual drives home and drill through each of them. That was when > I found out that this particular disk drive had glass platters. There > was no getting data off them when the drill bit shattered every > platter in every spindle. 😊 > > Rex > > -----Original Message----- > From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On > Behalf Of Tom Brennan > Sent: Friday, April 12, 2024 1:41 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: [EXTERNAL] Re: IBM key management products > > We use SKLM/GKLM for data-at-rest encryption of DS8000/TS7000 devices, all > internal disk storage, no external cartridge tapes. So what does that do for > the customer, since (unless you're using an additional form of encryption on > the mainframe) the data is still spit out of the devices unencrypted (not > counting the additional feature that allows FICON-in-transit encryption). > > I have a few theories on this: > > #1 If someone gets into the datacenter and steals disks (or the entire DS/TS > box), the encrypted contents should be useless. > > #2 When a DS/TS box is decommissioned, a customer could "potentially" > skip any further destruction of the data in the box. Still, what I've > seen in reality for decom is to run the IBM SDO (secure data overwrite > to blot out the disks) and sometimes even shred the individual disks > (I'd sure like to see that in action!) > > #3 If you steal a DS/TS box, make sure you steal the associated key server > unit too. > > I'd appreciate any comments on these theories. > > On 4/12/2024 9:21 AM, Jousma, David wrote: >> To place a bit more focus on what Rick says….. You lose/destroy the key(s), >> you have lost your data. There is a lot of discussion about the scope/use >> of the keys. One key, or one per application, or one per dataset, etc. >> There is no right/wrong answer (well just one key for everything is probably >> not advisable). >> >> I personally am still having a hard time wrapping my head around the “real >> benefit” of dataset encryption. Everyone who has READ or more access to >> the dataset, must also be permitted to the Key. Those same people are >> still able to copy/print/steal that data. So who does that leave? Those >> that are not permitted to the dataset, and those who administer the storage. >> Those that don’t have access to the dataset aren’t going to get the data, >> encrypted or not. Those who administer the storage usually have access to >> move/manage the installations data. These are the people who dataset >> encryption is protecting against. That is a very small population to go to >> this effort on. >> >> Dave Jousma >> Vice President | Director, Technology Engineering >> >> >> >> >> >> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on >> behalf of Rick Troth <0000058ff5c2d0a7-dmarc-requ...@listserv.ua.edu> >> Date: Friday, April 12, 2024 at 10:59 AM >> To: IBM-MAIN@LISTSERV.UA.EDU <IBM-MAIN@LISTSERV.UA.EDU> >> Subject: Re: IBM key management products Not discounting Luke's >> excellent response: key management is hard. Look for utilities with >> reliable import/export capability. Be prepared to OWN your keys. I >> say this again as a CISSP, own your keys. This is your bread and >> butter, so to speak, >> >> >> Not discounting Luke's excellent response: key management is hard. >> >> Look for utilities with reliable import/export capability. Be >> prepared >> >> to OWN your keys. >> >> I say this again as a CISSP, own your keys. This is your bread and >> >> butter, so to speak, the family jewels. >> >> So take care when using these products to ensure that they do what >> you >> >> want them to do and that you know what they're doing. >> >> >> >> One shop where I recently worked had a great slogan, "crypto is easy; >> >> key management is hard". >> >> It's not that the crypto was easy but that it's done already, >> >> implemented, coded, packaged. But the keys *must* be managed by you >> and >> >> your team, not the kind of thing which can be outsourced. >> >> Keys and certs cannot be installed and forgotten. And sadly, some of >> the >> >> expirations we are given are too short to be practical. (Various >> >> government issued IDs and licenses commonly last FIVE years. Why do >> PKI >> >> certs last only two? ... or ONE?) >> >> But I'm getting off topic. Sorry. >> >> >> >> The point is, keys are fundamentally different than any other >> software >> >> or data that we have to manage. >> >> And it's a good idea to limit keys to individuals when you can. (Like >> >> the combination to the bank vault.) >> >> It's all about trust. >> >> >> >> This e-mail transmission contains information that is confidential and may >> be privileged. It is intended only for the addressee(s) named above. If >> you receive this e-mail in error, please do not read, copy or disseminate it >> in any manner. If you are not the intended recipient, any disclosure, >> copying, distribution or use of the contents of this information is >> prohibited. Please reply to the message immediately by informing the sender >> that the message was misdirected. After replying, please erase it from your >> computer system. Your assistance in correcting this error is appreciated. >> >> --------------------------------------------------------------------- >> - For IBM-MAIN subscribe / signoff / archive access instructions, >> send email to lists...@listserv.ua.edu with the message: INFO >> IBM-MAIN >> >> > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, send > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > ---------------------------------------------------------------------- > The information contained in this message is confidential, protected from > disclosure and may be legally privileged. If the reader of this message is > not the intended recipient or an employee or agent responsible for delivering > this message to the intended recipient, you are hereby notified that any > disclosure, distribution, copying, or any action taken or action omitted in > reliance on it, is strictly prohibited and may be unlawful. If you have > received this communication in error, please notify us immediately by > replying to this message and destroy the material in its entirety, whether in > electronic or hard copy format. Thank you. > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, send > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
