On 5/08/2019 3:08 pm, Timothy Sipples wrote:
> Lennie Dymoke-Bradshaw wrote:
>> My first reason for PE for data sets is that encryption
>> protects the data when it is accessed outside of its normal
>> environment (i.e. not via the data's normal RACF
>> environment).
>
> Some other examples, in no particular order: anything IPL'ed on the system
> (or that could be) that isn't z/OS with its security manager fully
> operating (e.g. ZZSA, standalone dump, Linux raw track access mode, Linux
> zdsfs, z/VM, the Customized Offerings Driver), some of the stuff Innovation
> Data Processing can do for backups, or a misconfigured program properties
> table (NOPASS). RACF is excellent, but you cannot assume it'll always be
> fully on guard.

Isn't RACF also required to protect the keys? What stops something else IPLed on the system from accessing the keys using the same interfaces z/OS uses?


Andrew Rowley

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
