Phil Smith III wrote:
>I feel that IBM inadvertently caused the confusion by calling
>the data set encryption "PE" at first: the fact that this
>thread refers to it as such actually supports that, no?

You've made this assertion a couple times now, and it's not actually true as far as I can tell. IBM announced z/OS Data Set Encryption on February 21, 2017, in the z/OS 2.3 preview announcement. Refer to IBM Announcement Letters 217-085. Even if you believe IBM caused some confusion -- I cannot find much evidence in the historical record of official IBM communications, but if that's what you believe -- that's certainly NOT a reason to add any more. I've asked you to help reduce terminology confusion, not to increase it. Thanks.

>>Obviously IBM is not opposed to application-level encryption!
>>It's right there, at the top of the pyramid. Shouldn't you be
>>happy with that?
>I have seen that. I'm happy that IBM says that; I'd be happier
>if z/OS Data Set Encryption wasn't being touted as providing
>much more protection than it actually does. Doing so is not
>helping customers or IBM.

OK, I think that's pretty ridiculous. We (the world) could wait at least a couple decades before application developers finish adding application-level encryption everywhere it's needed, assuming they even do that well and correctly (competently, without malice) and in a way that facilitates rapid progression to more secure algorithms as cryptography advances (big assumptions). But have you actually noticed what's going on in the real world? Substantial, real progress that doesn't require application changes has strong merit. Shouldn't this be obvious? The world cannot wait decades to rise to the many security challenges.

I don't know anybody at IBM (or elsewhere, for that matter) claiming that z/OS Data Set Encryption is the *only* security-related capability that customers should adopt. The "pyramid" certainly doesn't say that, and it's a popular diagram by now. But it is quite important, and turning it on doesn't require application changes. We had a similar dialog in 2017 (or thereabouts), and you had the same basic complaint as I recall.

But I really don't know why you cannot point to the "pyramid" -- happily so! -- and promote your particular product if it has value to help add application-level encryption. "We solve this part!" if that's what you do. What on earth is wrong with that? I don't get it. Maybe you disagree with where particular customers are spending their always finite resources first, but those are debates to have with your prospective customers, surely and hopefully in a thoughtful, friendly way. IBM, for its part, is clearly and repeatedly saying "application-level encryption is important too." (Is the top of the "pyramid" a bad place?!?!) How a particular customer prioritizes implementation of application-level encryption, and where, is situational, of course.

My views are my own, as a reminder.

--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM Z & LinuxONE
--------------------------------------------------------------------------------------------------------
E-Mail: sipp...@sg.ibm.com