Re: Crypto-DASD?
Ron,

Can't disagree with a thing you said. Not sure where I've argued to the other side of any of this.

Thanks!

Scott T. Harder
Tech Support & Product Development
ASPG, Inc.
Ph: 239-649-1548 / Ext. 203
Fax: 239-649-6391
General Support Email: aspgt...@aspg.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Ron Hawkins
Sent: Thursday, February 12, 2009 5:57 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Crypto-DASD?

Scott,

Has your Storage Vendor ever replaced a failed or failing drive? Do you know where that drive is now?

I know of several customers that purchased and stored their failed drives because they cannot be erased using commercial software once they stop working. I also know of one customer that has an annual "bash and burn" session.

A normal DASD init does not securely overwrite data on the disk drive. It is no longer easy to read, but neither is it completely masked. Writing over a track on disk is like driving over someone else's tire tracks - you never completely cover up the first set of tracks unless you drive over them a few times.

Secure Erasure is built into the latest HDS controllers, or you can use software like the FDR/ERASE. However, that doesn't protect data on replaced drives, hence the requests by customers for vendors to look at encryption of data at rest.

Ron

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Eric Bielefeld
> Sent: Tuesday, February 10, 2009 11:31 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: [IBM-MAIN] Crypto-DASD?
>
> Scott,
>
> I still can't see why if you have a box in your datacenter, that will never leave your datacenter until after its useful life is over, should be encrypted. How are you going to access that data except by the z/OS operating system? That's why we have security systems. When the box is done, and you sell it or scrap it, you can always initialize all the disks.
>
> I asked my boss at P&H Mining if he wanted me to init all the disks, or if he just wanted to let Hitachi do the initialize they do whenever a box is sold, and he said just let Hitachi do it. There was sensitive data in many files, but I highly doubt if anyone could have recovered any of it after it was initialized by Hitachi. This was when P&H shut down z/OS for good.
>
> I can see the value of encrypting data on PC hard drives, after all of the problems people have had with stolen PCs with sensitive data on them, but mainframe dasd? I just can't see it, or any regulations requiring it.
>
> Eric
>
> --
> Eric Bielefeld
> Systems Programmer
> Washington University
> St Louis, Missouri
> 314-935-3418
>
> "Scott T. Harder" wrote:

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Crypto-DASD?
Scott T. Harder
Tech Support & Product Development
ASPG, Inc.
Ph: 239-649-1548 / Ext. 203
Fax: 239-649-6391
General Support Email: aspgt...@aspg.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Russell Witt
Sent: Wednesday, February 11, 2009 4:42 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Crypto-DASD?

Scott,

>Okay, if you think data stored on disk is "data at rest"; please define "disk". Does a SSD (Solid-State Drive) count as a disk drive? What about a RAM drive (using either SRAM or DRAM)? If a RAM drive using SRAM or DRAM is a disk; then what is the difference between a RAM drive and memory in a computer?

I think what the regs mean by "data at rest" is "where the data lives" or "its home location". As you say, the term "disk" is quite interchangeable these days.

>And of course as Phil said, the decryption should not be done on an "automatic" basis; but rather based on rules. And who will control those rules; the external-security system. So, if the external-security system will control who can access the data via automatic decryption; how is that different than having the external-security system control access to the data in the first place.

Agreed. But is access to encryption keys (whether stored in ICSF hardware or otherwise) not controlled by the security system (CSFKEYS / CSFSERV)?? I think you could make this argument about any data you encrypt on the system. If you have the key, you can get to the cleartext and access to the key is controlled by RACF, CA-ACF2, CA-TSS, etc.

>Just my opinion, but PCI really needs to do a better job of defining what needs to be done.

This is the real rub of it all, isn't it? Absolutely agreed.

Thanks!
Scott

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Scott T. Harder
Sent: Wednesday, February 11, 2009 11:46 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Crypto-DASD?

Now, that's what I'm talkin' about. Thanks, Timothy, for the info.

FWIW... to me, data stored on disk is data at rest. It may not be all the time, but I think that the intent of that phrase, as used in the regulations, is pretty clear. Whether they were correct in using it can be argued, for sure, but

Thanks to everyone.

Scott T. Harder
Re: Crypto-DASD?
Russell,

I'm not familiar with the wording of the standard, but it seems to me that data at rest can be defined as data stored at its ultimate media location. To this end data in cache, data in channels and memory, etc. is not at rest because it requires further handling or processing before it reaches the ultimate storage media location - disk, tape, or flash drive.

For most disk arrays this means Encrypt/Decrypt of the data occurs as it moves between the cache and the drive. Any overhead will be carried by the Cipher ASIC, and will not affect the line speed of the FCAL, SATA or SAS interface used to access the drives. Any degradation would depend on the where and how the ASIC is situated in the processor path to the storage media, and would mainly affect read cache misses, write destage, and sequential pre-fetch.

As for rules, my take on this is that if 2 out of 10 applications require encryption, and the most cost effective way to do it is to store it all as encrypted, then what rule has been broken? I don't think that the standard is intended to grant or deny access to data, but rather to deny access to data on storage media when it is removed from those access security controls.

Ron

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Russell Witt
> Sent: Wednesday, February 11, 2009 1:42 PM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: [IBM-MAIN] Crypto-DASD?
>
> Scott,
>
> Okay, if you think data stored on disk is "data at rest"; please define "disk". Does a SSD (Solid-State Drive) count as a disk drive? What about a RAM drive (using either SRAM or DRAM)? If a RAM drive using SRAM or DRAM is a disk; then what is the difference between a RAM drive and memory in a computer?
>
> And of course as Phil said, the decryption should not be done on an "automatic" basis; but rather based on rules. And who will control those rules; the external-security system. So, if the external-security system will control who can access the data via automatic decryption; how is that different than having the external-security system control access to the data in the first place.
>
> Just my opinion, but PCI really needs to do a better job of defining what needs to be done.
>
> But again, just my 2-cents
> Russell
Re: Crypto-DASD?
Scott,

Has your Storage Vendor ever replaced a failed or failing drive? Do you know where that drive is now?

I know of several customers that purchased and stored their failed drives because they cannot be erased using commercial software once they stop working. I also know of one customer that has an annual "bash and burn" session.

A normal DASD init does not securely overwrite data on the disk drive. It is no longer easy to read, but neither is it completely masked. Writing over a track on disk is like driving over someone else's tire tracks - you never completely cover up the first set of tracks unless you drive over them a few times.

Secure Erasure is built into the latest HDS controllers, or you can use software like the FDR/ERASE. However, that doesn't protect data on replaced drives, hence the requests by customers for vendors to look at encryption of data at rest.

Ron

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Eric Bielefeld
> Sent: Tuesday, February 10, 2009 11:31 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: [IBM-MAIN] Crypto-DASD?
>
> Scott,
>
> I still can't see why if you have a box in your datacenter, that will never leave your datacenter until after its useful life is over, should be encrypted. How are you going to access that data except by the z/OS operating system? That's why we have security systems. When the box is done, and you sell it or scrap it, you can always initialize all the disks.
>
> I asked my boss at P&H Mining if he wanted me to init all the disks, or if he just wanted to let Hitachi do the initialize they do whenever a box is sold, and he said just let Hitachi do it. There was sensitive data in many files, but I highly doubt if anyone could have recovered any of it after it was initialized by Hitachi. This was when P&H shut down z/OS for good.
>
> I can see the value of encrypting data on PC hard drives, after all of the problems people have had with stolen PCs with sensitive data on them, but mainframe dasd? I just can't see it, or any regulations requiring it.
>
> Eric
>
> --
> Eric Bielefeld
> Systems Programmer
> Washington University
> St Louis, Missouri
> 314-935-3418
>
> "Scott T. Harder" wrote:
Re: Crypto-DASD?
Scott,

Okay, if you think data stored on disk is "data at rest"; please define "disk". Does a SSD (Solid-State Drive) count as a disk drive? What about a RAM drive (using either SRAM or DRAM)? If a RAM drive using SRAM or DRAM is a disk; then what is the difference between a RAM drive and memory in a computer?

And of course as Phil said, the decryption should not be done on an "automatic" basis; but rather based on rules. And who will control those rules; the external-security system. So, if the external-security system will control who can access the data via automatic decryption; how is that different than having the external-security system control access to the data in the first place.

Just my opinion, but PCI really needs to do a better job of defining what needs to be done.

But again, just my 2-cents
Russell

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Scott T. Harder
Sent: Wednesday, February 11, 2009 11:46 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Crypto-DASD?

Now, that's what I'm talkin' about. Thanks, Timothy, for the info.

FWIW... to me, data stored on disk is data at rest. It may not be all the time, but I think that the intent of that phrase, as used in the regulations, is pretty clear. Whether they were correct in using it can be argued, for sure, but

Thanks to everyone.

Scott T. Harder
Re: Crypto-DASD?
Now, that's what I'm talkin' about. Thanks, Timothy, for the info.

FWIW... to me, data stored on disk is data at rest. It may not be all the time, but I think that the intent of that phrase, as used in the regulations, is pretty clear. Whether they were correct in using it can be argued, for sure, but

Thanks to everyone.

Scott T. Harder
Tech Support & Product Development
ASPG, Inc.
Ph: 239-649-1548 / Ext. 203
Fax: 239-649-6391
General Support Email: aspgt...@aspg.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Timothy Sipples
Sent: Wednesday, February 11, 2009 8:29 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Crypto-DASD?

Yes, IBM announced full disk encryption for several DS8000 series storage models:

http://www.ibm.com/common/ssi/rep_ca/0/897/ENUS109-120/ENUS109-120.PDF

Lots of other interesting stuff in that announcement (and other announcements on February 10th), including Solid State Disk (SSD) support.

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Based in Tokyo, Serving IBM Japan / Asia-Pacific
E-Mail: timothy.sipp...@us.ibm.com
Re: Crypto-DASD?
Back when a disk drive was a single entity we used CDEP (certified data erasure program/product) to clear data to DOD specifications. Then ICKDSF with the correct parameters could do the job and CDEP went away.

Then came the array DASD and no more disk drives as we knew them. Data was compressed and striped across several drives and you had to have a map to determine which ones and in what order. This was good in that when one failed, a spare took over and the "lost" data was rebuilt on the spare. The failed drive was hot-swapped and no outage taken. The vendor could take the drive without worry of data exposure because the collection of bits made no sense without the map and other drives.

Releasing the box is still a problem. Most vendors have the ability to clear the drives to DOD standards. If you are concerned about the data, the fee is probably worth it.

The only other solutions are to magnetically erase the data - vendors do not like this as it can damage other electronics. The other solution is to pull the drives and have a lieutenant watch a group of privates with sledge hammers take out their frustrations on the drives. Really hated by vendors, but I have used it in the past.

Dennis Roach
GHG Corporation
Lockheed Martin Mission Services
FDOC Contract
2100 Space Park Drive
LM-15-4BH
Houston, Texas 77058
Voice: (281) 336-5027
Cell: (713) 591-1059
Fax: (281) 336-5410
E-Mail: dennis.ro...@lmco.com

All opinions expressed by me are mine and may not agree with my employer or any person, company, or thing, living or dead, on or near this or any other planet, moon, asteroid, or other spatial object, natural or manufactured, since the beginning of time.

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Tom Marchant
> Sent: Tuesday, February 10, 2009 2:53 PM
>
> >When the box is done, and you sell it or scrap it, you can always initialize all the disks.
>
> Search the archives. The topic of effectively erasing the data on DASD has come up several times over the years.
>
> Tom Marchant
Re: Crypto-DASD?
Yes, IBM announced full disk encryption for several DS8000 series storage models:

http://www.ibm.com/common/ssi/rep_ca/0/897/ENUS109-120/ENUS109-120.PDF

Lots of other interesting stuff in that announcement (and other announcements on February 10th), including Solid State Disk (SSD) support.

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Based in Tokyo, Serving IBM Japan / Asia-Pacific
E-Mail: timothy.sipp...@us.ibm.com
Re: Crypto-DASD?
On Tue, Feb 10, 2009 at 1:48 PM, Bohn, Dale wrote:
> Encrypted DASD is seen by some as a simple solution to the PCI standard requiring the PAN (credit card number) to be encrypted when the data is at rest ( written to media). It would not require alteration of either system or application software to implement. Several vendors are working on this, but are waiting for the adoption of the IEEE standard on key management.

And of course they're wrong -- encrypted DASD does not meet the requirements of PCI, which include role-based access control. If the data is automatically decrypted on access, then there's no additional security from the PCI perspective. The only added security, as others have noted, is that if you accidentally leave your DS8100 at the airline gate, the kid who finds it can't trivially read the VSAM data ... ;-)

(And no, I'm not suggesting that you, Dale, thought it was a real solution!)

Since Scott Harder started mentioning products, I'll add that Voltage SecureData provides full PCI-compliant encryption -- without requiring changes to most applications or to database schema.

--
...phsiii

Phil Smith III
p...@voltage.com
Voltage Security, Inc.
www.voltage.com
(703) 476-4511 (home office)
(703) 568-6662 (cell)
Re: Crypto-DASD?
Thompson, Steve wrote:
[...]
> Well, it seems that there are some requirements (by Auditors?) to have data encrypted on DASD. Something about belt-suspenders kinda thing.

Well, we often hear about completely stupid auditor requirements. (Of course it doesn't mean that all requirements are unreasonable.)

> While I might have access to a file, I do not have authority to know its specific contents. My reason for having access is so that I may delete, define, etc. the container (DSN), but I am not specifically authorized to know the contents. RACF, TSS, and ACF2, to my knowledge, do not give that kind of access.

Yes, they give. For example see DASDVOL class.

Last, but not least: if you really want to see part of file content, i.e. given fields of record or selected records - then you don't need access to the file. You need access to *application* which in turn has the access to the file. But the application filters data you can see.

> Think PINs, medical info, SSNs, and other sensitive data that can be contained in files of, say, Hospital, Court System, Credit Card Processor, etc.

Sensitivity of data has nothing to do. The methods and techniques remain the same.

When I teach RACF classes always start with the following "layers" of security (in a few words):

1. Physical security - devices have to be secured. Even encrypted disk - when stolen - does not work (think about DOS attack). For unencrypted media and cable transmission physical security is even more important. Maybe that's why our datacenters are not wide open...
2. System integrity. Before I use any of the rules provided by RACF I have to be sure that any program(mer) can bypass these rules by "hacking" the system.
3. Resource access control. RACF, ACF2, other. Here we decide that program(mer) who wants access some data is able to do that. Want to browse SYS1.PAYROLL ? No problem as long as you are authorized to.
4. Encryption. No RACF rule, no system integrity can prevent tape from being stolen and read. No method to prohibit out-of-the-building data transmission from being tapped. The only known way is to make the data unreadable.

And now we can decide what layer will be used for our DASD: 1. or 4. Is my DASD well protected by physical means ? If not then encryption is a must. For notebooks it seems obvious. But for DASD arrays residing in well protected datacenter? I doubt.

One could say "why not combine 1. and 4. - it doesn't hurt". Unfortunately *it hurts*. It hurts performance. We want our DASD to be *fast*, so encryption of data stream could be a bottleneck.

There is still issue of DASD withdrawal. Encryption ...does not help too much! Encryption means you need at most n hours of time to decrypt it using brute-force method, doesn't it? So I would want to wipe out data from disk platters doesn't matter it is encrypted or not. OK, it does matter: leaving unencrypted data is a crime, leaving encrypted data is minor security breach.

Regards
--
Radoslaw Skorupka
Lodz, Poland

--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

District Court for the Capital City of Warsaw, XII Commercial Division of the National Court Register, register of entrepreneurs no. KRS 025237, NIP: 526-021-50-88. As of 01.01.2008 the share capital of BRE Bank SA amounts to 118.642.672 zlotys and has been paid up in full.
Re: Crypto-DASD?
Tom Marchant wrote:
> On Tue, 10 Feb 2009 13:04:42 -0600, Hal Merritt wrote:
> > Every record of every file is in an unpublished, often proprietary format.
>
> Security by obscurity? It often is easy to figure out.

Agreed. Security by obscurity is no security. Encryption is not obscurity (known, proved algorithm, secret key).

> > The data is then compressed and written in yet another proprietary format over several physical devices.
>
> Iceberg and RVA compress data. Other DASD subsystems don't, AFAIK. Does STK still market the SVA?

Yes, but it's Sun now. SVA is still produced because this is the same box which works as VSM (kind of virtual tape server).

--
Radoslaw Skorupka
Lodz, Poland

--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl
Re: Crypto-DASD?
Excellent point. I guess 10,000 rpm might mean that the data is still "moving".

.. must... be .. fly on wall.. during PCI auditor exchange concerning "at rest" with Russell explaining.

I suppose that "at rest" is at best a relative concept. Since everything is always moving... even if cooled to absolute zero... still moving thru space.

Cheers,
Rob Schramm
Re: Crypto-DASD?
There is the real issue. The PCI standard required that data needs to be encrypted when the "data is at rest". But of course, they do NOT define what "data is at rest" means. Some say "written to any media"; but that is NOT what the PCI standard says. If it did, then no question. But the PCI standard says to encrypt "data at rest". Is online DASD "at rest"? In my opinion (and this is strictly my own personal opinion) is no.

To my way of thinking, "data at rest" would imply it is on some type of removable media that is not cable-attached directly to a machine. For example, data on a tape/cartridge? Definitely at-rest. Data on a USB thumb drive? Definitely at-rest. Data on a laptop that is powered off? Ah, this gets harder. My opinion, yes. Data on a dasd device in a secure location that is cable attached to a mainframe? Again, in my opinion no.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Bohn, Dale
Sent: Tuesday, February 10, 2009 12:48 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Crypto-DASD?

Encrypted DASD is seen by some as a simple solution to the PCI standard requiring the PAN (credit card number) to be encrypted when the data is at rest ( written to media). It would not require alteration of either system or application software to implement. Several vendors are working on this, but are waiting for the adoption of the IEEE standard on key management.
Re: Crypto-DASD?
I really didn't want this to turn into an argument over whether this is necessary. Sarbanes Oxley, PCI, and other government regulations say it's necessary to comply, so anyone needing to comply with a whole host of these regs has the need to encrypt data at rest.

Now... you don't need DASD that has encryption built-in to do it, of course. In fact, you could purchase MegaCryption from ASPG, Inc. and use it very nicely *and* get the additional benefits of being able to use it for B2B exchange of encrypted data, as well as to easily encrypt DSS and/or CA-DISK backups; all taking advantage of ICSF and/or CPACF hardware when it makes sense to do so. ;-)

Sorry... I couldn't resist.

Scott T. Harder
Tech Support & Product Development
ASPG, Inc.
Ph: 239-649-1548 / Ext. 203
Fax: 239-649-6391
General Support Email: aspgt...@aspg.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Hal Merritt
Sent: Tuesday, February 10, 2009 2:05 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Crypto-DASD?

I've been reading about such, but only in a PC context.

IMNSHO, DASD encryption does not add any real security value. Every record of every file is in an unpublished, often proprietary format. The data is then compressed and written in yet another proprietary format over several physical devices.

Encrypted data would defeat most all compression algorithms, increasing raw storage requirements substantially. That's serious dollars to mitigate a near nonexistent threat.

Encryption is being pushed by auditors in response to sensitive data on PC hard drives.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Scott T. Harder
Sent: Tuesday, February 10, 2009 11:23 AM
To: IBM-MAIN@bama.ua.edu
Subject: Crypto-DASD?

Just curious if anyone has heard anything about new DASD coming out any time soon (or not so soon) that will have encryption built in, where anything written to a volume on a unit supporting this would automatically get encrypted; and decrypted when read, of course.

Thanks!
Scott

Scott T. Harder
Tech Support & Product Development
ASPG, Inc.
Ph: 239-649-1548 / Ext. 203
Fax: 239-649-6391
General Support Email: aspgt...@aspg.com
Re: Crypto-DASD?
On Tue, 10 Feb 2009 13:04:42 -0600, Hal Merritt wrote:
>
>Every record of every file is in an unpublished, often proprietary format.

Security by obscurity? It often is easy to figure out.

>The data is then compressed and written in yet another proprietary format over several physical devices.

Iceberg and RVA compress data. Other DASD subsystems don't, AFAIK. Does STK still market the SVA?

>Encrypted data would defeat most all compression algorithms, increasing raw storage requirements substantially.

That would only apply if the compression was done after the encryption. If it was compressed first, then encrypted, it would not.

--
Tom Marchant
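Added example, not part of any post in this thread: the ordering point made in the message above (compress first, then encrypt), measured on constructed fixed-width records. The SHA-256 keystream is a stand-in for a real cipher so that the script needs only the standard library; `KEY`, `NONCE`, the record layout and all function names are assumptions made for the illustration.

```python
import hashlib
import zlib

KEY = b"constructed-demo-key"   # constructed value, not a real key
NONCE = b"volume-0001"          # constructed value


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with SHA-256(key || nonce || counter).

    A storage product would use a vetted cipher such as AES; this keeps the
    example dependency-free. XOR is its own inverse, so the same call both
    encrypts and decrypts.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hashlib.sha256(key + nonce + counter).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, pad))
    return bytes(out)


def sample_records(count: int = 2000) -> bytes:
    """Constructed 80-byte fixed-width records padded with blanks."""
    rows = []
    for i in range(count):
        name = "SMITH" if i % 2 else "JONES"
        row = f"{i:08d}CUSTOMER-RECORD {name:<20}{'ACTIVE':<10}"
        rows.append(row.ljust(80).encode("ascii"))
    return b"".join(rows)


def compress_then_encrypt(plain: bytes) -> bytes:
    """Compress the redundant plaintext, then encrypt the smaller result."""
    return keystream_xor(KEY, NONCE, zlib.compress(plain))


def encrypt_then_compress(plain: bytes) -> bytes:
    """Encrypt first; the compressor then sees data with no usable redundancy."""
    return zlib.compress(keystream_xor(KEY, NONCE, plain))


def recover_compress_then_encrypt(blob: bytes) -> bytes:
    return zlib.decompress(keystream_xor(KEY, NONCE, blob))


def recover_encrypt_then_compress(blob: bytes) -> bytes:
    return keystream_xor(KEY, NONCE, zlib.decompress(blob))


def compare(plain: bytes) -> dict:
    """Return stored sizes in bytes for both orderings."""
    return {
        "plain": len(plain),
        "compress_then_encrypt": len(compress_then_encrypt(plain)),
        "encrypt_then_compress": len(encrypt_then_compress(plain)),
    }


if __name__ == "__main__":
    for label, size in compare(sample_records()).items():
        print(f"{label:>22}: {size:>7} bytes")
```

Both orderings recover the same plaintext; only the stored size differs, which is why an array that compresses has to do so before its cipher stage.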
Re: Crypto-DASD?
On Tue, 10 Feb 2009 19:31:16 +, Eric Bielefeld wrote:
>
>When the box is done, and you sell it or scrap it, you can always initialize all the disks.

Search the archives. The topic of effectively erasing the data on DASD has come up several times over the years.

--
Tom Marchant
Re: Crypto-DASD?
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of John McKown
Sent: Tuesday, February 10, 2009 1:48 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Crypto-DASD?

On Tue, 10 Feb 2009 19:31:16 +, Eric Bielefeld wrote:

>Scott,
>
>I can see the value of encrypting data on PC hard drives, after all of the problems people have had with stolen PCs with sensitive data on them, but mainframe dasd? I just can't see it, or any regulations requiring it.
>
>Eric
>
>--
>Eric Bielefeld

And there you have it, my friend. People can understand why it is a good idea on a PC. Therefore it is a good idea everywhere. After all, "there is no difference, right?" Management by fiat (I wonder what the Fiat management thinks about that statement). Don't think about differences. One size fits all. Manage everything consistently, even if it doesn't really make sense technically.

Well, it seems that there are some requirements (by Auditors?) to have data encrypted on DASD. Something about belt-suspenders kinda thing.

While I might have access to a file, I do not have authority to know its specific contents. My reason for having access is so that I may delete, define, etc. the container (DSN), but I am not specifically authorized to know the contents. RACF, TSS, and ACF2, to my knowledge, do not give that kind of access.

Think PINs, medical info, SSNs, and other sensitive data that can be contained in files of, say, Hospital, Court System, Credit Card Processor, etc.

Regards,
Steve Thompson

-- Opinions expressed by this poster may or may not reflect those of poster's employer. --
Re: Crypto-DASD?
On Tue, 10 Feb 2009 19:31:16 +, Eric Bielefeld wrote:

>Scott,
>
>I can see the value of encrypting data on PC hard drives, after all of the problems people have had with stolen PCs with sensitive data on them, but mainframe dasd? I just can't see it, or any regulations requiring it.
>
>Eric
>
>--
>Eric Bielefeld

And there you have it, my friend. People can understand why it is a good idea on a PC. Therefore it is a good idea everywhere. After all, "there is no difference, right?" Management by fiat (I wonder what the Fiat management thinks about that statement). Don't think about differences. One size fits all. Manage everything consistently, even if it doesn't really make sense technically.

In the past, here, there was a pseudo-rule for us in IT. "Never come in a little late or leave a little early. Always come in at least an hour late or leave an hour early." Why? Because we have hourly employees who would scream like a gut-shot panther if they saw anybody come in a bit late or leave a little early. Even if that somebody worked 5 hours overtime the previous day.

--
John
Re: Crypto-DASD?
Scott,

I still can't see why if you have a box in your datacenter, that will never leave your datacenter until after its useful life is over, should be encrypted. How are you going to access that data except by the z/OS operating system? That's why we have security systems. When the box is done, and you sell it or scrap it, you can always initialize all the disks.

I asked my boss at P&H Mining if he wanted me to init all the disks, or if he just wanted to let Hitachi do the initialize they do whenever a box is sold, and he said just let Hitachi do it. There was sensitive data in many files, but I highly doubt if anyone could have recovered any of it after it was initialized by Hitachi. This was when P&H shut down z/OS for good.

I can see the value of encrypting data on PC hard drives, after all of the problems people have had with stolen PCs with sensitive data on them, but mainframe dasd? I just can't see it, or any regulations requiring it.

Eric

--
Eric Bielefeld
Systems Programmer
Washington University
St Louis, Missouri
314-935-3418

"Scott T. Harder" wrote:

> Hi Eric,
>
> I think the main reason would be to comply with govt. regulations that say "thow must encrypteth data at rest that contains personal/private information". Credit card numbers, medical records... the usual stuff.
>
> Now it won't help B2B exchange; only situations where a company is required to encrypt data where it lives. It will automatically be encrypted and decrypted; I imagine via a symmetric key stored in the hardware. It could be good, also, for DR situations where data is mirrored to DASD at the DR site. Not sure why there, because nobody seems worried about data mirrored to offsite disk, where they are very worried about tape during transport. But, again, if the requirement is that the data at rest be encrypted, then that requirement - I would think - would extend to DR sites, as well.
>
> I asked the original question only because I had heard that crypto-DASD was coming next (after the tape hardware encryption, which is obviously already in the field). I haven't been able to find any information on the crypto-DASD topic, so I just thought I'd see what the list had heard. Just fishing.
>
> Thanks!
> Scott
>
> Scott T. Harder
> Tech Support & Product Development
> ASPG, Inc.
> Ph: 239-649-1548 / Ext. 203
> Fax: 239-649-6391
> General Support Email: aspgt...@aspg.com
Re: Crypto-DASD?
I been reading about such, but only in a PC context. IMNSHO, DASD encryption does not add any real security value. Every record of every file is in an unpublished, often proprietary format. The data is then compressed and written in yet another proprietary format over several physical devices. Encrypted data would defeat most all compression algorithms, increasing raw storage requirements substantially. That's serious dollars to mitigate a near nonexistent threat. Encryption is being pushed by auditors in response to sensitive data on PC hard drives.

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Scott T. Harder
Sent: Tuesday, February 10, 2009 11:23 AM
To: IBM-MAIN@bama.ua.edu
Subject: Crypto-DASD?

Just curious if anyone has heard anything about new DASD coming out any time soon (or not so soon) that will have encryption built in, where anything written to a volume on a unit supporting this would automatically get encrypted; and decrypted when read, of course.

Thanks!
Scott

Scott T. Harder
Tech Support & Product Development
ASPG, Inc.
Ph: 239-649-1548 / Ext. 203
Fax: 239-649-6391
General Support Email: aspgt...@aspg.com
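The compression concern raised in the message above, as an added example that is not part of the original post or any vendor's code: it measures how much constructed fixed-length record data shrinks when compression runs before versus after encryption. The SHA-256 keystream cipher is a stand-in for a real cipher, and the record layout, key and function names are assumptions.

```python
import hashlib
import zlib

KEY = b"constructed demo key"  # assumption: placeholder key for the demo


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR data with a SHA-256 counter-mode keystream.

    Used only because the standard library has no AES; a real storage
    controller would use a vetted cipher. XOR makes it its own inverse.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hashlib.sha256(key + counter).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def sample_records(count: int = 2000) -> bytes:
    """Constructed 80-byte fixed-length records, encoded as EBCDIC (cp037)."""
    records = []
    for i in range(count):
        text = f"{i:08d}CUSTOMER{i % 50:04d}  BALANCE {i * 37 % 100000:09d}"
        records.append(text.ljust(80).encode("cp037"))
    return b"".join(records)


def storage_sizes(data: bytes, key: bytes = KEY) -> dict:
    """Bytes that would land on disk for each ordering of the two steps."""
    compressed = zlib.compress(data, 9)
    return {
        "raw": len(data),
        "compress_only": len(compressed),
        "encrypt_then_compress": len(zlib.compress(keystream_xor(key, data), 9)),
        "compress_then_encrypt": len(keystream_xor(key, compressed)),
    }


def roundtrip_ok(data: bytes, key: bytes = KEY) -> bool:
    """Check that compress-then-encrypt is fully reversible."""
    stored = keystream_xor(key, zlib.compress(data, 9))
    return zlib.decompress(keystream_xor(key, stored)) == data


if __name__ == "__main__":
    for name, size in storage_sizes(sample_records()).items():
        print(f"{name:24s}{size:>8d} bytes")
    print("round trip ok:", roundtrip_ok(sample_records()))
```

Ciphertext does not compress, so the storage cost depends on where in the write path encryption sits relative to compression.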
Re: Crypto-DASD?
We had the same question about a year ago, and the only answer we could find was two pieces of hardware. The first box was essentially an escon/ficon converter that could emulate 3390's on SAN storage. The second box sat between the first box and the SAN storage and did the encrypt/decrypt. The doc said it would work, so it must, but we never had to try it.

Jim Wangler
214-502-6445

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Scott T. Harder
Sent: Tuesday, February 10, 2009 11:23 AM
To: IBM-MAIN@bama.ua.edu
Subject: Crypto-DASD?

Just curious if anyone has heard anything about new DASD coming out any time soon (or not so soon) that will have encryption built in, where anything written to a volume on a unit supporting this would automatically get encrypted; and decrypted when read, of course.

Thanks!
Scott

Scott T. Harder
Tech Support & Product Development
ASPG, Inc.
Ph: 239-649-1548 / Ext. 203
Fax: 239-649-6391
General Support Email: aspgt...@aspg.com
Re: Crypto-DASD?
Encrypted DASD is seen by some as a simple solution to the PCI standard requiring the PAN (credit card number) to be encrypted when the data is at rest (written to media). It would not require alteration of either system or application software to implement. Several vendors are working on this, but are waiting for the adoption of the IEEE standard on key management.
Re: Crypto-DASD?
Is it so some hardware vendor can make more money by offering DASD Encryption? Sort of like when you buy a new car and they offer to undercoat your car for a price?

Lizette

> I haven't heard anything about this new dasd, but I have a question. Why would you want everything encrypted? If you have a dasd box in your datacenter, what is the reason to encrypt all your data? I can see that maybe for mirroring where the data gets sent long distances over communication lines, but why would the average datacenter need this?
Re: Crypto-DASD?
"I asked the original question only because I had heard that crypto-DASD was coming next (after the tape hardware encryption, which is obviously already in the field). I haven't been able to find any information on the crypto-DASD topic, so I just thought I'd see what the list had heard. Just fishing." Of course, if you are under any kind of NDA or CDA, I don't want to hear from you. ;-) Thanks! Scott Scott T. Harder Tech Support & Product Development ASPG, Inc. Ph: 239-649-1548 / Ext. 203 Fax: 239-649-6391 General Support Email: aspgt...@aspg.com -Original Message- From: eric-ibmm...@wi.rr.com [mailto:eric-ibmm...@wi.rr.com] Sent: Tuesday, February 10, 2009 12:58 PM To: IBM Mainframe Discussion List Cc: Scott T. Harder Subject: Re: Crypto-DASD? I haven't heard anything about this new dasd, but I have a question. Why would you want everything encrypted? If you have a dasd box in your datacenter, what is the reason to encrypt all your data? I can see that maybe for mirroring where the data gets sent long distances over communication lines, but why would the average datacenter need this? Eric -- Eric Bielefeld Systems Programmer Washington University St Louis, Missouri 314-935-3418 "Scott T. Harder" wrote: > Just curious if anyone has heard anything about new DASD coming out any > time soon (or not so soon) that will have encryption built in, where > anything written to a volume on a unit supporting this would > automatically get encrypted; and decrypted when read, of course. > > > > Thanks! > > Scott > > > > Scott T. Harder > > Tech Support & Product Development > > ASPG, Inc. > > Ph: 239-649-1548 / Ext. 
203 > > Fax: 239-649-6391 > > General Support Email: aspgt...@aspg.com > > > > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO > Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Crypto-DASD?
In a message dated 2/10/2009 12:08:45 P.M. Central Standard Time, joa...@swbell.net writes:

> No worries if a unit is removed and replaced, or the entire array sold off. The data should be unrecoverable if it is all encrypted. Many data centers have sensitive information sprinkled around in various files.

Still ruminating over today's announcements. Makes mine head hurt! Looks like they been saving up for SHARE. Maybe with something like ProtecTIER and data de-duplicator can do faster backups and shrink the batch window while achieving data compression on the fly. Doesn't say anything about encryption as far as I can tell. The other shoe was sub-capacity licensing for DB/2 9.5 for z/Linux, UNIX, Windows, and Informix. Maybe more protein is required.
Re: Crypto-DASD?
Hi Eric,

I think the main reason would be to comply with govt. regulations that say "thow must encrypteth data at rest that contains personal/private information". Credit card numbers, medical records... the usual stuff.

Now it won't help B2B exchange; only situations where a company is required to encrypt data where it lives. It will automatically be encrypted and decrypted; I imagine via a symmetric key stored in the hardware. It could be good, also, for DR situations where data is mirrored to DASD at the DR site. Not sure why there, because nobody seems worried about data mirrored to offsite disk, where they are very worried about tape during transport. But, again, if the requirement is that the data at rest be encrypted, then that requirement - I would think - would extend to DR sites, as well.

I asked the original question only because I had heard that crypto-DASD was coming next (after the tape hardware encryption, which is obviously already in the field). I haven't been able to find any information on the crypto-DASD topic, so I just thought I'd see what the list had heard. Just fishing.

Thanks!
Scott

Scott T. Harder
Tech Support & Product Development
ASPG, Inc.
Ph: 239-649-1548 / Ext. 203
Fax: 239-649-6391
General Support Email: aspgt...@aspg.com

-Original Message-
From: eric-ibmm...@wi.rr.com [mailto:eric-ibmm...@wi.rr.com]
Sent: Tuesday, February 10, 2009 12:58 PM
To: IBM Mainframe Discussion List
Cc: Scott T. Harder
Subject: Re: Crypto-DASD?

I haven't heard anything about this new dasd, but I have a question. Why would you want everything encrypted? If you have a dasd box in your datacenter, what is the reason to encrypt all your data? I can see that maybe for mirroring where the data gets sent long distances over communication lines, but why would the average datacenter need this?

Eric

--
Eric Bielefeld
Systems Programmer
Washington University
St Louis, Missouri
314-935-3418

"Scott T. Harder" wrote:

> Just curious if anyone has heard anything about new DASD coming out any time soon (or not so soon) that will have encryption built in, where anything written to a volume on a unit supporting this would automatically get encrypted; and decrypted when read, of course.
>
> Thanks!
> Scott
>
> Scott T. Harder
> Tech Support & Product Development
> ASPG, Inc.
> Ph: 239-649-1548 / Ext. 203
> Fax: 239-649-6391
> General Support Email: aspgt...@aspg.com
Re: Crypto-DASD?
On Tue, 10 Feb 2009 11:58:08 -0600, Eric Bielefeld wrote:

>I haven't heard anything about this new dasd, but I have a question. Why would you want everything encrypted? If you have a dasd box in your datacenter, what is the reason to encrypt all your data? I can see that maybe for mirroring where the data gets sent long distances over communication lines, but why would the average datacenter need this?
>
>Eric
>
>--
>Eric Bielefeld

No worries if a unit is removed and replaced, or the entire array sold off. The data should be unrecoverable if it is all encrypted. Many data centers have sensitive information sprinkled around in various files.

--
John
Re: Crypto-DASD?
I haven't heard anything about this new dasd, but I have a question. Why would you want everything encrypted? If you have a dasd box in your datacenter, what is the reason to encrypt all your data? I can see that maybe for mirroring where the data gets sent long distances over communication lines, but why would the average datacenter need this?

Eric

--
Eric Bielefeld
Systems Programmer
Washington University
St Louis, Missouri
314-935-3418

"Scott T. Harder" wrote:

> Just curious if anyone has heard anything about new DASD coming out any time soon (or not so soon) that will have encryption built in, where anything written to a volume on a unit supporting this would automatically get encrypted; and decrypted when read, of course.
>
> Thanks!
> Scott
>
> Scott T. Harder
> Tech Support & Product Development
> ASPG, Inc.
> Ph: 239-649-1548 / Ext. 203
> Fax: 239-649-6391
> General Support Email: aspgt...@aspg.com
Crypto-DASD?
Just curious if anyone has heard anything about new DASD coming out any time soon (or not so soon) that will have encryption built in, where anything written to a volume on a unit supporting this would automatically get encrypted; and decrypted when read, of course.

Thanks!
Scott

Scott T. Harder
Tech Support & Product Development
ASPG, Inc.
Ph: 239-649-1548 / Ext. 203
Fax: 239-649-6391
General Support Email: aspgt...@aspg.com