vasanthz
Global Moderator
Joined: 28 Aug 2007 Posts: 1742 Location: Tirupur, India
Hi, I think with z/OS 2.2 we have the optional feature of 'Dataset Encryption'.
This link - www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.idak100/encryption23.htm
says,
Quote: |
With data set encryption, you are able to protect data residing on disk from being viewed by unauthorized users in the clear. |
If the underlying hard disks are already hardware encrypted (let's say VMAX with back-end encryption), then why do we need dataset encryption?
Quote: |
It also says "With z/OS data set encryption, you can encrypt data without requiring application changes." |
I believe this means that any job/ISPF/program would be able to read the encrypted dataset unhindered, the same as the unencrypted version.
Then why do we need this? RACF already guards access requests from programs, JCL, etc.
We have not enabled dataset encryption yet, but are trying to understand its capability.
Simply put, how is it possible for someone to gain access to an unencrypted dataset and not to an encrypted dataset?
Regards,
Vasanth.S
Robert Sample
Global Moderator
Joined: 06 Jun 2008 Posts: 8696 Location: Dubuque, Iowa, USA
Quote: |
Simply put, how is it possible for someone to gain access to an unencrypted dataset and not to an encrypted dataset? |
If you send data (such as a tape) offsite (to a disaster recovery facility, for example, or to an offsite storage company), data set encryption can protect that data even if it is stolen while travelling to or from the offsite location. If that tape is loaded on another system, it is not that hard to be able to read it (with or without standard labels) -- unless the data is encrypted. In such a case, RACF would not be doing anything to protect the tape data since it is on a completely different system without the RACF rules you're used to.
vasanthz
Global Moderator
Joined: 28 Aug 2007 Posts: 1742 Location: Tirupur, India
Thanks Robert, I understand to some extent how it applies to tape.
But would this still apply if the tapes are all virtual tapes and the underlying hard disks are hardware encrypted?
Even if someone breaks into a datacenter and steals a bunch of hard disks, they still would not be able to read them, since it's encrypted at hard disk level.
It need not be dataset level, right?
dneufarth
Active User
Joined: 27 Apr 2005 Posts: 419 Location: Inside the SPEW (Southwest Ohio, USA)
May protect different LPARs from viewing certain datasets on shared DASD.
Google search on "why z/os encryption for datasets" revealed some applicable ideas/reasons.