|
View previous topic :: View next topic
|
| Author |
Message |
vasanthz
Global Moderator
Joined: 28 Aug 2007
Posts: 1742
Location: Tirupur, India
|
|
|
|
Hi, I think with z/OS 2.2 we have the optional feature of 'Dataset Encryption'.
This link - www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.idak100/encryption23.htm
says,
| Quote: |
| With data set encryption, you are able to protect data residing on disk from being viewed by unauthorized users in the clear. |
If the underlying hard disks are already hardware encrypted(lets say VMAX with back-end encryption), then why do we need dataset encryption.
| Quote: |
| It also says "With z/OS data set encryption, you can encrypt data without requiring application changes." |
I believe this means that any job/ISPF/program would be able to read the encrypted dataset unhindered, as same as the unencrypted version.
Then why do we need this? RACF already guards access requests from programs, JCL, etc.
We have not enabled dataset encryption yet, but trying to understand its capability.
Simply put, how is it possible for someone to gain access to unencrypted dataset and not to an encrypted dataset.
Regards,
Vasanth.S |
|
| Back to top |
|
 |
Robert Sample
Global Moderator
Joined: 06 Jun 2008
Posts: 8696
Location: Dubuque, Iowa, USA
|
|
|
|
| Quote: |
| Simply put, how is it possible for someone to gain access to unencrypted dataset and not to an encrypted dataset. |
If you send data (such as a tape) offsite (to a disaster recovery facility, for example, or to an offsite storage company), data set encryption can protect that data even if it is stolen while travelling to or from the offsite location. If that tape is loaded on another system, it is not that hard to be able to read it (with or without standard labels) -- unless the data is encrypted. In such a case, RACF would not be doing anything to protect the tape data since it is on a completely different system without the RACF rules you're used to. |
|
| Back to top |
|
|
vasanthz
Global Moderator
Joined: 28 Aug 2007
Posts: 1742
Location: Tirupur, India
|
|
|
|
Thanks Robert, I understand to some extent how it applies to tape.
But would this still apply, if the tapes are all virtual tapes and then the underlying hard disks are hardware encrypted.
Even if someone breaks into a datacenter and steals a bunch of hard disks, they still would not be able to read them, since its encrypted at hard disk level.
It need not be dataset level right? |
|
| Back to top |
|
|
dneufarth
Active User
Joined: 27 Apr 2005
Posts: 419
Location: Inside the SPEW (Southwest Ohio, USA)
|
|
|
|
May protect different LPARS from viewing certain datasets on shared dasd.
Google search on "why z/os encryption for datasets" revealed some applicable ideas/reasons. |
|
| Back to top |
|
|
|
|
