
What is the purpose of z/OS dataset encryption?


vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1693
Location: Tiruppur, India

Posted: Fri Aug 31, 2018 12:56 am

Hi, I think with z/OS 2.2 we have the optional feature of 'Dataset Encryption'.

This link - www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.idak100/encryption23.htm
says,
Quote:
With data set encryption, you are able to protect data residing on disk from being viewed by unauthorized users in the clear.

If the underlying hard disks are already hardware encrypted (let's say VMAX with back-end encryption), then why do we need dataset encryption?
Quote:
It also says "With z/OS data set encryption, you can encrypt data without requiring application changes."

I believe this means that any job/ISPF/program would be able to read the encrypted dataset unhindered, the same as the unencrypted version.
Then why do we need this? RACF already guards access requests from programs, JCL, etc.

We have not enabled dataset encryption yet, but are trying to understand its capability.
Simply put, how is it possible for someone to gain access to an unencrypted dataset and not to an encrypted dataset?

Regards,
Vasanth.S
Robert Sample

Global Moderator


Joined: 06 Jun 2008
Posts: 8584
Location: Dubuque, Iowa, USA

Posted: Fri Aug 31, 2018 1:20 am

Quote:
Simply put, how is it possible for someone to gain access to an unencrypted dataset and not to an encrypted dataset?
If you send data (such as a tape) offsite (to a disaster recovery facility, for example, or to an offsite storage company), data set encryption can protect that data even if it is stolen while travelling to or from the offsite location. If that tape is loaded on another system, it is not that hard to be able to read it (with or without standard labels) -- unless the data is encrypted. In such a case, RACF would not be doing anything to protect the tape data since it is on a completely different system without the RACF rules you're used to.
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1693
Location: Tiruppur, India

Posted: Fri Aug 31, 2018 1:54 am

Thanks Robert, I understand to some extent how it applies to tape.
But would this still apply if the tapes are all virtual tapes and the underlying hard disks are hardware encrypted?
Even if someone breaks into a datacenter and steals a bunch of hard disks, they still would not be able to read them, since it's encrypted at hard disk level.
It need not be dataset level, right?
dneufarth

Active User


Joined: 27 Apr 2005
Posts: 335
Location: Inside the SPEW (Cincinnati OH USA)

Posted: Fri Aug 31, 2018 2:22 am

May protect different LPARs from viewing certain datasets on shared DASD.

Google search on "why z/os encryption for datasets" revealed some applicable ideas/reasons.
All times are GMT + 6 Hours