I would agree.  It is very dependent on what you are doing and WHY you are
doing it.  Regulations, laws, guidelines all vary wildly.  The interaction
between them may lead you to items that were not part of the original
design.

For key management, there is an IBM product whose original name was
DKMS.  If you have to manage a bunch of keys, need to communicate them to
the outside world, need help rotating them .. it is a really nice product
and addresses all the mainframe intricacies.

http://www-03.ibm.com/security/cccc/products/dkms.shtml


Key material management can get pretty weird.  Even more so for those
heading down the path for the first time.  A lot of the weirdness comes
from the need to document every little action; keeping at least dual
control or split control can also drive one to distraction.  Master key
management is also fun... it is always fun when you need a "ceremony" to do
anything! <VBG>

Once you've done it once, it seems pretty straightforward.  My own
experience setting up a TKE for the first time and trying to secure it was
a true adventure.

I am curious, what is the Compuware encryption product for the mainframe?

Rob Schramm
Senior Systems Consultant
Imperium Group




On Wed, Nov 30, 2011 at 9:00 AM, Galambos, Robert <
robert.galam...@compuware.com> wrote:

> List
>
> Well the first item I need to disclose is that I work for an ISV that does
> offer an Enterprise-wide solution to Data Privacy.
>
> BUT the thing I want to bring up is not that, BUT a cautionary note. While
> on the surface JUST encrypting one item/key may seem relatively easy there
> are far reaching consequences that need consideration.
>
>
> For example.
>
> 1) are there other applications (wherever) that need to be kept in sync
> with this encryption (keyed or not)
> 2) what method to be used
> 4) on the fly or static
> 5) other fields that need consideration. PII (personally identifiable
> information)
> 6) ETC
>
>
>
> From: IBM Mainframe Discussion List on behalf of Phil Smith
> Sent: Tue 15/11/2011 12:23 PM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Data encrypt
>
>
>
> Hal Merritt wrote:
> >Many seem to think that encryption is easy to do. It is hard, very
> expensive, and carries a risk of irrevocable loss of data. I would think
> that management  should select a team to plan the implementation.
>
> >An early step in the planning process is to select the encryption
> algorithm to be used. A part of that selection process should include an
> understanding of how the encryption keys are to be managed.
>
> >The key management issues include how to change the key, and how to make
> the key available to programs that have to have it. Of course, you don't
> want the key to flow anywhere in the open, so the key itself should be
> encrypted. And now you need a key for the key.
>
> >You'll need some guidance from the authority asking for the encryption.
>
> Well-said, although I'll add that there's usually no reason to use
> anything other than one of the modes of AES nowadays.
>
> Voltage SecureData would be an ideal solution to this (yes, we're a vendor,
> and yes, this is our product). It would allow you to encrypt the primary
> key and still use it as a primary key, without changing most of your
> applications.
>
> If you see this in time, we have a webinar in 38 minutes:
> http://www.voltage.com/zprotect will let you register.
> --
> .phsiii
>
> Phil Smith III
> p...@voltage.com
> Voltage Security, Inc.
> www.voltage.com
> (703) 476-4511 (home office)
> (703) 568-6662 (cell)
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html