I was looking through this thread, and I never saw any suggestion of using an external box! There was a RYO solution with fieldproc, using native DB2 v8 (wow, very nice!), and the solution I stated using Protegrity with views/triggers/UDFs. I perhaps was unclear when I spoke about DTP - DTP allows encrypted data stored in DB2 to be used with Open Systems and vice versa. Very handy when dealing with EDI/FTP/Flat files being transferred between the disparate systems. At no time is sensitive data in an unencrypted state at rest on any of the systems.
On Sat, 11 Mar 2006 00:15:05 -0700, Timothy Sipples <[EMAIL PROTECTED]> wrote:

<snip>
>I respectfully disagree with the commenter that suggested an external box
>of some kind for this mission. Perhaps it works for them, but I'd have
>some hard questions to overcome. You're going to take a big I/O hit for
>every read/write (increasing latency and, ironically, mainframe
>processing), the data would flow unencrypted over the wire to/from the box
>anyway (and that doesn't seem to pass muster with the PCI auditors I've
>heard about), and you've just created a really tough DR and key recovery
>problem. Remember, lose the keys (or the box that handles them) and
>you've lost the data. ICSF is the best key steward, and we're talking
>enterprise data here.
>
>If I were to do something like that I'd want a z/OS fallback option for
>processing and for key management with ICSF. And I'd probably want
>production crypto not on a separate box (over a wire) but on an IFL
>(Linux) over a Hipersocket. And I'd want to test and measure that setup a
>lot to make sure it's worth the bother versus a simpler (and less labor
>intensive) approach. Labor costs money, too.
>
>- - - - -
>Timothy F. Sipples
>Consulting Enterprise Software Architect, z9/zSeries
>IBM Japan, Ltd.
>E-Mail: [EMAIL PROTECTED]
>
>----------------------------------------------------------------------
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
>Search the archives at http://bama.ua.edu/archives/ibm-main.html

