Been a while since I saw this list, so I asked Tim if I could update it. I added and updated (see the (*)) a few things I know about. I did not verify that all the old links and information are still correct. Please feel free to correct if you know something to be wrong. I also left Tim's comments at the bottom, as they still seem appropriate.
Software
--------
ASE
  SLiKZiP
  http://www.slikzip.com/szabout.htm

CA (*)
  Brightstor-BTE
  http://www3.ca.com/Solutions/Product.aspx?ID=5764

Data21
  ZIP/390
  http://www.data21.com/products/zip/default.asp

IBM (*)
  Encryption Facility for z/OS
  http://www-03.ibm.com/servers/eserver/zseries/zos/encryption_facility/

Innovation Data Processing (*)
  FDRCRYPT
  http://www.innovationdp.com/products/fdrcrypt/index.cfm

McAfee
  E-Business Server for OS/390 ("PGP")
  http://www.mcafeesecurity.com/us/products/mcafee/encryption/ebusiness_server_os390.htm

Online Technical Productions
  MegaCryption/MVS
  http://www.megacryption.cc

OpenTech Systems (*)
  CopyCrypt
  http://www.opentechsystems.com/copycrypt.php

PKWARE
  SecureZIP for zSeries
  http://pkzip.com/products/enterprise/zseries/sz/index.php

(*) Supports ICSF hardware crypto acceleration (if available), relieving some processing overhead from CPs.

Hardware
--------
CentricStor
  CentricStor-Decru Encryption Appliance
  http://www.centricstorusa.com/English/Products/CentricStor_DataFort.html

IBM (*)
  TS1120 Tape Drive
  http://www-03.ibm.com/servers/storage/tape/ts1120/index.html

NeoScale and Luminex
  http://www.luminex.com/about/press/pr082205a.html
  http://www.neoscale.com/English/Collaterals/Press_Releases/2005/20050822_Luminex.html

Peakdata and Decru
  http://www.peakdatallc.com/English/Collaterals/Press_Releases/2005/20050816_SecureMainframe.php

SecureAgent Software
  SecureTape Solution
  http://www.secureagent.com/securetape/securetape2.htm

Sun/StorageTek (*)
  T10000 Tape Drive
  http://www.sun.com/storagetek/tape_storage/tape_drives/t10000/

NOTES and COMMENTS
------------------
1. Products vary in whether they use ICSF for key management services (in addition to crypto acceleration). Regardless, careful planning is required for key management to assure authorized recoverability, especially in DR situations. Loss of keys means data loss! Treat the key database just like any other precious security resource, such as RACF (or ACF2 or TopSecret) databases. Some products support simple passwords as encryption keys.

2. In some sense, encryption of backup tapes is philosophically incompatible with rapid and easy data access in the event of an emergency, so many organizations will initially opt for tape encryption only when tapes leave the data center (e.g. for partner exchange).

3. Hardware-based approaches typically require compatible equipment at recovery and recipient sites, although some may offer a lower-performance software fallback option. Bear in mind that hardware-based solutions, when applied to data archiving, must themselves be durable, i.e. available and working to support decryption many years hence.

4. Products vary in whether they support pre-compression (and in the effectiveness and processing intensity of that pre-compression) prior to writing to tape. Encrypted data arriving at the tape drive will typically not compress well, so plan accordingly.

5. Products may vary in their ability to generate tape formats readable on non-zSeries systems. However, nearly all use standard encryption formats such as AES that generally interoperate cross-platform.

6. None of these solutions will solve the problem of tape recipients who then intentionally or inadvertently lose authorized custody of data once unencrypted. (If the data lands on somebody's notebook computer which is then stolen, same problem.) In other words, data protection involves end-to-end planning and procedures.

7. ICSF crypto performance will vary according to chosen encryption algorithm and server model. For example, every zSeries system has at least two types of hardware acceleration: crypto card-based (such as the CryptoExpress2 PCI adapters) and PU-based (CPACF, a.k.a. CP Assist). If the goal is to offload as much processing work from main CPs as possible, then, generally, storage-related encryption (including tape) works best on the CP Assist hardware. Network-related encryption (e.g. SSL) does well with the crypto cards. CP Assist has a more limited set of supported encryption algorithms, so choose carefully. 3DES is available, but the System z9 adds AES (and SHA-256) into CP Assist. Organizations starting to use more AES, especially for storage-related encryption, should factor that into capacity planning and model upgrade decisions to see if a System z9 would offer any financial savings. Most monitoring products (Tivoli OMEGAMON, TMON, MainView, etc.) offer standard or optional ICSF monitoring to keep tabs on resource utilization.

8. I've concentrated on z/OS-related products in this list. I'd very much like to add options for the other operating systems to this list if someone has done homework on that. (Some on this list do.)

9. Many organizations are attempting to shift certain tape exchanges toward secured network exchanges. That shift may be viable in many situations, and z/OS already has ample support for network-related encryption, such as SFTP and SSH. But please note that FTP, despite its popularity, has some quality-of-service weaknesses. For example, unless FTP'ing between two very recent z/OS releases (where there's some special handshaking), there's no guarantee an entire file will arrive. (FTP has some problems signaling end of file.) You should run an independent after-verification of some sort to make sure a file arrives complete and intact. Also, FTP is NOT a good way to integrate applications (again, despite its popularity in that role). Sit down with a zSeries software architect if you're in that situation to do some good planning.

10. Organizations will need to consider whether "data recentralization" makes sense -- that is, not to copy whole files/datasets in the first place. In pure statistical terms, the more copies of data "out there," the more likely data privacy will be compromised. It is simply more difficult to assure that every copy has appropriate authorization/access controls in force when there are many copies.

11. IBM DB2 UDB V8 for z/OS and IBM's Data Encryption Tool for IMS and DB2 may have some relevance to tape encryption for those products (DB2 and IMS). For more information, see the article in the August, 2005, z/OS Hot Topics newsletter:
http://www.ibm.com/servers/eserver/zseries/zos/bkserv/hot_topics.html

Jeffrey Deaver, Engineer
Systems Engineering
[EMAIL PROTECTED]
651-665-4231(v) 651-610-7670(p)

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
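Notes 4 and 9 above, as an added example that is not part of the original post or of any product it lists: a small Python script that shows why data should be compressed before it is encrypted (ciphertext handed to a tape drive's compression gains nothing) and how an independent after-transfer digest check catches a file that did not arrive whole. The keystream cipher is a constructed stand-in for AES so that the script runs offline with only the standard library; the sample records, the key and all function names are assumptions made for this illustration.

```python
import hashlib
import zlib

# Constructed sample "dataset": 2000 fixed-length records of the kind a
# backup job writes. Highly redundant, like most real tape data.
SAMPLE_RECORDS = b"".join(
    f"ACCT{n:08d} SMITH JOHN 0001234.56 ACTIVE\n".encode("ascii") for n in range(2000)
)
# Constructed key for the demonstration only (assumption, not a real key).
TEST_KEY = hashlib.sha256(b"demonstration key - not a real key").digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Illustrative symmetric cipher: XOR with a SHA-256 counter-mode keystream.
    A stand-in so the script needs no crypto library; a product would use AES
    (on z, via ICSF / CP Assist). XOR is its own inverse, so one function both
    encrypts and decrypts."""
    out = bytearray(len(data))
    block = b""
    for i in range(len(data)):
        if i % 32 == 0:
            block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out[i] = data[i] ^ block[i % 32]
    return bytes(out)


def compress_then_encrypt(key: bytes, data: bytes) -> bytes:
    """Right order (note 4): remove redundancy first, then encrypt the result."""
    return keystream_xor(key, zlib.compress(data, 9))


def decrypt_then_decompress(key: bytes, image: bytes) -> bytes:
    """Inverse of compress_then_encrypt, as run at the recovery or recipient site."""
    return zlib.decompress(keystream_xor(key, image))


def encrypt_then_compress(key: bytes, data: bytes) -> bytes:
    """Wrong order: what a drive's compression sees when handed ciphertext.
    The pseudorandom bytes carry no redundancy, so the output is never smaller."""
    return zlib.compress(keystream_xor(key, data), 9)


def compare_orderings(key: bytes, data: bytes) -> dict:
    """Byte counts each pipeline produces for the same input."""
    return {
        "plaintext": len(data),
        "compress_then_encrypt": len(compress_then_encrypt(key, data)),
        "encrypt_then_compress": len(encrypt_then_compress(key, data)),
    }


def tape_digest(image: bytes) -> str:
    """Digest the sender records and communicates out of band (note 9)."""
    return hashlib.sha256(image).hexdigest()


def verify_received(image: bytes, expected_hex: str) -> bool:
    """Independent after-transfer check that the whole file arrived intact."""
    return hashlib.sha256(image).hexdigest() == expected_hex


if __name__ == "__main__":
    for name, n in compare_orderings(TEST_KEY, SAMPLE_RECORDS).items():
        print(f"{name:>22}: {n:7d} bytes")
    image = compress_then_encrypt(TEST_KEY, SAMPLE_RECORDS)
    digest = tape_digest(image)
    truncated = image[:-1]  # simulate a transfer that silently dropped the tail
    print("complete file verifies: ", verify_received(image, digest))
    print("truncated file verifies:", verify_received(truncated, digest))
    assert decrypt_then_decompress(TEST_KEY, image) == SAMPLE_RECORDS
```

The size comparison is the whole point of note 4: the compress-then-encrypt image is a fraction of the plaintext, while encrypt-then-compress comes out at least as large as the plaintext, so hardware compression downstream of a software encryptor buys nothing and capacity planning has to assume the full size. The digest check is the "independent after-verification" note 9 asks for; it depends on nothing FTP signals, only on the bytes that actually landed.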

