Russell, I'm not familiar with the wording of the standard, but it seems to me that data at rest can be defined as data stored at its ultimate media location. To this end, data in cache, data in channels and memory, etc., is not at rest because it requires further handling or processing before it reaches the ultimate storage media location: disk, tape, or flash drive.
For most disk arrays this means encrypt/decrypt of the data occurs as it moves between the cache and the drive. Any overhead will be carried by the cipher ASIC, and will not affect the line speed of the FCAL, SATA or SAS interface used to access the drives. Any degradation would depend on where and how the ASIC is situated in the processor path to the storage media, and would mainly affect read cache misses, write destage, and sequential pre-fetch.

As for rules, my take on this is that if 2 out of 10 applications require encryption, and the most cost-effective way to do it is to store it all as encrypted, then what rule has been broken? I don't think that the standard is intended to grant or deny access to data, but rather to deny access to data on storage media when it is removed from those access security controls.

Ron

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Russell Witt
> Sent: Wednesday, February 11, 2009 1:42 PM
> To: [email protected]
> Subject: Re: [IBM-MAIN] Crypto-DASD?
>
> Scott,
>
> Okay, if you think data stored on disk is "data at rest"; please define "disk". Does a SSD (Solid-State Drive) count as a disk drive? What about a RAM drive (using either SRAM or DRAM)? If a RAM drive using SRAM or DRAM is a disk; then what is the difference between a RAM drive and memory in a computer?
>
> And of course as Phil said, the decryption should not be done on an "automatic" basis; but rather based on rules. And who will control those rules; the external-security system. So, if the external-security system will control who can access the data via automatic decryption; how is that different than having the external-security system control access to the data in the first place.
>
> Just my opinion, but PCI really needs to do a better job of defining what needs to be done.
>
> But again, just my 2 cents
> Russell

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
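The point Ron makes above, that a controller-level cipher sits only on the cache-to-drive path and only protects the media once it is outside the array's access controls, can be made concrete with a small model. The following is an added example, not code from anyone on the thread or from any array vendor. It assumes a toy array class (`EncryptingArray`) with a write cache in front of a "drive", and it stands in for the AES ASIC with an HMAC-derived per-LBA keystream, which is not a real disk cipher; a production array would use AES-XTS with a per-sector tweak. The 16-byte record and the LBA are constructed sample values.

```python
import hashlib
import hmac
import os

BLOCK = 16  # constructed: one "sector" per logical block address (LBA)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptingArray:
    """Toy disk array whose controller ciphers data only on the cache<->drive path.

    The HMAC keystream is a stand-in for the array's AES ASIC (assumption for
    illustration); it is not a production cipher.  AES-XTS would be used in a
    real array so that rewriting the same LBA does not leak plaintext XORs.
    """

    def __init__(self, media_key: bytes) -> None:
        self._key = media_key                # held by the controller, never on the media
        self._cache: dict[int, bytes] = {}   # plaintext: data "not at rest"
        self._drive: dict[int, bytes] = {}   # ciphertext: what the media itself holds
        self.stats = {"cache_hits": 0, "cache_misses": 0, "destages": 0}

    def _keystream(self, lba: int) -> bytes:
        # Per-LBA keystream so identical sectors at different LBAs differ on media.
        return hmac.new(self._key, lba.to_bytes(8, "big"), hashlib.sha256).digest()[:BLOCK]

    def write(self, lba: int, data: bytes) -> None:
        """Host write: lands in cache as plaintext; no cipher work is done yet."""
        if len(data) != BLOCK:
            raise ValueError("block must be exactly BLOCK bytes")
        self._cache[lba] = data

    def destage(self) -> None:
        """Write destage: cache -> drive, which is where the cipher cost is paid."""
        for lba, data in self._cache.items():
            self._drive[lba] = _xor(data, self._keystream(lba))
            self.stats["destages"] += 1

    def evict_cache(self) -> None:
        self._cache.clear()

    def read(self, lba: int) -> bytes:
        """Host read: a cache hit costs nothing; a miss decrypts on the way back."""
        if lba in self._cache:
            self.stats["cache_hits"] += 1
            return self._cache[lba]
        self.stats["cache_misses"] += 1
        plaintext = _xor(self._drive[lba], self._keystream(lba))
        self._cache[lba] = plaintext
        return plaintext

    def pulled_drive(self) -> dict[int, bytes]:
        """What someone holding the physical drive, outside the array, can read."""
        return dict(self._drive)


def demonstrate() -> dict:
    """Run one write/destage/read cycle and report what each vantage point sees."""
    array = EncryptingArray(os.urandom(32))
    secret = b"PAN=4111-1111-11"            # constructed 16-byte sample record
    array.write(7, secret)
    via_host_before = array.read(7)         # cache hit: plaintext, no cipher work
    array.destage()                         # cipher work happens here
    array.evict_cache()
    via_host_after = array.read(7)          # cache miss: decrypted by the controller
    on_media = array.pulled_drive()[7]      # the drive removed from the array
    return {
        # Any host the array serves gets plaintext; access control must live above it.
        "host_sees_plaintext": via_host_before == secret == via_host_after,
        # Only the removed media is protected, which is the threat the cipher addresses.
        "media_holds_ciphertext": on_media != secret,
        # Cipher cost appears only on destage and on cache misses, not on the host path.
        "cipher_work_only_on_miss_and_destage":
            array.stats == {"cache_hits": 1, "cache_misses": 1, "destages": 1},
    }


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name}: {ok}")
```

The three results line up with the thread's points: the host path is unaffected by the cipher, the cost lands on write destage and read cache misses, and the only party denied the data is whoever holds the drive without the controller's key. Which hosts may issue the read at all is a decision the model leaves to the external security system, exactly as Russell's question implies.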

