Scott T. Harder
Tech Support & Product Development
ASPG, Inc.
Ph: 239-649-1548 / Ext. 203
Fax: 239-649-6391
General Support Email: [email protected]
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Russell Witt
Sent: Wednesday, February 11, 2009 4:42 PM
To: [email protected]
Subject: Re: Crypto-DASD?

Scott,

>Okay, if you think data stored on disk is "data at rest"; please define
>"disk". Does a SSD (Solid-State Drive) count as a disk drive? What about a
>RAM drive (using either SRAM or DRAM)? If a RAM drive using SRAM or DRAM is
>a disk; then what is the difference between a RAM drive and memory in a
>computer?

I think what the regs mean by "data at rest" is "where the data lives" or "its home location". As you say, the term "disk" is quite interchangeable these days.

>And of course as Phil said, the decryption should not be done on an
>"automatic" basis; but rather based on rules. And who will control those
>rules; the external-security system. So, if the external-security system
>will control who can access the data via automatic decryption; how is that
>different than having the external-security system control access to the
>data in the first place.

Agreed. But is access to encryption keys (whether stored in ICSF hardware or otherwise) not controlled by the security system (CSFKEYS / CSFSERV)?? I think you could make this argument about any data you encrypt on the system. If you have the key, you can get to the cleartext, and access to the key is controlled by RACF, CA-ACF2, CA-TSS, etc.

>Just my opinion, but PCI really needs to do a better job of defining what
>needs to be done.

This is the real rub of it all, isn't it? Absolutely agreed.

Thanks!
Scott

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Scott T. Harder
Sent: Wednesday, February 11, 2009 11:46 AM
To: [email protected]
Subject: Re: Crypto-DASD?

Now, that's what I'm talkin' about. Thanks, Timothy, for the info.

FWIW... to me, data stored on disk is data at rest.
It may not be all the time, but I think that the intent of that phrase, as used in the regulations, is pretty clear. Whether they were correct in using it can be argued, for sure, but....

Thanks to everyone.

Scott T. Harder

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
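The argument made in the thread above (that with encrypted DASD the question "who can read the data?" collapses into "who may obtain the key?", and that the external security manager answers the second question through its rules on key resources such as CSFKEYS) can be shown in a small model. The following is an added example, not code from the thread, from z/OS, ICSF or RACF; the ESM, KeyStore and EncryptedVolume classes, the "PCI.CARDHOLDER.KEY" label, the user ids and the toy cipher are all constructed for this illustration. The audit list in the model is the defender's point of interest: every release or refusal of the key is logged, whereas the ciphertext on the volume is readable by anyone who can reach the volume.

```python
"""
Constructed model (not z/OS, ICSF or RACF code) of encrypted data at rest
whose readability is decided entirely by the security manager's rule on the
key label. All names below are assumptions made for this example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode) used only so the example
    runs with the standard library. Real DASD encryption would use AES in
    hardware (CPACF) or a proper crypto library, not this construction."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))   # zip truncates to len(data)


@dataclass
class ESM:
    """External security manager: permission rules per (class, resource),
    e.g. class CSFKEYS for key labels, plus an audit trail of every check."""
    permits: dict = field(default_factory=dict)   # (class, resource) -> {userid, ...}
    audit: list = field(default_factory=list)

    def permit(self, resource_class: str, resource: str, userid: str) -> None:
        self.permits.setdefault((resource_class, resource), set()).add(userid)

    def check(self, userid: str, resource_class: str, resource: str) -> bool:
        allowed = userid in self.permits.get((resource_class, resource), set())
        self.audit.append((userid, resource_class, resource, "ALLOW" if allowed else "DENY"))
        return allowed


class KeyStore:
    """Holds keys by label and releases one only if the ESM permits the caller
    on the CSFKEYS-style profile for that label (modelled, not ICSF)."""
    def __init__(self, esm: ESM):
        self.esm = esm
        self.keys = {}

    def generate(self, label: str) -> None:
        self.keys[label] = os.urandom(32)

    def fetch(self, userid: str, label: str) -> bytes:
        if not self.esm.check(userid, "CSFKEYS", label):
            raise PermissionError(f"{userid} not permitted to key {label}")
        return self.keys[label]


@dataclass
class EncryptedVolume:
    """Data at rest: ciphertext plus the label of the key that protects it."""
    key_label: str
    nonce: bytes
    ciphertext: bytes


def write_volume(store: KeyStore, userid: str, label: str, plaintext: bytes) -> EncryptedVolume:
    key = store.fetch(userid, label)
    nonce = os.urandom(16)
    return EncryptedVolume(label, nonce, keystream_xor(key, nonce, plaintext))


def read_volume(store: KeyStore, userid: str, vol: EncryptedVolume) -> bytes:
    """Decryption is rule-driven, not automatic: it happens only when the ESM
    rule on the key label lets this user obtain the key."""
    key = store.fetch(userid, vol.key_label)
    return keystream_xor(key, vol.nonce, vol.ciphertext)


def effective_readers(esm: ESM, vol: EncryptedVolume) -> set:
    """The thread's point in one line: the users the ESM permits to the key
    label are exactly the users who can read the volume."""
    return set(esm.permits.get(("CSFKEYS", vol.key_label), set()))


def demo():
    """Constructed two-user scenario; returns (results, volume, esm)."""
    esm = ESM()
    store = KeyStore(esm)
    store.generate("PCI.CARDHOLDER.KEY")
    esm.permit("CSFKEYS", "PCI.CARDHOLDER.KEY", "DBA01")   # only DBA01 may use the key
    # OPER01 can reach the volume (shared DASD) but has no rule on the key label.
    vol = write_volume(store, "DBA01", "PCI.CARDHOLDER.KEY", b"constructed cardholder record")
    results = {}
    for userid in ("DBA01", "OPER01"):
        try:
            results[userid] = read_volume(store, userid, vol)
        except PermissionError:
            results[userid] = None      # this user sees only ciphertext
    return results, vol, esm


if __name__ == "__main__":
    results, vol, esm = demo()
    print("readers by key rule:", effective_readers(esm, vol))
    for entry in esm.audit:
        print("audit:", entry)
```

Running the module shows DBA01 recovering the record, OPER01 receiving a DENY on the key label, and the audit trail listing each key fetch; changing the ESM permit is the only thing that changes who can read the volume, which is the equivalence the thread is discussing.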

