Kekronbekron wrote:
> Thinking about it ... it would be far simpler (than anti-ransomware
> capability in storage, or lock-all behaviour) if there were a RACF
> HealthChecker that looks for abnormal enc/dec activity. What 'normal'
> is can be learnt from a year's worth of actual enc/dec-related SMF
> data.
There are tools with capabilities like the ones you're describing. I have a couple comments:

1. There are some excellent ransomware (and similar non-ransomware disaster scenario) defenses available based on "out of band" controls and lockouts. IBM DS8000 SafeGuarded Copy is one such example, a really important one that's the foundation for some other valuable resiliency capabilities. However, I have worked with some organizations that still (also) want to maintain total physical and electronic (wired, wireless) separation for certain data. You can achieve total separation in a few ways, such as physical tape cartridges (usually WORM, preferably encrypted) ejected from tape libraries and vaulted "afar." Of course the costs include elongated Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs), but in some cases the costs are tolerable or at least tolerated.

   You cannot really keep data completely, absolutely separate if you care about retrieving it. You can only maintain separation with at least one adjective added, such as "physically and electronically separate storage media," which is not the same as "storage media separated from all possible human contact." The Voyager space probes, I think it's fair to say, will "never" be vulnerable to human contact. They contain tape drives and tape media, and they are currently electronically connected via NASA's Deep Space Network. Anyway, it depends on what you're trying to accomplish, but lots of options are available, not necessarily mutually exclusive.

2. If you need secure software build and deployment processes (yes, you do), I suggest contacting my employer. IBM has some super exciting new capabilities in this area, very cutting edge. They're grounded in mainframe technologies, whether in your data center, in the public cloud, or both. Mainframes often pioneer new capabilities that didn't exist in the entire industry. Here, too, that's what's happening.
Ransomware is one clear-cut demonstration that it doesn't particularly matter how terrific your data-focused defenses are if you have compromised applications, for it's applications -- program code -- that process(es) data. So you've got to approach security challenges holistically.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: [email protected]
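As an added illustration of the baseline-and-flag idea raised in the quoted message (not code from either poster, and not a real RACF Health Checker or SMF record layout): the records below are a constructed, simplified stand-in for per-user hourly encrypt/decrypt counts derived from SMF data. A week of "normal" activity gives a per-user baseline, and the current hour is scored against it; a user whose encryption volume jumps far above its own history, or a principal that never encrypted before, is reported for review.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample history: (hour_index, user, operation, count).
# Hypothetical simplification of SMF-derived enc/dec activity, not a real
# SMF record format. One week of hourly buckets per user and operation.
HISTORY = []
for hour in range(24 * 7):
    HISTORY.append((hour, "BATCH01", "ENC", 40 + (hour % 5)))  # steady batch encryptor
    HISTORY.append((hour, "BATCH01", "DEC", 38 + (hour % 3)))
    HISTORY.append((hour, "ADMIN02", "ENC", 2 + (hour % 2)))   # low-volume admin
    HISTORY.append((hour, "ADMIN02", "DEC", 3))


def build_baseline(records):
    """Per (user, op): mean and population std dev of historical hourly counts."""
    per_key = defaultdict(list)
    for _hour, user, op, count in records:
        per_key[(user, op)].append(count)
    return {key: (mean(vals), pstdev(vals)) for key, vals in per_key.items()}


def flag_anomalies(baseline, window, z=4.0, min_count=20):
    """Return (user, op, count, zscore) for entries far above their own baseline.

    A (user, op) pair with no history at all is also flagged when count >= min_count,
    since a principal that never encrypted before suddenly doing so is itself notable
    (zscore is None in that case). min_count avoids alerting on tiny absolute volumes.
    """
    hits = []
    for user, op, count in window:
        key = (user, op)
        if key not in baseline:
            if count >= min_count:
                hits.append((user, op, count, None))
            continue
        mu, sigma = baseline[key]
        sigma = max(sigma, 1.0)  # floor so a nearly flat baseline does not explode the score
        score = (count - mu) / sigma
        if score >= z and count >= min_count:
            hits.append((user, op, count, round(score, 1)))
    return hits


# Constructed "current hour" to score against the baseline.
CURRENT_HOUR = [
    ("BATCH01", "ENC", 43),   # within normal range for this job
    ("BATCH01", "DEC", 39),
    ("ADMIN02", "ENC", 900),  # sudden encryption burst from a low-volume user
    ("NEWUSER", "ENC", 500),  # never seen encrypting before
]
```

Running `flag_anomalies(build_baseline(HISTORY), CURRENT_HOUR)` reports only ADMIN02 and NEWUSER; a real check would feed the flagged principals to an operator rather than act automatically.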
