W dniu 16.01.2024 o 03:13, Michael Stein pisze:
On Mon, Jan 15, 2024 at 02:41:45PM -0600, Walt Farrell wrote:
On Mon, 15 Jan 2024 16:15:38 +0000, Eric D Rossman <edros...@us.ibm.com> wrote:
For encryption, the analogous method might be: Once a jobstep has
Opened an encrypted data set to read it, they cannot write to, nor Open,
an unencrypted output data set. You just mark the jobstep, and have a
bit in the DEB indicating encryption, and for a marked jobstep you don't
allow a write to a DEB that doesn't have the bit set.
So I could write the secret decrypted data out to an encrypted dataset
which had a different encryption key -- one which I had easier access
to?
Security is hard, especially read security.
Yes, you can have open for input and/or output many datasets. Any of
them may be unencrypted, encrypted with key A, or key B, C, etc. You can
copy data between those datasets.
Assumption:
1. you are authorized to each of the datasets in DATASET class.
2. You have READ access to key A, B, C, etc.
Note: Dataset Encryption (DSE) is *not* a replacement for RACF or other
security system.
It is a solution to keep data secret even if you have (unintended)
access to the dataset. Bad RACF authority? NO!
It could be administrative access via STGADMIN, shared DASD, etc.
--
Radoslaw Skorupka
Lodz, Poland
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
