Re: Encryption of data written to disks FICON channels

Sat, 20 Jul 2013 00:13:28 -0700 

Radoslaw,

I agree with your question up to a point. Encryption of data at rest covers
most of the disk related scenarios to do with data protection. It especially
makes my favorite soapbox of erasing  disks with multiple overwrites a
redundant task.

But it is not encryption of data in flight. Data on the channel, in cache,
and transmitted from cache to cache by remote copy products is not encrypted
by controllers that support encryption of data at rest.

I don't have any problem with field, record or file level encryption, but
there is a downside if you are doing remote copy over a network, as it
encrypted data usually compresses very poorly. It's not a problem for
everyone.

Arye, Decru used to provide encryption devices for SCSI on Fibre Channel,
but I don't know if they ever extended that support to FICON.

Ron

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> On Behalf Of R.S.
> Sent: Thursday, July 18, 2013 3:12 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [IBM-MAIN] Encryption of data written to disks FICON channels
> 
> W dniu 2013-07-18 21:08, Phil Smith pisze:
> > Arye Shemer wrote:
> >> I am looking for an Encryption solution for 'Data in Rest' for old
> >> disks (disks without self encryption capability).
> >> One of the options we thought of, was to encrypt the data through
> >> some FICON facility which sit on the FICON channel.
> >> I could not find provider for such device on the internet (maybe I
> >> used wrong semantics).
> >> If someone is using or know about such solution willing to send me a
> >> link of the web site's manufacturer ?
> > So you want whole-disk encryption, not encryption of specific fields?
> What's the use case/problem you're trying to solve? We're strong believers
> in field-level data protection, as it provides the best security. I'd be
> interested in hearing more details...
> >
> >
> Well,
> I vaguely remember such device for ESCON and (emulated) tape CU. (Note, I
> don't mean encryption feature on tape drives.) I'm not aware of any such
> device for FICON.
> BTW: What's wrong with whole disk encryption? Why field-level encryption
is
> better? IMHO it addresses different needs.
> 
> BTW2: There is an option for whole disk encryption, but this is a feature
of
> DASD box, so "old disk without self-encrypting facility" need to be
replaced.
> 
> BTW3: There are other solutions, like Encryption Facility, SecureZip,
which
> encrypt datasets, the dataset can be a addrdssu dump, so it can containt
any
> dataset or whole volume. Note, that costs license and consumes CPU cycles.
> 
> --
> Radoslaw Skorupka
> Lodz, Poland
> 
> 
> 
> 
> 
> 
> --
> Tre tej wiadomoci moe zawiera informacje prawnie chronione Banku
> przeznaczone wycznie do uytku subowego adresata. Odbiorc moe
> by jedynie jej adresat z wyczeniem dostpu osób trzecich. Jeeli nie
> jeste adresatem niniejszej wiadomoci lub pracownikiem upowanionym
> do jej przekazania adresatowi, informujemy, e jej rozpowszechnianie,
> kopiowanie, rozprowadzanie lub inne dziaanie o podobnym charakterze
> jest prawnie zabronione i moe by karalne. Jeeli otrzymae t
> wiadomo omykowo, prosimy niezwocznie zawiadomi nadawc
> wysyajc odpowied oraz trwale usun t wiadomo wczajc w to
> wszelkie jej kopie wydrukowane lub zapisane na dysku.
> 
> This e-mail may contain legally privileged information of the Bank and is
> intended solely for business use of the addressee. This e-mail may only be
> received by the addressee and may not be disclosed to any third parties.
If
> you are not the intended addressee of this e-mail or the employee
> authorised to forward it to the addressee, be advised that any
dissemination,
> copying, distribution or any other similar activity is legally prohibited
and may
> be punishable. If you received this e-mail by mistake please advise the
> sender immediately by using the reply facility in your e-mail software and
> delete permanently this e-mail including any copies of it either printed
or
> saved to hard drive.
> 
> BRE Bank SA, 00-950 Warszawa, ul. Senatorska 18, tel. +48 (22) 829 00 00,
fax
> +48 (22) 829 00 33, www.brebank.pl, e-mail: i...@brebank.pl
> Sd Rejonowy dla m. st. Warszawy XII Wydzia Gospodarczy Krajowego
> Rejestru Sdowego, nr rejestru przedsibiorców KRS 0000025237, NIP: 526-
> 021-50-88.
> Wedug stanu na dzie 01.01.2013 r. kapita zakadowy BRE Banku SA (w
> caoci wpacony) wynosi 168.555.904 zotych.
> 
> 
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Reply via email to