Phil, Interesting discussion. But taken another step, wouldn't the same also apply then to encrypted physical tape? As well as encrypted virtual tape? I believe that all physical tape encryption is done in a fashion similar; if you have authority to the data the volume will be decrypted for you. Would it follow that tape encryption should also follow and require unique encryption keys that are only available to authorized users in order to read the data?
Russell Witt

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Phil Smith
Sent: Sunday, May 17, 2015 1:39 PM
To: [email protected]
Subject: Re: PCI DSS compliance for z/OS

Warning: long post ahead, and of course it’s pushing the hammer that we sell, but (I believe) there are universal truths included.

Frank,

You’re asking the right questions. The basic followup question I’d ask is, “Do you want to pass an audit, or do you want to be secure?” Because those answers are different—as Target, Sony, Neiman Marcus, and a host of other companies who were PCI compliant and had passed audits can testify.

Industry opinion agrees with Peter Farley’s post: we do not believe that disk-level encryption satisfies PCI DSS, in part because it does not meet the Separation of Duties (SoD) requirements: if you read the DASD, you get the data. That’s not SoD.

In the “lattice of coincidence” department, I *just* read the following:
https://pciguru.wordpress.com/2015/05/15/whole-disk-encryption-explained/

I know you said you didn’t like the idea of application-level encryption, but that’s the only real way to get security. If you think of a stack:

· Applications
· Middleware
· Database
· OS/filesystem
· Hardware

...snip....

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
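The separation-of-duties point in the thread above ("if you read the DASD, you get the data" under volume-level encryption, versus application-level encryption where the storage layer never holds the data key) can be shown in code. The Go program below is an added example, not code from Phil Smith, Russell Witt, or any IBM product. It models the storage layer as a hypothetical Storage type backed by an in-memory map, uses a constructed sample card number and the made-up data set name PROD.CARDS, and uses AES-256-GCM for both layers; the only thing that differs between the two models is which layer holds the key, which is also the question Russell raises for tape.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD; it panics only on a malformed key length.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// sealGCM encrypts pt and prepends the random nonce to the ciphertext.
func sealGCM(key, pt []byte) []byte {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, pt, nil)
}

// openGCM reverses sealGCM; a wrong key fails the tag check and yields nothing.
func openGCM(key, ct []byte) ([]byte, error) {
	gcm := newGCM(key)
	if n := gcm.NonceSize(); len(ct) >= n {
		return gcm.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// Storage is a hypothetical, simplified model of the DASD layer. With a volume key
// it behaves like volume-level encryption: it decrypts for any caller with read
// authority to the data set. With no key it stores bytes exactly as given.
type Storage struct {
	volumeKey []byte // nil means no volume-level encryption
	tracks    map[string][]byte
}

func (s *Storage) Write(dsn string, data []byte) {
	if s.volumeKey != nil {
		data = sealGCM(s.volumeKey, data)
	}
	s.tracks[dsn] = data
}

func (s *Storage) Read(dsn string) ([]byte, error) {
	data, ok := s.tracks[dsn]
	if !ok {
		return nil, errors.New("no such data set: " + dsn)
	}
	if s.volumeKey == nil {
		return data, nil
	}
	return openGCM(s.volumeKey, data) // plaintext for any authorized reader
}

// Outcome: what a reader with data-set read authority but no application key gets.
type Outcome struct{ VolumeReaderGetsPlaintext, StoreReaderGetsPlaintext, AppWithKeyRecovers, WrongKeyRejected bool }

func Scenario() Outcome {
	var o Outcome
	pan := []byte("4111111111111111") // constructed sample PAN, not a real account
	keys := make([]byte, 64)
	if _, err := rand.Read(keys); err != nil {
		panic(err)
	}
	volKey, appKey := keys[:32], keys[32:]
	// Model 1: volume-level encryption; the application hands storage plaintext.
	vol := &Storage{volumeKey: volKey, tracks: map[string][]byte{}}
	vol.Write("PROD.CARDS", pan)
	got, err := vol.Read("PROD.CARDS") // storage admin with read authority only
	o.VolumeReaderGetsPlaintext = err == nil && bytes.Equal(got, pan)
	// Model 2: plain storage; the application seals the field with appKey,
	// which the storage layer never holds.
	plain := &Storage{tracks: map[string][]byte{}}
	plain.Write("PROD.CARDS", sealGCM(appKey, pan))
	raw, err := plain.Read("PROD.CARDS") // same admin, no application key
	o.StoreReaderGetsPlaintext = err == nil && bytes.Contains(raw, pan)
	rec, err := openGCM(appKey, raw) // the application, which holds appKey
	o.AppWithKeyRecovers = err == nil && bytes.Equal(rec, pan)
	_, err = openGCM(volKey, raw) // the storage-side key opens nothing here
	o.WrongKeyRejected = err != nil
	return o
}

func main() { fmt.Println(Scenario()) }
```

Running it prints an Outcome in which the volume-level reader gets the plaintext and the application-level reader does not, with only the application key able to open the field. The model deliberately leaves out access-control checks on the data set itself: both readers are assumed to be authorized to read it, which is exactly the case the thread argues volume-level encryption does not protect against.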
