Russell Witt wrote: >Interesting discussion. But taken another step, wouldn't the same also apply >then to encrypted physical tape? As well as encrypted virtual tape? I believe >that all physical tape encryption is done in a fashion similar; if you have >authority to the data the volume will be decrypted for you. Would it follow >that tape encryption should also follow and require unique encryption keys >that are only available to authorized users in order to read the data?
I don’t think it’s the same problem: you can control access to the tape keys much more closely. If they’re data tapes that contain the PCI data, then you’d obviously only let authorized users fetch those keys. If they’re backup tapes, the access list is different, but still closely controlled. And both are going to be relatively easy to audit, which falls into the “compensating controls” category. Looked at from another direction: if you had an encrypted filesystem on, say, Linux, and the ONLY thing on that encrypted filesystem was your PCI data, then by only allowing controlled access to THOSE keys, you’d have some SoD. The problem with DASD-level encryption on z/OS is that you can’t tell the RVA “This file is encrypted, this one isn’t, and oh, btw, the one that IS encrypted can only be read by THESE folks”. Yes, SAF lets you control who can read a data set—but PCI doesn’t know about SAF, and if access controls were considered to be sufficient, you wouldn’t need encryption at all. Sorry, Shane, more glazeage…and yes, HP bought Voltage back in February. …phsiii ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
