Phil Smith wrote:
> ... and when decommissioning hardware-no more "How many DSEs should
we > do? or "Should we take the drives out back, shoot ‘em with a
12-gauge, > and then drop ‘em in the ocean?".
Now you're spoiling all the fun! But that's a really good point I never
heard before.
As a side note, I bought a couple Western Digital "Passport" drives that
connect via USB to my PC (for mailing data). I copied data to the drive
and oops, I forgot to encrypt before mailing. So I ran through the
encryption process which suprised me because it only took a second for a
terabyte of data. I guess that gives me a clue as to how the thing
operates. Maybe data is *always* encrypted on the device even if you
don't specify encryption, and when you do specify it, only the key is
encrypted with the password you choose.
Phil Smith wrote:
Todd Arnold wrote:
The article you referenced seems to assume whole-disk encryption is always implemented
using software on your computer, since it says "the operating system has the
decryption key to access the disk". That is not true, of course, for
self-encrypting disk drives (or tape drives) where the encryption key never leaves the
hardware device in unencrypted form. As I recall, the key is served to the mainframe
disk drives using a secure process such that it is never available in the clear.
Sure…but that doesn’t make it any better: there’s still zero SoD involved.
“Transparent” is appealing because it means “Easy to implement”. Alas, it
doesn’t mean “secure”. I don’t think that assumption matters any to the value
of whole-disk encryption (which, btw, has two other very valuable use cases: in
outsourced data centers, where it isolates your data better from the other
outsourcing customers’ data; and when decommissioning hardware—no more “How
many DSEs should we do? or “Should we take the drives out back, shoot ‘em with
a 12-gauge, and then drop ‘em in the ocean?”).
Regardless, it is true that the #1 benefit of encrypted disk and tape drives is
the case where the device can be stolen. For tape, the usual example is that
someone loses or steals a tape when it is going out of your facility for
off-site backup. For disk, the biggest risk scenario is a laptop, which can be
stolen or lost. Obviously, it's a lot less likely that someone is going to
walk out of your data center with a disk drive that was in use by your
mainframe. I think whole-disk encryption has value in all cases, but it has
the most value for devices or media that can easily move around.
Yeah, as I say in presentations: When was the last time you left a DS-8000 at
an airline gate? (Though it does bring to mind a fellow who, a decade or so
ago, had been promised a free 3274, and asked on a list whether he’d be able to
bring it home on the subway…)
--
…phsiii
Phil Smith III
Senior Architect & Product Manager, Mainframe & Enterprise
HP Security Voltage
[email protected]<mailto:[email protected]>
T 703-476-4511
M 703-568-6662
Hewlett-Packard Company
Herndon, VA
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
