Timothy Sipples wrote:
>Phil, I don't know anybody arguing against application-based encryption and
>hashing. Certainly IBM is all in favor of that (also). Encryption facilities
>have been available since the early 1970s, arguably -- certainly for a long
>time. Application programmers have been able to code to encryption APIs for
>many, many years. Some have, sometimes.
>The problem is they haven't done it enough nor done it flawlessly, on any
>platform. And I suppose we could all wait another couple decades for that fact
>to change.
>We -- the whole IT industry -- desperately need better defense in depth.
>That's what IBM is doing here, with deep *application transparent* encryption
>at scale, with high performance. It's another potent weapon in the fight to
>protect businesses and governments. It's not the only weapon, but it's a very
>important and unique one. (Or set of weapons, to be more accurate.)
>Yes, please keep pushing developers to add encryption and/or hashing to their
>programs. That's well worth doing, and to keep doing. (Encryption algorithms
>evolve and improve, so "once and done" probably won't work.) But these
>approaches are complementary, not in opposition. And we're living in a world
>with tremendous data privacy problems that are getting worse, much worse.
>These new defensive weapons are really, really helpful, and they're easy to
>implement. The weapons we've had for many years are also helpful, although we
>have a great deal of evidence now that they aren't being implemented as
>rapidly and comprehensively as necessary.
>We really need to make sure that as few people as possible still think that
>single "perimeter" defense ("us versus them") works in the real world, or that
>"double encryption" (or triple encryption, or...) is "bad" and unnecessary.
>Nothing could be further from the truth! Effective data defenses must be
>multilayered. Yes, that means "double" (or more!) encrypting data, but each
>time with a different purpose (and key). Field, row, index, dataset, paging,
>coupling, volume, network (incl. SAN), storage devices, etc., etc. -- they all
>have a role. If an infiltrator can somehow penetrate one layer of defense in
>this hierarchy, it's not nearly enough for a successful attack.
Well said, agree 100%. What I worry about (as do you) is that folks will say
"Well, we encrypted files, we're done". Having a whole encryption ecosystem
that interoperates cross-platform in this modren [sic] era is also important,
as otherwise you wind up with a dozen or more point solutions, none of which
interoperate, each of which requires separate and different management, and
which result in a huge attack surface at the (many!) boundaries. IBM has done a
nice job with the z parts, but offers little or nothing in the way of
enterprise-wide services.
--
...phsiii
Phil Smith III Senior Architect & Product Manager, Mainframe & Enterprise
Distinguished Technologist HPE Security
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN