Mike Baldwin wrote: >It would be helpful to know if there is an intent to extend this feature to the >tape device class,or if customers need to differentiate between datasets written >to disk (potentially encrypted) and tape (needing a different encryption technique, >or change to disk and then backup to tape).
The journey continues. In the meantime, enforce some reasonable security policies that make sense for your situation, that's all. For example, you could require data set creation (of at least "sensitive" data) on 3390 type devices, not on something else. [And "something else" is not only virtual tape and tape. It could be NFS, as another example. Or a card/paper tape punch, I suppose. :-)] If encrypted data sets are then HSM migrated to/from virtual tape and tape, that's perfectly fine. I don't think this particular idea is a new one. Haven't security desks (and z/OS security managers) been enforcing "don't write THAT to THAT (walkable) media" policies for decades now -- if they wish, as they wish to enforce such policies? Well, they can continue to do that. Or not. But, to reiterate, "the journey continues." Edward Gould wrote: >Let us say you create a simple sequential data set on disk. >DFHSM comes along and it is eventually migrated to tape. Is the >dataset de-encrypted while on tape and then if it is recalled does >it get encrypted again? No. In my original reply to Mike I explained that encryption is maintained. z/OS DFSMShsm shifts the bits back and forth across storage but does not alter them, so encrypted data stays encrypted. HSM is a "mover," not a "shaker," so to speak. :-) It's "business as usual" in that respect. Dan Little wrote: >The question has also been asked "if a person has access to dataset and key >label in RACF what has been accomplished"? If you only have access to the dataset >and not the key then that is something. If a disk has to be sent offsite you don't >have to worry about datasets but we use full disk encryption which already covers >that. To inspire some imagination, as a start, here's a question: what about the storage team? (Hint, as a start: What is a point-in-time copy/FlashCopy? It's all the bits on some set of volumes, right?) Full disk encryption is great stuff, and you should continue using it. But it's uni-level and protects the physical device as it walks out the door. That's as far as it goes, and it's not far enough. Think like an adversary, "internally" and "externally," and that'll help. -------------------------------------------------------------------------------------------------------- Timothy Sipples IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA E-Mail: [email protected] ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
