Greg Boyd wrote:

> And some IBMers don't like it when I say this, but z/OS is finally catching
> up ... In Linux, you can define an encrypted file system and anything that gets
> written to that file system will automatically be encrypted. And you can
> configure Windows so that data written to your hard drive is automatically
> encrypted.
That's probably because you're attempting to compare *file system* encryption with *data set* encryption, and you're headed off the rails quickly if you try to do that. They're quite different, and glossing over important differences isn't a good idea, especially when it comes to security.

Critically, data set encryption is much, much more granular than file system encryption. With file system encryption (e.g. Linux dm-crypt/LUKS and eCryptfs) it's realistic to have "a few" file systems with a few separate keys. And then you -- who is "you"? -- have to be very careful where to create and store files. I doubt that's viable in practice once you get past even basic security "zoning." You really don't get much security separation this way, at least not in the real world and particularly among administrators and other insiders. (One partial "workaround": create and manage more virtual machines, with narrower roles and responsibilities, and with separate file systems. But that can easily result in "virtual server sprawl.")

With z/OS Data Set Encryption it's realistic to have millions of data sets with millions of separate keys, within one z/OS instance (or z/OS Sysplex). The details really do matter here. Fortunately most of the analyst community, security researchers, CSOs, and others have figured out these differences.

That said, Linux dm-crypt/LUKS and eCryptfs enjoy wonderfully, uniquely high performance on the IBM z14 and LinuxONE Emperor II machines, and with Crypto Express strong key protections and IBM Secure Service Container support, too. It's lovely.

--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: [email protected]

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
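The granularity argument in the post above (one key per file system versus one key per data set) can be made concrete with a small model. The following is an added example written for this page; it is not code from the post, from z/OS Data Set Encryption, or from dm-crypt/LUKS, and it does not reproduce how either product manages keys. It assumes a simplified store in which a leaked key is tested against every stored object, and it uses a demonstration-only cipher (HMAC-SHA256 as a counter-mode keystream plus an encrypt-then-MAC tag) so that it runs with the Python standard library alone. The point it shows: when every object shares the file system key, one leaked key exposes every object; when each data set has its own key, a leaked key exposes only that data set. The per-data-set keys here are derived from a master with HKDF for convenience, so the master itself is still a single point of compromise; real deployments keep such a master inside an HSM or a protected-key facility, which is the role the post assigns to Crypto Express.

```python
import hashlib
import hmac
import os

# Demonstration-only construction. HMAC-SHA256 in counter mode supplies the
# keystream and a second HMAC authenticates nonce || ciphertext. Use a real AEAD
# (AES-GCM, ChaCha20-Poly1305) in production; this keeps the example stdlib-only.

def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256 (extract with a zero salt, then expand)."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(16)
    ks = _keystream(hkdf_sha256(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(hkdf_sha256(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; a wrong key fails closed."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(hkdf_sha256(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(hkdf_sha256(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class EncryptedStore:
    """Hypothetical store; key_for() is the only place the two models differ."""

    def __init__(self, per_dataset_keys: bool):
        self.per_dataset_keys = per_dataset_keys
        self.master = os.urandom(32)  # the file-system key, or the key manager's master
        self.blobs = {}

    def key_for(self, name: str) -> bytes:
        if self.per_dataset_keys:
            # One key per data set, derived under a label unique to that data set.
            return hkdf_sha256(self.master, b"dataset:" + name.encode())
        # File-system model: every object is sealed under the same key.
        return self.master

    def write(self, name: str, data: bytes) -> None:
        self.blobs[name] = seal(self.key_for(name), data)

    def read(self, name: str, key: bytes) -> bytes:
        return unseal(key, self.blobs[name])

def readable_with(store: EncryptedStore, leaked_key: bytes) -> list:
    """Names of the data sets that someone holding leaked_key can decrypt."""
    names = []
    for name, blob in store.blobs.items():
        try:
            unseal(leaked_key, blob)
            names.append(name)
        except ValueError:
            pass
    return sorted(names)

def blast_radius_demo() -> dict:
    """Constructed sample data sets; an insider obtains the key used for OPS.LOGS."""
    datasets = {
        "PAYROLL.MASTER": b"salary table",
        "HR.REVIEWS": b"annual reviews",
        "OPS.LOGS": b"syslog extract",
    }
    results = {}
    for per_dataset in (False, True):
        store = EncryptedStore(per_dataset_keys=per_dataset)
        for name, data in datasets.items():
            store.write(name, data)
        leaked = store.key_for("OPS.LOGS")
        results["per_dataset" if per_dataset else "per_filesystem"] = readable_with(store, leaked)
    return results

if __name__ == "__main__":
    print(blast_radius_demo())
```

Running `blast_radius_demo()` shows the file-system model exposing all three data sets to the holder of the leaked key, while the per-data-set model exposes only `OPS.LOGS`. Whether that separation holds in practice depends on where the per-data-set keys live and who can call the key manager, which is exactly the administrator-and-insider question the post raises.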
