Timothy Sipples wrote:

>Even if you believe IBM caused some confusion -- I cannot find much
>evidence in the historical record of official IBM communications, but if
>that's what you believe -- that's certainly NOT a reason to add any more.
>I've asked you to help reduce terminology confusion, not to increase it.
>Thanks.

Never said it was official. I'm talking about how it was presented in the real world - at SHARE, IBM Z shows, and IBMers talking directly to customers - and how the customers have interpreted it. How am I adding more confusion by pointing out the confusion? Now I'm confused!

Fundamentally, I don't think we're disagreeing here, except that, again, I'm commenting on how the customers seem to be interpreting things, not how IBM officially wants them positioned. As I said, it has gotten better. But I've *heard* IBMers say "With PE [not "data set encryption", but that was the topic at hand] you're protected against attacks." And that's just not true. (Yes, they didn't *say* "all attacks", but nor did they qualify the statement explicitly.)

>We (the world) could wait at least a couple decades before application
>developers finish adding application-level encryption everywhere it's
>needed, assuming they even do that well and correctly (competently, without
>malice) and in a way that facilitates rapid progression to more secure
>algorithms as cryptography advances (big assumptions). But have you
>actually noticed what's going on in the real world? Substantial, real
>progress that doesn't require application changes has strong merit.
>Shouldn't this be obvious? The world cannot wait decades to rise to the
>many security challenges.

I think you're missing one of my main points: "Substantial, real progress" isn't what data set encryption provides. It provides a LITTLE BIT of protection for a FEW minor attack vectors. Worthwhile, because it's cheap. But "substantial"? No. Read about data-centric protection, note the analysts and standards bodies saying that container-level protection is just not very useful.
And (to beat a dead horse) if folks think it's The Solution, it's perhaps worse than doing nothing, as they do it, solving a small part of the problem, and say "Well, that's done" and then won't discuss further steps to address the rest of the problem, because hey, it's done.

Re the pyramid: yes, we've been showing a version of that for a decade, and it's a useful illustration. IBM started doing so recently; that's a good thing. And yes, we solve that top part. But again, if you talk to IBM field folks and to customers, what we're hearing is not "application-level is the goal"; we're hearing "data set encryption [by whatever name] is cheap, easy, and solves the problem". Surely not all IBM field folks, but more than a few. That's what I'm irritated about, on behalf of the customers.

I'm at SHARE this week, and just looked at SHARE session titles. It has gotten better: the last few SHAREs have used PE correctly. But if I go back further, it gets murkier. And in a SEC session I was just in, several people - including principals in the SEC project - in mentioning possible use of data set encryption for a ransomware attack, referred to it as "PE" and talked about "PE keys", again clearly meaning data set encryption [keys].

Bottom line: we've had customers tell us, "IBM says that PE [definitely meaning data set encryption] is sufficient to protect us". That doesn't mean IBM meant to say that, or even that a specific IBMer actually said that. But it is how the message was received.

Of course my perspective is colored by the fact that we're selling in this space. But that doesn't make the observations invalid; I've had conversations with other folks outside our company who have made the same observations.

Let me turn this around and ask: how do we reduce confusion if we don't acknowledge that it exists?
.phsiii

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN