Echoing some other comments, there’s security merit in having redundant external key managers with your IBM DS8000 systems (external to the storage device). As IBM explains, the Local Key Manager won’t protect the drives if someone manages to grab the whole IBM DS8000 unit — a law enforcement agency, co-location data center owner, invading army, etc. — regardless of whether your servers are up or down. Anything on the storage device that can be read will be readable in that event. And “grab” doesn’t really mean “cart away.”
An external key manager allows for some separation of duties. For example, storage administrators can be responsible for the IBM DS8000 systems while your security organization is responsible for the EKMs. If the security team shuts down the EKMs then the DS8000 systems cannot (re)start up and come online. In other words, at least two people in this equation have to be involved in providing (or at least maintaining) access to storage.

EKMs can also provide services to other devices and environments. For example, IBM Security Guardium Key Lifecycle Manager not only provides key management services for IBM DS8000 and other IBM/non-IBM storage devices, it also provides KMS to VMware environments (as a notable example).

I’m not arguing the LKM is “bad.” It’s convenient, and that counts. It provides some security, really for addressing the risks of individual drive thefts and storage retirement. (Remove the keys and the encrypted drives are safe to transfer/repurpose/sell.) But having EKMs is more secure by design because they address those risks and a few more.

However, if you’ve implemented comprehensive z/OS Data Set Encryption (and Linux dm-crypt/LUKS2 and/or Spectrum Scale encryption) then I think the LKM could be reasonable even with demanding security requirements.

Yes, IBM recommends having a redundant pair of EKMs. But they don’t necessarily have to be your “on premises” EKMs. In fact, one fairly popular pattern now is to have one “primary” EKM on your premises and an alternate running in IBM Cloud Hyper Protect.

— — — — —
Timothy Sipples
Senior Architect Digital Assets, Industry Solutions, and Cyber Security
IBM zSystems and LinuxONE
[email protected]

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
