You can and should *cryptographically* isolate z/OS data sets using z/OS Data Set Encryption, preferably with protected key cryptography if available. You can find out more about this feature (and how to implement it) here:
https://www.ibm.com/docs/en/zos/2.5.0?topic=sets-data-set-encryption https://www.redbooks.ibm.com/abstracts/sg248410.html With z/OS Data Set Encryption any/all encrypted data sets are encrypted before I/O. By the time the data (inside the encrypted data sets) reach the FICON Express adapters they're already encrypted. These cryptographic separation/isolation boundaries are per individual data set if desired, so they're highly granular. Whereupon you can ask *them* why they aren't encrypting all (or most) individual files with separate keys (if/as merited), and/or why they're using clear key encryption. :-) — — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific [email protected] ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
