I too struggled with why we need data set encryption. Someone pointed out data in transit, for example FTPing it or copying it to a non-z/OS system.

Colin
On Fri, 12 Apr 2024 at 17:22, Jousma, David <[email protected]> wrote:

> To place a bit more focus on what Rick says….. You lose/destroy the key(s), you have lost your data. There is a lot of discussion about the scope/use of the keys. One key, or one per application, or one per dataset, etc. There is no right/wrong answer (well just one key for everything is probably not advisable).
>
> I personally am still having a hard time wrapping my head around the “real benefit” of dataset encryption. Everyone who has READ or more access to the dataset must also be permitted to the Key. Those same people are still able to copy/print/steal that data. So who does that leave? Those that are not permitted to the dataset, and those who administer the storage. Those that don’t have access to the dataset aren’t going to get the data, encrypted or not. Those who administer the storage usually have access to move/manage the installation's data. These are the people who dataset encryption is protecting against. That is a very small population to go to this effort on.
>
> Dave Jousma
> Vice President | Director, Technology Engineering
>
> From: IBM Mainframe Discussion List <[email protected]> on behalf of Rick Troth <[email protected]>
> Date: Friday, April 12, 2024 at 10:59 AM
> To: [email protected] <[email protected]>
> Subject: Re: IBM key management products
>
> > Not discounting Luke's excellent response: key management is hard.
> > Look for utilities with reliable import/export capability. Be prepared to OWN your keys.
> > I say this again as a CISSP, own your keys. This is your bread and butter, so to speak, the family jewels.
> > So take care when using these products to ensure that they do what you want them to do and that you know what they're doing.
> >
> > One shop where I recently worked had a great slogan, "crypto is easy; key management is hard".
> > It's not that the crypto was easy but that it's done already, implemented, coded, packaged. But the keys *must* be managed by you and your team, not the kind of thing which can be outsourced.
> > Keys and certs cannot be installed and forgotten. And sadly, some of the expirations we are given are too short to be practical. (Various government-issued IDs and licenses commonly last FIVE years. Why do PKI certs last only two? ... or ONE?)
> > But I'm getting off topic. Sorry.
> >
> > The point is, keys are fundamentally different than any other software or data that we have to manage.
> > And it's a good idea to limit keys to individuals when you can. (Like the combination to the bank vault.)
> > It's all about trust.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
----------------------------------------------------------------------
