I clipped this to get to what I think is the real question being
asked.
Suppose that I am a person who has access for D/R purposes to all
data sets in a data center. I only need to be able to copy files. I
don't have a need to read the data in the file, just get it to the
D/R system/LPAR/data center.
The data is encrypted and stored (data at rest), and I can copy
it but now I can't decrypt it so I can read it.
Now suppose that someone makes a copy of that data over on the
D/R system. The data is still encrypted. So how long will it take
for them to decrypt that data when they don't have any access to
any of the keys?
How long will it take them to decrypt that data so it is useful
to them?
This is why data is being encrypted at rest.
How would someone get to that data set so they can read it? Bad
actor with access to an APF library and a system utility?
So to cut that type of exposure off, the data is encrypted at
rest. Now, malware gets loaded and it copies files
surreptitiously to Timbuk3. How long will it take them to crack
the encryption?
This is what we want to avoid. And the old truck carrying backup
tapes that crashes and your data is being carried off by whoever.
I hope this helps you with your question.
Steve Thompson
On 4/12/2024 12:21 PM, Jousma, David wrote:
I personally am still having a hard time wrapping my head around the
“real benefit” of dataset encryption. Everyone who has READ or more
access to the dataset, must also be permitted to the Key. Those same
people are still able to copy/print/steal that data. So who does that
leave? Those that are not permitted to the dataset, and those who
administer the storage. Those that don’t have access to the dataset
aren’t going to get the data, encrypted or not. Those who administer
the storage usually have access to move/manage the installation's data.
These are the people who dataset encryption is protecting against.
That is a very small population to go to this effort on.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN