Todd Arnold wrote:

> The article you referenced seems to assume whole-disk encryption is always implemented using software on your computer, since it says "the operating system has the decryption key to access the disk". That is not true, of course, for self-encrypting disk drives (or tape drives) where the encryption key never leaves the hardware device in unencrypted form. As I recall, the key is served to the mainframe disk drives using a secure process such that it is never available in the clear.
Sure…but that doesn’t make it any better: there’s still zero SoD involved. “Transparent” is appealing because it means “Easy to implement”. Alas, it doesn’t mean “secure”.

I don’t think that assumption matters any to the value of whole-disk encryption (which, btw, has two other very valuable use cases: in outsourced data centers, where it isolates your data better from the other outsourcing customers’ data; and when decommissioning hardware—no more “How many DSEs should we do?” or “Should we take the drives out back, shoot ’em with a 12-gauge, and then drop ’em in the ocean?”).

> Regardless, it is true that the #1 benefit of encrypted disk and tape drives is the case where the device can be stolen. For tape, the usual example is that someone loses or steals a tape when it is going out of your facility for off-site backup. For disk, the biggest risk scenario is a laptop, which can be stolen or lost. Obviously, it's a lot less likely that someone is going to walk out of your data center with a disk drive that was in use by your mainframe. I think whole-disk encryption has value in all cases, but it has the most value for devices or media that can easily move around.

Yeah, as I say in presentations: When was the last time you left a DS-8000 at an airline gate?

(Though it does bring to mind a fellow who, a decade or so ago, had been promised a free 3274, and asked on a list whether he’d be able to bring it home on the subway…)

--
…phsiii

Phil Smith III
Senior Architect & Product Manager, Mainframe & Enterprise
HP Security Voltage
[email protected]
T 703-476-4511
M 703-568-6662
Hewlett-Packard Company
Herndon, VA

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
