The bottom line is this: stolen encrypted data is much harder to use, or it takes time and effort to crack it. But no encryption seals all the attack vectors, many of which would bypass encryption.

E.g. z/OS Data Set Encryption is so transparent, many users won't even know the data *is* encrypted. (In my experiments with it, it's actually more difficult to get a glimpse at the encrypted data than to see it in the clear.) So a bad guy who breaches the system in a way that impersonates an authorized user won't be bothered by the encryption at all.

Crypto-wizards know exactly how hard it is to crack particular forms of encryption. It's nothing to IBM's shame if someone builds a powerful enough machine to do it; or, far less likely, a mathematical genius finds a better algorithm.

Now, if their implementation has some fatal back-door that gets exploited, then they'd deserve much more than embarrassment.

sas

On Wed, Sep 13, 2017 at 8:54 AM, Elardus Engelbrecht <[email protected]> wrote:
> Peter Relson wrote:
>
> >>Isn't the answer really: no, it would not have prevented the breach but it
> >>would have prevented the breach from having the undesirable effects (e.g.,
> >>exposing sensitive data)?
>
> Actually in my humble opinion, there are TWO answers - Yes and No.
>
> It depends on how the breach took place in the first place.
>
> If breachers are insiders themselves, you're basically out of luck and
> goodbye to your [sensitive and unencrypted] data.
>
> If breachers can install nefarious software on your z/OS users' workstation,
> they can misuse those workstations to steal [and perhaps decrypt] whatever
> they want.
>
> If you are leaving a hole somewhere where (non-SSL) application, FTP and
> TELNET for example, are open to the outside world, then you deserve to be
> punished.
>
> ... etc ...
>
> >>If breached data is encrypted, I believe that there is not a regulatory
> >>requirement to report the breach.
>
> I don't know about rules and regulations, but I believe ALL breaches should
> be reported somehow. Of course, red faces will follow despite the encrypted
> data.
>
> Perhaps if someone can really decrypt it, then big blue has a red face...
>
> Groete / Greetings
> Elardus Engelbrecht
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN

--
sas
