There was a lot of discussion at SHARE this summer about the impact of the new EU regulation that imposes Draconian penalties on a company that fails to report data breaches *very* quickly. (Who was Dracon anyway, and why such a hard *ss?) The EU rule stipulates that if breached data is encrypted, then there is no obligation to report and no penalty. The difference in cost to a large company ought to pay for several z14s.
. .
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
[email protected]

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Steve Smith
Sent: Wednesday, September 13, 2017 6:15 AM
To: [email protected]
Subject: (External):Re: Would encryption have prevented known major breaches?

The bottom line is this: stolen encrypted data is much harder to use, or it takes time and effort to crack it. But no encryption seals all the attack vectors, many of which would bypass encryption. E.g. z/OS Data Set Encryption is so transparent, many users won't even know the data *is* encrypted. (In my experiments with it, it's actually more difficult to get a glimpse at the encrypted data than to see it in the clear.) So a bad guy who breaches the system in a way that impersonates an authorized user won't be bothered by the encryption at all.

Crypto-wizards know exactly how hard it is to crack particular forms of encryption. It's nothing to IBM's shame if someone builds a powerful enough machine to do it; or, far less likely, a mathematical genius finds a better algorithm. Now, if their implementation has some fatal back-door that gets exploited, then they'd deserve much more than embarrassment.

sas

On Wed, Sep 13, 2017 at 8:54 AM, Elardus Engelbrecht <[email protected]> wrote:
> Peter Relson wrote:
>
>> Isn't the answer really: no, it would not have prevented the breach but it
>> would have prevented the breach from having the undesirable effects (e.g.,
>> exposing sensitive data)?
>
> Actually in my humble opinion, there are TWO answers - Yes and No.
>
> It depends on how the breach took place in the first place.
>
> If breachers are insiders themselves, you're basically out of luck and
> goodbye to your [sensitive and unencrypted] data.
>
> If breachers can install nefarious software on your z/OS users' workstations,
> they can misuse those workstations to steal [and perhaps decrypt] whatever
> they want.
>
> If you are leaving a hole somewhere where (non-SSL) application, FTP and
> TELNET for example, are open to the outside world, then you deserve to be
> punished.
>
> ... etc ...
>
>> If breached data is encrypted, I believe that there is not a regulatory
>> requirement to report the breach.
>
> I don't know about rules and regulations, but I believe ALL breaches should
> be reported somehow. Of course, red faces will follow despite the encrypted
> data.
>
> Perhaps if someone can really decrypt it, then big blue has a red face...
>
> Groete / Greetings
> Elardus Engelbrecht

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
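Steve Smith's point above, that transparent data set encryption protects a raw copy of the media but is invisible to anyone the access-control layer accepts as an authorized user, is easy to see in a small model. The following is an added example written for this page; it is not code from the thread, from IBM, or from z/OS. It models a data set store whose records are encrypted at rest, an access list standing in for the security manager, and an audit trail of reads. The cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag, chosen only so the example runs on a plain Python install; it is a stand-in for AES, not a recommendation. Data set names, user IDs and the record contents are constructed sample values.

```python
"""Transparent at-rest encryption vs. an impersonated authorized user (added example)."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR, not for production)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag lets decrypt() detect tampering."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class DataSetStore:
    """In-memory model: encrypted media, an access list, and an audit trail of accesses."""

    def __init__(self, key: bytes):
        self._key = key
        self._media = {}   # dsn -> ciphertext blob; this is what a raw disk dump exposes
        self._acl = {}     # dsn -> set of user IDs allowed to access it
        self.audit = []    # (user, dsn, operation, allowed) per access attempt

    def define(self, dsn: str, authorized_users) -> None:
        self._acl[dsn] = set(authorized_users)

    def write(self, dsn: str, caller: str, record: bytes) -> None:
        self._check(dsn, caller, "WRITE")
        self._media[dsn] = encrypt(self._key, record)

    def read(self, dsn: str, caller: str) -> bytes:
        # Decryption is transparent: any caller that passes the access check gets plaintext.
        self._check(dsn, caller, "READ")
        return decrypt(self._key, self._media[dsn])

    def raw_dump(self, dsn: str) -> bytes:
        """What an attacker holding a copy of the media (no credentials) would see."""
        return self._media[dsn]

    def _check(self, dsn: str, caller: str, operation: str) -> None:
        allowed = caller in self._acl.get(dsn, set())
        self.audit.append((caller, dsn, operation, allowed))
        if not allowed:
            raise PermissionError(f"{caller} is not authorized for {operation} on {dsn}")


def successful_reads_by(audit, user: str):
    """Detection hook: the audit trail, not the cipher, is what reveals misuse of a valid ID."""
    return [e for e in audit if e[0] == user and e[2] == "READ" and e[3]]


def demo() -> dict:
    key = os.urandom(32)
    store = DataSetStore(key)
    dsn = "PROD.CUSTOMER.DATA"           # constructed sample data set name
    store.define(dsn, {"PAYROLL1"})
    record = b"ACCT=0001234 SSN=000-00-0000"  # constructed sample record
    store.write(dsn, "PAYROLL1", record)

    media_leaks_plaintext = record in store.raw_dump(dsn)   # stolen media: ciphertext only
    try:
        store.read(dsn, "INTRUDER")                          # stopped by access control
        unauthorized_blocked = False
    except PermissionError:
        unauthorized_blocked = True
    via_authorized = store.read(dsn, "PAYROLL1")             # impersonated ID: plaintext
    return {
        "media_leaks_plaintext": media_leaks_plaintext,
        "unauthorized_blocked": unauthorized_blocked,
        "via_authorized": via_authorized,
        "reads_logged_for_payroll1": len(successful_reads_by(store.audit, "PAYROLL1")),
    }


if __name__ == "__main__":
    print(demo())
```

The three observations in demo() line up with the thread: a copy of the media without the key yields only ciphertext, an ID outside the access list is refused by the security layer rather than by the cipher, and a caller presenting a valid authorized ID receives plaintext with no indication that encryption was involved. The audit list is the only place the third case leaves a trace, which is why monitoring of authorized access is the control that complements at-rest encryption.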
