Let me try it this way. Is df/SMS encryption a pre-requisite to the z/14 "PERVASIVE ENCRYPTION"?
Thanks for all your time and effort,

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Timothy Sipples
Sent: Tuesday, April 2, 2019 1:06 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Pervasive encryption and batch temporary datasets

Allan Staller wrote:
>My understanding is that this was a "hardware" feature and did not
>depend on DFSMS (except possibly as an on/off switch).
>In your post you refer to PERVASIVE ENCRYPTION (z/14?) vs pervasive
>encryption (df/SMS). Can you comment on the prior posts requiring
>DF/SMS extended format as a pre-requisite?

I don't fully understand the question. Let's see how IBM explains these terms....

OK, here's how IBM defined Pervasive Encryption (and other terms) in October, 2017:

"Pervasive encryption is a consumable approach to enable extensive encryption of data in-flight and at-rest to substantially simplify encryption and reduce costs associated with protecting data and achieving compliance mandates....

"The IBM z14 platform provides the hardware infrastructure, in a balanced system design, with the encryption capabilities that now make it possible to create a fortified perimeter around critical business data....

"The IBM Z operating environments, such as z/OS®, are designed to take advantage of the z14 platform imbedding the use of the z14 cryptographic engines within the operating environment to help create an environment where policies can be enforced that govern intrinsic data protection, helping clients build the perimeter around business data....

"z/OS V2.3 and z14 can help drive pervasive encryption efforts within an enterprise by supporting clients in their objective to meet complex compliance mandates by creating a fortified perimeter around core business data. z/OS is designed to provide new policy-based encryption options that take full advantage of the improvements in the z14 platform and can help clients protect their critical business data.
These new capabilities include:

• Enhanced data protection for many z/OS data sets, zFS file systems, and Coupling Facility structures gives users the ability to encrypt data without needing to make changes to applications to imbed encryption APIs within applications
• New z/OS policy controls make it possible to use pervasive encryption to help protect user data and simplify the task of compliance
• z/OS Communications Server includes encryption-readiness technology to enable z/OS administrators to determine which TCP and Enterprise Extender traffic patterns to and from their z/OS systems meet approved encryption criteria and help simplify the task of compliance...."

OK, so let's pick this apart again. Oversimplifying only slightly:

Pervasive Encryption -- and I'll capitalize the second word, too -- is the "approach," the applied concept. In another era IBM might have called this concept an "Architecture." Maybe something like "Enterprise Encryption Architecture" (EAA). With a forward slash somewhere for good measure. :-)

The z14 models (and second generation LinuxONE machines, I would add -- they featured in separate announcements) are the first (and only to date) hardware enablers of Pervasive Encryption.

As with the z14 machine, z/OS Data Set Encryption is one (but only one) important enabler of Pervasive Encryption as applied to z/OS. Yes, you can implement Pervasive Encryption without z/OS; the concept applies to other operating systems, including Linux.

You *can* pervasively encrypt (adverb, lowercase) data on machines prior to the z14, and for that matter without z/OS Data Set Encryption. Encryption, and the ability of application programmers to use it, even pervasively, has been an evolving fixture of IBM Z (and prior) platforms since the 1970s. And if you had/have a particularly energetic and dedicated application development team, well managed and supervised, you can pervasively encrypt data.
Nobody I've encountered actually did this (pervasively encrypt all data), which is why Pervasive Encryption is quite important and revolutionary.

You can also use z/OS Data Set Encryption, even pervasively, on IBM z196/z114 and newer machines. There will be processing overhead and possible service level implications pre-z14, but you can, and you probably should, at least to some degree. (Make forward progress, always.)

However, in IBM's view, Pervasive Encryption -- the "architectural level set," as it were -- requires IBM z14 (or second generation LinuxONE machines), and it requires adopting multiple z/OS features if you have z/OS, including but not limited to z/OS Data Set Encryption.

Does all that make sense now?

Or, if you want the short official version, here's what IBM wrote in its z/OS Data Set Encryption FAQ:

"What is the difference between data set encryption in z/OS V2.2 and pervasive encryption in the July 2017 IBM Z announcements?

"Data set encryption, which is one aspect of pervasive encryption, is available in z/OS V2.2 when the requisite service is applied."

Too simple. I would have added "which is one aspect of Pervasive Encryption as applied to z/OS," but that would have required 4 more words. :-)

Yes, lots of people ask questions such as, "We're implementing Pervasive Encryption on z/OS. Does it support zFS?" I know what the questioner *means*: z/OS Data Set Encryption here, not Pervasive Encryption. The pronoun "it" in this example actually, in reality, refers to z/OS Data Set Encryption. Sometimes it helps to be precise, but as long as I understand the question, I'm fine. I won't quibble.
--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM Z & LinuxONE
--------------------------------------------------------------------------------------------------------
E-Mail: sipp...@sg.ibm.com

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN