Hello Matt,
I am not sure about backups.
This is Pervasive Encryption.
So, again my understanding is that IF your RACFID can access the file, you
will read the data and it will be presented to you as unencrypted.
Now, if you write it to DASD and encryption is on for that device it will
be encrypted, otherwise not encrypted.
And if you write it to TAPE, then it depends what your tape system does.

I am just trying to find that corner case where someone you don't want to
have access, could possibly be able to gain access to the data when the
file is already protected with RACF? I cannot see a blackhat breaking into
the mainframe. If they did manage that, I cannot see them bypassing RACF.
If they did manage to get by RACF, then regardless of whether or not the
file was encrypted, they ought to be able to read it, since they have
somehow gotten RACF access.
Same is true for an internal compromise. If you can get RACF access to the
file, it will not matter whether or not the data is encrypted.
Maybe I am missing something.
Physically taking a drive is the only one I have come up with so far.

I like the idea of encryption.
If we decommission a drive and somehow it ends up on eBay, the data is
useless.
But, there would need to be a lot of processes that are ignored/bypassed to
get that far.


On Sat, Aug 3, 2019 at 1:25 PM Matt Hogstrom <m...@hogstrom.org> wrote:

> One use case is backups.  If someone can access a backup outside of the
> controls the system it resides on employs they could not compromise the
> data.  Consider potential data services that host backups offsite for
> instance.  You're protecting your data while entrusting someone with ensuring
> it's available
>
> That’s a strong use case I think
>
> Matt Hogstrom
> +1 (919) 656-0564
>
> > On Aug 3, 2019, at 12:48, Cameron Conacher <conac...@gmail.com> wrote:
> >
> > Hello everyone,
> > I have a curiosity question about Pervasive Encryption.
> > If we are already protecting resources with RACF, what additional benefit
> > do we get from Pervasive Encryption? I think it is a good idea, since
> > encrypted data lets me sleep better. Pervasive Encryption appears to be
> > very simple to implement.
> > My understanding (which may be incorrect) is that RACF will be used to
> > control encryption key access based on dataset profile rules and RACF
> > rules.
> > If a RACF ID does not have access to the encryption keys then they cannot
> > access the dataset.
> > But at the same time, if a RACF ID does not have access to the dataset,
> > they cannot access it.
> >
> > So, if the underlying file is encrypted, what additional security is in
> > place?
> > Maybe if someone breaks into the data centre and steals the disk drives?
> >
> > If a hacker gets a RACF ID, and the RACF ID allows them to access the
> > dataset, then they can read the data.
> > But, isn't that where we are today? No RACF ID = no access.
> >
> > Obviously I am missing something here.
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
