Data security is making the news these days far too often, and for all the wrong reasons. Because the data in your IBM® z/OS® system is the most valuable and useful data in the enterprise, it is also the data cybercriminals want most. So while it has to remain available for your business to run, it must also be completely secure.
In our September 2021 Webinar, DTS Software CTO Steve Pryor discussed, from a storage management perspective, some of the practical steps involved in making Pervasive Encryption a reality in your z/OS environment. IBM’s Pervasive Encryption initiative aims to achieve these availability and security goals by making encryption so seamless for the user that it’s implemented by default.
But however seamless IBM intends it to be, you still must consider the following:
- Are you sure you are taking the proper steps when encrypting data sets?
- How are you ensuring (and verifying) that the data is actually encrypted?
A few highlights of Pryor’s overview of encryption and z/OS storage management:
Why Encrypt?
Some of the reasons are obvious, such as regulations and data breaches. But there are other, less obvious reasons. Accidental (or intentional) exposure of sensitive data and insider attacks are two very real threats that must be considered.
Who Encrypts (or Decrypts)?
Pryor identifies three primary personas typically involved with encryption: the security administrator (most often the RACF security administrator), who is responsible for the system's security policies; the storage administrator, who is responsible for managing the data sets, including their creation and the devices on which they are allocated; and, ultimately, the end user, who relies on encryption (and decryption) to read and write data.
Encryption in z/OS
The concept of "pervasive encryption" is simply that everything is encrypted: data at rest, data in use and data in flight. While this may seem like overkill, the upside is that by encrypting everything, regulatory requirements are met 100% of the time. Furthermore, the existing security policy mechanisms are used to provide data set-level encryption and to control access according to user privileges, for added security.
Crypto Hardware
Crypto hardware for z/OS consists of two possible components, plus the adjunct processor emulated by zPDT. How does each function, and what are its features and benefits? Pryor clears up any questions with a quick overview.
Deep Dive in a Live Demo
Once the baseline is set, Pryor dives into the nuts and bolts of data set encryption with a live demonstration, explaining the options and elements on screen. He then addresses one of the most important aspects of encryption: key distribution. How do you distribute the keys to the people who need them and control how those keys are used? How do you rotate keys and deal with compromised keys? How do you audit the system? All are crucial questions that must be considered carefully.
Secure Data for Everyone – Pervasive Encryption and z/OS Storage Management is an informative, educational look at a timely topic in the mainframe space. If you weren’t able to attend, you can view it on-demand and download a copy of the slide deck used in the presentation by using this link.