Discussion:
IBM-MAIN Digest - 11 Sep 2017 to 12 Sep 2017 (#2017-255)
Timothy Sipples
2017-09-13 04:58:24 UTC
> And some IBMers don't like it when I say this, but z/OS is finally catching
> up ... In Linux, you can define an encrypted file system and anything that gets
> written to that file system will automatically be encrypted. And you can
> configure Windows so that data written to your hard drive is automatically
> encrypted.
That's probably because you're attempting to compare *file system*
encryption with *data set* encryption, and you're headed off the rails
quickly if you try to do that. They're quite different, and glossing over
important differences isn't a good idea, especially when it comes to
security. Critically, data set encryption is much, much more granular than
file system encryption.

With file system encryption (e.g. Linux dm-crypt/LUKS and eCryptfs) it's
realistic to have "a few" file systems with a few separate keys. And then
you -- who is "you"? -- have to be very careful where to create and store
files. I doubt that's viable in practice once you get past even basic
security "zoning." You really don't get much security separation this way,
at least not in the real world and particularly among administrators and
other insiders. (One partial "workaround": create and manage more virtual
machines, with narrower roles and responsibilities, and with separate file
systems. But that can easily result in "virtual server sprawl.") With z/OS
Data Set Encryption it's realistic to have millions of data sets with
millions of separate keys, within one z/OS instance (or z/OS Sysplex).

The details really do matter here. Fortunately most of the analyst
community, security researchers, CSOs, and others have figured out these
differences.

That said, Linux dm-crypt/LUKS and eCryptfs enjoy wonderfully, uniquely
high performance on the IBM z14 and LinuxONE Emperor II machines, and with
Crypto Express strong key protections and IBM Secure Service Container
support, too. It's lovely.

--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: ***@sg.ibm.com

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Timothy Sipples
2017-09-13 05:20:19 UTC
> Timothy Sipples had indicated earlier that the primary difference
> between the unpaid and paid offerings was the existence of "how to"
> support.

> SoftwareXcel, and its successors, provide additional support services above
> and beyond Program Services, notably including some "how-to" support.
I try to choose my words carefully, and at least on this occasion I did. I
wrote "notably including." I did not write "the primary difference." I also
did not write "SoftwareXcel Basic Edition" or "SoftwareXcel Enterprise
Edition." I wrote "SoftwareXcel."

Anyway, you started this thread because you were concerned about not being
able to obtain support services you want, affordably. I and others have
painstakingly pointed out that you actually have access to the support
services you want, after clarifying in a follow-up post: electronically
opening PMRs (for suspected defects), obtaining PTFs and release updates,
and searching for APARs. As far as I can tell, everything you asked for,
you get with your MLC and S&S. We've provided the Web links already, and
multiple people confirm they work. Isn't this good news? Haven't we
addressed all your concerns now? "May we close this PMR as RESOLVED?" :-)

--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: ***@sg.ibm.com

Ed Jaffe
2017-09-13 15:16:29 UTC
Post by Timothy Sipples
> Anyway, you started this thread because you were concerned about not being
> able to obtain support services you want, affordably. I and others have
> painstakingly pointed out that you actually have access to the support
> services you want, after clarifying in a follow-up post: electronically
> opening PMRs (for suspected defects), obtaining PTFs and release updates,
> and searching for APARs. As far as I can tell, everything you asked for,
> you get with your MLC and S&S. We've provided the Web links already, and
> multiple people confirm they work. Isn't this good news? Haven't we
> addressed all your concerns now? "May we close this PMR as RESOLVED?" :-)
If you had actually read my updates, you would already know that our IBM
support contract expires January 27, 2018 and that last week I gave the
order that it not be renewed.

I intend to report to SHARE (and to the community at large) via the Bit
Bucket, my experiences thereafter with attempting to obtain
usable/convenient program support for z/OS, z/VM and z/VSE. I'll likely
provide only a brief "Heads Up. Here's what we're doing..." in
Sacramento and then follow up five months later in Salt Lake City with
all of the gory details...

Feel free to watch the post-conference video(s) on YouTube if you're
interested.
--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/

Tony Harminc
2017-09-13 15:53:43 UTC
Post by Timothy Sipples
> That said, Linux dm-crypt/LUKS and eCryptfs enjoy wonderfully, uniquely
> high performance on the IBM z14 and LinuxONE Emperor II machines, and with
> Crypto Express strong key protections and IBM Secure Service Container
> support, too. It's lovely.
I'm sure it's lovely. But "wonderfully, uniquely high performance"? As
compared to what? An earlier generation of IBM z machines, perhaps?
But surely not to an Intel server like the IBM (sorry - Lenovo) x3650
with a Xeon E5-2600 v2 processor from 2014 or so? The one Lynn Wheeler
likes to talk about on this list.

Tony H.
