IBM Systems Magazine, Mainframe - January/February 2018 - 36

ADMINISTRATOR

cryptographic domains to virtualize physical coprocessors and enable cross-LPAR sharing of adapters. Each domain can contain one or more master keys that encrypt and protect other cryptographic keys in use in that domain. A key encrypted by a master key (i.e., secure key) in one domain can't be used in a domain with a different master key.

Cryptographic Key Management

Cryptographic keys and algorithms are the heart of pervasive encryption. Cryptographic algorithms are public and standardized; therefore, the security of any encryption operation lies in the security of its keys. Thus, key management is among the most important considerations for pervasive encryption. Consider what happens if:

* A key is accidentally deleted: Do you have a backup?
* A key is compromised: Do you need to re-encrypt the data? Can you locate every place that key is used?
* The entire key repository is exposed: Were the keys stored in the clear or encrypted?
* Keys are needed for disaster recovery: Are master keys available (preferably under lock and key)? Do you have copies of key stores?
* A Crypto Express adapter needs to be taken offline: Do you have hardware redundancy? Are those adapters loaded with the current master key?
* The master key is forgotten: Do you have a process for master key rotation?

Key management includes the entire lifecycle from creation to archival or deletion. Think of it in terms of master key and operational key management:

* Master keys reside in Crypto Express adapters and are used only to encrypt and decrypt operational keys. Master key management includes assigning multiple custodians (ensuring no one person has an entire master key), generating material, loading material onto Crypto Express adapters and changing master keys periodically.
* Operational keys don't reside in Crypto Express adapters and are used in various cryptographic operations. Operational key management includes generating, exporting and importing key material, archiving keys, expiring keys and more.
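
The master key rules described above (custodian key parts, secure keys bound to one domain's master key, and re-enciphering the key store when the master key changes), as an added sketch that is not part of the original article and is not IBM code. The HMAC-SHA256 wrapping and the XOR combination of key parts are assumptions standing in for what a Crypto Express adapter does internally; all function names and the key label are hypothetical.

```python
import hashlib
import hmac
import secrets

def combine_key_parts(parts):
    """XOR custodian key parts into one master key; no single part reveals it."""
    if len(parts) < 2 or any(len(p) != 32 for p in parts):
        raise ValueError("need at least two 32-byte key parts")
    key = bytes(32)
    for part in parts:
        key = bytes(a ^ b for a, b in zip(key, part))
    return key

def _prf(master, label, data):
    return hmac.new(master, label + data, hashlib.sha256).digest()

def _xor_stream(master, nonce, data):
    # Stand-in cipher: HMAC-SHA256 in counter mode (not the adapter's algorithm).
    stream = b"".join(_prf(master, b"enc", nonce + i.to_bytes(4, "big"))
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(master, operational_key):
    """Return a 'secure key': the operational key enciphered under a master key."""
    nonce = secrets.token_bytes(16)
    body = _xor_stream(master, nonce, operational_key)
    return nonce + body + _prf(master, b"mac", nonce + body)

def unwrap(master, token):
    """Recover the operational key, or fail if the master key is the wrong one."""
    nonce, body, tag = token[:16], token[16:-32], token[-32:]
    if not hmac.compare_digest(tag, _prf(master, b"mac", nonce + body)):
        raise ValueError("secure key is not wrapped under this master key")
    return _xor_stream(master, nonce, body)

def usable_with(master, token):
    """True if this master key (i.e., this domain) can use the secure key."""
    try:
        unwrap(master, token)
        return True
    except ValueError:
        return False

def change_master_key(old, new, key_store):
    """Re-encipher every secure key; fails as a whole if any entry is unreadable."""
    return {label: wrap(new, unwrap(old, tok)) for label, tok in key_store.items()}

# Constructed sample data: two domains, one data set key, one master key change.
PARTS_A = [secrets.token_bytes(32) for _ in range(3)]    # three custodians
MK_A = combine_key_parts(PARTS_A)
MK_B = combine_key_parts([secrets.token_bytes(32) for _ in range(2)])
DATA_KEY = secrets.token_bytes(32)
STORE = {"SAMPLE.DATASET.KEY": wrap(MK_A, DATA_KEY)}     # hypothetical label
MK_A_NEW = combine_key_parts([secrets.token_bytes(32) for _ in range(3)])
ROTATED = change_master_key(MK_A, MK_A_NEW, STORE)
```

A key store that is backed up but not re-enciphered after a master key change becomes unusable once the old master key is gone, which is why the questions about backups and current master keys in the list above belong together.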

The z/OS Integrated Cryptographic Services Facility (ICSF) provides basic key management capability for both operational key and master key management. Advanced tools include:

* The Trusted Key Entry Workstation, which provides the most secure, hardware-based master key management including dual control, master key loading with smart cards and smart card reader functions
* Enterprise Key Management Foundation, which provides extensive operational key management capability including a GUI-based browser, key templates and key distribution to a variety of platforms
* Security Key Lifecycle Manager, which provides operational key management for self-encrypted devices including key generation, import, export and key serving

Encrypting Data at Rest
Figure 1: Multiple Layers of Encryption

Pervasive encryption includes capabilities such as disk and tape encryption, data set and file encryption, database encryption and application encryption. These technologies can be layered to ensure broad coverage and protect data from different attack vectors (see Figure 1, left).

Full disk and tape encryption forms the broadest level. With 100 percent of the data encrypted, it helps protect data from physical removal. If disk or tape is physically lost or stolen (e.g., removed from the data center),

