Introducing IBM z/OS Data Set Encryption

Front cover

Getting Started with z/OS Data Set Encryption

Bill White, Philippe Richard, Cecilia Carranza Lewis, Romoaldo Santos, Eysha Shirrine Powers, Isabel Arnold, David Rossi, Kasper Lindberg, Eric Rossman, Andy Coulson, Jacky Doll, Brad Habbershaw, Thomas Liu, Ryan McCarry

Version 7

Redbooks

Draft Document for Review January 30, 2021 7:14 pm (8410edno.fm)

IBM Redbooks
Getting Started with z/OS Data Set Encryption
December 2020
SG24-8410-01

Note: Before using this information and the product it supports, read the information in “Notices” on page ix.

Second Edition (December 2020)

This edition applies to the required and optional hardware and software components needed for z/OS data set encryption.

This document was created or updated on January 30, 2021.

© Copyright International Business Machines Corporation 2020. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Draft Document for Review April 28, 2021 12:46 pm (8410TOC.fm)

Contents

Notices
  Trademarks
Preface
  Authors
  Now you can become a published author, too!
  Comments welcome
  Stay connected to IBM Redbooks

Chapter 1. Protecting data in today’s IT environment
  1.1 Which data
    1.1.1 Data at-rest
    1.1.2 Data in-use
    1.1.3 Data in-flight
    1.1.4 Sensitive data
  1.2 Why protect data
    1.2.1 Accidental exposure
    1.2.2 Insider attacks
    1.2.3 Data breaches
    1.2.4 Regulations
  1.3 Standards and regulations overview
    1.3.1 PCI Data Security Standards (PCI-DSS)
    1.3.2 General Data Protection Regulation (GDPR)
    1.3.3 California Consumer Privacy Act (CCPA)
    1.3.4 The Sarbanes-Oxley Act of 2002 (SOX)
    1.3.5 ISO/IEC 27001
    1.3.6 Federal Information Security Modernization Act of 2014 (FISMA 2014)
    1.3.7 Payment Card Industry (PCI) PTS HSM Security Requirements (PCI-HSM)
    1.3.8 German Banking Industry Committee (GBIC)
    1.3.9 Australian Payments Network (Auspaynet)
    1.3.10 Common Criteria
    1.3.11 FIPS PUB 140-3 (Security Requirements for Cryptographic Modules)
    1.3.12 HIPAA/HITECH
    1.3.13 eIDAS (electronic IDentification, Authentication and trust Services)
  1.4 How to protect data
    1.4.1 Defining the perimeter
    1.4.2 Methods to protect data
    1.4.3 Encryption
    1.4.4 Forms of encryption
    1.4.5 Cryptographic keys
  1.5 IBM Z pervasive encryption
    1.5.1 Encrypting above and beyond compliance requirements
    1.5.2 Encryption pyramid (data at rest)
    1.5.3 Managing the pervasive encryption environment
  1.6 Understanding z/OS data set encryption
    1.6.1 Challenges and use cases
    1.6.2 IBM Z cryptographic system
  1.7 How z/OS data set encryption works
  1.8 Administrator’s perspective of z/OS data set encryption
    1.8.1 Security administrator
    1.8.2 Storage administrator
    1.8.3 Cryptographic administrator
    1.8.4 Key manager

Chapter 2. Identifying components and release levels
  2.1 Starting a z/OS data set encryption implementation
  2.2 Required and optional hardware features
    2.2.1 IBM Z platform: Optimized for data set encryption
    2.2.2 Central Processor Assist for Cryptographic Function
    2.2.3 Crypto Express adapters
    2.2.4 Trusted Key Entry workstation
    2.2.5 IBM Enterprise Key Management Foundation
  2.3 Required and optional software features
    2.3.1 IBM z/OS DFSMS
    2.3.2 IBM z/OS Integrated Cryptographic Service Facility
    2.3.3 IBM System Authorization Facility
    2.3.4 IBM Resource Access Control Facility for z/OS
    2.3.5 IBM Multi-Factor Authentication for z/OS
    2.3.6 IBM Security zSecure Suite
    2.3.7 IBM Security QRadar
    2.3.8 IBM zBNA and zCP3000
  2.4 Cost and performance effect

Chapter 3. Planning for z/OS data set encryption
  3.1 Creating an implementation plan
    3.1.1 Distinguishing roles and responsibilities
  3.2 Data set administration considerations
    3.2.1 Supported data set types
    3.2.2 Data set compression
    ...

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 280
