Adabas Encryption for z/OS

Adabas Encryption for z/OS is a new, out-of-the-box, selectable unit of Adabas that encrypts database container datasets (ASSO, DATA, WORK, and so on) at the dataset level. It leverages the security and performance benefits of hardware-based encryption and the key management facilities provided by the IBM Z platform.

Encrypting datasets on DASD is an effective way to strengthen their security. It allows you to:

  • Separate one user’s authorization to access sensitive data in datasets from another user’s authorization to manage those datasets. Dataset management includes tasks like backing up, migrating, or replicating datasets.

  • Protect datasets on shared DASD against access from other systems that can have different access control rules (in RACF, for instance). This is important, for example, when the datasets reside in a storage area network (SAN).

  • Ensure dataset security across all storage tiers, from a single DASD device up to cloud storage.

The use of Adabas Encryption is transparent to existing Adabas application programs. No application changes are required for installing and using Adabas Encryption.

Adabas Encryption encrypts datasets on DASD (namely, the database container datasets). It does not encrypt datasets on tape (for example, save tapes) or data in memory (for example, the Adabas buffer pool).


Main Features of Adabas Encryption

Adabas Encryption provides the following:

  • Integration into z/OS Dataset Encryption —

    Leveraging z/OS Dataset Encryption for the creation and use of encrypted databases and for high-performance, hardware-based encryption and decryption operations (using CPACF).

  • Integration into enterprise key management —

    Managing the Adabas encryption keys the same way as the other encryption keys used in the organization.

  • Transparent access to encrypted databases for application programs —

    No changes or adjustments to application programs for working with encrypted databases.

  • Full support of encrypted databases by the Adabas nucleus and utilities —

    No functional restrictions for the application programming interface or administrative functions.

  • Support for encrypting databases initially and for encryption key rotation —

    Migration to encrypted databases with little downtime.

  • zIIP support —

    Offloading of encryption and decryption operations to zIIP processors.

Compatibility with Existing Security Tools

Adabas Encryption applies to the database container datasets on DASD (data-at-rest). To secure the traffic flowing to and from Adabas (that is, Adabas calls) through your network (data-in-flight), use Encryption for Entire Net-Work. Together, the two keep your Adabas data encrypted whenever it is not being actively used by Adabas or your application programs.

Encrypting your database keeps your data secret when it is accessed directly, without going through Adabas. To protect your data when it is accessed through Adabas, you need access control. This can be established using Adabas System Authorization Facility (SAF) Security. With Adabas SAF Security, you can do the following:

  • Define resource profiles that establish and enforce rules defining which Adabas users have permission to perform which operations (for example, search, read, and update) on which Adabas resources (for example, databases, files).

  • Maintain and administer these rules in the same access control system (RACF, ACF2, Top Secret) that you use for the other resources (for example, datasets, encryption keys) in your z/OS system.

Adabas Encryption and Adabas SAF Security complement each other: together, they allow only the access to your Adabas data that your access control system permits, and they prevent all other access. This makes your access control system the central point for governing your Adabas security.