Encryption Basics

Various organizations, such as those running Adabas on IBM z/OS, have generated decades’ worth of valuable information, including financial data, personal files, and proprietary business material. These organizations have a critical need to protect this data against ever-increasing cybercrime, and to comply with growing regulations (HIPAA, SOX, PCI DSS, GDPR and others).

Encryption is an effective way to protect data against unauthorized inspection and, when it is combined with an integrity check (an authenticated mode such as AES-GCM, or a separate MAC), against undetected manipulation. Encryption uses a secret key to transform readable data (“plaintext”) into ciphertext that is meaningless without the correct key; only a holder of that key can turn the ciphertext back into readable data. Done properly, encryption makes it practically impossible for someone without the key to tell the difference between encrypted data and purely random data. Two caveats apply: the length of the data is not hidden, and an unauthenticated cipher on its own conceals data but does not detect that it has been altered.

Datasets on z/OS are customarily protected by an external security manager such as RACF®, ACF2® or Top Secret®. These systems prevent unauthorized access to protected datasets on every access path under their control. They are not effective on access paths outside their control, for example when a dataset has been copied to another system, or when it resides on shared DASD and is read from another system whose security manager does not enforce the same rules.

Encryption protects datasets wherever they reside. Encrypted datasets can be read in plaintext only on systems that have been provisioned with the required encryption keys. On those systems, the encryption keys can (and should) be protected from unauthorized use via the access control system.

Data-in-flight is data flowing across a network, whether public (such as the internet) or private (such as a corporate LAN). Data-at-rest is data stored in datasets written to storage devices such as disk or tape; it persists after the application that produced it has stopped running.

Organizations that encrypt their data, especially data-at-rest, must manage every encryption key across its entire life cycle: from the creation of a key, through its distribution and use, to its retirement and eventual destruction. Sharing a key with an unauthorized person means losing the protection the encryption provides; losing a key means losing the data it protects, and no access control on the dataset can bring that data back. Encryption key management is a challenging topic in its own right and is not performed by Adabas.