Cybersecurity is top of mind for every enterprise today. Pervasive encryption protects data both when it is in transit and when it is at rest on a storage device. It's a solid foundation on which to build a layered security strategy. Security and storage administrators are tasked with protecting consumer data, and data set encryption can provide additional security without requiring application changes. In their SHARE Washington, D.C., session, “Cybersecurity and Data Set Encryption - Top-Level Protection for Your Data,” Cecilia Lewis, senior technical staff member (STSM) software engineer at IBM, and Albert Martinez, Data Facility Storage Management System (DFSMS) software engineer at IBM, explored data set encryption.
As businesses continue to navigate a landscape of increasing data-security requirements and regulatory compliance standards, the IBM z/OS Data Facility Storage Management System (DFSMS) plays a critical role in ensuring that mainframe data is both secure and efficiently managed. Some of the latest advancements in DFSMS focus on data set encryption, compression, and essential performance enhancements. Encryption enhancements help enterprises meet strict security requirements, such as compliance with PCI-DSS V4.0, which refers to host-based encryption for applications.
Understanding DFSMS Data Set Encryption
Data set encryption is designed for a broad range of data sets, including extended format sequential data sets, sequential basic and large format data sets, Partitioned Data Set Extended (PDSE), and Virtual Storage Access Method (VSAM) Extended Format, which includes extended format linear data sets. This encompasses systems like DB2, Information Management System (IMS), JES2 spool space, and Resource Access Control Facility (RACF), among others. These encryption capabilities ensure that sensitive data is protected while stored on mainframe systems, addressing the growing need for secure data storage in various industries.
Challenges of Data Compression and Encryption
“It is important to note that a critical challenge when dealing with encrypted data is compression efficiency,” explain Lewis and Martinez. “Both security and storage administrators must remember that encrypted data does not compress well.” Because encryption transforms data into a seemingly random stream, compression methods that rely on repeated byte sequences have difficulty reducing the size of encrypted data significantly. To optimize storage and improve data transfer speeds, they recommend converting data sets to a compressed format, where available, so that the data is compressed before it is encrypted.
Data Set Encryption Restrictions
Additionally, it is essential to remember the restriction on the minimum size of data that can be encrypted. Data areas smaller than 16 bytes cannot be encrypted. Therefore, non-compressed format sequential data sets should not be created with a block size of less than 16 bytes. If such a sequential data set is opened with the Queued Sequential Access Method (QSAM), an ABEND 213-89 error will occur. Similarly, attempts to write a block smaller than 16 bytes with the Basic Sequential Access Method (BSAM) will result in an ABEND 002-F2 error. These limitations highlight the importance of maintaining appropriate data block sizes when implementing data set encryption.
Enhancements for Availability: Conversion to Non-Encryption on First Open
In the second quarter of 2024, the Continuous Delivery (CD) release of APAR OA66122 included an enhancement focused on availability. “IBM has introduced the ability to convert encrypted data sets to non-encrypted ones on the first open under certain circumstances,” according to Lewis and Martinez.
This feature is supported for empty encrypted sequential basic and large format data sets. Lewis and Martinez explain, “When certain restrictions are detected during open processing, these data sets will be converted to non-encrypted data sets when the support is enabled via a new FACILITY class resource, thus avoiding potential application outages due to open abends and improving system flexibility.”
Performance Enhancement: Optimized Copying for Encrypted Data Sets
A new interface for managing VSAM encrypted data sets and sequential encrypted and/or compressed extended format data sets enables an application to optimize the copying process. This can lead to performance improvements when handling encrypted data.
According to Lewis and Martinez, “This advancement allows users to manage encrypted data as efficiently as non-encrypted data when the source and target data sets have similar characteristics. This is because the data can be copied without the need to be decrypted and re-encrypted.” They add, “In the second quarter of 2025, this support will be available with APAR OA63434 and associated prerequisite APARs.”
Tape Data Sets Encryption: Ensuring Compliance and Performance
Another critical area of improvement in DFSMS, which will become available this year, is access-method encryption and compression for tape data sets. This support may be staged, with the initial deliverable provided by APAR OA66326 and associated prerequisite APARs. As regulatory frameworks like PCI-DSS V4.0 evolve, businesses are evaluating the need to move beyond hardware-level encryption and implement host-based encryption to ensure full compliance. “The new host-based encryption feature allows organizations to meet these requirements for tape data sets while maintaining the same client value and user experience as with other data set types already supported by data set encryption,” they explain.
Key features of data set encryption, which will also apply to the tape data set encryption enhancement, include:
- Data Set Level Granularity: Encryption is applied at the data set level, ensuring that each data set has separate access control for both the data set itself and its encryption key label.
- Resource Access Control Facility (RACF) and System Managed Storage (SMS) Policy Integration: Encryption is enabled through seamless integration with RACF and SMS policies for more granular control over data security.
- Audit Readiness: Organizations can maintain a high level of audit readiness, ensuring compliance with data security regulations.
- Compress Data Before Encryption: For data set types that support compression, data can be compressed before encryption, which optimizes both storage and processing times, as well as enhances overall performance.
Tape Compression and Encryption Features
With the upcoming support, tape data sets will be able to combine encryption with both hardware compaction and host-based (access-method) compression. “Hardware compaction for tape data sets has been available for decades, but now with separate access method compression, administrators can more flexibly manage encrypted and compressed format tape data sets. The access methods will have to first compress the data before encrypting it,” according to Lewis and Martinez.
They further explain, “When using Execute Channel Program (EXCP) for tape access, data integrity throughout the compression/decompression and encryption/decryption processes will require changes to the application to include calls to the new IGGCOMP API to perform compression/decompression and the existing IGGENC API to perform encryption/decryption.”
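The two rules above (from the restrictions section, that a data area under 16 bytes cannot be encrypted, and from this section, that compression must happen before encryption) can be exercised offline. The following is an added example, not IBM code and not the IGGCOMP/IGGENC APIs: zlib stands in for access-method compression, and a SHA-256 counter-mode keystream XOR (an assumption, chosen only because it needs no third-party library) stands in for the AES cipher DFSMS uses. The sample record is constructed.

```python
import hashlib
import zlib

MIN_ENCRYPT_BYTES = 16  # data areas smaller than this cannot be encrypted


def check_block_size(blksize: int) -> bool:
    """Mirror the open-time restriction on non-compressed sequential data sets:
    a block must be at least 16 bytes to be encryptable."""
    return blksize >= MIN_ENCRYPT_BYTES


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with a SHA-256 counter-mode keystream.
    It is NOT the AES used by DFSMS; it only yields pseudorandom output so the
    effect on compressibility can be observed. XOR makes it self-inverse."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def compress_then_encrypt(key: bytes, data: bytes) -> bytes:
    """Correct order: compress first (as the access methods will), then encrypt."""
    if not check_block_size(len(data)):
        raise ValueError("data area smaller than 16 bytes cannot be encrypted")
    return keystream_xor(key, zlib.compress(data, 9))


def decrypt_then_decompress(key: bytes, blob: bytes) -> bytes:
    """Reverse path: decrypt, then decompress."""
    return zlib.decompress(keystream_xor(key, blob))


def encrypt_then_compress(key: bytes, data: bytes) -> bytes:
    """Wrong order: the ciphertext looks random, so compression cannot shrink it."""
    return zlib.compress(keystream_xor(key, data), 9)


# Constructed sample: a repetitive fixed-format record block (3920 bytes).
SAMPLE = b"ACCT=000123 TXN=DEPOSIT AMT=0000100.00 STATUS=OK\n" * 80
KEY = b"constructed-demo-key-not-a-real-key-label"


def demo() -> dict:
    """Return the sizes produced by each ordering for the sample block."""
    right = compress_then_encrypt(KEY, SAMPLE)
    wrong = encrypt_then_compress(KEY, SAMPLE)
    assert decrypt_then_decompress(KEY, right) == SAMPLE  # round trip holds
    return {"plain": len(SAMPLE), "compress_then_encrypt": len(right),
            "encrypt_then_compress": len(wrong)}
```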
New Tape Labels for Compressed and Encrypted Data
A major change in the way tape data sets are handled with the upcoming support involves the introduction of new tape labels, which will identify which data sets are in encrypted or compressed format. These labels also simplify tracking.
- Type 1 and Type 2 Labels: These are existing tape labels. The type 2 label is enhanced to identify whether the data set is in encrypted and/or compressed format. This is critical information regarding the encryption and compression status of the data set.
- Type 3 and Type 4 Labels: These are new tape labels created to maintain enhanced attributes of a tape data set, which includes encryption and compression-related information. The type 3 label primarily contains encryption-related data, such as the encryption key label, which is crucial for managing encryption keys associated with the data sets. The type 4 label primarily contains compression-related data, ensuring that compressed data is properly tracked.
Additional Enhancements
DFSMSrmm (Removable Media Manager) maintains information about data sets on tape volumes. It is enhanced to record a data set’s encryption and compression details, such as key labels, encryption algorithms, modes, ICV (Integrity Check Value), compression algorithms, and data read/written statistics. They indicate that these features “will ensure that enterprises have detailed records of their encryption and compression activities, which will improve compliance and enhance security.”
DFSMSrmm TSO subcommands and z/OSMF plugin improvements also can provide easier access to encryption and compression data, which allows users to better manage their data sets and comply with security standards. Lewis and Martinez also note, “The enhancements offer greater transparency into the state of enterprise data.”
System Management Facility (SMF) Type 14 and Type 15 records are extended to have a new section for tape enhanced attributes. Lewis and Martinez say, “This will help with tracking of encryption and compression details.”
DFSMS enhancements feature host-based tape encryption, improved compression capabilities, and advanced tracking and auditing tools that enterprises can use to meet security standards for data encryption. At the same time, enterprises will optimize data management processes and storage. Embracing these improvements can ensure optimal performance and security of mainframe data sets into the future.