ADSM-L

Re: don t aynone know anything about Encryption in TSM.

2002-04-04 10:18:58
Subject: Re: don t aynone know anything about Encryption in TSM.
From: David Longo <David.Longo AT HEALTH-FIRST DOT ORG>
Date: Thu, 4 Apr 2002 10:18:19 -0500
We aren't using encryption here - yet, nor have I used it in the past.
It seems to me with this specific scenario and the discussion in general
about this in the last few days, that the main problem is -PROCEDURES.

If you lose the key and therefore can't restore your data, then there
should be "key management" as part of your DRM procedures.

An Admin at some level should have/store in electronic or hardcopy
form in a "safe" place onsite and at least one additional copy should be
stored at offsite vault.  Just like when you change passwords etc., this
information should be updated, so if all your Admins go to lunch in one
car and ..., someone can get passwords and get access to your systems!

Also no one should be using encryption unless some higher level admin
or manager knows about it and has the specific info.

My 2 cents.


David B. Longo
System Administrator
Health First, Inc.
3300 Fiske Blvd.
Rockledge, FL 32955-4305
PH      321.434.5536
Pager  321.634.8230
Fax:    321.434.5525
david.longo AT health-first DOT org


>>> WMansfield AT SOLUTIONTECHNOLOGY DOT COM 04/04/02 08:12AM >>>
My favorite scenario is the disgruntled employee: maintains critical 
corporate data on his system, backs it up using encryption, deletes the 
data from his system, then walks off holding the key hostage (paranoid, 
aren't I).  There isn't any way to know somebody is out there using 
encryption.  You can create a forced "exclude.encrypt *" entry in a client 
option set, but who thinks to do that?

The other issue is, what happens if the key is stolen?  There is no way to 
"change the password" for existing backed up files.  And if you change the 
key at the client, you wind up in a situation where a point in time 
restore will require different keys for files that were backed up at 
different dates.

_____________________________
William Mansfield
Senior Consultant
Solution Technology, Inc





"Joshua S. Bassi" <jbassi AT IHWY DOT COM>
Sent by: "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
04/03/2002 05:28 PM
Please respond to "ADSM: Dist Stor Manager"

 
        To:     ADSM-L AT VM.MARIST DOT EDU 
        cc: 
        Subject:        RE: don t aynone know anything about Encryption in TSM.


Andy,

What could a customer do for DR of a client which lost its encryption
key and needed to restore data from the TSM backup (encrypted)?


--
Joshua S. Bassi
Sr. Solutions Architect @ rs-unix.com
IBM Certified - AIX/HACMP, SAN, Shark
Tivoli Certified Consultant- ADSM/TSM
Cell (415) 215-0326
