Encryption Policy Planning
To effectively implement tape encryption in your environment, you must analyze your tape encryption needs. This analysis will help you to determine how to structure the DFSMS data classes that CA Tape Encryption uses to recognize tape data that requires encryption or decryption. The security administrator must work closely with application managers and auditors to determine the encryption policy for the organization as a whole. Questions to consider include the following:
- What data must be encrypted? Encryption uses resources, so not all data should be encrypted. Be judicious in selecting data to encrypt.
- Should all users have access to all encryption keys? If not, consider using the CA Tape Encryption SAF Interface to restrict access to these resources.
- Does your data contain personal information? Is the data considered sensitive? If so, encrypt it. Information that should be encrypted includes any information that contains private personal data such as social security numbers and other identifying information. This includes personnel, payroll, and banking records, for example.
- Is your organization required to meet particular security standards? Do you need to adhere to FIPS standards? Consider the security standards required for your industry. Certain local laws may also apply.
- What encryption strength should be used? It can be helpful to categorize data into groups to determine the level of sensitivity of the data. Categorizing your data will suggest the type of encryption strength that may be required and let you determine a specific class for the data.
  - Cryptographic hardware provides encryption and decryption services for some, but not all, encryption strengths of all algorithms. If you choose an algorithm or encryption strength that is not supported by your cryptographic hardware, the encryption or decryption must be performed by your CPU. This may substantially affect your performance.
- Does the tape leave the physical control of your organization? Is the tape sent to business partners? If so, use B2B encryption for your tapes.
  - You must coordinate this process of sending B2B tapes with the business partners who will receive the tapes.
  - Any recipient of a tape encrypted by CA Tape Encryption must:
    - Provide you with an exported version of their digital certificate with their public key before you encrypt the tape; alternatively, you must provide them with an exported version of a code book along with a passkey to decrypt the code book.
    - Install either the free decryption-only version of the product or any of the CA Tape Encryption options to decrypt a tape sent by you, or install the Java-based Multiplatform Decryption Utility.
- Is the data only used internally? If so, use in-house encryption for your tapes.