The Need for Erase


By Bill Wilkie, Dino-Software (5-minute read)

An interesting scenario challenging the security of temporary data sets and sort work areas was brought to our attention, so we are conducting some market research on the subject and ask readers to weigh in with their opinions.

 

Is There an Exposure?

When the topic of erasing data for security purposes comes up, a common question is, “Is it necessary, especially in a secure environment?” It is well known that any data set that contains sensitive information must be secured. The fortress has several layers, built in an effort to make it impenetrable and, should there be a breach, to render the data unusable. The IT arsenal includes firewalls, RACF, Top Security, data encryption, etc. However, is there an area of vulnerability that is being overlooked? Are there potential flaws lurking in the protection hierarchy? If any of this data is breached, the financial consequences to a company can far exceed the cost of prevention.

 

Temporary Data Sets & Sort Work Areas

When an authorized user removes the protections afforded sensitive data simply by supplying the correct password and decryption key, and that data is then read into a sort work area, the argument presented is that those sort work areas now contain decrypted, readable sensitive data. Furthermore, at the end of the sort, when the sort work areas are deleted, “delete” only removes the pointer to where the data resides from the disk’s table of contents. It does not erase the data. The actual data written in that space still exists until it is eventually overwritten in its entirety by another requestor for space on that volume.

To add more food for thought, let’s say that the sort used 6 work areas of 10 cylinders each. Someone comes along and asks for 10 cylinders’ worth of space and is assigned the same space formerly assigned to SORTWORK01. But that application doesn’t use the entire 10 cylinders; it only uses 1 track. This means that there are now 149 tracks’ worth of sensitive data after the Last Block pointer for the new data set, all within space that the new data set now owns. Potentially, anyone who can print the disk after the Last Block pointer is able to see the raw data, and it will remain there as long as that new user holds onto that space. The same would be true for all the other work areas from that sort. Further, multiply that by the number of times that scenario is carried out by that same application and by all other applications operating in the same manner. These accumulating remnants of unprotected data expose a vulnerability.
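The scenario above as a toy model, added here as an illustration; it is not code from the article and does not use any z/OS interface. `Volume`, `run_sort_scenario` and the data set name `NEW.DATA` are hypothetical, and 15 tracks per cylinder is an assumption that matches the article's 149-track figure.

```python
TRACKS_PER_CYL = 15  # assumption: 3390 geometry, so 10 cylinders = 150 tracks

class Volume:
    """Toy model of a disk volume: track contents plus a table of contents."""
    def __init__(self, cylinders):
        self.tracks = [None] * (cylinders * TRACKS_PER_CYL)  # None = no data
        self.vtoc = {}  # name -> [first track, tracks owned, tracks written]

    def allocate(self, name, cylinders):
        need = cylinders * TRACKS_PER_CYL
        owned = set()
        for start, length, _ in self.vtoc.values():
            owned.update(range(start, start + length))
        for start in range(len(self.tracks) - need + 1):  # first fit
            if owned.isdisjoint(range(start, start + need)):
                self.vtoc[name] = [start, need, 0]
                return start
        raise RuntimeError("no free extent large enough")

    def write(self, name, records):
        start, length, _ = self.vtoc[name]
        if len(records) > length:
            raise ValueError("data exceeds the allocated extent")
        self.tracks[start:start + len(records)] = records
        self.vtoc[name][2] = len(records)  # the last-block pointer

    def delete(self, name, erase=False):
        start, length, _ = self.vtoc.pop(name)  # a delete drops the pointer
        if erase:  # an erase also overwrites every track in the extent
            self.tracks[start:start + length] = [None] * length

    def residue(self, name):
        """Old data inside the extent but past the last-block pointer."""
        start, length, used = self.vtoc[name]
        return [t for t in self.tracks[start + used:start + length] if t]

def run_sort_scenario(erase):
    """Return (stale tracks owned by the new data set, stale tracks on volume)."""
    vol = Volume(cylinders=100)
    work_areas = [f"SORTWORK{n:02d}" for n in range(1, 7)]
    for name in work_areas:
        vol.allocate(name, 10)
        vol.write(name, [f"cleartext from {name}"] * 150)  # constructed data
    for name in work_areas:
        vol.delete(name, erase=erase)
    vol.allocate("NEW.DATA", 10)           # reuses SORTWORK01's old extent
    vol.write("NEW.DATA", ["new record"])  # one track of ten cylinders
    stale_total = sum(1 for t in vol.tracks if t and t.startswith("cleartext"))
    return len(vol.residue("NEW.DATA")), stale_total
```

Without erase the new data set owns 149 tracks of the old sort data, and the five other released work areas remain readable in free space; with erase on delete both counts drop to zero.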

 

Based upon the aforementioned scenario, DINO would like to gauge how it is perceived by our readers.  Please (anonymously) answer the following questions and submit them in our online poll.

1. In the case of a password protected or encrypted data set, if that data set is read in and written out to a temporary data set, is the data in that temporary data set still encrypted, or is it now in raw form?
If "I don't know," please explain:
2. If a password-protected or encrypted data set is read into a sort, is the data in the sort work area encrypted, or has it been decrypted?
If "I don't know," please explain:
3. If a sort work data set of 10 cyl is used with an allocation of (, delete ) and the next user requests 10 cyl and gets the same area used by the sort but only writes 1 cyl, do the remaining 9 cylinders still contain the original data between the last block ptr for the new data set and the end of extent?
If "Maybe," please explain:
4. When copies are made of a data set containing sensitive information, can that copied data set be printed so that the raw data is viewable?
If "Maybe," please explain:
5. Even if sensitive data was left in the sort work areas, it doesn’t matter because it eventually should all be overwritten.
If "Maybe," please explain:
6. Would your corporation’s security regulatory agency be satisfied that sensitive data left in the sort work areas does not pose a risk because it should eventually all be overwritten?
If "I don't know," please explain:
7. Would adding ERASE to the end of a JCL jobstream take a long time to implement because it would require getting approval through change control?
If "Maybe," please explain:
8. Temporary and sort work area data erases have never been done historically, but corporations should still be concerned that sensitive data could still exist in them and present an exposed risk.
If "Maybe," please explain:
9. Do you think there is an exposed risk with sort work area data?
If "Maybe," please explain:

 

Bill Wilkie is the Sr. Product Developer of DINO’s XTINCT, which provides fast, secure, and permanent disk and tape erasure. XTINCT meets DoD standards for cleaning and purging data. For more information on XTINCT, visit http://www.xtinctdinosoftware.com.

About Dino-Software

Dino-Software Corporation develops enterprise-wide solutions for the management, analysis, protection, and repair of complex z/OS mainframe environments.  Dino-Software has long been acknowledged for its superiority in ICF catalog management and technical support, helping organizations ensure their business-critical assets remain online and recoverable in a disaster.  Learn more about Dino-Software and its z/OS mainframe storage solutions at http://www.dino-software.com.