On Saturday, August 20, 2022 at 12:05:38 PM UTC-5, Stephen Hoffman wrote:
> On 2022-08-18 22:50:38 +0000, Rich Jordan said:
>
> > Wee!, its audit time again!
> >
> > I reviewed the VSI site and didn't see mention but thought I would ask
> > here also.
> If you have VSI support, open a support call. That'll get this
> discussion added to whatever escalation and enhancement and scheduling
> discussions are underway within VSI, and might also get some
> documentation created and reviewed.
> > Last time I looked, VMS, even current VSI versions, can do manual
> > per-file encryption/decryption, but not whole disk. That means you
> > couldn't encrypt production files and have them usable; you'd have to
> > decrypt, use, re-encrypt, then delete the unencrypted version; a no go
> > save perhaps for small critical files sync'd by human usage.
> Correct. You'll need outboard encrypting storage to meet this
> requirement, either as a guest in a VM that can encrypt its backing
> storage, or using encrypting storage hardware.
>
> If SSD storage hardware is involved, ensure it supports
> erase-on-zero-sector writes, and also ensure that OpenVMS highwater
> marking and erase-on-delete are enabled, and that no site-local $ERAPAT
> service is loaded.
>
> For those unclear on the purpose of and usefulness of full-disk
> encryption (FDE) in this and other OpenVMS contexts, FDE is intended to
> make server decommissioning and server repairs much less likely to leak
> data, as well as cases of server or storage theft. You can't
> necessarily erase a failed storage component, but somebody inclined to
> try might be able to access any data remaining on the device. With FDE,
> any remaining data will be inaccessible without the key.
> > And backup savesets can be encrypted, but at the cost of both increased
> > time and the loss of compression (which is often a substantial time and
> > space saver itself).
> If BACKUP is encrypting data before performing data compression, that's
> a design bug in BACKUP.
>
> Properly encrypted data is not compressible, but properly compressed
> data can be encrypted.
>
> And yes, OpenVMS systems are comparatively slow, and supported
> processors prior to x86-64 are lacking in encryption acceleration
> hardware features.
>
>
https://en.wikipedia.org/wiki/AES_instruction_set
>
> While most (all?) recent x86-64 hardware does have hardware
> acceleration support for encryption, I'd assume OpenVMS x86-64 is not
> (yet?) using that.
> > I presume that is still the current state of things?
> Correct.
>
> The OpenVMS security-related documentation—both for server management,
> and for app development—is unfortunately also outdated, too.
>
> Auditors can be difficult to deal with and can miss other issues, but
> FDE and basic data security discussed here is not an unusual, onerous,
> nor even remotely questionable requirement.
>
> TL;DR: waivers and maybe FDE HW/SW support incoming.
>
>
>
>
> --
> Pure Personal Opinion | HoffmanLabs LLC
Hoff, thanks for responding again.
Right now its a question, not a requirement or so far as we know, an impending requirement.
Our HyperV guy says that once VSI VMS is available for HyperV that the underlying files can be on encrypted storage. Still waiting to hear about VMWare, but Virtualbox does support encrypting its storage (files? disks?) directly if I understand their docs from a very quick overview, so that might be a future option too (unless the auditors don't like virtualbox because its not HyperV or VMWare).
I don't consider the decommissioning thing to be an issue at our level; it certainly might be for a site that has tons of servers and high turnover, but in this case, VMS hardware lives for 10 years, PC hardware at least 5, and we're talking about decomming maybe 2 servers per year on average, maybe 20-40 related disks. The customer contracts out storage destruction and hardware recycling to a bonded company, though in the case of the last VMS server, we did the destruction and recycling. Nice magnets in those hard drives (though I had to do that after hours... ;)
Your point on auditors and data encryption is well taken, but we have had to deal with some in the past who literally could not understand anything not microsoft based and had to be kindergarten level shown the security features that were available and implemented, system auditing and how it worked, etc because they were otherwise going to report that the VMS box didn't have any security and was wide open and anyone could connect and brute force it and it wouldn't stop them from trying... that was at a publicly traded company, the underlying reason for the audit along with S-OX.
Thanks again.