Planning For Full-Disk Encryption Activation; Planning For User Accounts And Passwords; Managing Secure User Accounts - IBM DS8882F Introduction And Planning Manual

Rack mounted storage system

IBM Security Key Lifecycle Manager for z/OS generates encryption keys and
manages their transfer to and from devices in an IBM Z environment.

Planning for full-disk encryption activation

Full-disk-encryption drives are standard on the storage system. These drives
encrypt and decrypt at interface speeds, with no impact on performance.
Full disk encryption offerings must be activated before use, as part of the system
installation and configuration. This installation and activation review is performed
by the IBM Systems Lab Services team. To submit a request or inquiry, see the
Storage Services website (www-03.ibm.com/systems/services/labservices/platforms/labservices_storage.html),
and click Contact us.

You are responsible for downloading or obtaining from IBM, and installing
designated machine code (such as microcode, basic input/output system code
[BIOS], utility programs, device drivers, and diagnostics that are delivered with an
IBM system) and other software updates in a timely manner from the ibm.com
website (www.ibm.com) or from other electronic media, and following the
instructions that IBM provides. You can request IBM to install machine code
changes; however, you might be charged for that service.

Planning for user accounts and passwords

Planning for administrative user and service accounts and passwords ensures that
you use the best security practices.

Managing secure user accounts

Follow these recommended practices for managing secure user accounts.
Procedure
Complete the following steps to achieve the level of secure access for users that is
required for your storage system.
1. Assign two or more storage administrators and two or more security
   administrators to manage your storage system. To preserve the dual control
   that is recommended for recovery key management, do not assign both storage
   administrator and security administrator roles to the same user. Change the
   password for both the default storage administrator and default security
   administrator user accounts, or delete the default user account after user
   accounts for other administrators are created.
2. Create one user account for each user who is authorized to access your storage
   system. Do not share a single user account between multiple users.
3. Assign appropriate user roles and scopes to user accounts in accordance with
   the storage management responsibilities of the user.
4. Review configurable user ID policies, and set the policies in accordance with
   your security objectives. The default settings are consistent with IBM
   recommended user ID and password policies and practices.
5. For applications that require network access to the storage system, assign a
   unique user ID (an ID that is not assigned to any other user). You can assign
   different user IDs for different software applications or different servers so that
   actions can be distinguished by user ID in the audit logs.
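
The following added example (not part of the IBM manual) checks an account inventory against steps 1, 2 and 5 of the procedure: dual control, default accounts, and one account per person or application. The CSV columns, the role labels `storage_admin` and `security_admin`, and the sample rows are assumptions constructed for illustration; they are not storage system output.

```python
import csv
import io

# Constructed sample inventory. Column names and role labels are assumptions
# made for this example, not a format produced by the storage system.
SAMPLE = """user_id,roles,is_default,password_changed,assigned_to
admin,storage_admin,yes,no,
alice,storage_admin;security_admin,no,yes,alice
bob,storage_admin,no,yes,bob
backup_svc,operator,no,yes,backup-app;report-app
"""

def audit_accounts(csv_text, min_admins=2):
    """Return a sorted list of (user_id or '*', finding) tuples."""
    findings = []
    counts = {"storage_admin": 0, "security_admin": 0}
    for row in csv.DictReader(io.StringIO(csv_text)):
        uid = row["user_id"]
        roles = {r for r in row["roles"].split(";") if r}
        owners = [o for o in row["assigned_to"].split(";") if o]
        for role in counts:
            if role in roles:
                counts[role] += 1
        # Step 1: dual control needs the two admin roles on different users.
        if {"storage_admin", "security_admin"} <= roles:
            findings.append((uid, "holds both admin roles"))
        # Step 1: default accounts need a changed password or deletion.
        if row["is_default"] == "yes" and row["password_changed"] != "yes":
            findings.append((uid, "default account with unchanged password"))
        # Steps 2 and 5: one account per person or application.
        if len(owners) > 1:
            findings.append((uid, "shared by " + ", ".join(owners)))
    # Step 1: at least two administrators of each kind.
    for role, n in counts.items():
        if n < min_admins:
            findings.append(("*", f"only {n} {role} account(s)"))
    return sorted(findings)

if __name__ == "__main__":
    for uid, finding in audit_accounts(SAMPLE):
        print(f"{uid}: {finding}")
```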
Chapter 9. Security
