Data at rest
In a security context, data at rest refers to data in storage devices, such as data in VSAM or Db2®. You must consider how to protect the integrity and confidentiality of this data.
For information about other situations in which data must be protected, see How it works: Confidentiality and integrity in CICS.
Although data sets that CICS® uses must be protected from unauthorized access, this protection extends beyond just the CICS region user IDs that handle the data. For example, a system programmer might need access to the data sets for backup and other functions.
To protect this data from unauthorized viewing, data sets can be encrypted. Keys are defined, and the CICS region user IDs are given access to those keys, so that the data can be read and updated by CICS but not by anyone else. This control holds even if someone obtains a copy of the encrypted data set: without access to the key, the copy is unreadable.
CICS supports this capability for all VSAM and VSAM RLS data sets, for the QSAM data sets used as TD queues, and for the BSAM data sets used for sequential devices. BDAM data sets are not supported.
Only data sets that contain sensitive information need to be encrypted. Planning for data set encryption provides information about the recommended CICS data sets to encrypt.
For more information about data set encryption, see Data Set Encryption in z/OS® DFSMS Using Data Sets.
The keys for data set encryption are stored securely in ICSF and are referenced by a key label. The key label itself is not a secret and provides no protection on its own. Protection comes from allowing only authorized users, such as the region user ID, to use that key label to decrypt the data. For more information, see Managing Cryptographic Keys Using the Key Generator Utility Program in z/OS Cryptographic Services ICSF Administrator's Guide.
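The following job is an added illustration, not part of the CICS documentation, of how the key-label access model above is expressed in RACF and IDCAMS. It assumes the key has already been generated in the ICSF CKDS under the label CICS.FILEA.KEY (for example with KGUP), and that CICSRGN1, SYSPROG1, CICSTS.FILEA, the EXTFMT data class and ACCT are placeholders.

```jcl
//DSENCRYP JOB (ACCT),'DATA SET ENCRYPTION',CLASS=A,MSGCLASS=X
//* Added illustration. Placeholders: CICSRGN1 (CICS region user ID),
//* SYSPROG1 (system programmer), CICS.FILEA.KEY (ICSF key label),
//* CICSTS.FILEA (VSAM data set), EXTFMT (extended-format data class).
//*
//* Step 1: protect the key label in the CSFKEYS class. UACC(NONE)
//*         means nobody, including SYSPROG1, can use the key unless
//*         explicitly permitted. Only the region user ID is permitted,
//*         and only for DFSMS data set encryption, so the key cannot
//*         be called through ICSF APIs for other purposes.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE CSFKEYS CICS.FILEA.KEY UACC(NONE) +
     ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
  PERMIT CICS.FILEA.KEY CLASS(CSFKEYS) ID(CICSRGN1) ACCESS(READ) +
     WHEN(CRITERIA(SMS(DSENCRYPTION)))
  SETROPTS RACLIST(CSFKEYS) REFRESH
/*
//* Step 2: define the VSAM data set as an encrypted extended-format
//*         data set by naming the key label at DEFINE time. SYSPROG1
//*         can still be given READ access to the data set itself for
//*         backup (DFSMSdss copies the ciphertext), but sees only
//*         encrypted records because it holds no CSFKEYS access.
//DEFINE   EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  DEFINE CLUSTER (NAME(CICSTS.FILEA) -
     KEYLABEL(CICS.FILEA.KEY) -
     INDEXED KEYS(6 1) RECORDSIZE(80 80) -
     CYLINDERS(1 1) DATACLASS(EXTFMT))
/*
```

After the job runs, a quick check is to browse CICSTS.FILEA from a user ID without CSFKEYS access and confirm the open fails or the records are unreadable, while the CICS region opens the file normally.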