Data set protection

The data in a Db2 subsystem is contained in data sets. The data sets can be accessed without going through Db2. To protect your data, you need to control all access routes by using different access control methods and mechanisms. For example, you can determine who can use offline utilities by assigning appropriate access.

RACF for data set protection

If you want to use RACF® for data set protection outside of the Db2 subsystem, define RACF profiles for data sets and permit access to the data sets for certain Db2 IDs. For more information, see Protecting data sets through RACF.

Data encryption

You have the following encryption options for protecting sensitive data:

z/OS® DFSMS data set encryption. For more information, see Encrypting your data with z/OS DFSMS data set encryption.
IBM® System Storage DS8000® support for data encryption with the IBM Full Disk Encryption drives
IBM System Storage TS1130 encryption solution
Secure Socket Layer (SSL) protocol through the z/OS Communications Server IP Application Transparent Transport Layer (AT-TLS) service
IBM Encryption Facility for z/OS
Advanced Encryption Standard (AES) for encrypting user IDs and passwords over network connections
Db2 edit procedures or field procedures, which can use the Integrated Cryptographic Service Facility (ICSF)
IBM InfoSphere® Guardium® Data Encryption for Db2 and IMS Databases
Encryption tools and facilities that used outside of Db2

You can consider compressing your data sets before encrypting the data. Data compression is not a substitute for encryption. In some cases, the compression method does not actually shorten the data. In those cases, the data is left uncompressed and readable. If you encrypt and compress your data, compress it first. After you obtain the maximum compression, encrypt the result. When you retrieve your data, first decrypt the data. After the data is decrypted, decompress the result.