Hi Rick,
I agree with the premise "Good tight security DEMANDS both technical and
managerial participation."
I don't know any of the major software vendors that would be willing to
supply source code for OCO parts including SVC's, and if they did, of
what use would it be? Auditing and understanding the authorized parts of
large OEM products would quickly become a career, perhaps even an
adventure ... "You are in a maze of twisty little passages, all alike"
:-) Escrow agreements are one thing; forking over the family jewels for
inspection by persons unknown at a customer site is another. As an
aside, escrow for authorized vendor tools of any size is IMHO a waste of
time, since the escrowed code doesn't come with a fully staffed
development lab, tools, build and test environment; it is just a tourist
postcard, not worth much in the real world. Most vendor code today
requires only an APF library and dynamic install mechanisms, perhaps
PC routine(s), to provide entry into the vendor's authorized services.
Private SVC's are not much of a consideration and SVC's can be installed
dynamically (and are) without your explicit permission or configuration.
ISVs' dynamic hooking practices have been the subject of discussion here
before. The good news is that generally the folks providing these parts
are old and capable hands. The bad news is this is not always true and
some irresponsible choices have been made by some vendors in order to
ship new function or save development costs which would be incurred to
implement infrastructure properly.
The bottom line is that you place as much trust in any vendor as in IBM
once you install their products in an APF library.
It is hard enough to properly secure z/OS and harder still with just a
limited set of IBM core components. It takes a small miracle to hold
the line on security and integrity after throwing in a hundred vendor
products which run APF. The tome "Close Look at MVS Systems:
Mechanisms, Performance and Security" by Ronald Paans suggested that it
was not possible to fully secure an MVS system with OEM monitor tools
and development tools installed on it. It may be possible but I venture
to say it is not accomplished completely by many who think they have
accomplished it.
Best Regards,
Sam Knutson, GEICO
Performance and Availability Management
(office) 301.986.3574
Clarke's First Law: When a distinguished but elderly scientist states
that something is possible, he is almost certainly right. When he states
that something is impossible, he is very probably wrong.
-----Original Message-----
----------------------------<unsnip>---------------------------------
At my last position, we had a policy of requiring a statement of
security from outside vendors. They had to certify that their authorized
software was not going to look in places other than defined by the
software's purpose AND would not cause any system outages, directly or
indirectly, AND would not create a situation such that security might be
breached. And we were VERY TOUCHY about it. And the only persons allowed
to update authorized libraries were a select few of the Systems
Programming staff. Private SVC's had to be supplied to us in SOURCE form
so we could check for "back doors", etc. These policies were derived by
a team of management, legal and Systems Programming staff members. And
NO VENDOR was allowed to install ANYTHING on our systems; they could
oversee while our staff did the work, so we were constantly "in the
loop" and knew what libraries were created and/or modified. We found
that serious vendors were more than cooperative, even (ugh) CA. Some did
require confidentiality agreements, but our legal department found them
acceptable.
Good tight security DEMANDS both technical and managerial participation.
Period.
Rick