On Thu, 31 Jan 2008 10:28:35 -0800, Ron Hawkins <[EMAIL PROTECTED]> wrote:>Thanks for correcting me. I am a MF bigot, but I am also a realist. Do you >know if z/OS with RACF is the only server/software combination that has >these certification?
[snip] >My real point is that z/OS is not necessarily streets ahead in security >anymore. To use this as an argument to maintain the mainframe may backfire >when Solaris, AIX or HP-UX leapfrog z/OS, which I'm sure they do on >occasions. Security is just one dimension of an operating system, so it should never be used as the sole reason for keeping any operating system, including z/OS. Good security is necessary, but never sufficient. The certifications allow you to establish a level of ... confidence ... in the security functionality of the product. If Solaris AND z/OS have EAL 4+ with CAPP and LSPP, then within the functional confines of CAPP and LSPP the two have very similar functionality: - discretionary access controls (RACF PERMIT) - that can be overriddent by mandatory access controls (MLS) - audit trails - documented designs and test case evidence - a secure development environment - a way to fix it in the field if needed Of course, the way you do those things is different in each operating system, but the functionality and the processes that created it are assured by an overseeing government agency to be present. So don't get hung up on trying to justify z/OS (or z/VM or Linux) based on Common Criteria. Instead, consider whether the Goodness and Light that come from such a certification should be part of the security requirements for the products you purchase from ANY of your vendors. It can help to eliminate an entire area of discussion and speed up purchase decisions. For comparison, LPARs are rated at EAL 5 (the scale is 1 to 7). Up to EAL 4, the government signatories to the Common Criteria will accept each others' certifications. At EAL 5, they don't - the certificaiton must be earned in each country separately, a significant financial commitment. Alan Altmark Common Criteria Architect for z/VM IBM ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
