David Cole wrote:
My issue is mainframe security and what seems to me to be a rather
complacent and unfounded attitude that MVS security is bulletproof. It
is not bulletproof for the reasons that I discussed in my prior post.
<snip>
We prefer the phrase "bullet resistant." ;-) (Sorry, I couldn't resist.)
Several years ago, I visited a state-run data center in the USA's
tornado belt. They had searched high and low for a building design that
was "tornado proof" but nobody would certify that. They had to settle
for a building that was "missile proof." The "missile" in this case was
a utility pole hitting end-on at 200mph. I have no idea whether a
tornado ever hit that building, but I do know there are few other
buildings I would rather be inside. (Well, Cheyenne Mountain would
probably be OK, if you call that a building. ;-)
What we said in the z/OS R9 GA announcement was:
"Specifically, z/OS "System Integrity" is defined as the inability of
any program not authorized by a mechanism under the installation's
control to circumvent or disable store or fetch protection, access a
resource protected by the z/OS Security Server (RACF®), or obtain
control in an authorized state; that is, in supervisor state, with a
protection key less than 8, or Authorized Program Facility (APF)
authorized. In the event that an IBM System Integrity problem is
reported, IBM will always take action to resolve it."
Tornado proof? Probably not. Good enough? Up to you, but who else
offers more than that? (I do know of some other vendors whose code runs
on z/OS who have made similar statements.)
To me, it seems that this statement does not address authorized code or
authorized users for the same reason the manufacturers' warranties on
new cars do not include the consequences of driver error or abuse.
But, what do I know? I'm not exactly a security expert.
--
John Eells
z/OS Technical Marketing
IBM Poughkeepsie
[email protected]
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
