It may be worth looking at the Common Criteria certifications for z/OS and/or 
PR/SM.

>From memory, the certifications for LPAR security separation required that 
>distinct LPARs in distinct security zones used separate devices. This included 
>(and hence outlawed) the sharing of DASD devices (such as entire DS8xxx) and 
>the sharing of Channel paths. 

The Certification Reports and the Security Targets are available here,
https://www.commoncriteriaportal.org/products/ 

The most current ones I could see were for z/OS 2.4 and for the IBM z15.
There is also one for z/VM 7.2.

I stress that I have not read these latest reports and I am working on 
knowledge of earlier versions of z/OS and PR/SM.

Lennie Dymoke-Bradshaw
https://rsclweb.com 
‘Dance like no one is watching. Encrypt like everyone is.’


-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Laurence Chiu
Sent: 15 June 2022 03:07
To: [email protected]
Subject: Risks of sharing FICON adapters between LPARs on the same host

We had an interesting question raised recently in my workplace by our security 
team.

They said, if you have multiple LPARs on a Z box and you share FICON adapters 
going to the same DS8K, is there any data leak issue that could occur? That is, 
could LPAR1 inadvertently see traffic to the SAN that is defined for LPAR2 but 
sharing the same FICON adapter? Maybe somebody mixed up the IODF or something 
like that?

I thought not and said, isn't that how VMware and Hyper-V work? The hypervisors 
share out FC cards etc. to the various VMs and it doesn't seem to be an issue, 
and z/OS (or is it PR/SM) is likely to be a much hardier OS security-wise.

Anyway I would get the view of the experts on the forum.

Thanks

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
[email protected] with the message: INFO IBM-MAIN
