I have been generally watching the topic on having your tape and DASD external
unit authorizations under outside control and have at least 2 cents to add to
the conversation.

1. Do you really log in to your peripherals that much for it to be an issue?
   Is this a case of 'We have LDAP, everything must use it'?
2. What is wrong with a small self contained local authentication method? No
   one will stumble across YOU while they are hacking your corporate LDAP or AD.
3. Security Begins At Home. What happens when your disk system needs a
   quick adjustment or command to Save your z/OS (or even LDAP or Linux) IPL and
   Recovery?
   Not staying local can lead you to the equivalent of 'locking the keys to your
   piggy bank INSIDE your piggy bank' -- ALSO don't save the only copy of the
   master FDE encryption key inside the disks protected by FDE encryption (piggy
   bank model 2).

If my key system is in a small, self contained, and properly backed up system,
I feel better than if I have to go to other organizations and other
platforms and other networks to support the basic functions of the device.

I was recently forced to move my SKLM key servers from hardware under my
control to Virtual Machines that they Promise will be available. I did bring
up the point that one screwup that is now out of my control will DESTROY the
ability to open the DS8K data arrays.
I was so happy to find that SKLM functionality became an internal feature on
USB sticks, BUT the hardware they purchased still does it the old way.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
