Radoslaw Skorupka writes:
>1. I see essential difference between mobile phone and mainframe server.

So do I. The mainframe contains more and more sensitive information, and
provides more and more critical services, to more users. Consequently the
mainframe is in *more* urgent need of timely security updates than the
smartphone, ceteris paribus.

I am acutely concerned about so-called "Zero Day" vulnerabilities across
all system types.

>2. I know some horror stories related to the iphone updates - maybe you
>don't believe, but sometimes things go wrong...

Yes, and that's why z/OS system programmers ought to have the most rapid,
streamlined access to security (and integrity) updates to test them and to
place them into production as quickly as possible no matter what testing
policies and practices are in force. If you review what I wrote, I
recommend having at least one *non-production* z/OS LPAR (or z/VM z/OS
guest) able to retrieve updates from IBM (and from other vendors, as
applicable).

>3. Some updates require restart, DYNACT, reIPL or other outage. While it
>is not a problem for majority of iphones I would bet it is problem for
>most mainframes.

An excellent reason to have at least a basic Sysplex supporting at least
critical business services, to reduce or eliminate the impact of an
individual LPAR's inevitable planned outages. Planned (and unplanned)
outages are a problem for all iPhones. They don't have Sysplex.
Occasionally, e.g. iOS 8.0.1, an update has been known to "brick" an
iPhone.

>4. Some of us would like to know what, when and why is installed.

Yes, and presumably you'd like to know that *as soon as possible* in your
installation, not wait for a time-consuming (if nothing else) side trip
through physical postal/courier distribution and/or a (potentially
malware-infested) PC. Again, if you read what I wrote, I did not recommend
automatic updates. (Automatic versus manual updates are a user-selectable
option on iPhones.)

>5. Installation of security patches does not require direct Internet
>connectivity.

Right, and iPhone owners can download iOS updates to media, transfer the
media to another (potentially malware-infested) machine, connect their
iPhone via iTunes to that other machine, and then update their iPhone. They
could do that, and some do. The "only problem" is that that particular
elongated path unavoidably increases the time to deployment of important
security and integrity updates.

In my personal view, to reduce security and integrity risks let's start
with not elongating the path to deployment.

>6. Most (I guess so) mainframes have no direct connection to Internet,
>but usually it is NOT decision of mainframe administrator. They usually
>work for corporations and have to respect corporate rules, including
>those "less-wise" ones. Sometimes it's simply easier to circumvent such
>problem.

I did not necessarily recommend a "direct connection" to the Internet.
Let's not overinterpret what I wrote. I outlined the (incredibly highly
restrictive) connection type required for non-production z/OS instances to
pull updates from IBM.

Maybe it's time for a new, better informed, intelligent conversation about
year 2015 (and onward) business risks?

I should also point out that my comments have nothing particularly to do
with *initial* distribution of z/OS and associated software nor
*necessarily* about release/version updates (versus security and integrity
updates, in particular). Obviously one has to start with something
physical. I would vote for DVD, as it happens, subject to periodic review
as physical media types and capabilities evolve. Though I'd point out that
even permanently write-protected USB flash is not as durable as
factory-made DVDs, and media durability is useful here. I also like the
idea of built-in system bootstrap.

My views are my own, as always.

--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: [email protected]
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
