[Default] On 3 Jun 2019 09:41:54 -0700, in bit.listserv.ibm-main sme...@gmu.edu (Seymour J Metz) wrote:
>This whole thread has consistently confused several very different issues: I agree and have questions in each of the areas. > > 1. How secure is z/OS itself? I recall reading that Multics was more secure than the concurrent MVS was at the time and wonder if that would have been a better base going forward. Does the design of z/OS and the tools for implementation make it more difficult to create and maintain a secure system? How secure are VM and TPF relative to z/OS? Does anyone have a feel for how secure and securable the Unisys and any other mainframe operating systems are relative to z/OS? > > 2. How secure is 3rd party software? 30 years ago people were complain about some of the holes in CA software. While much has changed and I assume those holes were plugged long ago, the question remains as to how we evaluate 3rd party software that by its nature has to have system hooks and run APF authorized and / or key zero (system monitors, tape management systems, etc.)? Could and should changes to z/OS be made that would allow some of this software run unauthorized and key 8? How much vulnerability do we introduce by having such things as monitors, report management systems, etc? How much security and vulnerability is at the application level where it is the application that has to determine whether access is authorized (online banking anyone)? > > 3. How secure is the typical shop running z/OS? Given the need to consider security at not only the operating system level but also the application level and the number of things that have to be controlled, I suspect that most organizations are less secure than they think they are. The problem starts with keeping the authorities that people have current as they change roles in an organization and leave that organization. Are the test system as secure as the production systems? Have all of the people involved including operators, people doing report distribution, application developers and maintainers etc. been properly vetted? How do we monitor to make sure people haveen't been compromised? The list goes on. Clark Morris ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN