On Thursday, 12/02/2010 at 09:32 EST, Richard Troth <[email protected]> wrote:
> RXSSL comes to mind. As it happens, a couple of us were discussing RXSSL
> off-list within the past day. Seems that it may need some attention to get it
> working with the new VM SSL.
As I'm sure you have discovered, the challenges with SSL are many:
- Certificate updates without taking applications out of service
- Allowing different applications to use the same certificate
- Protecting a server certificate's private key
- Tying user certificates to VM user IDs so that people can be identified
and two-factor authentication enabled
- Keeping user certificate private keys away from the users (think about
it)
- Implementation of a flexible policy for the validation of incoming
certificates
- Keeping up with advancements in the protocol and the introduction of new
encryption suites
- Required industry and government certifications such as FIPS
I would have thought that everyone's IT host & network security
departments would be turning the screws on unencrypted and unauthenticated
transmission to/from VM of any sensitive data and/or passwords. ("You
mean you let MAINT's password flow in clear-text over the company's
network?!?") And that you all, in turn, would be squeezing IBM for a
supported, manageable solution.
It's kind of scary, actually. My biggest fear is that folks are trying to
fly under the radar in the hopes of not being discovered and are taking
too many undocumented or ill-understood risks.
But perhaps I am too paranoid. Maybe these are all just trivial transmissions
of today's cafeteria lunch menu and cannot be used by some disgruntled or
creative employee to discredit, steal, corrupt, or destroy your fave
virtualization platform or the data it holds.
There are large corporations who are finally starting to look at z/VM
management policies (incl. security) to ensure that they are mitigating
the risks inherent in any virtualization strategy. It's easy to say,
"We'll deal with that later." Tick, tock, tick, tock.....
Alan Altmark
z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
[email protected]
IBM Endicott
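Two of the challenges in the list above, a flexible validation policy for incoming certificates and tying user certificates to VM user IDs, are concrete enough to show in code. The following is an added example written for this page; it is not code from the post, from RXSSL, or from the VM SSL server. It is Go rather than REXX because the Go standard library can mint a throwaway PKI and verify chains offline, so the whole thing runs without any files or network. Everything in it is constructed: the CA names, the subjects alice and mallory, the certPolicy type, the verifyAndMap, issue and demo functions, and the CN-to-user-ID table are all hypothetical. The policy demonstrated is: verify the chain against our own trust anchors with the clientAuth key usage, then refuse any certificate whose subject is not explicitly bound to a VM user ID, so that a trusted issuer alone cannot grant access, and a certificate with the right name from the wrong issuer is rejected as well.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certPolicy is a hypothetical validation policy for incoming client certificates:
// the trust anchors we accept plus the table binding a subject CN to a VM user ID.
// A chain that verifies but has no binding is still rejected.
type certPolicy struct {
	roots   *x509.CertPool
	userMap map[string]string // subject CN -> VM user ID
}

// verifyAndMap applies the policy to the chain a client presented (leaf
// first) and returns the VM user ID it is bound to. In a Go TLS server it
// would sit behind tls.Config.VerifyPeerCertificate with ClientAuth set to
// tls.RequireAnyClientCert, so the policy, not the library default, decides.
func (p *certPolicy) verifyAndMap(rawCerts [][]byte) (string, error) {
	if len(rawCerts) == 0 {
		return "", fmt.Errorf("policy: no client certificate presented")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return "", fmt.Errorf("policy: unparsable leaf: %w", err)
	}
	// Chain building, validity window and the clientAuth EKU are checked here;
	// intermediates, if any, would be parsed into opts.Intermediates.
	opts := x509.VerifyOptions{Roots: p.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("policy: chain rejected: %w", err)
	}
	uid, ok := p.userMap[leaf.Subject.CommonName]
	if !ok {
		return "", fmt.Errorf("policy: subject %q has no VM user ID binding", leaf.Subject.CommonName)
	}
	return uid, nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints an ECDSA P-256 certificate for cn, self-signed when parent is
// nil and otherwise signed by parent. Used only to build the constructed PKI.
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // adequate for a throwaway PKI
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// demo builds a constructed PKI (one trusted CA, one rogue CA) and runs the policy
// over three presented certificates. Each result is the accepted VM user ID or "rejected: <reason>".
func demo() map[string]string {
	ca, caKey := issue("Constructed Corp CA", true, nil, nil, nil)
	rogue, rogueKey := issue("Rogue CA", true, nil, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	p := &certPolicy{roots: roots, userMap: map[string]string{"alice": "ALICE"}}
	clientEKU := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	check := func(cn string, issuer *x509.Certificate, key *ecdsa.PrivateKey) string {
		cert, _ := issue(cn, false, clientEKU, issuer, key)
		uid, err := p.verifyAndMap([][]byte{cert.Raw})
		if err != nil {
			return "rejected: " + err.Error()
		}
		return uid
	}
	return map[string]string{
		"alice":      check("alice", ca, caKey),       // bound to ALICE: accepted
		"mallory":    check("mallory", ca, caKey),     // valid chain, no binding: rejected
		"fake-alice": check("alice", rogue, rogueKey), // right name, untrusted issuer: rejected
	}
}
```

The point of the separate binding table is that certificate issuance and VM authorization stay two different decisions: revoking a user is an entry removed from the table, with no CRL distribution needed, and a compromised or over-permissive issuer still cannot name a user ID it was never bound to. A real deployment would also add revocation checking and an intermediate chain, and would key the table on something more stable than the CN, such as a SAN or the certificate's public key.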