Yes - CMS is the operating system used to run 'z/VM applications' -- if that's what you mean. At one time - every IBMer had a z/VM CMS guest -- it's how they got their email (PROFS/OfficeVision), submitted expenses, claimed time, etc. Those apps have mostly moved off z/VM - but some still exist, mostly as back ends. CMS guests would link to minidisks containing the application code and data -- would send files (punch/reader) back and forth, etc.
But that doesn't have much to do with readable passwords - including minidisk passwords - which can be used by a guest to gain access to another guest's minidisk if they are used and known, regardless of the OS they are running. Same with allowing any guest access to a network path (our vswitch conversation). To 'just keep those systems isolated' - an ESM is the only way you can avoid violating most modern security requirements to be considered 'isolated'. Do you control access or don't you? Do you do it with open text passwords or don't you? You have to think about all the layers -- not just your guest OS.

Scott Rohling

On Fri, Dec 10, 2010 at 7:15 AM, Tom Huegel <[email protected]> wrote:

> Does anyone run applications in z/VM? Isn't the 'protected data' owned by
> some other OS (z/OS, z/VSE, zLINUX)? It seems that the high level security
> effort belongs in those OS's. z/VM just needs to keep those systems isolated
> and NOT be able to circumvent their security procedures.
>
> On Fri, Dec 10, 2010 at 2:46 AM, Les Koehler <[email protected]> wrote:
>
>> Back in the old days, I recall a finance type person saying something
>> like: The Gold Standard is that it should take collusion between two or more
>> people to defraud the company.
>>
>> If we apply that to IT, then shouldn't pswds for privileged userids that
>> can access/change financial data be long enough that TWO sysprogs can each
>> be given half a pswd so they both have to be present to make a change?
>>
>> Les
>>
>> Alan Altmark wrote:
>>
>>> On Thursday, 12/09/2010 at 12:01 EST, Tom Huegel <[email protected]>
>>> wrote:
>>>
>>>> Does it really matter? SOX is just another way congress has come up with
>>>> to destroy the American economy, and in fact the American way of life.
>>>
>>> When you read the law, you find that SOX is "simply" a way to hold
>>> executives responsible for the financial statements issued by their
>>> companies. Assuming no ill intent (no comments, please!), that means
>>> trustworthy data. That flows downhill, as all such things must, until we
>>> start talking about access controls and audit mechanisms for financial data.
>>> That is, knowing who has the means and the opportunity to access the data,
>>> and knowing who has actually done so. (I leave it to others to talk about
>>> motive.) Who, what, where, when.
>>>
>>> Unfortunately, IT security industry consultants have mangled this
>>> laudable concept into a paranoia-inducing behemoth that has people screaming
>>> in terror as it rampages across the country, flogging every sysadmin in its
>>> path. Why? Because financial status is inferred from many other data
>>> sources and no one wants to spend the time it takes to follow all the data
>>> flows. Result: Secure Everything.
>>>
>>> With HIPAA and PCI running alongside, the "Secure Everything" policy
>>> looks even more reasonable to CEOs, CIOs, CFOs, and their lawyers.
>>>
>>> Alan Altmark
>>>
>>> z/VM and Linux on System z Consultant
>>> IBM System Lab Services and Training
>>> ibm.com/systems/services/labservices office: 607.429.3323
>>> [email protected]
>>> IBM Endicott
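Scott's point about readable passwords in the CP directory, as an added example that is not part of this thread and not anyone's production tooling: a small Python audit that scans an exported copy of USER DIRECT for USER logon passwords and MDISK read/write/multi passwords, and flags the values that grant access with no password at all. The sample directory entries, userids, passwords and volsers are constructed assumptions.

```python
# Added example: audit an exported z/VM CP source directory (USER DIRECT) for the
# clear-text logon and minidisk passwords that an ESM such as RACF would replace.
from dataclasses import dataclass, field
from typing import Dict, List

LINK_MODES = {"R", "RR", "W", "WR", "M", "MR", "MW"}   # link modes after the volser
NOT_A_PASSWORD = {"NOLOG", "AUTOONLY", "LBYONLY"}      # USER pw field with no logon pw
# ALL / NOPASS need no password at all; READ/WRITE/MULTIPLE are IBM sample-directory values.
WEAK_VALUES = {"ALL", "NOPASS", "READ", "WRITE", "MULTIPLE", "MULT"}

@dataclass
class Finding:
    owner: str          # userid whose directory entry holds the password
    kind: str           # "logon" or "mdisk"
    vdev: str = ""      # minidisk address for "mdisk" findings
    values: Dict[str, str] = field(default_factory=dict)  # role -> password value

    @property
    def weak(self) -> bool:
        return any(v in WEAK_VALUES for v in self.values.values())

def audit_directory(text: str) -> List[Finding]:
    owner, findings = "?", []
    for raw in text.splitlines():
        line = raw[:72].strip()                # statements live in columns 1-72
        if not line or line.startswith("*"):   # skip blank and comment lines
            continue
        tok = line.upper().split()
        if tok[0] in ("USER", "IDENTITY") and len(tok) > 2:
            owner = tok[1]
            if tok[2] not in NOT_A_PASSWORD:   # a real password, or NOPASS
                findings.append(Finding(owner, "logon", values={"logon": tok[2]}))
        elif tok[0] == "MDISK":
            # First link mode after the device type ends the extent; later tokens are passwords
            at = next((i for i, t in enumerate(tok) if i >= 3 and t in LINK_MODES), None)
            if at is not None and len(tok) > at + 1:
                pw = dict(zip(("read", "write", "multi"), tok[at + 1:]))
                findings.append(Finding(owner, "mdisk", tok[1], pw))
    return findings

SAMPLE_DIRECT = """\
* Constructed sample entries, not taken from any real system
USER MAINT WD5JU8QP 128M 1000M BG
 MDISK 191 3390 3650 050 MNTVOL MR READ WRITE MULTIPLE
USER APPSRV NOPASS 256M 512M G
 MDISK 0191 3390 0101 0050 VMLX01 MR ALL
USER BATCH NOLOG 64M 64M G
 MDISK 0200 FB-512 0 1000 FBVOL1 WR R3ADPW
"""
```

Run `audit_directory(open("USER.DIRECT").read())` against an exported copy; every Finding is a clear-text credential, and `Finding.weak` marks the ones (ALL, NOPASS, sample-directory values) that need attention first.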
