On Tuesday, 04/05/2011 at 06:44 EDT, Karl Huf <k...@ntrs.com> wrote:
> Are there good reasons or am I making mountains where there are no
> molehills?

When two disjoint entities have access to the same resources, there are mountains that must be scaled. As others have noted, giving Entity One access to the resources managed by Entity Two is a decision that you need to *explicitly* make. Would you do it on other platforms? Is there a policy? Do you need an approved waiver? A.k.a. "Get Out of Jail Free card."

I ran across a problem when z/OS had access to z/VM dasd, and a *tape* volser matched one of the z/VM *dasd* volsers. The tape mount on z/OS failed. I was using the approved dasd naming convention - the Keepers of the Convention had overlooked this issue. The MVS folks said, "Just relabel all your disk volumes." I scoffed in their general direction and told them to take VM dasd offline to MVS. But at some point the issue has to be resolved because z/OS will be taking dasd backups of the z/VM system, which is why it is shared.

Now, on to Hollywood. Wednesday nights at 9pm on the CBC (Chuckie Broadcasting System).

This episode of "CSI: IT" opens with a VM systems programmer sitting in a jail cell. We can tell he's a sysprog, btw, because the guards keep rolling shiny balls in front of the cell, stopping the sysprog in his tracks. (A bit of opening inside-joke humor while the intro credits roll by.)

As we watch, we find that:

1. An MVS application is running, containing financial and personal information of millions of people. Priceless. (exciting, huh?)

2. A call from a throwaway cell phone (natch, don't bother checking) comes into the CEO's office demanding $500M for the "return" of the above data we now realize has been stolen. The voice is unfamiliar, but we recognize an MVS accent. I think it's the way the caller said "dataset" as all one word. [Obviously the story writer had been in the biz at some point.]

3. There is a mad scramble to study the MVS SMF records. Nothing is found. Squeaky clean.

4. The Class A IT Forensics team (night shift) is called in. [IT forensics are best done at night, in the dark with the world's smallest flashlight.]

5. They discover shared dasd. Management says, "Is that a problem, Inspector?"

(go to commercial for some new IT Security Software)

6. We "learn" that VM access to the dasd is not mediated by MVS security controls (duh)

7. We "discover" that the jailed sysprog had unlimited power on VM (yawn ... duh x 2)

(wow...20 more minutes to solve the crime!)

8. Everyone involved gets an attorney and stops talking. (De rigueur for all police dramas)

9. CSIs establish Means and Opportunity of the hapless sysprog.

10. They lean on the sysprog's gum-chewing ex-girlfriend and find that the sysprog DID make some drunken statement at a party about the way Management treated him on his last appraisal. They learn from another ex-girlfriend that the sysprog spent 15 years working on MVS. They learn from his mother that "he was always a quiet boy; just played his video games."

11. Raising suspicions further, the sysprog did NOT advise Management of the risks of such a configuration.

(go to commercial for platform-specific backup/restore software)

And now you're caught up. You'll have to watch the rest of the episode to find out what happens next.

<spoiler alert> It's not what you think.... </spoiler alert>

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott