On Jan 28, 2008, at 9:58 AM, Rob Wunderlich wrote:
On Sat, 26 Jan 2008 12:12:51 -0600, Ed Gould
<[EMAIL PROTECTED]> wrote:
That Windows data cannot be adequately secured is a canard. I'm not
disputing that RACF (and mainframe architecture) has some unique strengths,
but organizations do securely maintain and operate data on Windows and *nix
servers.
Hmmmm... well now we know how secure the links are just wonder
how the 37 *MILLION* credit card numbers that got stolen... let me see
do I hear windows and unix were involved.... Hmmm..
It's *ACCESSING* MF data for all they know you could be updating it or
reading information that you (the user) are *NOT* supposed to
access ... oh let's say SSN#, payroll information, account balances or
accounts rec/pay the list goes on and on and on. There is *NO* record
of the user accessing the data and no check to be able to see if the
user is even allowed.
Windows security allows for fine grained permissions and full auditing.
Administered by who some person that says just a moment and reboots
the system and not provide specifics as to why it crashed.. or just
unplug a server and the entire network goes down and you at best get
an "oops"
Just because it comes from an "IP" address
doesn't mean squat and besides PCs are kept in open areas where
anyone can just walk up to it.
Don't confuse the desktop PC with the server. The desktop is a terminal, just
like your 3270 session. The data and the access control is kept on a server. I
would assume all organizations keep servers physically secured, as they do
the mainframe.
Can I count the number of IP SPOOFERS out there .. 5 no 10 no 20 ...
now who are you going to call Billy G?
If there is no sign on then there is
no validation of what the user can do.
I'm sure all enterprise installations use signon.
MF security (I won't use the four letters you don't want to talk
about ) is a *KNOWN* quantity and auditors trust it, this PC you are
talking about has essentially zero security (not quite but close to).
If you can get the OK from an auditor I sure wouldn't want to have my
business (or personnel) records anywhere near the company.
Our Windows based server security is validated (and approved) by the
auditors using the same criteria as mainframe data -- demonstration of who
has access, audit trails, control of software and procedures etc.
Sorry to disappoint you this may be the case in a few shops but in
all. I don't think so. I have experienced an auditor trying to do his
job and he is thwarted at every turn. The prima donnas of the PC
world would be thrown out on their ears if there ever was a complete
audit of a server and on top of that they would point the finger at
the auditor telling them they don't know anything let alone what
their server is doing.
The PC "gurus" have no idea what to do if you hand them a system dump
and are asked what went wrong. The most they *MIGHT* do is to install
the last OS. They do not really have a clue what goes on inside one
of their precious servers. Given a MF sysprogrammer they can
(usually) tell you exactly what went wrong and why. Please note that some
dumps are extremely complicated and it might take a week or so but
usually a specific fix that is not on is the cure of the outage or
some fix would have stopped the problem from reoccurring. Can your
Windows (or UNIX) people do that? The standard answer is to reboot.
The list goes on and on. I am too tired to continue. Anyone?
Ed
-Rob Wunderlich
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html