On Tue, Jul 21, 2009 at 9:07 AM, Shane <ibm-m...@tpg.com.au> wrote:
> On Tue, 2009-07-21 at 09:55 -0400, John Eells wrote:
>
> > "Specifically, z/OS "System Integrity" is defined as the inability of
> > any program not authorized by a mechanism under the installation's
> > control ...
>
> This is the bit I have trouble with.
> Just about every product demands an auth'd library for install. Given
> that the product has been purchased and is presumably required, how's
> that "under the installation's control" ?.
>
> As Dave says, this blows the whole idea of security to hell (sorry Dave,
> my emphasis ... ;-)

It is under the installation's control because the installation chooses what resources to secure and how to secure them. Security and integrity depend on the whole chain of control. Break one link and you lose control altogether, which is why some of us bang on endlessly about software integrity.

What's amazing to me is that as near as I have been able to tell, barely anyone (neither vendors, nor customers) actually gives a damn about the software integrity part - which is by far the most important part - assuming of course that the installation doesn't allow the unwashed masses to update system datasets or APF libraries.

All of the hand-wringing that goes on over vendor use of authorized libraries is just so much uninformed hot air, PROVIDED that the installation maintains the security of those libraries. A product having an authorized library is literally no big deal, and with z/OS design as it stands today there just isn't any other way to get most things done. It has been this way since the flood and it is highly unlikely it will ever change.

There is of course a presumption that the product itself does not violate integrity, which is unfortunately rarely a valid assumption. But again, nobody actually seems to give a damn, so we continue to live in glass houses. Kinda funny really.

--
This email might be from the artist formerly known as CC
(or not) You be the judge.