Vernooij, Kees - KLM , ITOPT1 wrote:
Of course, a logical measure. Taking a laptop out of the building, doing something 
with it and taking it back in again is just as 'safe' as bringing in a USB stick 
you found on the street. Both should be fully blocked.
<snip>

I don't agree that both are equally insecure. Downloads from at least IBM's servers (and probably those used by any number of other software vendors as well) use SSL. Thus, you at least "know," via the certificate-based chain of trust, that you are downloading things from an IBM server. You can also use firewall software and make the "hole" in your firewall specific to an IP address, to provide further assurance that it's an IBM server to which you are connected. Perfect? No. But likely more secure than USB.

Why? There is an architectural vulnerability in USB, and malware exploits are not detectable using AV software. I know that a number of clients ban the use of any USB-attached device outright for this reason. I'm told some even fill the USB ports with glue to assure compliance.

The larger issue, though, is the continued availability of acceptable external attachment hardware. By "acceptable" I mean to both clients and software vendors. We are withdrawing tape because few people use it any more, not because of cost alone, or because "IBM doesn't care" (and, to be frank, I rankle at that last suggestion).

We have no plans to support USB for z/OS platform software, and I would not support such a plan. Currently, I plan for us to support DVD for as long as it's viable; but, we foresee that optical drives will likely become unavailable for new builds on workstations (including laptops) in the next 5-10 years. This is not because of IBM, but because (surprise!) fewer people want to order them these days. While we have no current plans, I expect that when the DVD orders eventually drop low enough, we will withdraw that support too.

If we are all lucky, someone will create something new that lacks the vulnerability of USB, has the near-universality that optical drives once enjoyed, has a far-off obsolescence horizon, and allows us to continue to use something we can put in an envelope or a box and send clients.

--
John Eells
z/OS Platform Installation Strategy Owner
IBM Poughkeepsie
ee...@us.ibm.com

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
