Multics... MVS and CA products 30 years ago...
I strongly believe that prehistory is not good argument for discussion
about contemporary systems.
--
Radoslaw Skorupka
Lodz, Poland
W dniu 2019-06-03 o 20:28, Clark Morris pisze:
[Default] On 3 Jun 2019 09:41:54 -0700, in bit.listserv.ibm-main
sme...@gmu.edu (Seymour J Metz) wrote:
This whole thread has consistently confused several very different issues:
I agree and have questions in each of the areas.
1. How secure is z/OS itself?
I recall reading that Multics was more secure than the concurrent MVS
was at the time and wonder if that would have been a better base going
forward. Does the design of z/OS and the tools for implementation
make it more difficult to create and maintain a secure system? How
secure are VM and TPF relative to z/OS? Does anyone have a feel for
how secure and securable the Unisys and any other mainframe operating
systems are relative to z/OS?
2. How secure is 3rd party software?
30 years ago people were complain about some of the holes in CA
software. While much has changed and I assume those holes were
plugged long ago, the question remains as to how we evaluate 3rd party
software that by its nature has to have system hooks and run APF
authorized and / or key zero (system monitors, tape management
systems, etc.)? Could and should changes to z/OS be made that would
allow some of this software run unauthorized and key 8? How much
vulnerability do we introduce by having such things as monitors,
report management systems, etc? How much security and vulnerability
is at the application level where it is the application that has to
determine whether access is authorized (online banking anyone)?
3. How secure is the typical shop running z/OS?
Given the need to consider security at not only the operating system
level but also the application level and the number of things that
have to be controlled, I suspect that most organizations are less
secure than they think they are. The problem starts with keeping the
authorities that people have current as they change roles in an
organization and leave that organization. Are the test system as
secure as the production systems? Have all of the people involved
including operators, people doing report distribution, application
developers and maintainers etc. been properly vetted? How do we
monitor to make sure people haveen't been compromised? The list goes
on.
Clark Morris
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
.
======================================================================
Jeśli nie jesteś adresatem tej wiadomości:
- powiadom nas o tym w mailu zwrotnym (dziękujemy!),
- usuń trwale tę wiadomość (i wszystkie kopie, które wydrukowałeś lub zapisałeś
na dysku).
Wiadomość ta może zawierać chronione prawem informacje, które może wykorzystać
tylko adresat.Przypominamy, że każdy, kto rozpowszechnia (kopiuje, rozprowadza)
tę wiadomość lub podejmuje podobne działania, narusza prawo i może podlegać
karze.
mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950
Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. Sąd Rejonowy dla m. st.
Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, KRS 0000025237,
NIP: 526-021-50-88. Kapitał zakładowy (opłacony w całości) według stanu na
01.01.2018 r. wynosi 169.248.488 złotych.
If you are not the addressee of this message:
- let us know by replying to this e-mail (thank you!),
- delete this message permanently (including all the copies which you have
printed out or saved).
This message may contain legally protected information, which may be used
exclusively by the addressee.Please be reminded that anyone who disseminates
(copies, distributes) this message or takes any similar action, violates the
law and may be penalised.
mBank S.A. with its registered office in Warsaw, ul. Senatorska 18, 00-950
Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. District Court for the Capital
City of Warsaw, 12th Commercial Division of the National Court Register, KRS
0000025237, NIP: 526-021-50-88. Fully paid-up share capital amounting to PLN
169,248,488 as at 1 January 2018.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
