On Tuesday, 12/09/2008 at 08:23 EST, Rob van der Heij <[EMAIL PROTECTED]> 
wrote:

> But when you carve out the volume on your modern DASD subsystem, the
> volume will look like there is no residual data on it that would be
> read from it with normal channel programs?  A second hand DS8000 you
> purchased on eBay?  I expect that when a DASD subsystem is installed
> it will be initialized well enough for you. Equally when a new bank of
> drives is installed.

When the drive first emerges from its cocoon, feel free to skip the 
data-clearing format (except for the label, of course).  Subsequently, 
when the drive is re-tasked, whether as a complete volume or when 
assigning minidisks on it, you SHOULD have a procedure in place to assure 
that the data container is empty before it is assigned to a new owner.

> Knowing that Linux will want to format it anyway, I would even skip
> the step where DIRMAINT does a CMS FORMAT for it.

I'm a security weasel and I don't trust you to format the volume 
without looking at it first.  It's the same reason that it is Best 
Practice to have FEATURES ENABLE CLEAR_TDISK in SYSTEM CONFIG.

> Whose residual data are you protecting?  Your z/OS colleagues? Would
> their best practice not be to wipe out their sensitive data before
> they give up volumes (pure theory, z/OS rarely gives up volumes unless
> it's an ancient model :-)  Your other Linux guest? (in that case your
> best practice would be to run ICKDSF also before it is given to the
> next guy).

What if it previously contained another Linux filesystem?  Or USER DIRECT 
(w/o ESM)?  Customer data?  Financial data from z/OS?

Obviously formatting once is sufficient.  The security standard is to 
clear an object immediately before use unless the object has been under 
your sole control since you last cleared it.  ("Did you pack your 
own luggage?  Has it been in your possession at all times?")

But if the volume has been out of the control of whoever has 
responsibility for allocating DASD to guests, then it is incumbent upon that 
person to perform the format or otherwise reasonably ascertain that the 
volume is empty.

> Sorry, I think we're getting again into ancient rituals from the days
> where you could see a gigabyte drive through the hallway and it would
> barely fit through the door. Shall we just say that this layer of
> storage has been sufficiently virtualized that you need proper
> procedures on the hypervisor level and give up traditions that you had
> when data was stored on the bare (rusty) metal.

You're suggesting that the RISK of data exposure is sufficiently low that 
it does not justify a data-clearing operation.  I'm suggesting that the 
COST of data exposure is sufficiently high to justify the FORMAT operation 
BEFORE you give the disk away.  Feel free to do that from your own Linux 
guest so that the disk is already formatted before you give it to someone 
else.

IF you are the person who allocates disk storage AND you are the person 
who prepares the Linux guest for use, THEN you can skip the extra format 
as the data never leaves your possession.  Not all shops work that way, 
however, and they must take extra precautions.

Just because it is an ancient ritual doesn't mean it's a bad idea, as long 
as you understand WHY you're doing it.  And even if you don't understand 
it, you may choose to do it anyway.  It's called "faith" and, when in 
doubt, you can turn to it, even if it is just a dumb old format like Grandpa 
used to do.

Alan Altmark
z/VM Development
IBM Endicott
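
The "reasonably ascertain that the volume is empty" step from the message above, followed by a zero-fill and re-check, as an added shell example that is not part of the original thread. It assumes the volume is visible to a Linux guest as a raw block device (a disk image stands in for one offline); the function names are invented for this example.

```shell
#!/bin/sh
# Check a DASD device (or a disk image standing in for one) for residual
# data before it is assigned, and zero-fill it before it leaves your hands.
# Example only: "volume_is_clear" and "clear_volume" are names chosen here,
# not z/VM or Linux commands.
set -u

# Print the number of nonzero bytes in $1.  The whole object is read:
# sampling a few tracks would miss a small residual file.
residual_bytes() {
    echo $(( $(tr -d '\000' < "$1" | wc -c) ))
}

# Succeed only if $1 contains nothing but zeros.
volume_is_clear() {
    [ "$(residual_bytes "$1")" -eq 0 ]
}

# Zero-fill $1, then prove it worked by re-reading it.
# For a real device, dd runs until the device is full (ENOSPC ends it);
# for a disk image, pass the image size in bytes as $2 (a multiple of
# 4096, the Linux DASD block size).
clear_volume() {
    if [ $# -ge 2 ]; then
        dd if=/dev/zero of="$1" bs=4096 count=$(( $2 / 4096 )) 2>/dev/null
    else
        dd if=/dev/zero of="$1" bs=4096 2>/dev/null
    fi
    sync
    volume_is_clear "$1"
}

# Stand-alone demonstration on a constructed 8 KiB image that still holds
# a record left behind by a previous owner.
if [ "${1:-}" = "--demo" ]; then
    img=$(mktemp)
    dd if=/dev/zero of="$img" bs=4096 count=2 2>/dev/null
    printf 'ACCT 1234 BALANCE 99' | dd of="$img" bs=1 seek=5000 conv=notrunc 2>/dev/null
    printf 'residual bytes before clearing: %s\n' "$(residual_bytes "$img")"
    if volume_is_clear "$img"; then echo "volume is clear"; else echo "REFUSE: residual data present"; fi
    clear_volume "$img" 8192 && echo "cleared and verified"
    rm -f "$img"
fi
```

Run with `--demo` to see the refusal on the constructed image and the successful re-check after clearing; on a real volume, call `volume_is_clear /dev/dasdX` before handing it out and `clear_volume /dev/dasdX` before giving it back.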
