From a secure infrastructure view
You can do everything right and have it go wrong.
You can do everything wrong and never have an issue.
Going forward, how do we make everything secure enough so a user writing down a 
password on a screen Post-it note doesn't matter?  I believe we have 
biometrics, but my experience shows problems with the cost, integrating it and 
managing it, beyond a small number of people. Then all the exceptions, both 
physical and ideological.

"You can't put a chip in me."

"Okay.  Here wear this RFID badge around your neck.  Always have it on, or 
else."

"Or else what?"

"Bad employee, bad employee."

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Seymour J Metz
Sent: Monday, June 03, 2019 1:37 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Just how secure are mainframes? | Trevor Eddolls

Certainly Multics was well hardened, and definitely more secure than 
contemporaneous MVS. I don't know how it compares to MVS in 2019. Multics would 
have been a better base going forward, but the S/360 architecture didn't have 
all of the facilities that would have been needed to port Multics.

By the installation I don't mean just the software written or installed by the 
installation, but also the policies and enforcement. If key personnel are allowed 
to write down passwords and leave them at their desks, don't expect to be 
invulnerable no matter how good the OS is.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
Clark Morris <cfmt...@uniserve.com>
Sent: Monday, June 3, 2019 2:28 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Just how secure are mainframes? | Trevor Eddolls

On 3 Jun 2019 09:41:54 -0700, in bit.listserv.ibm-main sme...@gmu.edu 
(Seymour J Metz) wrote:

>This whole thread has consistently confused several very different issues:

I agree and have questions in each of the areas.
>
> 1. How secure is z/OS itself?

I recall reading that Multics was more secure than the concurrent MVS was at 
the time and wonder if that would have been a better base going forward.  Does 
the design of z/OS and the tools for implementation make it more difficult to 
create and maintain a secure system?  How secure are VM and TPF relative to 
z/OS? Does anyone have a feel for how secure and securable the Unisys and any 
other mainframe operating systems are relative to z/OS?
>
> 2. How secure is 3rd party software?

30 years ago people were complaining about some of the holes in CA software.  
While much has changed and I assume those holes were plugged long ago, the 
question remains as to how we evaluate 3rd party software that by its nature 
has to have system hooks and run APF authorized and / or key zero (system 
monitors, tape management systems, etc.)?  Could and should changes to z/OS be 
made that would allow some of this software to run unauthorized and key 8? How 
much vulnerability do we introduce by having such things as monitors, report 
management systems, etc.?  How much security and vulnerability is at the 
application level where it is the application that has to determine whether 
access is authorized (online banking anyone)?
>
> 3. How secure is the typical shop running z/OS?

Given the need to consider security at not only the operating system level but 
also the application level and the number of things that have to be controlled, 
I suspect that most organizations are less secure than they think they are.  
The problem starts with keeping the authorities that people have current as 
they change roles in an organization and leave that organization.  Are the test 
systems as secure as the production systems?  Have all of the people involved, 
including operators, people doing report distribution, application developers 
and maintainers, etc., been properly vetted?  How do we monitor to make sure 
people haven't been compromised?  The list goes on.

Clark Morris

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
