Printable View
Hello all -
Have people run into a lot, if any questions on security about Mainframes and OS/390? Our organization has them, but when I question anyone on the security of those devices I am met the response of RACF. Being naturally suspicious, I am wondering if anyone works with security still for mainframes? I question it because while mainframe technology is out "there", it doesn't pop up much on the radar for security and I don't think it's discussed here.
Thoughts?
TIA
I worked with System 370, I'm guessing we are talking basically the same OS - it's been a few years..... They were never directly connected to the outside..... As I remember the rights and permissions of the connected terminal were pretty robust mainly because the cost of the mainframe were so high. I spent many hours talking to System Analysts etc. convincing them that my company's product was simple, wouldn't touch anything but the JES spool and redirect the output appropriately and would be totally managed at the lowest possible rights of anyone to the JES spool.
I don't know about OS/System 390 but I can't believe that it is any less secure or any more directly connected......
KuiXing-2005,
You might want to check here...
IBM announces new security technology on the mainframe with z/OS 1.5
http://www-1.ibm.com/servers/eserver/zseries/zos/
IBM: z/OS operating system
Or here...
This product is a port of our existing Security Toolkit for Java to the IBM ® OS/390 ® mainframe environment.
http://www.entrust.com/authority/java/faqs_os390.htm
Entrust Authority Security Toolkit for Java: OS/390 Edition Frequently Asked Questions
I have done some security assessments against zOS using RACF, as long as RACF has been implemented properly its damn good. What specific questions do you have? just the general security overall?
I've worked with OS/390 in the banking industry as it is the backend to alot of the ATM/EFTPOS applications that don't get seen.
The bank I worked for had RACF implemented beautifully, the system was tight as a drum so to speak.
The permissions were set from our HQ and operators from all around the country with the lowest access level were able to get in and monitor all the relevant process's with ease.
We never had a breach in the 3 years that I worked on it, so although this isn't definitive I think its a good start.
Hope this adds a little to the discussion.
Cheers,
DOHC
There is a lot of MF security admin out there. I am one, for exampleQuote:
Have people run into a lot, if any questions on security about Mainframes and OS/390? Our organization has them, but when I question anyone on the security of those devices I am met the response of RACF. Being naturally suspicious, I am wondering if anyone works with security still for mainframes? I question it because while mainframe technology is out "there", it doesn't pop up much on the radar for security and I don't think it's discussed here.
Thoughts?
TIA [/B]
why we didnt see news and/or discussion about mainframe security?
because:
a) Most of MF security admins are SO especialist that cant use anything else but Mainframes. :)
so You wont to see those guys around here often
b) MF security use to be discussed on closed forums. Just among MF guys. You cant see MF discussions about networking or databases either. Its a priviledge forum :)
MF security is a Myth. Mainframes are secure just as another platform, depending on basically of Admins Skills and Care. And a Mainframe can be unsecure just as my Dad' Windows 98 installation. In fact, A LOT of mainframe installations (i use to work as a consultant/auditor on that) ARE weak.
Why the mainframes spread this sensation of "security"? because instead of "distributed platforms" where (a lot of) security admins has near no training and just jump on market as
"windows security admin", after a MS course. On Mainframe area, it takes YEARS to be recognized as a "senior guy" and more YEARS to be a "security guy". And a lot, lot, lot of trainning.
Mainframes (im taking just about IBM) O.S.es doesnt have a security software built-in, as other O.S. IBM built it as an "open interface", to allow anyone build their own security subsystem. Nowadays, there is three tools on market:
RACF (IBM)
ACF2 (CA)
TOP-SECRET (CA)
MF OS is also very well developed and its very rare to find a "security flaw" on them. Yeap, IBM took more than 30 years to do that. Also is very rare (i saw very few times in 25 years working with them) to crash. z/OS (successor of MVS) has more than 70% of its code of recovery routines :). On some subsystems you can see 10,15 nested levels of recovery code on a single failure.
Altough you cant see us, we can see you.
Just security in general - as I stay on over time, more people will learn I'm an IT Auditor - so I may have a plethora of questions over time - some may be like this - a solid technology that maybe not too many people have experience with - or the one-off technologies. For this discussion, I am curious about general security overall - simply to help broaden my mainframe experience - which at this point is nill and I want to make sure I ask at least somewhat intelligible questions when I interview our auditees. :cool:Quote:
I have done some security assessments against zOS using RACF, as long as RACF has been implemented properly its damn good. What specific questions do you have? just the general security overall?
That's ok - I don't want to be privileged - it complicates things for me. I will just ask my questions and see if any MF experts wish to chime in - like you! No - seriously - I haven't run into many MF people - so finding a couple out here is great! :DQuote:
a) Most of MF security admins are SO especialist that cant use anything else but Mainframes. b) MF security use to be discussed on closed forums. Just among MF guys. You cant see MF discussions about networking or databases either. Its a priviledge forum
Thanks for all the great information so far - it's helping me out!