Enterprises using IBM’s premier Operating System (OS) for S/390 mainframes, z/OS, may have a false sense of confidence regarding the vulnerability of corporate assets. The protection offered by widely used security products can often be circumvented as a result of loopholes in other add-on software. Many such systems are frequently not nearly as resistant to security penetration as corporate management has been led to believe. New inspection, certification, and verification techniques must be implemented before MVS-based systems can be safely used for e-commerce and as a secure repository.
The nature of computer security concerns has changed significantly over the last several decades. From the mid-’70s until the mid-’80s, there was a significant focus on mainframe security-related issues. The major MVS-based security products — IBM’s RACF and Computer Associates’ ACF2 and TOP SECRET — were introduced during this period and eventually almost all MVS systems used one of these or a similar product for centralized protection of mainframe resources. As telecommunications usage increased, concerns over electronic wiretapping or eavesdropping were addressed by cryptography-based solutions. Then, along came personal computers, and for many years the focus of so-called hackers has been in the areas of viruses, worms, Trojan horses, etc.
With the advent of IBM’s WebSphere and other Web-based front-ends for legacy applications, the vulnerability of the traditional glass houses’ assets has significantly increased. Most recent concerns have focused on the increasing use of the Internet, the need for firewalls, and secure methods of transacting business.
More recently, there seems to be increasing concern regarding areas many of us may consider too futuristic to be taken seriously. Seminar discussions or research papers on topics, such as electronic economic espionage or the interests of organized crime in computer-related theft, may sound appropriate for scholarly research or speculation by criminologists, but of little concern for everyday corporate computing.
If you think these topics are far-fetched, you’ll undoubtedly be inclined to rank the topic of electronic warfare as totally science fiction. However, it appears that several high-profile organizations (primarily government and military, but far from exclusively these) are seriously considering such possibilities. In early September 2001, the Twelfth International Information Warfare Conference was held in Washington, DC. The conference title was “Techniques and Strategies for Securing Shared Infrastructures.” The introduction to the conference overview stated: “With cyber-attacks, technical sabotage, and international acts of terrorism on the rise, mission-critical infrastructures have never been more vulnerable.”
In retrospect, this was an eerie prediction for a conference held the week prior to the events of 9/11. If you examine the conference agenda, the list of session topics and speakers should help convince you that several agencies and corporations are treating the subject as more than a purely academic exercise. In spite of impressive (and sometimes scary) titles for several sessions, it appeared that none addressed the subject of attacks against mainframes or network servers by insiders.
Does everyone just assume that these systems are secure? Or, is the assumption that they’re not interesting to those who may pose a threat? Maybe the lack of interest is because those concerned think some other security-oriented organizations or agencies are addressing this area. Pinning your security expectations on any of these assumptions may be risky.
You may be inclined to think that the title of this article is a gross exaggeration, but the extent to which the term “virtual” overstates the security risk is largely a function of how vanilla your MVS system is. You’re probably pretty safe, though not guaranteed 100 percent secure, if:
- Your own trusted systems programming staff installed an IBM-supplied MVS integrated package (such as CBPDO or ServerPac)
- No other outside system or application software products have been installed
- No modifications or enhancements have been made.
Unfortunately, you can’t do anything productive or risky with such a system. Otherwise, the degree of safety or risk is a function of the particular software (yours or others) you’ve added to the base-level system. Some products provide no added security risks at all; others contain varying degrees of risks, some of which could give your auditors and security officers nightmares.
Evaluating MVS Security