Security

When thinking of System z, availability, scalability, reliability, and security come to mind. At the core of these strengths is system integrity. As the 40th anniversary of System z approaches, it’s fitting to examine some of the exciting enhancements and security improvements made over the years.

As System z has evolved, IBM’s commitment to system integrity has also advanced in two major ways to meet customer needs. 

First, processes have been adjusted to account for new technologies and evolving internal guidelines. We constantly see new types of threats, both internal and external to the enterprise. Internal threats are growing at customer sites as potentially disgruntled employees join the ranks of malicious employees. Across the world, terrorist threats continue to mount in the IT area and beyond, where many are enduring a difficult economy. In response, IBM has continued to adjust its processes to the times, allowing customers to be vigilant in how they maintain their systems with regard to system integrity and security. Changes in System z’s architecture and system integrity processes have addressed many threats. This process has evolved into a rigorous combination of automation, testing, and manual observation. 

Second, IBM continuously listens to customers about their needs; the company has implemented many improvements to the customer notification process. The process started years ago as letters were sent via mail to individuals at customer locations. Customers now receive an email when a new security or system integrity patch is available. They can then use the IBM Security Portal to obtain the information necessary to keep their systems up-to-date. Customers can also now get Common Vulnerability Scoring System (CVSS) data for each new fix.

Without system integrity, security could be defeated, scalability would be tenuous, availability could be temporary, and reliability could be a house of cards. Ensuring the security and system integrity of an enterprise requires a watchful eye across all operating system environments. This includes being vigilant about applying relevant security and system integrity Authorized Program Analysis Reports (APARs) for z/OS and z/VM. Maintenance of all operating systems deployed on System z should be part of an enterprise security policy. The z/VSE environment is no different. More information regarding the latest process and availability of security and system integrity for System z and general maintenance information is available at www.ibm.com/systems/z/advantages/security/integrity.html.

A Heritage of System Integrity

In the early ’70s, the need for computer security was recognized and increasingly became a required quality of service. Access to data and the ability to process it correctly are paramount. A new focus on privacy laws as they pertained to computers and other electronic processing equipment introduced the requirement for individual privacy.

System integrity has continued to evolve over the last 40 years. The birth of system integrity came in 1973 with the announcement of MVS. Former IBMer, W.S. McPhee, articulated in a whitepaper on system integrity in 1974 what he called “a major step in the direction of increased operating system security capability.” He introduced a definition of system integrity that remains fundamentally unchanged to this day. The only minor shift in the definition was to change from general password protection to a more overarching definition to contain the broader resource access control available in RACF, which would emerge later.

As time marched on, the platform continued to evolve. The ’80s introduced cross-memory services in ways that didn’t compromise address space boundaries. In the ’90s, IBM introduced parallel sysplex, which was built in a way that ensured system integrity wasn’t undermined. The move to 31-bit addressing in the ’80s and then 64-bit addressing in the 2000s brought additional challenges. The 2000s ushered in System z, continuing the legacy of system integrity that began with MVS in the ’70s, MVS/XA in the ’80s, and OS/390 in the ’90s. It now continues with z/OS.

As the System z platform evolved, new facilities were added and were appropriately restricted, using techniques such as limiting access to authorized programs, using System Authorization Facility (SAF), checking for restricting access to authorized users, and other technologies to guard the mediation of system resources. This ensures that fundamental principles, such as System z address space isolation, aren’t broken.

Besides the rigorous internal processes in place to discover and investigate potential security concerns internally, it’s possible that an external entity might uncover a system integrity vulnerability. Regardless of how easy or hard it is to exploit a system integrity vulnerability, IBM will accept APARs and fix vulnerabilities. Once accepted, further evaluation will occur, but it’s unlikely IBM will ever leave a known system integrity exposure uncorrected.

2 Pages