|
Pat, I think that everything you wrote was true. You effectively described the way things ought to be. The point that I am trying to make is that the original poster (Jose) gave us a pretty good indication of the way things actually are. You and I are in general agreement about the BEST way to secure a system. But within the context of the original question, I think that a discussion of implementing resource security is almost completely beside the point. To lead us off, Jose asked: "One of our VPs wants us to give users client access but our concern is the access they will have to the entire database. Has anyone come across a situation where they have end-users needing file transfer capability from client access yet needed to protect the rest of the live data. If so how did you handle limiting their access. We don't use Object level security." So yes we both agree that the BEST security possible would begin with a detailed Resource Security scheme but Jose's shop, like many other shops are not using it. If the only answer we can give Jose is "Go fix your security problem caused (most likely) by years of somebody else's bad software implementation", it just isn't going to happen. If Jose goes back to the VP and says, "OK, we'll install Client Access, but first we have to get a platoon of security consultants in here for 8 months to straiten out our security.", the VP is going to start believing .net ads and push for an MS solution. At the end of the day we both know that they'll be less secure, but they may not every figure that out - or at least not until it is too late. So encourage them to put exit programs in. It's a good first step. It's easy, it's fast, and it immediately raises the bar on security. The customer begins to get security aware at the same time they limit access to certain functions on the iSeries. It's the low hanging fruit that they can make real progress on. Now they have a little bit of breathing room with which to actually address security problems. And through this whole process, and even after it (theoretically) is done, the exit programs will always be there to protect access. I like our jobs Pat. You and I can build software and make proclamations about what we think is the correct way(s) to secure a system. When it comes to security I know that I am sometimes guilty of proposing perfect solutions for a perfect world. But Jose and his compadres are stuck in the day-to-day world of real security problems that are often have inherited from someone else. If they can get the organization moving towards security at a steady pace, they've done their organizations a real service. If security is going to get fixed out there, it is going to be done by system administrators, and it's going to be done incrementally. That's going to take some time and a whole lot of education. JMHO, jte -- John Earl | Chief Technology Officer The PowerTech Group Seattle, WA 98032 (253) 872-7788 x 302 john.earl@powertechgroup.com www.powertech.com > John...while I might quibble with some of your points, I agree resource > access control and the management of it is hard to do (on any machine...). > Vendors get it screwed up on all machines. I used to see it all the time > during my 12 years of UNIX system adminstration and applications > support/development. > > But you missed my point...I didn't argue that resource access control was > easy. I said it was required. > > My point was that if you don't have resource access control correct, > adding > an exit point product doesn't fix the problem either. Neither did I say > exit point programs were irrelevant. > > The way to control who can get to your mission critical data starts with > resource access control. It is a necessary condition. It is arguable > whether it is sufficient or not. But you must satisfy this condition, or > you don't have reliable access control. IBM has preached that for years; > even when green screen was dominant. > > Lets say I was a prison warden, and I installed a vendor product to open > and shut doors. Then I found out it didn't work unless it left the doors > unlocked. Is it just the vendor's fault? Or am I at least partly to blame > for installing something that affected security but I didn't know it? > > By the way, I still think it is easier to get resource access control > right > on OS/400 than on other platforms. And IBMis working on some of things you > complained about which we actually control. > > Patrick Botz > > > > _______________________________________________ > This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing > list > To post a message email: MIDRANGE-L@midrange.com > To subscribe, unsubscribe, or change list options, > visit: http://lists.midrange.com/mailman/listinfo.cgi/midrange-l > or email: MIDRANGE-L-request@midrange.com > Before posting, please take a moment to review the archives > at http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
