I suspect that everyone who is in information security has, at one time or another heard questions like this: Is it perfectly safe to <insert activity>? It doesn't really matter what activity is. It could be use online banking, creating a web site, skydiving, or posting on Facebook. There's only one correct answer: No, it's not.
Surprising? It shouldn't be. I'd have the same answer to driving, walking, bicycling, taking a cooking class, reading a blog entry, or pretty much any other activity. Everything has risks. Practicing "good security" means understanding and managing those risks. It's an art as much as it is a science.
Consider the wise words of renowned security expert Eugene Spafford. To paraphrase something that he said years ago, the only system which is truly secure is one which is switched off, unplugged, locked in a titanium safe, buried in a lead-lined concrete vault at the bottom of the sea, and surrounded by highly paid armed guards. And even then, he wouldn't bet on it.
So, it's impossible to be "completely safe" (whatever that might mean). It is much easier to approach "completely unsafe". However, for most of us, it makes no sense to be there. :-) Security is the art of picking where you want to be on the "safe" vs. "unsafe" continuum. That's where the art comes in. One first has to understand the risks and the rewards for taking those risks as well as the cost of the counter measures which mitigate the risk.
The good news is that many times, the cost of the counter measure is dwarfed by the risk that it avoids. It's often better than what the "Pareto Principle" predicts: Sometimes you can get more than 80 percent of the benefit with far less than 20 percent of the work. The key is to find those activities. Fortunately, in security, there are many opportunities to get the "80 for the 20."
One of these opportunities is the "IBM Security Portal for z". Maintaining your system is a partnership among you and your hardware and software vendors. They should be doing their part by finding and fixing flaws and you need to be doing your part by implementing those fixes and following recommended "best practices". The IBM Security Portal for System z allows a management-designated representative of your organization to access information critical for the secure operation of your System z environment. Check out http://www.ibm.com/systems/z/advantages/security/integrity_sub.html to find out more.
Mark Nelson, CISSP®, CSSLP® is a Senior Software Engineer with IBM's z/OS® Security Server Design and Development Team in Poughkeepsie NY, where he has spent the past 26 years working on RACF®. Mark's focus with RACF has been on auditing and data analysis (IRRDBU00, IRRADU00, RACFICE), RACF's Health Checks, RACF/DB2, and RACF's support for digital certificates.
Mark is an active speaker on RACF, having spoken to user groups and IBM field representatives on four continents, and has received several SHARE "Best Session" awards, four "Top Gun/Best Session" awards from the Vanguard Enterprise Security Expo, and was the 1999 recipient of the Vanguard "Chairman's Award". Mark is a co-author of the book "Mainframe Security for Security Experts: A Introduction to RACF", has helped write several Redbooks, and has published articles in NaSPA's Technical Support, z/Journal, and IBM's Hot Topics. Mark is the director of the Mid-Hudson Valley IBM Club Chorus and a private pilot.
No comments:
Post a Comment