Hot Topics - Messmer The Brain House
DFSMSdss. This enables tapes to be encrypted that might be shared with business partners or get stored within a vault for disaster recovery purposes. Should these tapes inadvertently get into the wrong hands, it will be extremely difficult, if not impossible, to access the information on them. These utilities have Java counterparts for other systems to ensure a cross-platform approach for securely sharing this removable media. Moreover, these offerings meet the requirements of several new privacy laws that state consumers would not have to be informed of the loss of encrypted media.
The network protections, authentication services and tape encryption utilities are all examples of stepping up to addressing security exposures that are beyond the walls of the glass house. Are they enough? No, there are still other areas to consider.
Virtualization and integration<br />
Open standards have allowed applications and data to be easily moved from one platform to another. While this has provided tremendous flexibility in choice of deployment and development effort, it also has increased security management domains and complexity. But have you considered that where you deploy a new application can dramatically change the operational characteristics?
In the distributed world, most applications and middleware reside in server images that are independent of the database servers that they access. These can be deployed in two basic ways: separate servers that are connected by a network or separate server images hosted as virtual images on the same hardware box. There are important distinctions between these two implementations. The virtual images may share a virtual LAN (VLAN) or HiperSocket network connection which is implemented within the hardware of the box. That means no external connection points, which reduces security intrusion points and points of failure, end to end. A virtual server hypervisor, such as z/VM® or a PR/SM LPAR on zSeries®, can enable some operations and security setup changes to further reduce the complexity of the environment.
Additional integration is available on z/OS: hosting the application server and database server in the same operating system environment. This could be considered the Interstate Highway or Autobahn model of integration versus the local road or parkway styles identified above. In addition to the virtualization
savings listed above, a single user authentication and access control flow can be utilized compared to one for each platform. This saves time, processing capacity and registration and audit control points.
Business continuity and recovery is easier through Parallel Sysplex® technology. zSeries architecture, such as storage protection keys and process isolation, enables a greater level of business process integration with a level of integrity not available on alternative architectures. Besides inhibiting one application from inadvertently affecting the operations of another application, multiple middleware servers, such as CICS®, WebSphere® Application Server, IMS and DB2® Stored Procedures, can be run simultaneously, which again simplifies business process integration, security, business resilience and workload management of an enterprise.
Putting security all together<br />
So how can you put this into production in your business? There are a number of options:
1. Eliminate those tortured data flows. You won’t eliminate them all, but any reduction should reduce the risk of inadvertent disclosure, as well as the cost of managing regulatory compliance.
2. Integration, either through virtualization or co-location of applications and database servers, can further reduce operational risk.
3. Consider end-to-end costs, from a variety of perspectives, such as floor space, risk management, business continuity versus the same costs for individual piece parts. In many cases, the incremental addition of a new function to an existing server can be less expensive than the addition of a server dedicated to the new function.
4. And the last area to consider is collaboration across operations and application deployment teams. Working together towards the elimination of stove pipes or islands of computing may be the most difficult problem to solve, as it probably has a more organizational focus than technological. However, opening up communications and operations across organizations might be the most effective way to improve on meeting business goals versus server-centric goals.
Regardless of how many servers are deployed, there will always be multiple administration points of control. The above examples help to demonstrate that it’s not just security technology, such as RACF and network technologies, that influences the security of a business operation. It is also the levels of integration available through virtualization hypervisors, data sharing, middleware integration and hardware systems architecture, such as in the zSeries servers, that can dramatically influence the overall operational risk of an environment.
You can move full speed ahead toward securing your business. Let’s hope your next headline focuses on positive business growth and not on data losses!
February 2006 z/OS HOT TOPICS Newsletter, Issue 14 5