HP OpenVMS Guide to System Security > Chapter 1 Understanding System Security

Building a Secure System Environment

  Table of Contents

  Glossary

  Index

There are two sources of security problems outside the operating system domain: employee carelessness and facility vulnerability. If you have a careless or malicious employee or your facility is insecure, none of the security measures discussed in this guide will protect you from security breaches.

Most system penetration occurs through these environmental weaknesses. It is much easier to physically remove a small reel of tape than it is to break access protection codes or change file protection.

HP strongly encourages you to stress environmental considerations as well as operating system protection when reviewing site security.

This book discusses operating system security measures. When deciding which of these measures to implement, it is important for you to assess site security needs realistically. While instituting adequate security for your site is essential, instituting more security than actually necessary is costly and time-consuming.

When deciding which security measures to apply to your system, remember the following:

  • The most secure system is also the most difficult to use.

  • Increasing security can increase costs in terms of slower access to data, slower machine operations, and slower system performance.

  • More security measures require more personnel time.

The operating system provides the basic mechanisms to control access to the system and its data. It also provides monitoring tools to ensure that access is restricted to authorized users. However, many computer crimes are committed by authorized users with no violation of the operating system's security controls.

Therefore, the security of your operation depends on how you apply these security features and how you control your employees and your site. By first building appropriate supervisory controls into your application and designing your application with the goal of minimizing opportunities for abuse, you can then implement operating system and site security features and produce a less vulnerable environment. For an example of one organization's security plan, see Chapter 6 “Managing the System and Its Data”.

If you require your system to meet the United States government rating of a C2 secure operating system, please refer to Appendix C “Running an OpenVMS System in a C2 Environment” in this manual.

If you need a higher level of computer security for your OpenVMS secure system, HP offers SEVMS, which is the security enhanced version of OpenVMS that provides mandatory access controls to enforce a systemwide security policy.

SEVMS is a U.S. Department of Defense B1-rated secure operating system.