When people in the DevOps world hear the word “containers,” most of the time they imagine the lightweight, standalone, executable Docker binaries that have become commonplace in today’s cloud infrastructure. It might come as a surprise, however, that the world of mainframe computing not only supports traditional Docker containers, but also expands the concepts of isolation and safety into another type of containerization technology called IBM Secure Service Container. For companies running Linux on an IBM Z, Secure Service Container brings a new dimension of security to mainframe computing.
Mainframe computing already offers a lot of power that is difficult to match in a commodity x86 environment. For example, the IBM z14 mainframe can store up to 32TB of memory. It has a 10-core z14 CPU that can run at speeds up to 5.2 GHz, which is considerably faster than the ~4 GHz of a 4-core Intel i9 processor. With this power, the mainframe can perform 30 billion RESTful transactions a day running Node.js and MongoDB in standard Docker containers. Mix in the versatility and code reuse that running Linux on a mainframe provides, and you get a level of computing power that’s hard to ignore.
In terms of application development, putting Linux on a mainframe allows applications written in popular languages such as Java, Python or Node.js to run on an IBM Z system just as they would in a data center full of x86 machines. And the total cost of ownership of a mainframe can be surprisingly competitive when compared to a commodity system.
Despite these benefits, Linux on a mainframe faces many of the same security challenges that other platforms have, both in terms of hardware and software intrusion. The difference is that IBM Z is more secure out of the box and offers a number of additional technologies to address these challenges—100 percent application data encryption, isolated workloads for multi-tenant environments, full lifecycle encryption key management with encrypted keys and tamper-responding cryptographic hardware. But many times, safety boils down to the security acumen of the system administrator and the overall security discipline instilled within an organization. Some organizations have excellent security practices. Others are challenged. Regardless of the degree of competency, it is difficult to lock up a box in a bulletproof manner. This is where Secure Service Container technology comes into play.
Working with Secure Service Container
Secure Service Container combines hardware virtualization, applications and data into a secure, encrypted “container” (partition). The encryption keys are protected in the Secure Service Container partition. Should a key become compromised or attempts are made to tamper with the keys, the Secure Service Container will invalidate the key and the encrypted contents will become inaccessible.
Once the Secure Service Container is deployed (via the physically secure hardware and firmware), everything inside it is fully encrypted. The boot sector becomes tamper-proof and memory access is disabled. Access to the system via SSH is also removed. As a result, hardware and operating system SysAdmins have no direct way to tamper with the environment beyond RESTful interfaces for communication and management.
Using SSH to administer a system leaves a lot of opportunity for catastrophe: While Linux allows you to limit access to commands according to group and user permissions, just one unsecured executable mistakenly installed in the environment can cause a mishap.
On the other hand, the only way to access a Secure Service Container-enabled environment is via a set of APIs. Each piece of administrative functionality associated with the Secure Service Container API is represented as an endpoint with an access method. Thus, the advantage of secure access via an API is that work is done over a common interface on a task-by-task basis. A distinct security policy can be applied to each endpoint and associated access method. This is a very fine-grained security model.
Using an “API only” approach for access means that for all intents and purposes, the system is completely locked down. Even root users and SysAdmins are denied access that is not granted according to the security policy on the given endpoint. Thus, “Snowden-type” attacks are prevented.
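As an added illustration of the per-endpoint, per-method policy model the two paragraphs above describe (this is example code, not IBM's Secure Service Container API; the endpoints, roles and principals are constructed), a deny-by-default authorizer in which a caller named "root" gets no special treatment and a policy linter catches entries that would recreate an all-powerful login:

```python
# Added illustration of the "API only" access model described above: each
# (method, endpoint) pair has its own allow-list, anything unlisted is denied,
# and no principal bypasses policy.  Endpoints, roles and principals are
# constructed; this is not IBM's Secure Service Container API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    principal: str
    roles: frozenset
    method: str    # access method, e.g. "GET" or "POST"
    endpoint: str  # API endpoint path

# Constructed sample policy: allowed roles per (method, endpoint).
POLICY = {
    ("GET", "/api/status"): {"operator", "auditor"},
    ("POST", "/api/backup"): {"operator"},
    ("GET", "/api/audit-log"): {"auditor"},
    ("POST", "/api/keys/rotate"): {"key-custodian"},
}

def lint_policy(policy) -> list:
    """Flag wildcard scopes or catch-all roles ('root', '*') that would recreate an all-powerful login."""
    problems = []
    for (method, endpoint), roles in policy.items():
        if "*" in (method, endpoint):
            problems.append(f"wildcard scope on {method} {endpoint}")
        if {"*", "root"} & roles:
            problems.append(f"superuser role granted on {method} {endpoint}")
    return problems

def authorize(req: Request, policy=POLICY) -> bool:
    """Allow only if a caller role is listed for exactly this (method, endpoint); 'root' is not special."""
    allowed = policy.get((req.method, req.endpoint), set())
    return bool(req.roles & allowed)

def evaluate(requests, policy=POLICY):
    """Audit-log style batch decisions: (principal, method, endpoint, verdict)."""
    return [(r.principal, r.method, r.endpoint,
             "ALLOW" if authorize(r, policy) else "DENY") for r in requests]

# Constructed sample traffic, including a 'root' caller and an unlisted method.
SAMPLE = [
    Request("alice", frozenset({"operator"}), "POST", "/api/backup"),
    Request("alice", frozenset({"operator"}), "GET", "/api/audit-log"),
    Request("root", frozenset({"sysadmin"}), "POST", "/api/keys/rotate"),
    Request("bob", frozenset({"auditor"}), "GET", "/api/status"),
    Request("bob", frozenset({"auditor"}), "DELETE", "/api/status"),
]
```

Run `evaluate(SAMPLE)` to see one ALLOW/DENY record per request; `lint_policy` should return an empty list for any policy you intend to deploy.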
The HSM—the physical device that encrypts and protects keys—is certified to FIPS 140-2 Level 4, which is the highest security level defined in that Federal Information Processing Standard. Also, the individual Secure Service Containers are isolated to EAL5 and higher levels, giving you near-air-gap isolation between containers to ensure that side-channel attacks won’t work. This is industrial-strength security that is designed to meet the needs of extremely security-sensitive environments such as banks, power grids, the Atomic Energy Commission and the CIA. Secure Service Container is serious technology for serious enterprises. However, Secure Service Container can benefit any company that wants to dive into the world of mainframe computing, the costs of which can be surprisingly affordable.
A New Way of Thinking
When most people think about mainframe computing, they think of large companies with big budgets to spend on high-priced hardware. While this might have been the case in the past, today mainframe technology is well within the grasp of smaller companies. Today’s mainframes can be as much as 92 percent lower for total cost of information compared to their x86 competitors. And when you take into account the added agility, scale and security, setting up an on-premises cloud installation using an IBM mainframe as opposed to a rack of x86 machines seems very reasonable.
The mainframe offers significant benefits besides cost, particularly when Secure Service Container technology gets added to the mix. To start with, running Linux on a mainframe creates a common playing field in terms of application development. Most Linux-based application code can run on a mainframe as well as on a PC. This means that a single Java developer can leverage his or her expertise to write for a variety of environments—PC, Android or mainframe.
Security Risks by the Numbers
● Cybercrime damages will cost the world $6 trillion by 2021
● The average cost of a data breach in 2017 was $3.6M
● 60% of the victims of cyber attacks run the risk of being put out of business
The mainframe also offers very large storage, incredibly high computing capability and a unified environment. Both applications and database can live within the same box, diminishing network latency and increasing overall processing speed.
Secure Service Container technology makes security both robust and easier to manage. The “API only” access approach to system administration makes support a secure, standardized undertaking. From a DevOps perspective, the standardization provided by the “API only” approach is easy to automate, and you avoid having to accommodate the peculiarities that go with system administration at a lower level of operation.
Finally, as mentioned above, Linux on IBM Z supports Docker. Integrating mainframe resources with the Docker ecosystem enables high-powered, high-volume, ephemeral computing within a single machine installation. A single Linux on IBM Z installation can support up to 1 million Docker containers. And, because these containers reside on the same machine, they can take advantage of co-location with other mainframe workloads and minimize the impacts of external network latency. As anybody who has worked with a distributed architecture can tell you, a containerized microservice is only as good as its availability. Putting all containers on a single computer reduces the risk of interservice communication failure significantly. This is a very big deal—especially considering the 99.999 percent uptime of IBM Z.
Putting It All Together
Containers are fast becoming the foundation of modern cloud computing. There’s more to containerization, however, than creating instances of Docker images. The concepts behind containerization have broad application well beyond commodity-based computing. Secure Service Container combines the best practices intrinsic to both hardware and software security to create a Linux-based environment that makes mainframe technology a first-class player in the world of modern cloud computing.
Given the decreasing costs and increasing benefits of technologies such as IBM Z and Secure Service Containers, mainframe computing can become a significant asset to any company. All that’s really required is taking the time to understand the power available and explore the possibilities at hand.
You can learn about Linux on IBM Z and Secure Service Container at the following resources: