Secure by Design
The security of any infrastructure requires a proper balance of People, Process and Technology. The more People and Process involved, however, the greater the risk to the overall environment, whether through errors of omission or through sabotage. The base System z technology includes a number of built-in features that reduce or mitigate those risks. The following sections describe a subset of those capabilities.
System zEnterprise server – PR/SM LPAR
Considered one of the most secure general purpose servers in the industry, the IBM System zEnterprise server has achieved a Common Criteria EAL5 rating for the design and implementation of its logical partitioning capability. PR/SM LPAR is the brand name IBM uses for running multiple operating systems within a single server while ensuring that one virtual server cannot detrimentally affect the operation of another. There are no “knobs” to turn to achieve this; it is the basic design of the mainframe. Presently, up to 60 logical partitions can be operated simultaneously on a single server. Typically, the server can run at 100% utilization at all times. Service Level Agreements can be easily established to give priority service to a specific partition. These SLAs can be used to distinguish between the importance of Production, Test and Development partitions, as well as between daytime and evening priorities of differing workloads. Partitions do not have to have processors, memory or storage dedicated to them, a practice that consumes resources and limits scaling of the environment. Instead, these resources can be shared while the architectural boundaries are maintained and partitions are prevented from interfering with each other.
z/VM
z/VM is a second level of virtualization that runs within one logical partition of the IBM mainframe. It has also been evaluated under the Common Criteria and has achieved an EAL4+ rating. System z has a processor facility that enables z/VM to give its guests direct control of underlying processors and memory without a lot of overhead. z/VM is capable of running tens of thousands of virtual guest images in a single partition. Realistically, however, several thousand guests in a single partition running as virtual desktops, or several hundred running as virtual servers, can be a cost-competitive alternative to other hardware architectures. Like PR/SM LPAR, z/VM can run at 100% utilization without fear of failure. The evaluated isolation means that a virtual guest cannot compromise the security of the other virtual guests.
For both PR/SM LPAR and z/VM, new hardware processors can be brought online or removed from the server non-disruptively to provide the greatest scaling on demand. This also simplifies security, as no new security definitions or domains need to be created to accommodate the capacity changes.
z86VM
z86VM is another level of virtualization, running within the z/VM environment. Several server instances are created to handle input/output processing to a shared file system and networking for the virtual guests that run x86 workloads within them. Each x86 guest runs as a separate virtual machine under z/VM, with a small z86VM kernel providing translation and management of the x86 architecture within the System z architecture. Each x86 operating system image is protected from the other guest images by the compartmentalization inherent in z/VM and by the kernel segmentation done by z86VM itself. Security servers, such as Active Directory or LDAP servers, should run as independent x86 virtual machines within System z and can use internal communications between guests to reduce the network topology the x86 operating systems require. Active Directory is described here as “should” because Mantissa is currently testing Windows operating systems and intends to support that functionality in a future Beta release.
How this compares to native x86 server virtualization
Security evaluation of the x86 hardware
Not all hardware architectures are created equal. For example, while not commercially successful, the Intel Itanium processor contains more basic security technology in its chipset and architecture than the more prevalent x86 varieties. Both Itanium and x86 processors have far less security functionality in their architectures than the System z server contains. x86 servers do not have the granularity of compartmentalization that System z has. On x86, processors, memory, network connections and storage may need to be dedicated to an individual virtual machine to ensure compartmentalization or isolation of workloads. This reduces the scale possible on a single server. In addition, processor utilization is typically kept below 60% for fear of taking an outage at higher utilization when the server runs short of memory.
Security evaluation of x86 hypervisors
There are a variety of proprietary and open source hypervisors in the market today. When those vendors have their code evaluated, the target of evaluation is typically tied to a specific hardware product, and the resulting certification applies only to that evaluated configuration. Because the combination of hardware server and software hypervisor is required to provide full compartmentalization, it is never achieved at the scale possible with a System z server.
Additional products or features necessary for x86 hypervisors
When the hardware and the hypervisor are developed by different corporations, the opportunity to design the security in from the ground up is less likely to occur. As a result, for many x86 servers and hypervisors, additional priced products are required to achieve a greater level of security. Even then, those priced offerings may not have the capabilities that come with the basic System z server and the z/VM hypervisor from IBM.
Scaling of solutions adds complexity to x86 operations
Any time more than one server box is required to achieve scale, additional controls are necessary for clustering and for managing security. Each time another server node is added, additional knobs need to be tweaked. As described earlier, people and processes may lead to either unintentional or intentional errors that compromise security. System z, with its ability to scale from a single processor to well over 100 processors, all running at 100% utilization and supporting more guest virtual machines per processor core, provides the ability to host more work with less effort than alternative architectures. And probably most importantly, it does so at a lower cost than the alternatives, as there are far fewer parts and associated costs with System z.
Collaboration vs. Compartmentalization
No server is an island.
No single server is ever going to satisfy the needs of an end user or business, whether it is an x86 system, a UNIX system or a mainframe computer. How is that true? You might say a small or medium business might survive on a single server. While that may appear true, those servers are accessed by PCs or smartphones. As a result, the security of the end users’ devices also dictates how good the security of the back-end servers is. There have been many known attacks in which an end user’s device was compromised and that device was then used to attack other server infrastructure. In one significant retail case, one IT group managed the store systems and another group managed inventory and transaction processing. When the retail stores were hacked, the back-end server team was relieved that they were not responsible for the IT that had been compromised. Upon forensic examination, however, it was demonstrated that the compromise of the retail IT had compromised the back-end IT as well. This kind of organizational compartmentalization of IT security responsibility has led to breaches in finance and public sector businesses as well.
How many copies are enough?
Any time data and applications are copied or moved to another system, the security policies that govern them need to be carried over as well. Because of separate IT organizations and a lack of communication, mistakes are often made. So, regardless of architecture, the fewer organizations and control points involved, the lower the opportunity to make mistakes that compromise the overall security of an end-to-end workflow.
System z, with its ability to run large transaction and database servers as well as many virtual guests, including both the z architecture and now the 32-bit x86 architecture, can greatly simplify the operational environment for an end-to-end business. Some may say this is “too many eggs in one basket”. But recall that the z in System z stands for zero downtime. While no system can run non-stop forever, System z has a mean time between failures of over 60 years at the hardware level, and there are customers that, through clustering using the System z architecture, have run continuously for over ten years. That includes servicing individual members of a cluster while the other members continue to run non-disruptively. That is far longer than any x86 server can demonstrate.
System z, a safe and secure home for multiple workloads and multiple architectures
All IT budgets have expenses associated with hardware, software and environmental components. When using System z, including z86VM, as part of an end-to-end solution, any business should be able to:
■ Reduce initial acquisition costs by taking components, and their costs, out of the solution
■ Reduce operational costs and deployment risks
■ Improve the security and resilience of the deployed solution
■ Leverage existing investments wherever possible
■ Provide investment protection and continued cost benefits through future technology deployment