In-Depth

How IBM’s Updated z/OS Improves Security

Big Blue’s vision: a System z-centered security hub—along the lines of the mainframe-based Information hubs it’s been touting for a year now.

• By Stephen Swoyer
• 08/28/2007

It’s been a great month for mainframe boosters. Two weeks ago, IBM Corp. announced the latest-and-greatest release of its z/OS operating system, z/OS version 1.9, along with another quarter of strong mainframe revenue growth. Then, last week, market watcher International Data Corp. (IDC) confirmed that Big Iron accounted for 10 percent of all server revenues—outpaced only by sales of higher-volume Linux and Windows servers.

That’s not all. IBM officials have been talking up a number of z/OS 1.9 improvements that could be catalysts for additional platform growth. Most of these additions focus on security, says Mary Moore, System z security initiative leader with IBM.

The idea, she says, is to market the mainframe as a secure hub for enterprise information management. This should not be much of a stretch, because for many large customers Big Iron has filled that role for several decades, Moore argues.

"Our customers for 40 years have been positioning their mainframes as their security hubs, and security and availability have been the two most important features that we continue to invest in and ensure that we’re leading the industry," she indicates. "These [security enhancements] are all just a continuation of this. With many of these features, we were doing [them in the past] for our most aggressive customers. They are now being used and taken up by the average or typical mainframe z/OS customer."

The new z/OS 1.9 security enhancements include improved support for network security policy management, enhanced Public Key Infrastructure (PKI) services, and extension of the z/OS Integrated Cryptographic Facility (ICSF) to support the popular PKCS #11 security standard.

Moore and IBM seem most excited about z/OS 1.9’s new network security policy management capabilities, which are enforced via the z/OS Communications Server. In addition to features such as network security services (NSS) and policy-based routing (PBR), z/OS 1.9 supports centralized policy services for network Intrusion Detection Services (IDS), Quality of Service (QoS), IPSec (IP Security), and Application Transparent-Transport Layer Security (AT-TLS). NSS and PBR allow organizations to establish and enforce network security policies across multiple instances of z/OS, according to Moore. Administrators can define one centralized policy to enforce network encryption rules and intrusion detection for all z/OS systems. What’s more, these policies can also be enforced against distributed systems that attempt to connect to z/OS.

"We have a lot of that [today] in z/OS, particularly in RACF, but [these enhancements] constitute significant improvements in managing networking policy," she explains. "The z/OS Communication Server Policy Agent allows network administrators and people concerned with network security to define encryption rules, intrusion detection rules and policies, and let the z/OS system automatically manage that. This not only applies to z/OS systems but to distributed systems—if they’re connecting to z/OS."

This kind of functionality is unique to the mainframe, Moore says—at least to the degree that it’s actually built into z/OS. "It is included in the OS. When you’re looking at security in most platforms other than the System i, most of it is add-ons and attachments to the basic OS. This is integrated into all of the basic networking capabilities of the z/OS operating system."

Big Blue continues to tinker with z/OS PKI support in each new release. z/OS 1.9, for example, boasts PKI technology and usability improvements.

Moore says this is a strong cost-of-ownership feature of System z and allows customers to be their own digital-certification authority. “What we’ve been doing with every release is continuing to improve it based on what our customers are telling us. [In z/OS 1.9,] usability is significantly improved, and our ability to work and integrate with other certificate environments is also improved. There are also some technical improvements, too."

PKCS #11 is a popular API used by cryptographic devices. z/OS 1.9 can host PKCS #11-compliant applications as well as provide centralized key storage capabilities, too. "This is the first time we’ve natively supported this within z/OS, so any systems or devices or applications that are using this programming interface for encryption can be ported and brought to z/OS and therefore take advantage of the native z/OS encryption features," she explains.

Last year, IBM announced its zSeries Integrated Information Processor (zIIP), a low-cost specialty engine it hoped would recast the mainframe as a more attractive—and affordable—host platform (or hub) for information processing. With z/OS 9.1, IBMers are now talking up System z as an ideal security hub, too.

"Our customers already use their mainframes as data hubs, and we actually prefer the term ‘secure data hubs.’ What you need to manage [this data] is access to that system, and so a lot of these [enhancements] are designed to not only [facilitate] access [to that data] but to more securely store and manage it," Moore indicates. "So we have management of the different encryption options that you have, or we give you the ability to make sure that data is encrypted as it flows across your networks."