The European Court of Justice has ruled that “Safe Harbor” provisions as they’ve existed for about 15 years are not adequate to protect Europeans’ data privacy interests. The BBC has posted a fairly extensive story on the ruling, and IBM has an official reaction.

If I understand IBM’s official reaction correctly (and the reactions of other technology companies), there’s great concern about regulatory uncertainties and, in particular, inconsistencies. That’s perfectly understandable and sensible. Nobody wants to deal with 28 or more unique data protection rulesets and legal regimes. According to the BBC’s report, the European Commission seems at least aware of that potential problem, which is encouraging.

In the wake of the ruling, businesses and other organizations must have “model contract clauses” in place (and obey those clauses!) in order to transfer personal data from Europe to the United States (and, I assume, to any other countries outside the EU/EEA/Switzerland). Those model clauses require the parties to take due care in how they use and secure Europeans’ personal data — the “rules of the road” for protecting privacy. For about a decade and a half, between Europe and the U.S. specifically, businesses could rely on a single “master” set of rules called “Safe Harbor,” but no more. Fifteen years ago European regulators feared that commercial entities would abuse personal data, inspiring “Safe Harbor.” Now the ECJ recognizes that governments are potentially or actually infringing individuals’ privacy rights, so the Court ruled that “Safe Harbor” isn’t enough.

So what does all this regulatory turmoil have to do with mainframes? As I’ve written before in various ways, businesses and other organizations handling personal data simply need to become much better stewards and protectors of those data. That was true before the ECJ ruling, and it’s even more true now. Mainframes and their middleware (e.g. DB2 for z/OS) are extraordinarily powerful, effective tools to help protect personal data and to authorize access only in strict accordance with complex, evolving rulesets. Mainframes uniquely minimize data movement and data duplication since they facilitate complex, concurrent information and application processing across a single instance of data. They are also excellent “cloud outposts” if/when they need to be. A single mainframe, even the smallest zBC12 model, is a whole “data center in a box.” The mainframe uniquely offers strict (and certified) security “zones” to preserve personal data separations within a single footprint. So if you build at least the privacy-protecting “System of Record” parts of your cloud infrastructure on IBM z Systems, you can much more easily and cost-effectively roll with evolving regulatory punches.

That’s not to say people like having to worry about regulatory turmoil, especially if you haven’t already been adequately protecting personal data. (The IT industry has a lot to answer for in this respect, and so do regulators. There’s much work ahead, though only some of that work is a result of this ruling.) Fortunately there are some powerful tools available, mainframes included. Regulators (and courts) get concerned and act when industry fails, so, first and foremost, let’s not fail. Hopefully everybody can agree that privacy and protection of personal data are really, really important. Consistently important, we also hope.

IBM has a particularly big load of Big Data-related announcements this week (the first full week of October, 2015). It seems like a great time to take stock of what IBM has been up to lately.

  • IBM is unveiling Version 5.1 of the IBM DB2 Analytics Accelerator (IDAA) with new in-database analytics, in-database transformation, and accelerator-only tables. There’s literally nothing else like IDAA and its marriage of the world’s best, most secure Online Transaction Processing (OLTP) database with state-of-the-art, real-time analytics, warehousing, and business intelligence in a single, integrated information system. I literally don’t know of anybody who isn’t thrilled with their IDAA since it’s so thoroughly democratizing real-time, every-time analytics all the way out to end-users and mobile devices. This might be IBM’s biggest “killer app,” so do check it out.
  • Is DB2 12 here already? Almost. Yes, IBM is previewing its latest version of the flagship DB2 for z/OS. Among my favorite new features, DB2 12 will significantly improve its in-memory database capabilities and take more advantage of those many terabytes of system memory in the IBM z13 machines. There’s a great deal of emphasis on improved cloud provisioning capabilities including “SQL as a Service” (SQLaaS) RESTful interfaces. The new SQL TRANSFER OWNERSHIP statement is intriguing and mighty useful for maintaining security control over sensitive data. (And what isn’t sensitive data?) The efficiency improvements look unusually impressive, too, with IBM tossing out some bigger numbers than I’ve seen before. This’ll be a version you’ll have even more reason to get onto as quickly as possible even if only to pick up the efficiency gains, though you will likely have to allocate some more memory — an excellent trade to make. (Over-economizing on memory is false economy and a very bad idea.) If you’re interested in getting an early start on DB2 12 then IBM is putting out the call to sign up for the Early Support Program (ESP).
  • Version 8.8 of IBM’s Operational Decision Manager should be generally available in a couple of months. Not only is this version particularly lucky in China, it’s particularly useful everywhere for its new “Decision Server Insights” feature that helps improve ODM’s ability to make snap decisions based on even complex rules and events. ODM for z/OS at least starts to imbue new, emerging cognitive computing and analytic capabilities into enterprise transactions and concurrent batch flows. As before, it’s also a powerful, high-performance way to cut down on application maintenance and, again, to democratize what used to be traditional application development. ODM is available for several platforms, but it’s an exceptionally strong fit with unique run-time benefits on z/OS and on Linux on z.
  • CICS Transaction Server Version 5.3 for z/OS is particularly notable for its new and enhanced cloud services capabilities, and the Java-related improvements are also impressive. No matter what programming languages you prefer — or non-programming approaches to building solutions — CICS TS probably has you covered and covered extremely well.
  • IMS Version 14 becomes generally available later this month, and (in particular) it includes several improvements that help assure continuous business service in what are among the most critical business and government systems in the world.
  • z/VSE users, this is your week, too: a new version of z/VSE and of CICS Transaction Server for z/VSE, both with lots of useful improvements. As before, I recommend pairing your z/VSE environments with Linux on z and/or z/OS to tap into those solution portfolios too, and IBM has a lot of options built into z/VSE to help you do that cost effectively.

To read up on these and other IBM announcements, visit IBM’s announcements Web site at

Posted in IBM.

My “(Blank) Needs a Mainframe” series of posts, such as the most recent Needs a Mainframe entry, are periodic reminders that there are effective, potent IT solutions that can help prevent catastrophic and costly security breaches: mainframes. Yes, I’m being deliberately provocative, but it’s time to shake some IT people out of complacency and their prejudices. We, the IT community (and its management, including business managers), are failing miserably, repeatedly. We are not protecting our users’ privacy and security. So let’s roll out more mainframes, now, because that’s going to help, a lot.

That said, it’s important to understand that security “magic” isn’t for sale. Most people would agree that mainframes, particularly those with the latest z/OS releases, are the most securable server platforms. They are also often the most secure, but that’s not a given and not automatic. Boeing and Airbus commercial airliners offer the safest mode of passenger transport, but if you’re either determined or careless enough then even those safe airplanes are crashable. Likewise, z/OS is chock full of wonderful security features and securability, but its operators cannot be complacent about security. Achieving and maintaining secure computing requires both the right technologies and talented people, preferably people who are at least slightly paranoid. Often, but not always, so-called “mainframe culture” includes a reasonable, healthy dose of security paranoia.

Another big reason z/OS is so securable is that it’s the only consequential operating system (and probably even the only operating system) that, within a single instance, is inherently multi-tenant and that so smoothly handles mixed workloads with differing SLAs. Other UNIX™ operating systems — yes, z/OS is a certified UNIX operating system — had different development heritages with different demands and development pressures. z/OS evolved in a unique way that’s quite helpful in promoting security. Moreover, because mainframes (and z/OS) are “I/O monsters” supporting mixed workloads, they make it possible to centralize (and recentralize) information, especially personally identifiable information (PII), authorizing (or not) every access, every time. They also uniquely facilitate true continuous business service when suitably configured and operated, and that capability also makes information centralization viable.

Think of it this way. If you’re trying to keep a secret, is it easier to keep a secret if 85 people know the secret or if one person knows the secret? Of course the latter situation is more securable. Likewise, mainframes uniquely facilitate thoroughly centralized information architectures with hundreds or even thousands of authorized application consumers/producers, and they do it with just one (or a couple, for continuous service) z/OS instances. With mainframes you can store, manage, and secure information “once and once well.” You do not have to copy your precious data to 85 (or 855) servers and try to manage that inherently unmanageable security nightmare.

….You can design and implement information architectures in highly centralized fashion with mainframes, and many mainframe owners do, with great results. Unfortunately, many do not. “Oh, just copy that data over here…” may be the spark that eventually ignites a security breach. Another problem: “Oh, just give us a RACF server ID that has access to the whole database….” See the problem?

But aren’t those mainframes impossible to work with and develop for? Expensive? No, and no. If there’s a major (or even minor), industry standard application development technology that a mainframe cannot run (and typically well), let me know. It’s at least hard to think of one. And of course it’s possible and highly desirable to authorize (at least) each and every data access request. For example, the base z/OS operating system comes with its own thoroughly standards-compliant, high volume LDAPv3 server (with TLS-encrypted connectivity) at no additional charge. So why aren’t you using it? I can’t think of a good or even mediocre reason why not.

I’m not happy with the wider IT community’s security performance right now, and I hope you’re not either. Let’s get our act together starting today.
