My “(Blank) Needs a Mainframe” series of posts, such as the most recent Needs a Mainframe entry, is a periodic reminder that there are effective, potent IT solutions that can help prevent catastrophic and costly security breaches: mainframes. Yes, I’m being deliberately provocative, but it’s time to shake some IT people out of complacency and their prejudices. We, the IT community (and its management, including business managers), are failing miserably, repeatedly. We are not protecting our users’ privacy and security. So let’s roll out more mainframes, now, because that’s going to help, a lot.

That said, it’s important to understand that security “magic” isn’t for sale. Most people would agree that mainframes, particularly those with the latest z/OS releases, are the most securable server platforms. They are also often the most secure, but that’s not a given and not automatic. Boeing and Airbus commercial airliners offer the safest mode of passenger transport, but if you’re either determined or careless enough then even those safe airplanes are crashable. Likewise, z/OS is chock full of wonderful security features and securability, but its operators cannot be complacent about security. Achieving and maintaining secure computing requires both the right technologies and talented people, preferably people who are at least slightly paranoid. Often, but not always, so-called “mainframe culture” includes a reasonable, healthy dose of security paranoia.

Another big reason z/OS is so securable is because it’s the only consequential operating system (and probably even the only operating system) that, within a single instance, is inherently multi-tenant and that so smoothly handles mixed workloads with differing SLAs. Other UNIX™ operating systems — yes, z/OS is a certified UNIX operating system — had different development heritages with different demands and development pressures. z/OS evolved in a unique way that’s quite helpful in promoting security. Moreover, because mainframes (and z/OS) are “I/O monsters” supporting mixed workloads, they make it possible to centralize (and recentralize) information, especially personally identifiable information (PII), authorizing (or not) every access, every time. They also uniquely facilitate true continuous business service when suitably configured and operated, and that capability also makes information centralization viable.

Think of it this way. If you’re trying to keep a secret, is it easier to keep a secret if 85 people know the secret or if one person knows the secret? Of course the latter situation is more securable. Likewise, mainframes uniquely facilitate thoroughly centralized information architectures with hundreds or even thousands of authorized application consumers/producers, and they do it with just one (or a couple, for continuous service) z/OS instances. With mainframes you can store, manage, and secure information “once and once well.” You do not have to copy your precious data to 85 (or 855) servers and try to manage that inherently unmanageable security nightmare.

You can design and implement information architectures in highly centralized fashion with mainframes, and many mainframe owners do, with great results. Unfortunately, many do not. “Oh, just copy that data over here…” may be the spark that eventually ignites a security breach. Another problem: “Oh, just give us a RACF server ID that has access to the whole database….” See the problem?

But aren’t those mainframes impossible to work with and develop for? Expensive? No, and no. If there’s a major (or even minor) industry-standard application development technology that a mainframe cannot run (and typically run well), let me know. It’s at least hard to think of one. And of course it’s possible and highly desirable to authorize (at least) each and every data access request. For example, the base z/OS operating system comes with its own thoroughly standards-compliant, high volume LDAPv3 server (with TLS-encrypted connectivity) at no additional charge. So why aren’t you using it? I can’t think of a good or even mediocre reason why not.
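The contrast between “just give us a RACF server ID that has access to the whole database” and authorizing each and every data access request, modelled in a small Python example added here. It is not part of the original post and it is not RACF or SAF code: the profile semantics (generic profile matching, UACC, access-list precedence, access-level ordering, group permits) are a simplified imitation of RACF written for illustration, and every user, group, profile and record name in it is constructed.

```python
# Added example (not from the original post). A toy imitation of RACF-style
# resource profiles, used to contrast a blanket server ID with per-request
# authorization of the end user. Nothing here calls SAF or RACF.
import re
from dataclasses import dataclass, field

ACCESS_LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


def level(name):
    """Rank of an access level, so levels can be compared."""
    return ACCESS_LEVELS.index(name)


@dataclass
class Profile:
    name: str                 # generic resource name, e.g. "PAYROLL.PII.**"
    uacc: str = "NONE"        # universal access for IDs not on the list
    acl: dict = field(default_factory=dict)  # user or group -> access level


# Constructed sample security database (hypothetical names).
GROUPS = {"HRADMIN": {"ALICE"}, "PAYCLERK": {"BOB"}}
PROFILES = [
    # PAYSRV is the "server ID that has access to the whole database".
    Profile("PAYROLL.PII.**", acl={"HRADMIN": "UPDATE", "PAYCLERK": "READ",
                                   "PAYSRV": "ALTER"}),
    # An explicit NONE entry on the access list overrides UACC.
    Profile("PAYROLL.PUBLIC.**", uacc="READ", acl={"EVE": "NONE",
                                                   "PAYSRV": "ALTER"}),
]
# Constructed sample records: one authoritative copy, not replicated.
RECORDS = {
    "PAYROLL.PII.EMP00017": {"name": "Carol Example", "ssn": "***-**-1234"},
    "PAYROLL.PUBLIC.HOLIDAYS": {"dates": ["2015-12-25"]},
}
AUDIT = []  # (user, resource, requested access, result), one per check


def _generic_to_regex(generic):
    """Simplified generic matching: '**' spans qualifiers, '*' matches
    within one qualifier, '%' matches a single character."""
    out, i = "", 0
    while i < len(generic):
        if generic.startswith("**", i):
            out, i = out + ".*", i + 2
        elif generic[i] == "*":
            out, i = out + "[^.]*", i + 1
        elif generic[i] == "%":
            out, i = out + "[^.]", i + 1
        else:
            out, i = out + re.escape(generic[i]), i + 1
    return re.compile("^" + out + "$")


def find_profile(resource):
    """Return the most specific profile covering the resource, or None."""
    matches = [p for p in PROFILES if _generic_to_regex(p.name).match(resource)]
    if not matches:
        return None
    # Approximate "most specific" by the number of literal characters.
    return max(matches, key=lambda p: sum(c not in "*%" for c in p.name))


def user_groups(user):
    return {g for g, members in GROUPS.items() if user in members}


def racf_check(user, resource, requested):
    """Decide one access request and record it in the audit trail."""
    prof = find_profile(resource)
    if prof is None:
        granted = "NONE"                      # no profile, no access
    elif user in prof.acl:
        granted = prof.acl[user]              # user entry beats group and UACC
    else:
        via_groups = [prof.acl[g] for g in user_groups(user) if g in prof.acl]
        granted = max(via_groups, key=level) if via_groups else prof.uacc
    ok = requested != "NONE" and level(requested) <= level(granted)
    AUDIT.append((user, resource, requested, "GRANTED" if ok else "DENIED"))
    return ok


def read_blanket(record_key):
    """Anti-pattern from the post: the application runs under one powerful
    server ID, so the end user's identity never reaches the security manager
    and anyone who can reach the application can read anything it can."""
    return RECORDS[record_key] if racf_check("PAYSRV", record_key, "READ") else None


def read_as_user(end_user, record_key):
    """Pattern the post argues for: propagate the end user's identity and
    authorize each access against the resource profile."""
    return RECORDS[record_key] if racf_check(end_user, record_key, "READ") else None
```

With these constructed profiles, `read_blanket` returns the PII record for every caller, because the check is always made as PAYSRV; `read_as_user` returns it for BOB (READ via PAYCLERK) and refuses it for an unknown ID (UACC NONE), and EVE’s explicit NONE entry denies even the public record that UACC would otherwise allow. Every decision, granted or denied, lands in the audit list, which is the other thing a blanket server ID throws away: with one ID on the connection, the audit trail cannot say which person read which record.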

I’m not happy with the wider IT community’s security performance right now, and I hope you’re not either. Let’s get our act together starting today.

Posted in IBM.

IBM introduced its new LinuxONE systems this week, to widespread applause. They’re the world’s most massively scalable, reliable, and secure Linux servers, quite simply. A single LinuxONE machine can handle about 8,000 VMs and tens of thousands of Docker containers, for example. That’s important because there are many applications and information systems, particularly those involving analytics, that really don’t run well on smaller servers. Some applications take days or weeks to run on large numbers of smaller servers when they can run in hours or minutes on the new LinuxONE servers.

Then there are economic factors. It’s often a heck of a lot less expensive to run one or a couple of servers than it is to run hundreds or thousands, even when the software is “free.” Simplicity is powerful…and affordable. I also like how IBM is offering these machines even when you get one on premises: nothing to pay up front, then pay for what you use over 36 months. Subject to a simple minimum, of course. That’s exactly like public clouds and volume discounts — but on premises if you prefer.

Canonical is bringing Ubuntu to these new LinuxONE systems, joining Novell SuSE and Red Hat, which are already there. Ubuntu is also getting popular, particularly in public clouds and on client devices (point of sale, kiosks, customer service desktops, etc.). More official options are good to have, obviously.

IBM explains more in this video.