Virtualization is all the rage today. But not all platforms are created equal when it comes to security, resilience and capacity management of the workloads being virtualized. On a mainframe, the same workloads that run on distributed can have a completely different operations model that can reduce cost and provide investment protection for the future.
1. Virtualization and Consolidation Options What makes z simple and better The future runs on System z Jim Porell IBM Distinguished Engineer IBM System z Business Development
2.
3.
4.
5. Virtualization and Security Should IT Managers Be Concerned? Known vulnerabilities across all of VMware’s products* “ It is clear that with the increase in popularity, relevance and deployment of virtualization starting in 2006, vulnerability discovery energies have increasingly focused on finding ways to exploit virtualization technologies.” “ ...in a virtual environment all your exploitation risks are now consolidated into one physical target where exploiting one system could potentially allow access and control of multiple systems on that server (or the server itself). In total, this adds up to a more complex and risky security environment.” Posted September 21, 2007 at http://blogs.iss.net/archive/virtblog.html Virtualization security risks being overlooked, Gartner warns Gartner raises warning on virtualization and security. Companies in a rush to deploy virtualization technologies for server consolidation efforts could wind up overlooking many security issues and exposing themselves to risks, warns research firm Gartner. “ Virtualization, as with any emerging technology, will be the target of new security threats,” said Neil MacDonald, a vice president at Gartner, in a published statement. – NetworkWorld.com, April 6, 2007 VMware Vulns by Year Total Vulns High Risk Vulns Remote Vulns Vulns in 1 st Party Code Vulns in 3 rd Party Code Vulns in 2003 9 5 5 5 4 Vulns in 2004 4 2 0 2 2 Vulns in 2005 10 5 5 4 6 Vulns in 2006 38 13 27 10 28 Vulns in 2007 34 18 19 22 12
6. Virtualization & Security Topics Adding Virtualization to: Virtualization Attributes: People and Identity Integrity Applications and processes Compartmentalization – guest/partition and multi level security Data and information Operational and process model changes Network TCO benefits with risk mitigation Risk and Compliance Certifications and branding – today and emerging Competitive posture
7.
8. CP1 CP2 CP3 CP4 IBM System z Physical CPUs Physical CPUs IBM System z Virtualization Leadership Extreme Levels of CPU Sharing IFL1 IFL2 IFL3 z/VM Linux Virtual 2 CPUs Linux LPAR1 z/OS LPAR2 z/OS LPAR3 z/VM LPAR4 z/VM Logical CPUs Logical CPUs IFL4 Linux Linux Virtual CPUs Linux Linux Linux
9.
10.
11.
12.
13. IBM Tivoli Virtualization Management for System z Helping Clients Manage and Control Their Virtualized IT Infrastructure IBM System z Virtualization Infrastructure Provisioning Management Monitoring for Virtualization Infrastructure Business Services Management … Automation for Virtualization Infrastructure Storage Network Security Extended Infrastructure Management Application Layer Management Resilience Management
14.
15.
16. Application Server Websphere Service Platform Database Connectors SQLJ Service Message Servlet Loan Applic. Bank Teller General Ledger Credit Card Processing Risk Analysis Service Service Connectors Current Accounts Batch Programs Bill Payment Database SQLJ MQ Currency Exchange Temp data to Electronic Data Warehouse Batch Process RMI/IIOP EJB WAS Bill Payment EJBs Authentication Server Mgt Mgt Mgt Mgt Mgt Mgt Mgt Mgt Mgt Mgt Mgt Mgt Mgt Mgt Authentication Alert processing Firewalls Virtual Private Networks Network Bandwidth Encryption of data Audit Records/Reports Provisioning Users/Work Disaster Recovery plans Storage Management Data Transformations Application Deployment Typical multi-system Design: Numerous Mgmt Domains Physical Appliance Model
17.
18.
19. Our premise: The market is at a tipping point – with the right investment in client consolidation and virtualization, IBM can re-shape the way our customers define their security strategy (and subsequent spend) Application Virtualization Desktop Virtualization Data Integration Data Center Consolidation Server & Storage Virtualization Presentation Virtualization IBM Strategy The Future Strategy to Date New Data Integration & Storage Virtualization Application Integration
20.
21. Payment Card Industry PCI DSS Requirements “The Digital Dozen” PCI DSS Ver. 1.1 Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data sent across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security – Connected Entities and Contracts
22.
23.
24.
25.
26. Payment Card Industry Compliance– How System z can help Build & Maintain a Secure Network Protect Cardholder Data Maintain Vulnerability Mgmt Program Implement Strong Control Measures Monitor & Test Networks Maintain Information Security Policy Tivoli zSecure Tivoli Identity Manager IBM Services: Penetration Testing IBM Services: Internet Security Solutions Security & Pr i vacy Consulting RACF and MLS System z integrity features System z integrity features z/OS Network Policy Agent z/OS Intrusion Detection Services Linux on z as a DMZ Encryption Infrastructure Database Encryption & Test Tools Network encryption: SSL/TLS, IPSec, OpenSSH Tape encryption z/OS Network Policy Agent z/OS Intrusion Detection Services z/OS Healthchecker Tivoli zSecure Tivoli Compliance Insight Manager z/OS Network Policy Agent EAL & FIPS Certifications IBM Internet Security Solutions *It is the customer's responsibility to identify, interpret and comply with any laws or regulatory requirements that affect its business. IBM does not represent that its products or services will ensure that the customer is in compliance with the law.
27.
28. IBM Tivoli zSecure Suite Policy enforcement solution that enforces compliance to company and regulatory policies by preventing erroneous commands Real-time mainframe threat monitoring allowing you to monitor intruders and identify mis-configurations that could hamper your compliance efforts Compliance and audit solution that enables you to automatically analyze and report on security events and detect security exposures Enables more efficient and effective RACF administration, using significantly less resources Reduces the need for scarce, RACF-trained expertise through a Microsoft Windows–based GUI for RACF administration Allows you to perform mainframe administrative tasks from a CICS environment, freeing up native-RACF resources Note: ACF2 and Top Secret are either registered trademarks or trademarks of CA, Inc. or one of its subsidiaries. Combined audit and administration for RACF in the VM environment
29. Rational AppScan & IBM Tivoli provide security that spans the application lifecycle Developers Developers Developers AppScan tests the application and RACF/Tivoli Access Manager secures access to them Provides Developers and Testers with expertise on detection and remediation ability Enables Chief Security Officers to drive remediation back into development & QA Ensures vulnerabilities are addressed before and after applications are put into production Provides user access control and can help remediate known vulnerabilities Build Coding Test Production
30. Server Printer ATM POS z/OS Network Device Network Device Server Printer ATM POS z/OS Network Device Network Device Unencrypted End-to-end encryption IPSec IPSec Unencrypted IPSec Encryption in network devices zIIP Growing requirement for companies that outsource some part of their network zIIP specialty engine support helps reduce the cost of adding IPSec protection End-to-end network encryption
31.
32. Optim Test Data Generation – leverage this to build test versions of Analytic DB’s for Operational Risk
System z has over 44 years of virtuaization. System z defined server and system virtualization and continues to set the standard. The above graphic illustrates the years of virtualization that System z introduced into it’s systems and also into the industry. The industry leaders such as VMWARE, Microsoft, and HP are focused in attaining the same level of virtualization that System z provides today. They are adding function at an accelerated pace, but they have not caught up in terms of granularity, scalability, and robustness of System z virtualization. But, at the same time, System z cannot afford to stand still and must continue to differentiate. We will do that from two aspects. First, is that we will continue to enhance the hardware (e.g. I/O), PR/SM, zVM, and the OSes. But, we are also turning a new page and taking a leap ahead in virtualization. While the industry leading servers and virtualization vendors are focused on homogeneous virtualization, System z will turn its sights on heterogeneous virtualization and take on a larger responsibility in managing composite applications. zFuture will embrace other architectures and management them from a single platform perspective to provide an integrated and coordinated experience. It will provide integrated platform, workload, performance, and image management across the resources that it controls, be it traditional z compute resources, or network attached accelerators and application servers.
The Dynamic Infrastucture will be support by each platform in STG via ensembles. Ensembles in this context are a homogeneous set of resources in which workloads can execute. The ensemble will be managed as a single resource pool and policy will dictate how and where workload is executed in that ensemble. Ensembles will have upward facing APIs such that enterprise management software such as Tivoli can consume the interfaces and manage the ensembles consistently. Hence Service Lifecycle Management will interact with the ensembles directly to provide a broader and richer set of enterprise management capabilities. The System z ensemble will be unique in that it will be comprised of heterogeneous resources, but it will manage and apply policy to those resources as one pool. The two key points here are that zFuture is a key part of Dynamic Infrastructure and fits into the Ensemble Strategy and that we will fully interact and integrate with Tivoli (or vendor) in SLM.
This graphic in some ways represents those islands of computing in that it represents the mainframe, application serving blades, and workload accelerators. The difference here is that via System z ensembles, we will manage those disparate resources as one resource pool in which we’ll understand the topology and capabilities of the individual resources and make decisions that are consistent across all the resources in the pool to obtain an orchestrated execution of workload consistent with its business requirements. On the left side of the chart, the mainframe is hosting it’ data and business logic that directly acts on that data. The Data is typically z/OS based, while the business logic or rather applications can be z/OS with CICS,IMS,Batch,WAS,etc.. and/or it can be Linux for z based. The right side of the chart are the servers that typically surround the mainframe today and interact with the mainframe or provide a service for the Mainframe such as Web Services accelerators. Today, these servers are managed independently of the mainframe, although they have major dependencies on it. The management of disciplines such as energy, workload, performance, security, and resilience are managed independently. However, it is evident that because of the affinity of these distributed servers to the mainframe workloads, that orchestration of the management would benefit the end to end execution of workloads and hence would lower the management costs and improve the QOSes of said envrionments. That’s where the middle of the charts comes in. zFuture will introduce capabilities that will allow accelerators that are critical to System z workloads as well Power and System x Blades to be managed at the platform level from System z to provide a consistent and orchestrated management experience. The end goal is to simplify the critical components that make up a composite application such that SLAs are attainable at a lower cost. Additionally, through extensive virtualization of all the components of the System z ensemble, less resources will be required. So, a System z ensemble will be the combination of a CEC with a set of complementary blades that can serve as accelerators or general purpose blades to host applications. The CEC and it’s blades can be clustered to really provide a massive and orchestrated resource pool. A very important message to relay to the audience is that ASBs will not replace applications on z/OS or zLinux. To the contrary, they will complement and strengthen those applications. Today, customers have the choice of z/OS or zLinux for WAS. From discussions with customers, it is a pretty even split between both OSes, where WAS is deployed. It all depends on the customer strategy and the workload requirements relative to it’s affinity to the data on z/OS. Even with this strategy, however, customers continue to host applications on distributed servers. The majority of application serving is on distributed servers, and especially for application serving, the trend is to host them on commodity servers such as blades. The zFuture strategy is to embrace this trend and provide a server that will manage the heterogeneous platforms as one platform to the extent possible. ASBs will provide another option for customers as they decide how to deploy their workloads. It will not detract from workloads on the z CEC, but rather provide more reason to put workloads on the mainframe.
This chart is complicated yet powerful because it pictorially depicts the capabilities of System z with zFuture. You’ll find the traditional virtualization capabilities of system z with PR/SM, zVM, and z/OS. We virtualize the hardware resources from the workloads and optimize them to provide unparalled efficiencies. We have application clusters across these environments today and we manage them as a single platform. This is not to say that zVM, zLinux, and z/OS will NOT benefit from zFuture,. To the Contrary, the environments that are hosted today on z will absolutely benefit from coordinated workload, energey, and availability management. Therefore, for customers that have a z/OS and zLinux environment today, we will enahnce that management experience by consistent and tighter coordination across the images of the zCEC and cluster of CECs. We will extend this coordination to non-z architected platforms. Specifically, Power and System x blades will be supported. These blades will be highly virtualized with PowerVM and KVM and together with zVM, we will have a set of federated hipervisors that will be managed consistently to one set of policies. The blades will appear to zFuture as resource pools that it will manage and provide additional application capacity for distributed applications. The red squares represent ‘agents’ in each hipervisor and potentially OS that will coordinate and report back to zFuture in terms of execution and goal attainment. zFuture will collect the information from all the agents and based on policy will make gobal ensemble decisions that will be consistent with the SLAs and priorities of the workloads executing in the ensemble. The decision will be optimized for all the components of the ensemble so that a decision cannot be made for one component that will have negative unintended consequences for another component. This is key because that is the way decisions are made today. They are made at the platform level, and by fixing that platform issue without knowledge of the upstream afffects is like driving blind.
Depending on your perspective, is this a collection of individual servers, tied together by a network, with each server having it’s own independent management domain?
Or is it a combination of the best of the scale out systems and scale up servers to meet their business needs?
Assess security posture Build and maintain a program to identify and manage significant threats and vulnerabilities across infrastructure and applications. Defend valuable assets Preemptively protect network assets Build and maintain secure applications and infrastructure. Build and maintain a program to manage application and infrastructure release, change, and configuration. Encrypt critical information in transit and at rest. Access control Define and maintain an Acceptable Use Policy (information security policy) Implement a program to manage identity and access Monitor the environment Monitor and measure effectiveness of controls, investigate and respond to significant failures
Efficiently runs the workloads that drive my business Transactions / Database UNIX / Linux ERP, CRM, Business Intelligence and more Is there when I need it Resilient hardware / software platform Minimizes planned and unplanned outage duration Can recover remotely in the event of a site shutdown Is manageable Can match processing goals to match business goals Can respond automatically to spikes in demand Can manage multiple operating environments and subsystems concurrently Is secure Can protect my data and programs from unauthorized access Can provide security without compromising responsiveness to users Is expandable, flexible, and adaptable Lets me add processor power conveniently when needed Let’s me define, provision, and execute virtual servers when business requires them Let’s me add the kind of processing power I need to perform the task economically Is Highly Virtualized Supports the sharing of physical resources, programming, and data Includes management and accountability functions Is affordable Is priced flexibly Has a variety of terms and conditions to suit different business models Includes hardware and software Efficiently runs the workloads that drive my business Transactions / Database UNIX / Linux ERP, CRM, Business Intelligence and more Is there when I need it Resilient hardware / software platform Minimizes planned and unplanned outage duration Can recover remotely in the event of a site shutdown Is manageable Can match processing goals to match business goals Can respond automatically to spikes in demand Can manage multiple operating environments and subsystems concurrently Is secure Can protect my data and programs from unauthorized access Can provide security without compromising responsiveness to users Is expandable, flexible, and adaptable Lets me add processor power conveniently when needed Let’s me define, provision, and execute virtual servers when business requires them Let’s me add the kind of processing power I need to perform the task economically Is Highly Virtualized Supports the sharing of physical resources, programming, and data Includes management and accountability functions Is affordable Is priced flexibly Has a variety of terms and conditions to suit different business models Includes hardware and software
Diving into more detail at a specific Dev team area, this is just an example of course. But you can imagine that there are various developers all contributing different components to the applications. At specific intervals there are typically BUILD processes happening – for regression testing and such. What we’re proposing is that a Dev Lead be responsible for performing Scans at the BUILD level. This of course can be altered – each Developer can also perform scanning of their individual pieces. But this graphic illustrates that a scan should take place iteratively at the build level. Build/QA - Provides Developers and Testers with expertise on detection and remediation ability Security - Enables Chief Security Officers to drive remediation back into development Production - Ensures vulnerabilities are addressed before applications are put into production
Unencrypted segment between the mainframe and the device – becomes an exposure for possible snooping. When there is network traffic that must be protected, this is a concern for many of our mainframe customers – they are looking for true end-to-end encryption – where the data is never in the clear between the mainframe and the final desitination. That destination may be a remote data center – a third party printing location ... Or a business partners server.
Difference from what hardware does vs tooling? DB2 9 extends traditional DB2 strengths in many areas like online schema evolution, Unicode, XML, DB2 family SQL, utilities, security and compliance, and 64-bit virtual storage. Increased security and regulatory compliance through implementation of roles, network-trusted contexts, and enhanced auditing. Synergy with IBM System z and z/OS in areas that include XML parsing, zIIP, I/O improvements, encryption, IPV6, and Secure Socket Layer (SSL). Query management enhancements to make accessing your data even faster and more accurate; indexing improvements that include index on expression, randomization, and larger index page sizes; optimization improvements that provide better data for the optimizer, improved optimization techniques, and better management with optimization services. IBM Data Encryption for IMS and DB2 Databases provides you with a tool for both IMS and DB2 in a single product. The tool enables you to leverage the power of Storage Area Networks (SANs) safely while complying with privacy and security regulations in place or being enacted worldwide. During encryption, IMS or DB2 application data is converted to database data that is unintelligible except to the person authorized by your security administrator. Sensitive data is protected at the row level for DB2 and the segment level for IMS. Encryption and decryption can be customized at these levels on the respective databases. The tool is implemented using standard DB2 and IMS exits. It exploits z/Series and S/390 Crypto Hardware features, resulting in low overhead encryption/decryption. IMS v10 includes several enhancements to improve programmer productivity and connectivity in performance, capacity, availability, recovery, security, and manageability. Additional security enhancements include: RACF error message reduction. Support for z/OS mixed-mode passwords. Faster RACF auditing. Conversational Security enrichment items. A mechanism on client input to the integrated IMS Connect function to change the password associated with the client ID. Customer-written applications will have the ability to change the client RACF password. You will be able to define to integrated Connect the aging value used by OTMA within IMS for the aging value of the ACEEs used by RACF. The current default value is "forever." RACF mixed-case passwords are supported, preserving the original password value rather than attempting to translate the password to uppercase. These items enhance security and reduce unnecessary error messages.