Securing the Future on the Solid Foundation of IBM Z

Security experts explore how and why security has always underpinned the mainframe platform

Part 1

By Reg Harbeck

Since the IBM System/360 was announced, its foundational security innovations have continued to uniquely position the mainframe as the system of record for the world economy.

Over the years between the System/360 and the modern IBM Z, people have struggled and innovated ways to make up for the lack of intrinsic security on other platforms. The mainframe continues to have proven to be the most securable platform by design, even as it adapted and often adopted innovations from other platforms to advance the leading edge of computing security.

 

Today, IBM Z is already positioned for the quantum and AI era, with integrated end-to-end functionality that allows key players in the global economy to proactively secure the world’s most critical data and processing.

 

In this Mainframe Master Innovations installment, we come face to face with the vision, the journey and the position that this historically definitive platform has manifested.

The Foundational Security of IBM Z

A Prehistoric Tapestry

We all need to do this together as a community and have better cybersecurity hygiene, better cybersecurity practices, and implement security.

—Steve Hosie, cybersecurity executive advisor and strategist at Broadcom Mainframe Software

Security is interwoven with the entire journey of humanity, and even of life itself. Predators and prey predate history, as do immune systems and sociological survival mechanisms. The most compelling historical and fictional narratives often include an essential element of security being threatened, either surviving or restored (in happy stories) or giving out (in tragedies).

 

Yet somehow security has always seemed an afterthought, much like immunity, which only occurs after the arrival of a given disease. Security exposures are theoretically limitless, but practically based on the behaviors of known threats. So it was with computing security that the lack of prior history of threats left the door open to innovations by malefactors to which integrity keepers had to respond.

 

Yet, somehow, the designers of the System/360 and its accompanying OSes had the intuitive sense of how the platform needed to be designed to enable such security once the need was discovered. Dr. Fred Brooks, who was responsible for its design, pointed out: “For the architecture team, the real System/360 was the Design Concept itself, a Platonic ideal computer.” (Jr. Brooks, Frederick P. Design of Design, The: Essays from a Computer Scientist (p. 24). Pearson Education. Kindle Edition.)

 

So, when locked doors and passwords were insufficient to prevent early hackers from misusing resources and modifying or deleting important data, new solutions were called for. The answer came forth loud and clear on the IBM mainframe: a fully documented description of what a properly secured computing system would entail. Within a decade, IBM had published its Statement of Integrity, promising the mainframe wouldn’t do anything you didn’t explicitly configure it to do.

The three mainframe external security managers (ESMs) had all arrived on the MVS OS (which evolved into today’s z/OS):

RACF from IBM

ACF2 from Broadcom

Top Secret Security from Broadcom

These three ESMs are now essential to the fabric of IBM Z when running z/OS, but their excellence is founded on the end-to-end integration of the platform, which starts with the design of the hardware and the various OS services, such as the security authorization facility (SAF) and the authorized program facility (APF).
 
Mark Wilson, technical director at Vertali, tells us, “So what IBM did many years ago is create a piece of the operating system called SAF—system authorization facility. And what this allows software to do is talk SAF and not have to worry about whether it's RACF, ACF2 or Top Secret.”
 
The APF provides another dimension of security. Brian Marshall, chief strategist at Vanguard Integrity Professionals, explains, “Everybody can't have access to everything. We need to come up with a way to start limiting access, and that starts with the system integrity statement. Without system integrity, you cannot have security. Once you establish system integrity then you have to start establishing boundaries.
 
“OK, we know that there are going to be system-started tasks. There are going to be daemons. There's going to be things that need to run on the system that need to have some sort of extraordinary privilege. But we also we need to come up with a way to allow for that, while recognizing that not everything should fall into that bucket, and recognizing that it should request for and then exit that special authority. And that's where we got things like the APF list.”
 
Underlying and also beyond this foundational hardware and software technology is an entire ecosystem and culture that enables proper stewardship and security of the global systems of record. While IBM is the developer of this mainframe, they will be the first to tell you that it is a direct expression of their customers’ wills.
 
In fact, that was manifested beginning in 1955 through the SHARE user group, the world’s first and oldest computer user group, which continues to work in partnership with IBM to advance the leading edge of computing and security.
 
As Steve Hosie, cybersecurity executive advisor and strategist at Broadcom Mainframe Software, makes clear, “We all need to do this together as a community and have better cybersecurity hygiene, better cyber security practices, and implement security.”

SPONSORED CONTENT

Opens in a new window.

Do You Have What You Need to Be Compliant?

Navigating the complexities of audit and compliance? Vanguard offers a comprehensive suite of tools meticulously designed to fit your organization's needs, no matter the scale or specific regulatory landscape. From automated assessments with Compliance Manager (VCM) to token agnostic authentication with Vanguard Multi-Factor Authentication (MFA), we've got you covered. Explore how our solutions can streamline your processes and ensure you're always audit-ready.
Prepare for Your Next Audit Today!Opens in a new window.
↓ Turn cards to learn more

Vanguard Compliance Manager (VCM) ↩

Performs CIS, NIST and custom compliance checks for internal and external regulations.

Policy Manager (VPM) ↩

Provides continuous enforcement, corrects commands in accordance with corporate policies, while controlling security administrators.

Software Application Monitoring & Malware Detection (SAMM) ↩

Continuously monitoring system software, file integrity and malware detection while providing real-time insights.

Multi-Factor Authentication (MFA) ↩

Supplies the most complete range of multifactor Token, Tokenless and PIV/CAC Card Authentication capabilities

Uniquely Optimal

Unique Strengths, Unique Opportunities

As a platform designed from the most basic hardware elements and architecture through the most advanced OS features, the mainframe has many unique characteristics that provide a uniquely secure environment.

 

Security is, of course, a multidimensional matter that touches every aspect of business and computing. Likewise, the uniquely powerful and positioned security of the IBM mainframe impacts every aspect of business computing.

 

In their book “Practical UNIX and Internet Security,” Gene Spafford and Simson Garfinkel tell us, “A computer is secure if you can depend on it and its software to behave as you expect.” It’s not about technology: it’s about reliably, consistently, and with integrity, enabling the systems of the world economy to continue functioning the way we expect them to.

 

Foundationally, there are the identity and access controls that the mainframe ESMs actualized and offer uniquely powerful and granular controls for. Marshall confirms, “Authentication, authorization, and audit are all extremely important on all platforms. And the mainframe actually led the way on this.”

The Promise of Mainframe

The fact that it began as an expression of the best thinking and design is a key part of this. But it has continued to advance, not merely to compete with alternatives, but to respond to the emerging requirements, particularly including security, from the key participants in the world economy.

It has done this while keeping a promise made with the announcement of the original System/360 that any software that would run on one IBM mainframe would run on any of them. IBM has held true to its vow, making it possible for clients to focus on innovation, rather than constantly rewriting functional software merely for new releases of the platform.

Mainframe Security Innovations

And there is so much more to security, and particularly to the uniquely powerful security of IBM Z. Before we even begin looking to the future, there are numerous dimensions of security enablement unique to the platform:

Comprehensive auditing and logging
​⟶

Comprehensive auditing and logging (including the system management facility or SMF) with real-time monitoring and alerting

Pervasive encryption

Pervasive encryption is the ability for z/OS to automatically encrypt relevant data in use or at rest

Modern approaches 

Modern approaches learned on other platforms, such as multi-factor authentication (MFA)

“Some of the ability to do real-time monitoring, real-time alerting,” Wilson enthuses, “what IBM has done with the SMF, and moving it from the [SYS1.MANx] data sets to the loggers and all these things to help us analyze all this data in real time. And then we start bolting on things like AI to this and say well, actually, we could do more here. As a platform for innovation that's benefited lots of other platforms, I think the mainframe is unparalleled in that respect.”
 
A key innovation that has been available on IBM Z for some time now, and continues to be enhanced, is pervasive encryption: the ability for z/OS to automatically encrypt relevant data in use or at rest to protect it from inappropriate exposure.

One of the things that we think about when we are considering what data is it important to encrypt, we think about the sensitivity of that data.

—Anne Dames, Distinguished Engineer at IBM

Anne Dames, Distinguished Engineer at IBM, explains that pervasive encryption is, “one of the things that we think about when we are considering what data is it important to encrypt, we think about the sensitivity of that data. We think about whether that data needs to be kept secure for a short time or for a long time. The kind of information that you want to keep secure are things like personally identifiable information. You want to keep secure health records. You want to keep secure IP - intellectual property. You want to keep secure information that is considered sensitive.

 

“Those are some of the kinds of things that you might be storing in a data set that you might want to keep secure. You want to keep secure communication between two parties. You want to make sure that that also is using algorithms that are secure.”

 

One aspect of this comprehensively secure environment is the seamless manner in which every other dimension of its functionality is intertwined with it. So, when the capacity of IBM Z to handle massive data storage, processing and throughput is combined with every kind of virtualization, from hypervisors to containers, all of it is protected in every degree, from memory protection to secure separation of address spaces and OS images to network connections, which are often kept entirely inside the physical mainframe using means such as HiperSockets.

 

Marshall says, “There's really a set of levels that you have to start from the operating system building your way up to the application, and then building your way up to the users. You've got the network interface, you've got all sorts of pieces that come into play. Security has to be baked into all of them.”

NEXT

About TechChannelSubscribe to TechChannel