Operating Systems

Is “Virtually Secure” Enough?

Virtualization is not new. Virtualized environments were first introduced in the 1960s. Most notable was the experimental IBM M44/44X system. This system was based on an IBM 7044 (the ‘M44’), and simulated multiple 7044 virtual machines (the ‘44X’), using both hardware and software. The term Total Enterprise Virtualization (TEV) describes a growing trend towards enterprise-wide deployment of a variety of virtualization technologies that ultimately contribute to business flexibility, cost reduction, productivity gains, and green IT. “TEV extends the advantages of virtualization – greater availability, scalability and capacity with greater resource utilization – across the enterprise.” SHARE, the world’s largest association of corporate users of enterprise IT technology, conducted a survey in 2009 that revealed that the majority of participants recognize the advantages of TEV and are preparing to move forward with it. However, all promising IT initiatives have their challenges and TEV is no exception. The SHARE survey revealed that the biggest challenge organizations faced in deploying a TEV strategy was lack of expertise / available skills. Not far behind that challenge were security issues.

In the February / March issue of z/Journal, under the column entitled “Laying the Security Groundwork,” columnist Stu Henderson examined six categories of questions related to mainframe security: access to the network, access to the system, access to data sets and resources, operating system protection, organizational issues, and dealing with auditors. Let’s take one of these, operating system protection, and look at it a bit more closely.

In a distributed server environment, operating systems are typically “locked down” or “hardened” as a means of protecting the operating system from internal and external harm. Wikipedia defines “hardening” as “the process of securing a system by reducing its surface of vulnerability.” This is accomplished by removing unnecessary software, eliminating unused logins, and disabling unnecessary services. The Wikipedia article goes on to point out that, in principle, a single-function system is more secure than a multi-purpose one. Consider a Linux mainframe environment where you have hundreds of Linux virtual machines running in a single IFL. The beauty of running Linux on a mainframe is that it runs natively, introducing a wide variety of new, mainstream applications to the mainframe world. But just as a system administrator deploys some means of locking down each Linux operating system in a distributed server environment, mainframe Linux system administrators have the same responsibility, but in most cases, on a much larger scale.

IBM’s Redbook “Practical Migration to Linux on System z” recognizes the need to harden Linux VMs running on System z. A newly installed operating system, whether running on an x86 server or a System z mainframe, will by default have a variety of services enabled and disabled in order to ease the installation process. Changing the base Linux VM to a production-ready state, or hardening it, provides a baseline for security. According to the Redbook, “if a hardened Linux image does not already exist, then you should create and maintain one.” Once you have a hardened image, the real challenge comes in maintaining the base hardened Linux VMs. The Redbook states, “kernels change and security patches are issued, so you need to develop a plan for maintaining the base image and assigning the resources to accomplish it. Thus, successive migrations will benefit from a properly maintained base hardened Linux VM.”

Today, there are a variety of tools and services that can assist Linux system administrators in creating hardened Linux images and maintaining the hundreds of VMs that run on the mainframe. Some organizations rely exclusively on outsourced services to achieve this security, but others find that approach to be very expensive and without effective knowledge exchange. Several years ago, a tool called Security Blanket was introduced as a means of automating the hardening of an operating system. Today, Security Blanket runs on the IBM System z and provides the user with the ability to manage and harden all Linux VMs from a single management console. Linux VMs can be grouped according to like production security requirements, assessed against a number of industry standard guidelines, including the CIS Security Configuration Benchmarks, and configured to meet the guidelines in a matter of minutes. Organizations have discovered that automating the hardening process saves vast amounts of time and resources, and provides reliable, manageable, and consistent security across their Linux System z environment.
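
The grouping-and-assessment idea above, together with the three hardening steps named earlier (unnecessary services, unused logins, a maintained baseline), can be sketched as a small drift check. This is an added example, not Security Blanket's logic and not CIS benchmark content: the group names, baselines, VM names, inventory and the 90-day idle threshold are all constructed assumptions.

```python
MAX_IDLE_DAYS = 90  # assumed threshold for calling a login "unused"

# Hypothetical baselines, one per group of VMs with like security requirements.
BASELINES = {
    "web": {"services": {"sshd", "auditd", "httpd"},
            "accounts": {"root", "opsadmin", "apache"}},
    "db": {"services": {"sshd", "auditd", "postgresql"},
           "accounts": {"root", "opsadmin", "postgres"}},
}

# Constructed inventory: enabled services, and login accounts mapped to days
# since last login (None = service account, no interactive login expected).
INVENTORY = [
    {"vm": "lnxweb01", "group": "web",
     "services": {"sshd", "auditd", "httpd"},
     "accounts": {"root": 3, "opsadmin": 10, "apache": None}},
    {"vm": "lnxweb02", "group": "web",
     "services": {"sshd", "httpd", "cups", "telnet"},
     "accounts": {"root": 1, "opsadmin": 200, "apache": None, "installer": 400}},
    {"vm": "lnxdb01", "group": "db",
     "services": {"sshd", "auditd", "postgresql", "rpcbind"},
     "accounts": {"root": 7, "opsadmin": 2, "postgres": None}},
]


def assess(vm, baselines=BASELINES, max_idle=MAX_IDLE_DAYS):
    """Return sorted (kind, item) findings for one VM against its group's baseline."""
    base = baselines.get(vm["group"])
    if base is None:  # a VM outside every group has no baseline to inherit
        return [("no_baseline", vm["group"])]
    # Services enabled beyond the baseline widen the attack surface.
    findings = [("disable_service", s) for s in vm["services"] - base["services"]]
    # Services the baseline requires (e.g. auditing) that are not enabled.
    findings += [("missing_service", s) for s in base["services"] - vm["services"]]
    for name, idle in vm["accounts"].items():
        if name not in base["accounts"]:
            findings.append(("remove_account", name))
        elif idle is not None and idle > max_idle:
            findings.append(("unused_login", name))
    return sorted(findings)


def assess_all(inventory=INVENTORY):
    """Map each VM name to its findings; an empty list means it matches the baseline."""
    return {vm["vm"]: assess(vm) for vm in inventory}


if __name__ == "__main__":
    for name, findings in assess_all().items():
        print(name, "OK" if not findings else findings)
```

Because the baseline is data rather than code, a kernel or patch-driven change to the base image is one edit that every VM in the group is then re-assessed against.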