Mainframe SAN Security

Once considered the bastion of securely stored data, mainframe storage may not be as secure in the future as it has been in the past. With IBM’s decision to make FICON the recommended mainframe storage connection, mainframe storage managers can’t be faulted for suddenly feeling a little nervous.

The latest FICON enhancements, and particularly the introduction of multi-protocol FICON directors, raise the security stakes by potentially opening the mainframe storage system to access from the open systems Storage Area Network (SAN). With that will come all the vulnerabilities of open networks and open storage systems, vulnerabilities that mainframe storage managers have never before seriously considered. Nevertheless, they shouldn’t expect much sympathy, much less help, from their open systems storage manager counterparts. SAN managers themselves are only just now beginning to deal with the security threats associated with SANs.

“We haven’t even started to consider all the security implications of FICON. It scares the daylights out of us,” said an IT manager at a major Midwest financial services firm that operates multiple S/390 mainframes with hundreds of terabytes of storage currently connected through ESCON.

Capitalizing on FICON-Enabled Connectivity Assets

Although that is a natural reaction from mainframe managers charged with protecting their organization’s most vital information and systems assets, it may prevent the organization from fully capitalizing on those assets in the long run. FICON-enabled connectivity to the growing pools of storage being collected on open systems SANs is central to realizing the vision of a true enterprise storage utility. When that happens, storage capacity can be dynamically allocated among all of the organization’s storage resources. In the process, such a storage utility will enable administrators to efficiently manage the entire enterprise storage pool through a single interface and allow systems and applications to access whatever storage they need regardless of where it is physically stored. It will play an important role in IBM’s own On-Demand computing initiative. Therefore, the knee-jerk, no-way reaction, while understandable and even prudent now, will need to be reassessed in the future.

Instead, enterprise storage managers will need to work with vendors to implement appropriate and effective security mechanisms if organizations are to realize the vision of leveraging a seamless stored enterprise data asset through the network. “Managers are just starting to think about security and storage networks,” said Nancy Marrone, senior analyst, Enterprise Storage Group, Milford, MA. What they come up with in terms of networked storage security will determine how far they can go in realizing this vision and how fast it will come about.

Unlike the mainframe storage manager at the financial services firm, other mainframe managers are welcoming the FICON option and the ability it brings to connect with open systems storage. “We added FICON to our Shark so we could connect with applications running on an RS/6000,” said Joe Poole, manager/technical support, at Boscov’s Department Store, a 39-store chain based in Reading, PA. The connection takes place across Fibre Channel.

With FICON, the company has so far avoided the need to set up a SAN. “We moved our file servers to Linux and use some of our regular Shark disk formatted for Linux, but it is all under VM,” he explained. Boscov’s operates one z900 system. Now that the company has Fibre Channel on both its Linux servers and the mainframe, it could set up an actual SAN, although it has no immediate plans to do so.

Poole certainly has concerns about security in this new environment. For that reason, each server has its own DASD allocation on the Shark. “We are very careful about allowing any sharing,” he said. Once storage is opened up for sharing, he fears, it can be compromised.

To the extent that SANs enable sharing, Poole’s concerns are valid. Storage security really became a priority with the advent of storage networks, notes Marrone. The SAN brought to the open systems world the kind of storage efficiency that has long characterized mainframe ESCON-based storage. Mainframe storage, in effect, represented the first SAN, enabling a set of highly secure hosts to share a large storage pool. However, the mainframe itself was highly secure and heavily protected.

The open systems SAN now makes it possible for the organization to do the same thing but among multiple, often far less trusted servers. The SAN eliminates much of the inefficiency of direct attached storage, which for now remains prevalent in the open systems world, although the clear trend, notes IDC, is toward networked storage. Through networked storage, particularly the SAN, organizations can dynamically allocate and reallocate storage to meet changing needs. In the process, storage managers are able to boost storage utilization rates, which typically hover below 50 percent, to levels that compare favorably with mainframe storage. That’s the good news.
