IBM mainframes plot course for container security market
Continuing efforts to make the mainframe technically fashionable, IBM offers a system promising rock-solid container security to compete against other container management tools.
IBM's mainframe modernization mission continues with a Linux-based system that offers tighter security for Docker containers and orchestration tools such as Kubernetes.
There have been precious few efforts to tie monolithic, transaction-based mainframe applications to container-based platforms and tools, but IT professionals are more interested than ever in connecting these environments.
"Users are looking for ways to take advantage of containers, like creating microservices," said Ashok Reddy, general manager overseeing New York-based CA Technologies' mainframe business. "There's a lot of data on mainframes where containers can be used with MongoDB and Spark."
To appeal to those traditional users who want to make use of the latest container and container management technologies, IBM has spun off a variation of the pervasive encryption technology it introduced in its z14 mainframe this past July. The new system, called the LinuxOne Emperor II, protects against both external and insider threats, with automatic encryption of data in flight and at rest, as well as during installation and runtime. It can manage up to 2 million Docker containers, scale to 170 cores and support MongoDB Enterprise instances of up to 17 TB in a single system, and it has been specifically tailored to handle Java workloads, including integrated garbage collection and disposal.
What IBM calls a Secure Service Container framework within LinuxOne manages and secures both on-premises and cloud-based applications that can inherit the security capabilities of the new platform without any changes to the software, according to company officials. This relieves corporate developers from having to build security into internally developed applications, allowing them to focus on other competitive features.
"The key difference here is we don't let system admins come onto the command line with admin credentials in a [Secure Service Container] environment," said Mark Figley, IBM's director of LinuxOne offerings. "Every admin function in that environment needs to be exposed as a webpage or as a restful service that can be used by orchestration tools."
It remains uncertain how much of a dent IBM mainframes can make in the market for container security and management, given that the technology is mainframe-based and faces a variety of well-established players, including Docker, CoreOS and Red Hat.
The cost of any mainframe-based technology and the scope of LinuxOne's capabilities will narrow its appeal to mostly large-scale deployments, said Charles King, principal analyst of Pund-IT. But it does give IBM mainframes a solid platform to explore the demand for container technologies in ways that others in the container security and management market cannot. In the largest global enterprise shops where mainframes still rule, armies of developers want to use the same tools as other developers, including containers, King said.
"Utilizing the encryption technologies [of the z14] for Docker Enterprise Edition that it employs for blockchain on LinuxOne, IBM has an opportunity to extend a proven security solution to a wider range of use cases," he said.
Others agreed that extending its pervasive encryption technologies to work in concert with its blockchain offering could give IBM mainframes an advantage over smaller security competitors when dealing with Fortune 500 companies. Companies, including IBM and CA, already have large shipping companies interested in blockchain and secure containers, for example, one longtime IBM consultant said.
The blockchain distributed database could be a killer app to help corporate IT shops accelerate their digital transformation.
"It's all about building trust. Trust is their new currency," CA's Reddy said. "I think this sort of encryption combined with secure containers could help create that trust."
At the same time, there are often conflicting sentiments about the mainframe platform within these larger customers, so IBM must downplay the mainframe aspect and more strongly promote the LinuxOne brand to steer them toward a mainframe-based container security bundle, Figley said.
"It allows us to focus on the real value proposition [security], rather than have it become a religious war about the mainframe," he said.
IBM also must engage with different stakeholders inside IT organizations than it normally would. These include the chief information security officer, line-of-business executives and heads of internal development.
"Developers just want the resources to be there when they need them without having to worry about the IT group saying, 'No, we don't have the proper resources' for a particular internal development project," Figley said. "I think this system can provide those resources."