May 1 ’09

IT Virtualization: Achieving Data Security Using Linux on System z

by Editor in z/Journal

With the global economic slowdown and projections for a prolonged recession, funding those “must-have” IT development projects this year will be a challenge. In 2009, IT managers will be lucky to get a fraction of the resources they’ll need to keep up with their organizations’ growing information technology requirements, as many planned projects are likely to be dramatically delayed, severely cut, or eliminated outright. Not surprisingly, IT managers this year will focus on maximizing the performance and functionality of existing computing systems in any and every way possible, while avoiding situations that require additional resources.

One approach many IT managers favor to address this objective is IT virtualization, which enables a computer system to efficiently and transparently share resources so a single physical server can act as many virtual servers. A well-planned and executed virtualization deployment can provide a host of benefits sure to resonate with today’s budget-minded IT managers, including: IT cost reduction, reduced energy consumption, improved flexibility and remote access, and a simplified computing model.

Just about every major IT system and application vendor today is touting some type of virtualization solution. Virtualization is expected to remain an IT bright spot this year despite the bleak IT budget outlook. Mark Bowker and Jon Oltsik, analysts with Enterprise Strategy Group (ESG), put it this way in a January 2009 report titled “IBM System z: The Enterprise Server Virtualization Platform?”: “As the IT world prepares for cost-cutting in 2009, server virtualization seems like one of the few technologies bound for continued growth and success.”

However, as IT managers pursue virtualization, they must be careful to do so methodically and with adequate advance planning. This is particularly important when it comes to securing the newly established virtualized environment. Too often, IT security is treated as an afterthought to the deployment of virtualization technology, which can have serious unintended consequences.

Data security should be at the forefront of any new enterprise IT virtualization initiative. IT managers must ensure they’ve explored every avenue and that their current security measures are strong and flexible enough to adjust to the dramatic changes in the way users will be interacting with critical data across their extended computing environments. This includes ensuring they implement a data security solution and associated policies that will protect their corporate assets in a virtualized environment. The ease and speed with which new hosts can be deployed in a virtual environment make it even more critical to apply due diligence and security measures comparable to those in the physical environment.

Linux on System z Advantages

As IT managers map out IT virtualization plans, they must determine which systems and platforms will best meet their needs, as well as the best way to ensure adequate levels of data security before, during, and after the transition.

Several industry experts believe combining the Linux operating system with the IBM System z makes an ideal virtualization platform. According to Bowker and Oltsik: “… the IBM System z may be the best enterprise-class virtualization platform available today. Organizations with mainframe investments, UNIX/Linux consolidation projects, or Web application development initiatives may find mainframe virtualization TCO [Total Cost of Ownership] especially attractive.”

Some key advantages to the Linux on System z combination include:

• Scalability: Linux on System z can run natively on the IBM System z hardware—or up to hundreds of virtual Linux servers can simultaneously run under z/VM (Virtual Machine)—providing massive scalability with a single server.

• Flexibility: In its simplest state of virtualization, a System z is a single Logical Partition (LPAR). In the next step of virtualization, the system can be expanded into 60 LPARs, each a separate virtual machine running a separate operating system.

• Cost reduction: Numerous small Linux and PC servers can be combined onto one mainframe, providing all the benefits of centralization, but still keeping a multitude of specialized servers (thanks to virtualization support). In addition, the physical “footprint” of a single mainframe is much smaller than that of a distributed server farm, and therefore is less expensive from an environmental perspective.

• System z security: Linux for System z can leverage the hardware cryptographic feature provided by the Peripheral Component Interconnect (PCI) card for Secure Sockets Layer (SSL) acceleration, providing support for e-business applications that use enhanced hardware security.

• Greater efficiency and reduced complexity: The Linux on System z solution enables dynamic sharing of physical resources and resource pools, resulting in higher resource utilization. Also, it eliminates the complexity inherent in adding new resources to the infrastructure.

• Improved Quality-of-Service (QoS): Linux on System z leverages advanced mainframe QoS capabilities, most notably the System z reliability and security features, to support continuous business operations, including transparent use of redundant processor execution steps, integrity checking, and “hot” processor replacement.

Maintaining IT Security in a Virtualized World

While virtualization can consolidate services, promote organized IT standards and optimize business processes, the challenge to secure data in a mainframe-based enterprise takes on new, different forms.

Deploying virtualization using Linux and the IBM System z lets IT managers take advantage of several strong security hardware capabilities. However, the new, varied ways in which data is stored, accessed, and transferred in a virtual environment require that IT managers keep security a top priority. Their best bet is to follow several time-proven security principles:

• Robust encryption: Encrypting data or files in transit in a virtual environment is equally or more important than in a “traditional” environment given the expanded points of access to sensitive mainframe data. Securing files and data transmissions from the server to all workstations, and from the workstations back to the server, is essential.

• Multi-platform support: IBM System z servers can run mixed workloads, including numerous operating systems in addition to Linux, through virtualization. In addition, given that many organizations utilize a variety of computing platforms, including Windows, UNIX, Linux, and IBM mainframe systems, the enterprise security solution selected must be able to integrate data communications across all types of heterogeneous IT environments.

• User authentication: With increased remote access to mainframe data, user authentication becomes increasingly critical. When organizations implement virtualization using Linux on System z, they must take the proper steps to authenticate the host and client machines in addition to authenticating the user through ID, password, or other means.

• Auditing/logging capabilities: If an existing mainframe system lacks logging functionality, it’s imperative for the IT manager to acquire this capability before transitioning into a virtual computing system.

• Continued compliance: Existing and emerging privacy, security, auditing, and risk management regulations and standards can help enterprises protect their data from more frequent, highly developed security threats or attacks, regardless of the computing environment or platform. So, IT managers must maintain compliance with such measures as the Sarbanes-Oxley Act (SOX), the Payment Card Industry (PCI) Data Security Standard (DSS), and the Federal Information Security Management Act (FISMA), as necessary, before, during, and after the virtual environment is established.

Time Will Tell

There’s little doubt IT virtualization is becoming an increasingly popular, viable solution for many efficiency-minded organizations. The cost savings and efficiencies alone may be enough to tip the scales in favor of virtualization.

It remains to be seen if the Linux/IBM System z combination will become the dominant virtualization platform. However, migration to a virtualized IT enterprise can be a complicated, time-consuming process, particularly for heterogeneous enterprise IT environments with mainframe and client/server systems running scores of complex applications. A host of new security threats face those bold enough to charge ahead into the new virtualized world. The biggest mistake any IT manager could make would be to move forward without a parallel data security migration path and roadmap. They should carefully weigh the benefits and impending security threats before committing to IT virtualization. Once they decide to proceed, they should identify and deploy a robust, iron-clad IT security solution that’s powerful and flexible enough to continuously protect all company, customer, and partner data, no matter how the IT infrastructure ultimately evolves.