The heart of the UF Mobile Web is the Integrated Student Information System, which keeps students on track with class schedules, required textbooks, academic dates and information, grades and important announcements. In addition, a live interactive map of the campus shows where buildings are located and where a bus is on its route, while an emergency feature allows users to contact the UF Police or the operator in two clicks.

The UF Mobile Web was developed using the Mobile Web Open Source Project, but users are actually accessing data via the university’s IBM CICS Transaction Server, which runs on IBM System z.

UF realized that by taking advantage of its IBM System z environment, it could mitigate risks such as poor application quality, inconsistent connectivity across devices and lack of security. With System z, the application performs to the highest standards, while maintaining the integrity of personal and confidential data.

With its ability to scale, deliver high levels of availability and offer the highest levels of security available on a commercial platform, System z can meet the demands for data integrity when communicating with mobile applications. And with the widespread growth of Linux to power these applications, it’s the logical place to start.

For companies interested in mobile apps, there are three common goals identified, which also offer the most opportunity for System z:

Build and connect. Connecting to and running back-end systems in support of mobile. Businesses are struggling to bridge the gap between mobile devices and enterprise data and services by using services that extend network applications and capabilities to the increasing diversity of mobile devices. This can allow them to maximize worker productivity and deliver more satisfying customer engagement. Key capabilities include building Web applications that can be connected to System z. 

IBM solutions: IBM Worklight Studio with Rational Developer on System z gives customers a common set of tools for end-to-end mobile development for System z. Companies get the advantages of native app development, and then use WebSphere MQ and WebSphere Message Broker to connect back-end applications with mobile devices.

Manage and secure. Managing mobile devices and applications and securing mobile business. With millions of employees expected to join those already following a Bring Your Own Device (BYOD) policy at work, this is an especially critical challenge. Enterprises are looking for ways to enable secure transactions from virtually any device and any location, while keeping the network protected and running efficiently.

IBM solutions: IBM Endpoint Manager enables businesses to adopt BYOD strategies and supports security of mobile devices. It provides a single view for visibility, management and automation to simplify administration and reduce total cost of ownership as employees connect back to data on System z.

Extend and transform. Extending existing business capabilities to mobile devices and transforming business by creating new opportunities. There’s more to the mobile app than building, managing and securing it—and it offers more potential than simply looking up information. Companies want to redefine the customer experience at every touchpoint, including the moment of decision.

IBM offers solutions, such as Cognos, that link mobile with analytics and social business. It will help clients reinvent the customer experience, extend customer marketing to mobile devices, and empower employees and Business Partners with anywhere-anytime information and collaboration.

IBM solutions: IBM Rational Tools allow IT to integrate requirements, planning and quality management into the mobile app development lifecycle.

Mobile is a transformational business model that’s changing the way we work. IBM’s goal is to be the number one provider for enterprise mobile solutions, and clearly, System z will play a strong role in this success.

Top 3 Mobile Concerns

According to a 2011 “IBM Tech Trends Report,” these are the top concerns:

1. Security/Privacy (53 percent)
2. Cost of developing for multiplatform (52 percent) 
3. Integrating cloud service with mobile (51 percent).

The IT industry is undergoing a mobile transformation as the explosion of mobile devices in the marketplace has driven service providers, such as banks and utility companies, to offer mobile applications. The proliferation of mobile devices brings a new raft of challenges to application developers as they do battle with competing platforms, frameworks and technologies—and this is just on the mobile device. This doesn’t even begin to address the additional complexity of connecting to existing enterprise services, many built long before mobile devices appeared on the scene.

Thankfully, a revolution of this sort isn’t uncommon in IT. Think back 10 years before the mainstream uptake of Service-Oriented Architecture (SOA), which led to the service-enablement of many existing back-end applications, extending their reach and transforming business flexibility in the process. Mobile is similar in this respect, offering business another transformational step, broadening the reach, flexibility and immediacy of the services they offer.

The challenge facing mobile developers today is to create a compelling mobile solution without having to re-architect the enterprise to achieve it. Businesses worldwide already have a huge investment in IT solutions, and when we look at the world of the mainframe, the applications and data they host are typically there to support core business. As businesses try to differentiate themselves from their competition, they often turn to IT solutions to find an advantage. It’s no surprise that businesses are seeking technology solutions to unlock the value of their mainframe assets and extend their reach onto the mobile platform.

Mobiles and Mainframes

What do we really mean by mobile? For most people, the term mobile is synonymous with a mobile phone. However, we shouldn’t limit our thinking; today, the term covers a broad range of form factors—from the smartphone to the tablet—and we’re even starting to see the convergence of the mobile platform with laptops. As we noted before, this represents a huge challenge to the mobile developer in determining which platform(s) they should support. Of course, the mobile transformation isn’t without its supporting frameworks; jQuery, Dojo and Sencha offer developers a simplified approach to building a common look and feel for their apps. However, these frameworks certainly aren’t the complete integration solution a developer needs to connect to their enterprise applications and resources residing on the mainframe.

So, we’ve looked at what mobile means, but what about the mainframe? What are we referring to when we use that term? The mainframe is home to critical enterprise applications and data. It’s common for mainframe applications to be hosted inside CICS Transaction Server (TS), with their accompanying data stored in DB2 or perhaps on VSAM files. In a modern enterprise, you might also expect the applications to be based on an SOA model, where subcomponents have been enabled as Web services. CICS TS provides a robust, scalable, secure transaction processing environment capable of handling millions of transactions per day. CICS TS also ensures updates to multiple data sources remain consistent, even when failures, such as crediting and debiting bank accounts, occur.

Bridging the Gap

Building a mobile offering around existing mainframe resources might sound like an unusual match, but we’ve already recognized that the mainframe represents the core business and IT investment, and the growth of the mobile application market can’t be ignored. Business requires a solution that can bridge the gap between the mobile and the mainframe in a way that makes it easy to support multiple mobile platforms.

The IBM Mobile Foundation provides the solution in the form of IBM Worklight. IBM Worklight provides a platform for developing and managing applications for mobile devices. It enables you to create rich mobile applications without relying on unpopular scripting languages and it supports all popular mobile platforms. More important, from the mainframe perspective, it also offers a middle-tier component, the Worklight Server. 

A common concern among data center managers and architects is mainframe security. Given the critical nature of the applications and data residing on the mainframe, being able to isolate it from the outside world is imperative. The Worklight Server acts as a gateway between the mobile and mainframe worlds, providing secure connections to the mainframe through its adapter-based architecture.

CICS Support for JSON Data

JavaScript Object Notation (JSON) is becoming the industry’s favored solution for mobile data exchange, thanks to its lightweight formatting rules that don’t require costly processing. The IBM CICS Transaction Server Feature Pack for Mobile Extensions V1.0 introduces native support for JSON data in CICS and is available at no additional cost. This immediately removes a significant barrier between the mobile device and the mainframe application, allowing them to communicate in a common language. The final piece of the puzzle is the Worklight Server, which provides an HTTP adapter that can be used to connect to CICS to send and receive JSON data, finally linking the mobile to the mainframe.

A Mobile-to-Mainframe Example

Let’s consider an insurance company that wants to offer its customers a mobile insurance solution. The company might have gone through an SOA transformation in the past, so it already has a componentized architecture for its core business services. It wants to bring these services to its customers without having to introduce new application components to do so.

Figure 1 illustrates the three core components we discussed earlier in a typical configuration pattern. The application running on the mobile device connects to the Worklight Server, passing a request in JSON format. The Worklight Server’s adapter validates the request before passing it on to CICS, again in JSON format or as a SOAP request. CICS receives the request and invokes the target service, converting the JSON data into the format expected by the target service. When the service responds, CICS packages the response in JSON format and returns it to the Worklight Server, which in turn passes it back to the mobile device. The beauty of this solution is twofold: The mobile application developer doesn’t need to worry about the native data format of the mainframe application, thanks to the JSON support, and the mainframe application developers don’t need to modify any application code to support the mobile offering.

JSON: Not Just for Mobile

JSON format isn’t restricted to use with just mobile devices. Its lightweight representation and ease of processing mean it has been widely adopted and supported. JSON extensions exist for a wide range of languages, and native support is now available in Web browsers. Many IBM products also have support for JSON, among them is WebSphere Message Broker. The CICS Feature Pack for Mobile Extensions opens up opportunities for connecting CICS to a vast spectrum of devices and technologies extending far beyond mobile.

Summary

The proliferation of mobile devices is a global phenomenon, and it’s having a profound effect on the way we go about our daily lives. Everything from reading the news, to checking stock markets, to transferring money between accounts can now be done on the move from a mobile device. As business starts to exploit new mobile service offerings, connecting to existing enterprise systems becomes increasingly important—especially doing so without excessive cost, disruption or a need to re-architect existing applications.

CICS TS is host to many core business applications; the challenge is finding a suitable solution to exploit these applications on mobile devices. In conjunction with Worklight Server, CICS TS provides a robust, scalable hosting environment capable of handling the most demanding mobile-driven workloads. The IBM CICS Transaction Server Feature Pack for Mobile Extensions V1.0, available at http://ibm.com/cics/mobile, provides improved integration with mobile devices, thanks to the JSON support it offers. If you want to deliver compelling mobile solutions that support all the major mobile platforms, integrated with your existing mainframe applications, then CICS TS combined with the new mobile feature pack and Worklight Server provide the robust platform you need.

For further information on CICS and mobile, watch the CICS goes Mobile Webcast, available at https://www.ibm.com/developerworks/mydeveloperworks/blogs/cicsdev/entry/cics_goes_mobile_
webcast_replay1?lang=en.

Bring the mainframe to your mobile by unleashing the value of your enterprise.

You may have in-house, non-cloud solutions that provide five 9s uptime and adhere to the strictest levels of security, but when moved to the cloud, public or private, you may be concerned that you won’t be able to get those same levels of service. This is especially true with the public cloud; for this reason, many companies are turning to internally hosted cloud solutions. The natural inclination is to push these solutions onto a sprawl of distributed servers, but in many cases, this isn’t the optimal place to host them. In fact, System z could easily be the most optimal platform for your deployments. Consider these five key reasons why:

1. Even cloud solutions need robust platforms. If you’re convinced that moving to the cloud is a good idea, and you’re hosting your solutions in a private cloud, then you need to determine which platform provides the optimum environment for your various applications and evaluate business requirements related to reliability, cost, security and performance.

For more and more organizations, these cloud service requirements are leading straight to the mainframe. No system is more robust than the System z, and compliance teams will agree the mainframe offers unmatched security. When it comes to performance and scalability, System z outperforms everything else in the data center. Sometimes the mainframe isn’t viewed as being the most cost-effective platform, but for Linux it absolutely can be.

2. It runs the same Linux you run on other platforms. There are many misconceptions about running Linux on the mainframe, the primary one being there’s something special about that version of Linux. Organizations tend to think of the mainframe as a place to run only z/OS-based systems, but by leveraging Integrated Facility for Linux (IFL) processors, you can run the exact same Linux systems you run in your distributed environment. Both SUSE and RedHat have equivalent System z Linux distributions.

3. It can be an extremely cost-effective platform. Another misconception when looking at Linux is that the mainframe is expensive. This is based on the thought that adding work to the mainframe will increase those MIPS-related costs; however, you can use IFLs, which cost a fraction of a System z general purpose processor. In fact, the mainframe can often be more cost-effective than the same distributed environment—especially if you have high uptime requirements.

If you already own a mainframe, then there’s a 60 percent chance it already has one or more IFLs installed, regardless of whether or not you’re using them. IFLs sit in the existing mainframe chassis, so even if you must purchase an IFL, you won’t be adding to your data center floor space, power consumption or cooling costs. Plus, you’re already managing the hardware, security, networking, etc.

On top of the infrastructure savings, the savings in license costs can be even more significant. One such example is an insurance company that has indicated their total costs for hardware, software and support were up to 80 percent less than in a distributed environment. This is especially true for software that’s licensed per core, such as Oracle.

One cost-savings approach we often see is server consolidation. This involves a company reducing its number of physical servers and using virtualization and load balancing to better utilize what resources they have. Typically, this also involves moving to a single vendor to gain better pricing leverage. If you take an extreme approach to this, you will have to find a platform that can host your mainframe-like applications and your distributed workloads; the truth is that the only platform capable of that is the mainframe. More typically, we’d expect to see companies move toward a single distributed platform plus the mainframe, but offloading work to Linux on System z can ease that transition.

4. Nothing virtualizes like a mainframe. So, we’ve established that we need a robust virtualization platform to support our cloud initiatives and the mainframe can run the same Linux operating system you run today. In comparison to a distributed environment, the mainframe has amazing resilience, can utilize its resources to a much higher level, is more secure and can cost significantly less to own.

A real-life example illustrates this: One company based in the Middle East was already running a mainframe replicated to a backup data center. The distributed team was told they needed to also add a backup data center for their business-critical Linux systems. To accommodate that many additional servers, they would have had to open a new backup data center, but instead they chose to simply move those x86-based Linux environments to System z. They inherited the mainframe’s highly available environment, and saved millions of dollars and huge headaches.

5. If you need to communicate with z/OS, then it’s unbeatable. Many companies make a great case to just run generic Linux applications on System z but if your Linux applications also need to communicate with the systems running on z/OS, then the value proposition becomes even clearer. If your Linux applications are running on an IFL and are communicating with systems on z/OS, such as DB2 or CICS transactions, then the network traffic never leaves the mainframe, which gives you superb performance and the ultimate in network security. Note that your Linux on System z environments can also communicate with other non-System z instances in the same way as a distributed system.

Accelerating System z in the Cloud

It’s worth noting that in mainframe terms, Linux is a high-growth area. According to IBM, 50 percent of all mainframe capacity shipping today comes from specialty processors, mainly IFLs, and 50 percent of all new mainframe customers take delivery of mainframes that only contain IFLs.
Application design tools that automate deployment of Linux applications to both x86 and System z can empower you to accelerate service delivery to the “best fit” platform, while also addressing the growing need for scalability, reliability and security across your enterprise. It’s also valuable to have cross-platform tools that enable you to dynamically reconfigure resources across the enterprise for optimum cost and performance based on changing workloads and business requirements. Look for solutions that not only provide this platform flexibility, but have also been designed to fully leverage all the unique benefits of the mainframe, including ease of communicating with back-end z/OS systems.

The ability to programmatically drive the provisioning of Linux systems is an important factor. One key difference between a virtualized environment and the cloud is the ability to support a self-service front-end. Your Linux deployment and management solutions need the flexibility to be driven by external systems—to include provisioning, maintenance and de-provisioning the running system. You need the ability to not just clone a Linux environment but to change key aspects of your application and, even better, change attributes and resource usage of your application components.

The final part of the equation—the ability to de-provision a system at the end of its lifecycle—is possibly the most important and often overlooked step in the Linux management world. You should be able to programmatically stop execution of an environment or destroy it entirely, returning all resources to the central pool. Provisioning Linux environments is just part of the equation, but without the ability to easily catalog and quickly de-provision, you’re actually contributing to the virtual server sprawl problem.

Cloud has become a critical part of many IT infrastructures and as such it needs a robust platform on which to run. System z will provide that platform in a cost-effective, secure and robust fashion. It really does behoove companies to look closely at the mainframe as part of their enterprise cloud strategy. 

Consider System z for the cloud because it’s:

1. Reliable. Even cloud solutions need robust platforms.
2. Flexible. It runs the same Linux that you run on lesser platforms.
3. Cost-effective. It can be an extremely cost-effective platform.
4. Virtualized. Nothing virtualizes like a mainframe.
5. z/OS-connected. It’s unbeatable if you need to communicate with z/OS.

Compuware APMaaS is the only solution that enables organizations to optimize user experience, manage performance, availability and service levels from a unified real-user and synthetic perspective, all within a single on-demand platform for fast and easy deployment.

"EMA's extensive research on User Experience Management shows that in a growing number of IT environments, UEM needs to address not just application performance, but capacity planning and business impact, while also shortening development and testing cycles," said Dennis Drogseth, Vice President at Enterprise Management Associates. "With APMaaS, Compuware has brought together web and mobile application performance, business impact, user behavior, and global ecosystem interdependencies into a unified, on-demand platform. This sets Compuware apart in a marketplace where fragmentation and clutter are still the norm."

Compuware APMaaS provides a single platform for managing performance, availability and service levels across web, mobile and cloud applications and sets a new bar for modern user experience management that includes:

• Real User Monitoring: Complete view of application performance and actual end user experience for all users, browsers, devices and geographies. Understands and quantifies "visits" for expanded use-cases such as help desk. Automatically identifies and monitors all landing pages for better SEO and measures every transaction, including JavaScript/AJAX page actions, mobile tap and swipe, 24/7 in production.
• Synthetic Monitoring: Provides an "outside-in" perspective of web, mobile and cloud application availability and service-levels. Identifies when key pages and transactions are slow or unavailable from multiple geographies around the world before customers are impacted. With PurePath® Technology, drill inline into transaction anomalies for faster problem resolution.
• Third-Party Services: Measures the performance of all third-party services like CDNs, ads, social media and video and enables companies to instantly determine if a problem's root cause is internal or due to a specific service provider. Capture sessions for off-line analysis with third-party provider.
• Business Impact: Quantifies the impact of application performance on real-user experience, customer satisfaction and business results. Track real-time conversions, abandonment and revenue alongside performance. Prioritize action based on business 'facts,' not IT guesswork.

"Go Daddy, the Web's top platform for small businesses, uses Compuware APM to manage the performance and availability of its most important applications," said Go Daddy Lead Performance Engineer Marcel Verkerk. "Now with Compuware APMaaS, we are able to bring next-generation real user monitoring and synthetic monitoring together into a single platform to quickly understand what, where and how, users are impacted by performance problems. It allows Go Daddy to address these issues quicker according to business impact, which ultimately leads to a better, more responsive experience for our customers every time they use our applications."

"Today more than ever, IT organizations are squeezed between mounting complexity, increased user and business demand, and the manpower and funding to keep up," said John Van Siclen, General Manager of Compuware's APM business unit. "Now, thanks to the convergence of two of our key industry-leading technologies—PurePath from dynaTrace and the Gomez Performance Network—into a single cloud-based environment, customers now have a complete, on-demand solution for application performance management from the user perspective."

Compuware APM is the leader in a new generation of application performance management. Unlike traditional APM solutions that are heavy, difficult and reactive, Compuware APM is light, smart and proactive. Compuware APM is built to manage the complexity of today's most challenging modern applications including mobile, cloud, big data and SOA. Compuware APM optimizes and monitors tens of thousands of applications for more than 4,000 customers, large and small, around the globe. Through the lens of end-user experience, our customers enjoy faster performance, proactive problem resolution, accelerated time-to-market and reduced application management costs through smarter analytics, advanced APM automation and a unique performance lifecycle foundation.

Compuware is recognized as a leader in the "Magic Quadrant for Application Performance Monitoring" report.

Compuware Corporation

Compuware Corporation, the technology performance company, makes technology make a difference by providing software, experts and best practices to ensure technology works well and delivers value. Compuware solutions make the world's most important technologies perform at their best for leading organizations worldwide, including 46 of the top 50 Fortune 500 companies and 12 of the top 20 most visited U.S. web sites. Learn more at: http://www.compuware.com.

Batch applications sometimes require exclusive access to resources in order to make them effi-cient to run and they typically share business logic online. Batch processing is usually accom-plished through automated processes that remove resources in CICS, run the batch process and finally restore the resources in CICS. This batch window, as it’s frequently called, can be minutes to hours long, during which time the CICS applications either aren’t available or may operate with reduced features.

CICS is a modern, general-purpose transaction processing environment for online applications, providing unparalleled qualities of service for mixed language workloads of business-critical data and processes. As companies provide access to their online services across more geographies and time zones, and customers require services at all hours of the day and night, there’s a growing need for online applications to be available continuously. This has led to pressure to minimize or even remove the window in which CICS resources are exclusively allocated to batch.

Here we discuss how these two conflicting interests can be aligned by allowing batch jobs to be architected in a way that allows them to run in parallel with online work, under the control of CICS.

A Modern Batch Paradigm

The key behavioral aspects of a batch application that can run alongside online transactional ap-plications are:

• The batch application must share access to resources with online applications.
• The batch application must be able to work with data that could be changing as the online applications process requests.
• The batch application must take regular checkpoints to free up transactional resources, so online applications aren’t blocked from completing for excessive amounts of time.
• If the batch application fails, it must be possible to restart it from its most recent checkpoint.

In addition to these key requirements, there are other important secondary requirements:

• The batch workload may have to complete by a certain time to meet service level agree-ments.
• The batch job may not be able to run until prerequisite processing has completed.
• It must be possible to manage the scheduling of the batch jobs and see the progress of a batch job.
• The solution must integrate well with existing traditional batch jobs and job schedulers.
• Development of batch applications should be as simple as possible and leverage widely available skills.
• It should be possible to share business logic between online transactional applications and batch applications.

IBM WebSphere Application Server (WAS) v8.5 includes the capability to schedule and process batch jobs using a paradigm that meets these requirements. It provides a multiplatform, Java-based batch solution that enables batch jobs to be executed across environments such as CICS and WAS.

WebSphere Application Server Network Deployment v8.5 for z/OS provides these key capabilities:

• A job scheduler, capable of dispatching batch jobs to run inside CICS and WAS
• The ability to break a large batch job into manageable parallel tasks in a controlled fashion to help ensure that batch jobs complete in time to meet their service level agreements.
• Integration with MVS JCL; JCL can be submitted, where one or more of the JCL jobsteps drive modern batch applications via the WAS job scheduler
• Integration with existing workload schedulers via the JCL integration.

To enable a modern batch application to be dispatched into CICS, CICS has provided a batch con-tainer that runs inside its Java Virtual Machine (JVM) server environment, enabling Java batch ap-plications to run and to use existing CICS programs and resources via the JCICS API.

The batch container is designed to let the user focus on writing business logic by taking care of things such as:

• Informing the scheduler of the batch jobs that can be hosted in the CICS region
• Starting and managing batch jobs, including viewing the job logs
• Providing an abstraction layer for access to various input and output resources to enable them to be used in a batch job step in a consistent manner
• Taking regular checkpoints to commit updated resources and release obtained locks
• Recovering a job from its last checkpoint in the event of a failure.

Figure 1 shows how a job can be submitted from JCL, sent through the job scheduler and executed inside CICS.

When Does It Make Sense to Run a Batch Job in CICS?

There are various reasons to run batch applications in CICS:

• When there’s pressure to reduce or eliminate the batch window and CICS applications are required to be available for longer each day
• When CICS has opened resources exclusively needed for batch
• When the batch application can tolerate changes to the resources it’s accessing, then the application may be able to run alongside online transactional work.
• When you want to reuse CICS business logic, or access CICS services from batch, running the batch job in CICS can help reduce duplication and make it quicker and easier to devel-op new applications.

The Benefits of Running a Batch Job Inside CICS

There are numerous benefits of running batch jobs in CICS:

• Your online CICS applications can be available longer, as there’s less need to take the CICS-managed resources offline.
• You can focus on business logic and let the batch container take care of checkpointing, re-covery, logging, etc.
• A common batch programming model makes it easier to develop applications across plat-forms and run-times.
• Parallel job management enables multiple application instances to process a batch job, minimizing the overall time needed to run the job.
• You can minimize cost through the use of Java, which can be offloaded to System z Appli-cation Assist Processors (zAAPs)
• Use of common industry or open source frameworks for functions such as preparing PDF invoices, which are commonly available in Java.

Conclusion

Batch processing has proved to be an efficient, manageable and reliable method for bulk pro-cessing of updates to data. As businesses expand, the volume of data to be processed also ex-pands. At the same time, the growth of online transactional workloads suggests that a new para-digm is needed to enable the two processing styles to work better together. The CICS batch con-tainer provides this new capability.

IBM has provided an initial implementation of the CICS batch container known as CICS Transac-tion Server support for the WebSphere Compute Grid. For more information on the CICS batch container, visit www.ibm.com/support/docview.wss?uid=swg24027213. For more information on WebSphere Application Server, visit www.ibm.com/software/webservers/appserv/was/.

Enterprise Executive sat down with Rich Guski, who recently retired from IBM, to get his insight into current and future security trends he sees. Rich was a key participant in RACF security development and also the architect of several CICS security functions that shipped with RACF for z/OS 1.10 during his 27-year tenure with IBM. He’s also a Certified Information Systems Security Professional (CISSP), as defined by the International Information Systems Security Certification Consortium (ISC)2. 
 
Enterprise Executive: Rich, what are you currently doing now that you’ve retired from IBM?

Rich Guski: I’m currently doing mainframe computer security consulting work.

EE: Do you continue to stay apprised of current security trends that would benefit mainframe professionals?

Guski: Yes. I still attend and speak occasionally at RACF User Group (RUG) meetings and Vanguard conferences.

EE: What current or future trends do you see in the realm of data security that affect the z/OS environment?

Guski: If you’re the manager of an IT organization, one of your responsibilities, as the custodian of your organization’s data, is to comply with requirements for the security and handling of sensitive data. For many years, the simplest way to demonstrate compliance was to use a well-known mainframe Access Control Product (ACP), such as IBM’s RACF, CA’s ACF2 or CA’s Top Secret, and use the associated ACP tools to generate reports to prove to auditors that you’re protecting the sensitive data. But lately, newly emerging standards for security of sensitive data are complicating this picture.

EE: Can you give us an example of such an emerging standard and what it means for the IT executive. 

Guski: Yes. Certain sets of security requirements, the Payment Card Industry Data Security Standards (PCI DSS), for example, have evolved their own requirements for the security and handling of sensitive data such as credit card numbers that are used by their industry. The PCI Security Standards Council has the responsibility of managing the PCI DSS standard. What makes the PCI DSS standard unique is that, unlike many other regulations, it comes from private industry rather than the government.

EE: Are there other standards and regulations besides PCI DSS that IT executives should be concerned about?

Guski: Yes, there are other compliance frameworks that, while not exactly the same as PCI requirements, nevertheless result in managerial action items similar to those driven by PCI DSS. However, for the sake of brevity, allow me to focus on PCI DSS for now, but be mindful that my conclusions will apply to other sets of sensitive information that a typical IT executive might be responsible for. Look at it this way: PCI DSS could be viewed as a “Standard of Due Care” in case a data breach ever goes to litigation.

EE: Most mainframe shops use mainframe security products such as RACF, CA-ACF2 or CA Top Secret. Don’t these provide all the security required for mainframe data?

Guski: No. What I’m saying is that these new standards and regulations such as PCI DSS are effectively raising the bar of mainframe security beyond the current reach of these products as they’re used today.

EE: Can you explain this rather strong statement?

Guski: Sure. Most mainframe ACPs are configured to use Discretionary Access Control (DAC), which is an access architecture whereby security administrators or data owners decide how the data should be protected. Users, who must access the data in order to use it as part of their job function, are granted at least READ authority to the data. Any user who can read the data, in effect, becomes a “custodian” of the data with direct control over the disposition of the data. As an example of how a custodian of data can change its security and disposition, consider the following: A user who’s authorized to READ certain data can make a copy of that data, giving the copy a different name with different access control rules. Therefore, they can give READ authority to other users without regard to the data content. Responsible managers know what they know about the location of production confidential and sensitive information, but they don’t know when the confidential and sensitive information is copied to unknown data repositories.

EE: You mean to say that “unknown” sensitive data may have proliferated inside the mainframe environment in such a way that IT organizations don’t know exactly where it is and how it’s protected? Wow! Could you explain how this might happen and provide some examples?

Guski: Yes, of course. Consider the following common scenarios:

• Your production support team is under pressure to fix a program abnormal termination (Abend) and get production back on schedule. To test a required fix, a team member copies production data to his or her own “user-ID prefixed data sets.” To expedite problem resolution, no time is spent sanitizing confidential and sensitive information, which may exist within the data. After the problem is resolved, for various valid reasons, the copied data isn’t deleted from the system.
• Another scenario is when a system user uploads confidential and sensitive information from a distributed platform to the mainframe into a repository that may be protected differently and is unknown to the manager who’s the responsible custodian of the data.
• A user is assigned to produce a report for executives and must do queries of a database containing sensitive information. He stores the query results in data sets under his userid prefix and then produces the report. He never deletes the data sets containing the query results, which contain sensitive information.

In each example, the copied data is inappropriately protected and logging attributes may be incorrectly configured. Again, the scenario continues downhill when the data isn’t promptly deleted, which is often the case. Additionally, some of the co-workers also routinely have access to this data since it’s stored in user-ID prefixed data sets, compounding the problem. These and similar scenarios are referred to as “data leakage,” which is now becoming a recognized risk by IT auditors. While the security experts are focusing on cyber security attacks, is anyone paying attention to the threat of insiders downloading improperly secured leaked data?  

EE: How about companies that have outsourced the management of their mainframes and sensitive data to third-party service providers?

Guski: This is an interesting question. Managers who are responsible for the security and disposition of sensitive data sometimes assume that since the processing of the data has been moved outside their organization, they’re no longer responsible for its security and disposition, but this isn’t so. Again, using PCI as an example, the organization is still responsible for ensuring the service provider performs certain control functions to ensure compliance with the PCI requirements regarding proper handling and security of data, and that the output of these control procedures is presented to the requesting organization to be added to their records for later perusal by their auditors.

A secondary problem that often shows up when an IT organization turns PCI cardholder data over to a service provider occurs when copies of the cardholder data, either complete or partial, are mistakenly left on the organization’s mainframe. PCI requirements state that the organization must be able to show that no such data exists outside of “known data repositories.” These scenarios show how sensitive data can leak outside the scope of a known data repository and become a security and audit risk to the organization.
 
EE: OK, I can see how data leakage can occur especially over a long period of time and with changes of personnel. But how does data leakage add risk to an IT organization’s bottom line?

Guski: Risk assessments are fundamental requirements found in almost all regulations and requirements, and they have long been a tool for mainframe security auditors. They’re important in determining how data should be protected whether it’s stored, transmitted or archived. Since data leakage has only recently begun to be recognized as a threat, it has only now begun to be included in mainframe risk assessments by auditors. To ignore data leakage in mainframe risk assessments presents an obvious loophole. If a mainframe risk assessment hasn’t been conducted at all, then it’s highly likely that little thought has been given to the mainframe data leakage problem.

Furthermore, if this risk wasn’t identified and included in a mainframe risk assessment, management isn’t positioned to make an intelligent decision regarding potential risk to the organization such as “accept the risk and associated consequences if a breach does occur,” or “demonstrate due diligence by initiating a data discovery project to scan and find all data repositories for unknown cardholder data.” Identifying and documenting mainframe data leakage in a risk assessment also removes the “plausible denial” factor.

To further expand on this point with PCI as the example, let’s consider an instance where all known cardholder data has been identified and is included in the scope of the Cardholder Data Environment (CDE), and any unknown cardholder data is considered to be outside the scope of the CDE.

The following excerpts are from the PCI DSS 2.0:

Scope of Assessment for Compliance with PCI DSS Requirements

The first step of a PCI DSS assessment is to accurately determine the scope of the review. At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope. To confirm the accuracy and appropriateness of PCI DSS scope, perform the following:

• The assessed entity identifies and documents the existence of all cardholder data in their environment to verify that no cardholder data exists outside of the currently defined cardholder data environment (CDE).
• Once all locations of cardholder data are identified and documented, the entity uses the results to verify that PCI DSS scope is appropriate (for example, the results may be a diagram or an inventory of cardholder data locations).
• The entity considers any cardholder data found to be in scope of the PCI DSS assessment and part of the CDE unless such data is deleted or migrated/consolidated into the currently defined CDE.
• The entity retains documentation that shows how PCI DSS scope was confirmed and the results retained, for assessor review and/or for reference during the next annual PCI SCC scope confirmation activity.

To be a bit more specific, there are several PCI requirements that will be identified as “Not in Place” when “undiscovered” cardholder data exists outside the defined CDE on a mainframe. I will cite two of these requirements as examples, along with the risk associated with not knowing if and where all such data exists:

PCI Requirement 3.1.1.d: Verify that policies and procedures include at least one of the following: A programmatic process (automatic or manual) to remove, at least quarterly, stored cardholder data that exceeds requirements defined in the data retention policy. The risk associated with data leakage is that unknown cardholder data that leaks out of the confines of the known environment will be non-compliant with the PCI organization’s data retention policy.

PCI Requirement 9.10.2: Verify that cardholder data on electronic media is rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise physically destroying the media (for example, degaussing). The risk associated with data leakage is that on mainframes, electronic media includes data repositories residing on both DASD and tape. Unknown cardholder data won’t be identified and therefore may not be rendered unrecoverable via a secure wipe program.

Although PCI data has been used repeatedly as examples in this discussion, this same thought process should also be applied to any confidential and sensitive information stored on the mainframe.

EE: OK, I see now how data leakage can translate into a mainframe audit compliance risk. So, are there any commercially supported tools available that can help assess and mitigate the risks associated with data leakage on mainframes?

Guski: Your question uncovers another problem with conducting a risk assessment for data leakage on mainframes. Although data leakage discovery tools are presently in use for distributed platforms, they’re only just beginning to become available for the mainframe.

An example of a comprehensive and commercially supported data leakage discovery and prevention tool that runs on the mainframe is DataSniff from XBridge Systems. This product provides the capability to search for and discover confidential and sensitive data so that appropriate protection can be applied. This protection may include deletion, migration to removable media, encryption or validation of the access controls for this data. This action will significantly reduce the data leakage risk to any organization.

DataSniff can also be used to support projects such as “encrypt all social security numbers.” The first step is to find all files that contain social security numbers, including those files associated with data leakage. 

And after the encryption project is complete, running regular data vulnerability scans is important because social security numbers can creep back into the mainframe environment from external sources.

EE: Rich, in closing, can you summarize and possibly leave us with any additional suggestions for improving security for sensitive data of which we may be responsible?

Guski: Certainly. IT managers are responsible for the security of confidential and sensitive information that’s entrusted to their organization. Mainframe interaction with distributed environments and other factors, such as mergers and acquisitions, have added the new threat of data leakage to the existing responsibilities that IT management must address. The PCI standard, which is typical among recently emerged data security standards, implies that Data Leakage Prevention (DLP) must be addressed to prove compliance. Commercially supported discovery tools, such as DataSniff from XBridge Systems, have only recently become available for mainframes. IT organizations with mainframes should consider this tool in order to understand and significantly reduce the data leakage risk and to ensure audit compliance.

“Our customers integrate CICS applications with Web, cloud, and mobile resources,” Russ Teubner, HostBridge CEO, said, “and they always look for better ways to increase efficiency and reduce TCO. To help achieve these objectives, we maintain strong relationships with IBM product groups and engineer our technologies to exploit the best IBM technologies. HostBridge v6.62 offers a range of enhancements to help CICS customers save time, cut costs, and make money.”

HostBridge v6.62 improvements include:

• More robust HBz (HostBridge for zIIP) server. This component, enabling 100 percent of integration/Web services/SOA workloads to run on the zIIP, now runs faster to further reduce costs.
• Tighter integration between HostBridge Socket Support and HBz server. Organizations replacing CICS Socket Support (EZASOKET) with HostBridge Socket Support shift MIPS to specialty engines, cut general processor MIPS consumption, and reduce mainframe TCO.
• Improved DB2 integration. The HostBridge Web Services Engine improves support for direct access to DB2, enabling organizations to integrate anything mainframe with anything distributed.

“With HostBridge v6.62,” Teubner added, “organizations can improve the reliability, availability, and serviceability of critical IBM mainframe assets, particularly in integration with other enterprise applications, Web applications, SOAs, and clouds.”

To learn more about HostBridge v6.62 and CICS TS V5.1, attend a live IBM-HostBridge joint webcast on Wednesday, 5/15, 11 a.m. EDT. Ian Mitchell, Chief Architect for CICS and IBM Distinguished Engineer, and Russ Teubner, HostBridge CEO, present Tales from the Trenches highlighting real customers gaining efficiencies and lowering TCO using the latest CICS and HostBridge enhancements. Register at http://www.hostbridge.com/index.php/news/events.

About HostBridge

HostBridge Technology provides high-precision integration and optimization software for CICS® and other IBM System z® assets. Using our patented products, enterprises integrate anything mainframe with anything distributed, optimize mainframe performance, reduce mainframe TCO, improve processes, and make money. For more information visit http://www.HostBridge.com/ .

POWER7+ today is the most powerful chip IBM offers in the Power line. The plus version increases the number of virtual machines from 10 to 20 per core while it correspondingly decreases the minimum processor resource to 5 percent for software development. Each core experiences up to 25 percent frequency gain due to mapping into 32nm technology. The chip designers also increased the L3 memory capacity by 2.5 times, doubled single precision floating-point performance, and added POWER Gating regions for Core/L2 and L3 regions to increase granularity for power management purposes.

POWER7+ Specifications

The POWER7+ runs eight processor cores with 12 execution units per core. It delivers four-way Symmetrical Multi-Threading (SMT) per core with 32 threads per chip (four threads multiplied by eight cores) and 360GB per second Symmetric Multiprocessing (SMP) bandwidth/chip. It provides 256KB of L2 cache per core and 80MB (10MB per core) of on-chip embedded Dynamic Random Access Memory (eDRAM) for shared L3 cache.

As it did with previous recent plus variations, IBM may release versions of POWER7+ with their clocks turned way down so two processors can be squeezed into a single Power server socket, a technique referred to as double-stuffing. This isn’t available now but may become available in a few months, according to Satya Sharma, a senior IBM chip designer.

The chip includes 2.1 billion transistors and runs at up to 4.42 GHz. It also features an added Dynamic Platform Optimizer, an Active Memory Expansion Accelerator (see “Tuning POWER7 Active Memory Expansion for SAP” at http://entsys.me/k5t1o) and on-chip encryption for its AIX operating system (the Power series also runs iOS and Linux).

POWER7+ offers easy growth via Capacity on Demand (CoD) and has added more flexible elastic CoD (on/off CoD) enablement keys, allowing for what amounts to utility pricing. You will have to check with IBM for any initial day credits or any no-charge processor and memory day credits. Finally, POWER7+ comes with a slew of accelerators and is binary-compatible with POWER6/7.

POWER7+ has 13 different metal levels (almost as many as the zEC12 chip). The multiple metal levels help minimize cross-die latency but offer nothing a system administrator can use to tweak system performance. The 32nm die allows for the logic transistors to have three different threshold voltages, which enabled IBM to optimize each part of the POWER7+ chip for power and performance.

Finally, IBM has built in several accelerators that offload work from the CPU and speed performance of Secure Sockets Layer (SSL), encrypted file system and Active Memory Expansion (AME). They include:

• Accelerator for Asymmetric Math Functions (AMF) for use with Rivest, Shamir, Adleman (RSA) cryptography and Elliptic Curve Cryptography (ECC)
• Advanced Encryption Standard (AES)/Secure Hash Algorithm (SHA) for use with symmetric-key cryptography with combinational modes
• Random Number Generator (RNG) that provides a true hardware entropy generator that can’t be algorithmically reverse-engineered
• High-bandwidth and an area-efficient 842 proprietary compression algorithm (842 refers to the 8-byte, 4-byte and 2-byte parsings the algorithm supports for memory compression).

All these accelerators are integrated across silicon, Industry Standard Architecture (ISA), hypervisor and the operating system.

Using POWER7+

By putting so much in hardware, IBM makes the capabilities applicable to a broad range of workloads, and users get the benefits automatically, adds Sharma. That means no additional user configuration or integration is required. The RNG, however, is delivered to users as a standalone facility, too.

The accelerators are sophisticated and comprehensive. The AEX accelerator includes modes for ECB, CBC, CTR, CCM, CCA, GCM, GCA, GMAC, CM, F8 and XBC-MAC-96 and key lengths of 128b, 192b and 256b. The secure hash algorithm supports SHA-1, SHA-256, SHA-512, MD5 and HMAC for SHA. Accelerators support modular math functions for RSA and ECC, including mod add, mod subtract, mod inverse, mod reduction, mod multiplication, mod exponentiation, mod exponentiation CRT (integer only) functions and more. The RNG produces 64b random numbers accessible by Memory Mapped Input/Output (MMIO) load instructions with correctness verified against the National Institute of Standards and Technology (NIST) random number generator test suite.

Organizations using POWER7+ servers out-of-the-box will get most of the benefits of the enhanced chip automatically. According to Sharma, it requires no special configuration work on the part of the organization.

Java and database workloads, for example, will experience an immediate performance boost from the increased cache. There are, however, a few areas where users willing to do some additional configuration can benefit, especially when it comes to active memory expansion.

In addition, energy savings is an area where organizations can configure POWER7+ for the level of energy savings appropriate to their situations. Start with the chip’s three conservation modes: Nap, Sleep and Winkle.

• Nap stops clocks to only the processor core execution engines while leaving all caches running, effectively preserving cache coherency. This saves approximately 10 percent with 5us latency.
• Sleep turns off the core plus private L2 cache while leaving the shared L3 cache running. It requires restore/reinitialization to wake up; it saves approximately 80 percent of power with approximately 3ms latency.
• Winkle turns off the entire chiplet and takes offline one-third of the shared L3 cache. It provides maximum savings but at higher latency. It requires restore/initialization to wake up and saves more than 95 percent of the power consumption with less than 6ms latency.

For additional energy savings, you can drop the processor speed by 50 percent. This can be effective when your workloads don't require full chip speed. With POWER7+ power-gating, you can control the caches by regions in any combination, which allows you to configure the processor for the level of energy savings you need based on the trade-offs between energy savings and latency. POWER7+ can scale-up cores and cache segments as necessary and scale them back down again when the server is less busy.

The POWER7+ also deploys a Critical Path Monitor (CPM) for real-time detection of the available circuit timing power margin. CPM, built into the firmware, performs real-time detection of voltage levels and understands how levels change due to process variation, system power supply variation, workload-induced thermal and voltage variation, aging, random uncertainty and test inaccuracy. Without CPM, the margin lets the microprocessor operate correctly during worst-case conditions, but during typical conditions, it’s larger than necessary and wastes energy, according to IBM researchers.

The CPM—on-chip sensors that measure the timing margin available to circuits on the chip—adjust clock frequency within cycles in response to excess or inadequate timing margins and can achieve a specified average clock frequency target. The CPM is part of the POWER7+ overall real-time chip guardband management. By reducing voltage settings in this way, IBM can reduce average processor power by 24 percent with no performance loss while still meeting industry-standard benchmarks. Guardband management, however, is something Sharma advises administrators not to undertake.

Chip geeks have been buzzing about the POWER7+ since August 2012, when it was unveiled publicly at the Hot Chips conference. The single-socket POWER7+ implementation is aimed at customers who want the best possible single-thread performance. What generated the biggest buzz, however, was the possibility of the double-stuffed POWER7+ sockets. Any double-stuffed POWER7+ server will be aimed at workloads that need more cache per clock cycle and more threads per system. With a double-stuffed machine, reportedly, you could get 512 cores into a single system image.

More interesting may be what POWER7+ will do at the high end of the UNIX server market. Late in 2012, HP introduced a server based on the new Itanium chip. The Itanium 9500 chip boasts 3.1 billion transistors and supports up to eight cores—twice as many as the previous Itanium.

According to published specs, it offers up to 54MB of on-die memory and enables up to 2TB of low-voltage Dual In-line Memory Module (DIMMs) in four-socket configurations. The Itanium 9500 provides up to 2.4 times performance scaling and 33 percent faster I/O speed over the previous generation, with frequencies ranging from 1.73 GHz at a power level of 130 watts, to 2.53 GHz at 170 watts. This doesn’t match the zEC12 and, depending on the workload, it might not beat the 4.42GHz POWER7+ either despite more transistors.

The real question remains what the POWER8 chip will be like. All Sharma will say is that it will be very different and offer much more capability. This much IBM has publicly disclosed: The chip promises improved SMT, even better reliability, larger caches, more accelerators, more use of virtual memory and more cores. It will be built on 22nm silicon. There probably won’t be much tweaking left for administrators; IBM’s direction lately is to build more expertise and optimization into its systems at the factory.