Security

Is “Virtually Secure” Enough?

Virtualization is not new. Virtualized environments were first introduced in the 1960s; the most notable was the experimental IBM M44/44X system. This system was based on an IBM 7044 (the ‘M44’) and simulated multiple 7044 virtual machines (the ‘44X’) using both hardware and software. The term Total Enterprise Virtualization (TEV) describes a growing trend toward enterprise-wide deployment of a variety of virtualization technologies that ultimately contribute to business flexibility, cost reduction, productivity gains, and green IT. “TEV extends the advantages of virtualization – greater availability, scalability and capacity with greater resource utilization – across the enterprise.” SHARE, the world’s largest association of corporate users of enterprise IT technology, conducted a survey in 2009 which revealed that the majority of participants recognize the advantages of TEV and are preparing to move forward with it. However, all promising IT initiatives have their challenges, and TEV is no exception. The SHARE survey revealed that the biggest challenge organizations faced in deploying a TEV strategy was a lack of expertise / available skills. Not far behind were security issues.

In the February / March issue of z/Journal, under the column entitled “Laying the Security Groundwork,” columnist Stu Henderson examined six categories of questions related to mainframe security: access to the network, access to the system, access to data sets and resources, operating system protection, organizational issues, and dealing with auditors. Let’s take one of these, operating system protection, and look at it a bit more closely.

In a distributed server environment, operating systems are typically “locked down” or “hardened” as a means of protecting the operating system from internal and external harm. Wikipedia defines “hardening” as “the process of securing a system by reducing its surface of vulnerability.” This is accomplished by removing unnecessary software, eliminating unused logins, and disabling unnecessary services. The Wikipedia article goes on to point out that, in principle, a single-function system is more secure than a multi-purpose one. Consider a Linux mainframe environment where you have hundreds of Linux virtual machines running on a single IFL. The beauty of running Linux on a mainframe is that it runs natively, introducing a wide variety of new, mainstream applications to the mainframe world. But just as a system administrator in a distributed server environment must lock down each Linux operating system, mainframe Linux system administrators have the same responsibility, in most cases on a much larger scale.

IBM’s Redbook “Practical Migration to Linux on System z” recognizes the need to harden Linux VMs running on System z. A newly installed operating system, whether running on an x86 server or a System z mainframe, will by default have a variety of services enabled and disabled in order to ease the installation process. Changing the base Linux VM to a production-ready state, or hardening it, provides a baseline for security. According to the Redbook, “if a hardened Linux image does not already exist, then you should create and maintain one.” Once you have a hardened image, the real challenge lies in maintaining the base hardened Linux VMs. The Redbook states, “kernels change and security patches are issued, so you need to develop a plan for maintaining the base image and assigning the resources to accomplish it. Thus, successive migrations will benefit from a properly maintained base hardened Linux VM.”

Today, there are a variety of tools and services that can assist Linux system administrators in creating hardened Linux images and maintaining the hundreds of VMs that run on the mainframe. Some organizations rely exclusively on outsourced services to achieve this security, but others find that approach very expensive and lacking in effective knowledge exchange. Several years ago, a tool called Security Blanket was introduced as a means of automating the hardening of an operating system. Today Security Blanket runs on the IBM System z and provides the user with the ability to manage and harden all Linux VMs from a single management console. Linux VMs can be grouped according to similar production security requirements, assessed against a number of industry-standard guidelines, including the CIS Security Configuration Benchmarks, and configured to meet those guidelines in a matter of minutes. Organizations have discovered that automating the hardening process saves vast amounts of time and resources, and provides reliable, manageable, and consistent security across their Linux System z environment…

Read Full Article →

Some data protection challenges—such as business continuity and disaster recovery—remain familiar, but still require attention. Other challenges—such as data privacy issues within data security, new compliance demands, and management of information for civil litigation purposes (i.e., eDiscovery)—are clamoring for new attention. All in all, data protection (using a broad definition of the term) requires a strengthened commitment. Failure to do so can lead to the risks associated with having gaps in data protection coverage. For example, not protecting Personally Identifiable Information (PII) properly could be costly as well as generate unfavorable publicity…

Read Full Article →

System z customers run some of the most secure workloads in the world. To architect these secure workloads, they must have the building blocks necessary to integrate their business requirements into an end-to-end secure solution. This requires hardware and software to interact flawlessly to make use of the latest technologies available to System z…

Read Full Article →

This article describes the need for identity and resource access management on the mainframe to mitigate inappropriate use of applications and data. It will compare and contrast how such management is implemented by the three top security servers: IBM RACF, CA-Top Secret, and CA-ACF2. It points to the System z mainframe as the most secure platform, making it the best choice for hosting highly sensitive data, including electronic keys required to access encryption-protected data and to sign and authenticate sensitive data exchanges. Finally, it considers how the three security servers are evolving to manage such keys as well as their role in an enterprise Public Key Infrastructure (PKI)…

Read Full Article →

Mainframe modernization via Service-Oriented Architecture (SOA) and other means introduces certain risks to the quality and accuracy of data. Even though the mainframe has the most durable protections in the industry, necessary integration with small platform systems—to provide user productivity interfaces—opens the door to “man-in-the-middle” attacks and other threats far beyond those contemplated in the system’s initial design. …

Read Full Article →

Last December, I slipped on the ice, fell, and hit my head. I also banged up a shoulder, hip, and elbow, although I wasn’t really aware of those injuries until later. But I could tell immediately that my head had bounced off the icy concrete, so I did the sensible thing; I stayed on the ground and called someone to help me get up. Within minutes, I was inside, feeling warm and lucky that nothing was broken. Then a headache hit, hard and fast, and my friends insisted I go to the ER to get checked out…

Read Full Article →

This new column is targeted to security administrators and data security officers, but also will benefit CIOs, auditors, system programmers, and all IT staff. To lay the groundwork for this and future columns, and to help you focus on some of the top concerns in today’s data centers, I’ve listed several questions we may cover here, organized into six categories. I haven’t listed concepts common to all platforms (such as user security awareness), since they’re no different on the mainframe…

Read Full Article →

No longer solely the province of the mainframe, with its centralized repository and management, Identity and Access Management (IAM) has extended itself to distributed platforms such as UNIX, Linux, and Microsoft. As a result, enterprises are using multiple IAM systems on multiple platforms to manage identity and access. IT has to ensure it knows how to bring together all the IAM components running on desktops, LANs, the mainframe, and other platforms…

Read Full Article →