IBM Systems Magazine, Mainframe - July/August 2017 - 14

CURRENTS

  ° Accidentally, as in a botched upgrade or misconfiguration of some component of the solution
  ° Through malice
  ° Through failure to properly harden or maintain the hardening of a server
* Side-channel attacks attempting to exploit flaws in solution implementation
* File system tampering, damage, or the loss or corruption of individual files
* The threat from neighboring applications on several levels in a virtualized environment, from attempting to probe memory or storage to simply negatively affecting performance
For one to be fully confident, the solution must:
* Be fully isolated at all levels from all forms of influence from neighboring solutions
* Encrypt data at rest and in flight
* Be verifiably tamper-proof
* Require as close to zero administrative attention and requisite privileges as possible for operation
SSC provides a uniquely secure environment on IBM z or LinuxONE, delivering on these requirements in a way that would otherwise be difficult and costly.

Isolation and Guaranteed Service
The outermost level of the SSC is the LPAR, in effect a VM hosted by the "bare-metal," firmware-based hypervisor PR/SM*. An LPAR defines the resources available to the OS running within it (e.g., CPUs, memory, etc.). Resources, like CPUs, may be dedicated, shared or even over-committed. This virtualization technology in z Systems and LinuxONE provides several advantages. SSC benefits most from:
* Performance: PR/SM can manage resources in a way that maximizes utilization but still meets service levels for high-priority workloads, even if lower-priority workloads in another LPAR experience a spike in demand
* Security: PR/SM is certified to Common Criteria Evaluation Assurance Level (EAL) 5+, an international standard (ISO/IEC 15408), which means PR/SM isolates LPARs better than any other hypervisor isolates its VMs. With multiple LPARs that must communicate, workloads can be more secure than on two separate servers, as no vulnerable networking gear needs to be employed to connect them.
LPARs, therefore, provide the performance and security of a dedicated system, but without the wasteful practice of over-provisioning hardware to account for periodic spikes in demand, or the inferior security isolation of other hypervisors.

Securing File Systems
The next "layer" of SSC is storage encryption provided by the Linux* OS running inside the LPAR. Linux provides the Linux Unified Key Setup (LUKS). Several ciphers are available for use with LUKS (e.g., AES, Twofish and Serpent).
Linux offers a wide array of file system options. SSC uses the B-tree file system (i.e., Btrfs) for its easily verified integrity via a checksumming feature.
LUKS, however, can't be extended to the boot partition.

Businesses face 2 types of security risks: regulatory and existential

To secure the boot process, IBM provides vendors (currently IBM Blockchain, IBM z/VSE* Network Appliance and IBM zAware) with an IBM public key. Likewise, the vendor provides its public key to IBM. With these keys, the contents of the boot partition are encrypted; the integrity of the boot partition and process is established when the container is created, and that integrity is verified at boot time. For example, the LUKS key required to unlock storage is encrypted with IBM's public key and decrypted at boot time using IBM's private key, securely stored in a hardware security module on the hosting server. Likewise, signatures and checksums are verified to ensure other components haven't been altered since the vendor created the container.
This provides security against threats like an "evil maid" attack, one involving physical access to the system and the ability to alter it without immediate detection. With SSC, a disgruntled administrator cannot become an "evil maid."
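The boot-time flow just described (a wrapped LUKS key that only the host's private key can recover, plus a vendor-signed list of component checksums that is verified before anything is trusted) can be modelled end to end in a few dozen lines. The following Go program is an added example written for this page; it is not IBM's or SSC's code and does not reflect SSC's actual formats. It assumes Ed25519 for the vendor signature and RSA-OAEP for key wrapping, simulates the hardware security module with an in-memory private key, and uses constructed sample components rather than real boot images.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// Component is one file in the boot partition (name plus raw bytes).
type Component struct {
	Name    string
	Content []byte
}

// Manifest holds a SHA-256 checksum per component and the vendor's
// Ed25519 signature over the serialised checksum list.
type Manifest struct {
	Checksums map[string][32]byte
	Signature []byte
}

// manifestBytes serialises the checksums deterministically (sorted by
// name) so signer and verifier hash identical bytes.
func manifestBytes(sums map[string][32]byte) []byte {
	names := make([]string, 0, len(sums))
	for n := range sums {
		names = append(names, n)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	for _, n := range names {
		sum := sums[n]
		buf.WriteString(n)
		buf.WriteByte(0) // NUL separator; component names never contain NUL
		buf.Write(sum[:])
	}
	return buf.Bytes()
}

// BuildManifest models the vendor's step at container-creation time:
// checksum every component and sign the list with the vendor private key.
func BuildManifest(comps []Component, vendorPriv ed25519.PrivateKey) Manifest {
	sums := make(map[string][32]byte, len(comps))
	for _, c := range comps {
		sums[c.Name] = sha256.Sum256(c.Content)
	}
	return Manifest{Checksums: sums, Signature: ed25519.Sign(vendorPriv, manifestBytes(sums))}
}

// WrapLUKSKey encrypts the volume key to the host public key (RSA-OAEP).
func WrapLUKSKey(luksKey []byte, hostPub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, hostPub, luksKey, []byte("luks-volume-key"))
}

// UnwrapLUKSKey stands in for the HSM on the hosting server. Assumption of
// this example: the private key lives in memory; a real HSM never exports it.
func UnwrapLUKSKey(wrapped []byte, hostPriv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, hostPriv, wrapped, []byte("luks-volume-key"))
}

// VerifyBoot is the boot-time check: the manifest signature must be valid
// before any checksum is trusted, and every component must match exactly.
func VerifyBoot(comps []Component, m Manifest, vendorPub ed25519.PublicKey) error {
	if !ed25519.Verify(vendorPub, manifestBytes(m.Checksums), m.Signature) {
		return errors.New("manifest signature invalid")
	}
	if len(comps) != len(m.Checksums) {
		return errors.New("component set differs from manifest")
	}
	for _, c := range comps {
		want, ok := m.Checksums[c.Name]
		if !ok {
			return fmt.Errorf("%s is not listed in the manifest", c.Name)
		}
		if got := sha256.Sum256(c.Content); got != want {
			return fmt.Errorf("%s checksum mismatch", c.Name)
		}
	}
	return nil
}

// Demo runs the whole flow on constructed components and reports whether the
// untouched partition verified and whether an altered one was rejected.
func Demo() (cleanOK, tamperDetected bool, err error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	hostPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	comps := []Component{ // constructed sample contents, not real images
		{Name: "vmlinuz", Content: []byte("constructed kernel image")},
		{Name: "initrd", Content: []byte("constructed initial ramdisk")},
	}
	luksKey := make([]byte, 32)
	if _, err = rand.Read(luksKey); err != nil {
		return false, false, err
	}
	m := BuildManifest(comps, vendorPriv)
	wrapped, err := WrapLUKSKey(luksKey, &hostPriv.PublicKey)
	if err != nil {
		return false, false, err
	}
	unwrapped, err := UnwrapLUKSKey(wrapped, hostPriv)
	if err != nil || !bytes.Equal(unwrapped, luksKey) {
		return false, false, errors.New("LUKS key could not be recovered from the wrapped form")
	}
	cleanOK = VerifyBoot(comps, m, vendorPub) == nil
	// Simulate an offline change to one component made after signing.
	tampered := []Component{comps[0], {Name: "initrd", Content: []byte("constructed initial ramdisk, altered after signing")}}
	tamperDetected = VerifyBoot(tampered, m, vendorPub) != nil
	return cleanOK, tamperDetected, nil
}

func main() {
	clean, tampered, err := Demo()
	fmt.Println("clean boot verified:", clean, "| altered boot rejected:", tampered, "| error:", err)
}
```

The ordering in VerifyBoot is the point worth keeping: the signature over the whole manifest is checked first, so an attacker who can rewrite a component cannot simply rewrite its checksum as well, and the component count is compared so that an added or removed file is noticed rather than silently ignored.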

Better Business
The combination of PR/SM and Linux allows for a secure container into which the solution is installed. Typical solutions require administrators who install software, apply patches, etc. However, one goal of SSC is to eliminate administrative privileges, and thus eliminate the risk from a rogue administrator. To that end, SSC-based solutions employ a virtual appliance model (a pre-configured VM image ready to run on a hypervisor) with tightly controlled interfaces.
An SSC-based solution is delivered installed and mostly configured as a self-contained LPAR (i.e., an appliance). It's


