Monday, July 17, 2017

IBM z14 Mainframe = Trust and Security Benchmark

By Rich Ptak

Figure 1: z14 Design Goals (Image courtesy of IBM, Inc.)

IBM's introduction of the z14, the next-generation mainframe, raises the bar for enterprise security, scalability and performance, and also addresses pricing issues. It addresses the first three with pervasive encryption and technological innovation, and the latter with highly flexible container-based pricing models.

In their announcement details, IBM focused on the enterprise and business relevance of the z14.
There are too many new features, capabilities, and innovative aspects to cover in one article.
We will highlight the design goals and provide a quick overview of the perennially interesting new pricing models. Then we will look at the Open Enterprise Cloud aspects in a little more detail.

It's the z14 For Trusted Computing - Overview

The amount of business-critical data collected for rapid analysis and feedback continues to explode. Digital transformation is well on its way to reality for enterprises of all sizes. Data sharing includes an increasing number of partners and customers. The issues around data security, data integrity, data authentication, and the risk of compromise are of increasing concern. At the same time, an operating model built on the hybrid cloud (with collocation, shared infrastructure, multi-tenancy, etc.) is clearly establishing itself as the preferred enterprise computing infrastructure model for the foreseeable future. This results in enormous pressure on existing security and data handling approaches to adapt and change to be more innovative and reliable.

In the increasingly interconnected, interactive world, trust, security, and risk reduction and management are critically important. It is this operating environment that IBM aims to serve as it introduces the z14, the latest generation of mainframe computing.

So, IBM operated with three basic design goals and one major pricing innovation for the z14.
The design goals (see Figure 1) first:
  1. A new security model - pervasive encryption as the new standard for data protection and processing with no changes to apps or impact on SLA's - the security perimeter extends from the center to the edge - designed-for security, processing speed and power; the most efficiently secure mainframe ever. 
  2. Fully leverage continuous, in-built intelligence - complement and extend human-machine interaction with direct application of analytics and machine learning capabilities to data where it resides - leverage continuous intelligence across all enterprise operations.
  3. Provide the most open enterprise operating environment - new hardware, open standard firmware, operating system, middleware and tooling that simplifies systems management for admins with minimal IBM z knowledge - more Open Source software supports agile computing, e.g. leverage and extend existing API's as service offerings; easier scaling of cloud services.

Next, pricing innovation:

After some extensive research with customers, IBM is introducing three new pricing models.
The goal is to provide increased operational flexibility with prices that are significantly more
competitive and attractive for modern digital workloads. Container Pricing for IBM z is designed
to provide "simplified software pricing for qualified solutions, combining flexible deployment
options with competitive economics that are directly relevant to those solutions." We provide
some details later. First, a look at the Open and Connected aspect of the z14.

Open and Connected

Today's market demands open, agile operating environments, and services with new or
extended capabilities introduced rapidly and seamlessly, all delivered through an
agile, open enterprise cloud. The z14 software environment is designed to meet those expectations.
Advanced DevOps tools that leverage new and existing APIs can cut service build times by
90%. To speed innovation, IBM's extensive ecosystem of partners is developing and
delivering thousands of enterprise-focused, open source software packages to support the
mainframe in accelerating the "delivery of new digital services through the cloud." Let's look at
this a little more closely.

The new z14 is about leveraging APIs to speed development and ease access to mainframe
capabilities. The goal is to make the powers of the mainframe easier for developers and
users to access, simpler to use and more quickly deliverable to the
market. This is to be achieved with new hardware, firmware, operating system, middleware
and tooling that simplify systems management tasks. These also make the process easier for
system administrators with minimal IBM z System experience and knowledge.

The procedure breaks down into four tasks:

  1. Discover - leverage existing investments by helping developers to quickly, automatically discover existing applications and services that can then be converted to API services. 
  2. Understand - prior to going into production or implementing application changes, identify the dependencies and interactions between the applications and APIs to identify how they are affected by any changes. Know where and what an API touches to avoid down time and re-working of changes. It also minimizes the risk of removing protection of critical data by exposing an API. 
  3. Connect - provide easy, automated creation of RESTful services based on industry standard tooling to rapidly create new business value, e.g. link a vacation search to destination appropriate clothing, hotels, interesting sites, etc. Or, associate an order for heavy equipment to a link that suggests purchasing insurance, maintenance, installation or operating services. 
  4. Analyze - use operational analytics and data collection to create an enterprise view of the mainframe and the surrounding operational environment. Integrate the z System data with data from over 140 different data sources in any format. Search, analyze and create a visual representation of service activities and interactions using SIEM tools, such as Splunk or open source Elasticsearch. This helps in early identification of potential problem areas such as performance bottlenecks or operational conflicts.

New capabilities dramatically add performance and scalability to already impressive
mainframe abilities. These include zHyperLink, a new direct-connect,
short-distance link designed for low-latency connectivity between the z14 and FICON
storage systems. It can lower latency by up to 10x, which can reduce response time by up to 50%
in I/O-sensitive workloads, without any code changes. The z14 has available, as a purchasable
option, Automatic Binary Optimizer for z/OS®, which automatically optimizes binary code for
COBOL applications and can reduce their CPU usage by 80% without a recompilation. One
z14 can scale out to support an impressive 2 million Docker containers. Now, let's look at

Container Pricing for IBM z

Any mainframe discussion is bound to include a discussion of pricing policies, management,
and control. Customers want predictability - to know what the bill will be. They want
transparency - knowing how billing is calculated. They want visibility - to understand the
impact of changing or moving workloads. They want managerial flexibility - ability to adjust
workload processing and scheduling to balance their needs with computing costs.

IBM's solution is the concept of Container Pricing for IBM z, which provides line-of-sight pricing
to make the true cost highly visible. It applies to a collection of software collocated in a single
container. It determines a fixed price which applies to that single container[1] of software with no impact to the pricing of anything external to the container.

[1] A container is a collection of software treated for pricing purposes as a single item. The collection is priced separately and independently of any other software on the system.

A container pricing solution can be within a single logical partition or a collection of partitions.
Multiple, collocated and/or stacked containers are permitted. Separate containers with different
pricing models and metrics can reside in the same logical partition. Container deployment is
flexible to allow the best technical fit, independent of the costs. Three types of Container
Pricing solutions are offered now:
  1. Application Development and Test solution (DevTest) - provides DevTest capacity that can be increased (up to 3x) at no additional MLC cost. Clients choose the desired multiplier and set the reference point for MLC and OTC software. Additional DevOps tooling with unique, discounted prices is available. 
  2. New Application solutions - special, competitive pricing for those adding a new z/OS workload to existing environments. There is no impact on existing workload prices. The container size determines the billing for capacity-priced IBM software. 
  3. Payments Pricing solution - offers on-premise, Payments-as-a-Service on z/OS based on IBM Financial Transaction Manager. It applies to software or software plus hardware combinations. 
This is a simplified review of the new model. Contact IBM for more detailed information. IBM
will be refining and adding models to meet customer needs. Moving on to the other design goals.

Trust + Security thru Pervasive Encryption

Data and application security in enterprise IT have taken a beating in the last few years. Traditional security techniques and barriers have fallen victim to numerous attacks as well as rapidly evolving threats and scams. Successful attacks and breaches came from sophisticated external criminals as well as from insiders acting maliciously or accidentally. Victims range from large, sophisticated financial institutions to national governments and ministries. Even blockchain ledgers have proven vulnerable to weak implementations and clever hackers.

With data widely recognized as an asset of escalating value, the risks and costs of such breaches increase. Traditional security methods focused on trying to prevent successful intrusions or minimizing damage with selective encryption, rapid detection, and blocking. Selective data encryption proved too expensive, resource intensive and inconsistent in application. And significant risks remain when leaving some data unprotected or weakly protected as hackers and intruders become more sophisticated. Also, new policies or evolving compliance requirements can make once non-critical data critical, further weakening selective methods.

IBM's solution was to design the z14 with hardware technology and software protections that make pervasive encryption from the edge to the center including the network affordable, efficient and rapid. All data is encrypted all the time without requiring any changes to applications and without impacting Service Level Agreements (SLA's).

Application of Machine Learning

Successfully leveraging artificial intelligence (AI) in the enterprise had been an elusive goal
for decades. Early attempts were frustrated by limitations in expertise, processing power, high
costs and the sheer amount of effort required to build and test models.

Today, the maturation and automation of modeling techniques along with improvements in
infrastructure and technology have allowed AI, more accurately described as machine learning,
to come into its own in the enterprise. Examples in the z14 include optimized instructions,
faster processing of Java code, and improved math libraries that speed and improve analytics.
The 32TB of memory means the z14 can process more information and analyze larger
workloads and in-memory databases in real-time. The results come in the form of prompt
availability of actionable business insights that result in better customer services. The
announcement contains much more about machine learning applications as well as Blockchain
capabilities. Topics for future coverage.

The Final Word

The new z14 is an impressive and worthy addition to the IBM mainframe family. It promises
"Trusted" computing on the platform that has been the benchmark for processor security. That
is a much-desired deliverable in a highly integrated, totally connected, rapidly evolving world of
digital enterprise. There are many more attractive features to the new z14. These include
unique-to-IBM Blockchain services which provide significant protection against fraud. There's
the ability to rapidly build microservices choosing from over 20 different languages and
databases to use. There's the free access to the mainframe for those interested in testing the
ease of use features or expanding their mainframe skillset. (See

By delivering efficient, affordable, speedy 100% end-to-end encryption of all application and
database data, it pushes infrastructure boundaries to achieve a uniquely secure environment,
without requiring any changes to applications, services or data. IBM has also implemented
unique encryption key protection that removes any risk of the key being exposed. To do so without
changing or impacting the ability to meet SLAs is remarkable. IBM estimated encryption overhead at
"low-to-mid" single digits.

IBM's focus on automating and facilitating the utilization and optimization of API services is a
very smart move on their part. An on-going 'critique' of the mainframe has been that it is
inaccessible, living and operating in its own isolation. That was true in the past, but the last few years have
seen a dramatic alteration with the emergence of the "Open, Connected and Innovative"
mainframe. The change has been rapid and significant.

The significant impact of the introduction of Linux on Z and the proliferation of numerous Open
Standard solutions, APIs, tools and interfaces cannot be ignored. The introduction and
movement of numerous Open Stack products to the mainframe along with the addition of agile,
Open Source DevOps tools and APIs have made the mainframe's extensive capabilities easier
to access and faster to exploit by a much wider audience. This is reflected in the growth of the
highly diverse ecosystem of mainframe partners, ISVs and developers working with IBM. The
z14 looks to accelerate that process.

The mainframe, IBM's longest running product, has seen its ups and downs over the last 50+
years. Anticipation and predictions of its death have filled column space of way too much IT
commentary, stories and speculation. The z14 fills a well-defined, valuable place in the IT