LAKE WALES, Fla.—IBM claims its newest z13s server family—announced today at the IBM PartnerWorld Leadership Conference 2016 (February 16 and 17, Orlando, Fla.)—dovetails with hybrid cloud transactions involving Internet of Things (IoT) devices by keeping user data safe even if the system is tampered with or breached.
The key, says IBM, is an end-to-end solution using a hardware/software security infrastructure that guards user data before, during and after potential breaches. Instead of mere signature spotting, IBM uses analytics to identify malicious behavior even before its signature is known, based on learned behaviors using ever-improving machine learning. IBM calls the z13s the "world's most secure server" because all data is encrypted and the decryption keys are erased if a hacker tries to gain entrance.
IBM's z13 mainframes can encrypt and decrypt data twice as fast as previous generations by virtue of technologies like the CryptoExpress5S card here.
(Source: IBM, used with permission)
"Nothing else comes close to IBM's z-Systems, including the new z13s," Laura DiDio, the principal analyst at Information Technology Intelligence Consulting (ITIC, Boston) and director of Enterprise IoT and Analytics, Systems Research & Consulting and Strategy Analytics, told EE Times. "What IBM has done with its latest release is give IT managers the most advanced tools by embedding security into their mainframes by default at all levels," DiDio said. "And by giving access to its advanced cognitive tools z13s owners can also use them to repel intrusions before they happen."
IBM is following its own "big-brother/little-brother" strategy for systems somewhat similar to Intel's tick-tock strategy for processors, but different in that a smaller "s" version is released after every major mainframe release, according to Mike Kahn, managing director at the Clipper Group (Rye, N.H.). Kahn said the little-brother release is typically more affordable and also more self-contained. The z13 announced last year was a "big-brother" to the "little brother" z13s announced today.
"To handle today's analytics-heavy workloads, the z13s comes with a maximum of 4TBs of RAIM (Redundant Array of Independent Memory), while the z13 has a maximum of 10TBs. The z13s' cores (up to 20 of which are configurable for application use) have a cycle rate of 4.3GHz (compared with 5GHz in the z13)," which are z System cores that are more complex than Power cores but share some of the same features/functions/capabilities, according to Kahn. "Hidden behind these configurable cores (that are running z/OS, Linux and other operating systems) are additional mainframe cores that are used to accelerate I/O, perform security and system-health operations, and can serve as spares; for example, the maximum number of active cores for the z13s and z13 are 26 and 168, respectively. Applications can use the full processing power of each configurable core, which typically isn't true for Intel-architecture servers."
IBM z13 mainframes are optimized for hybrid cloud workloads by bringing the security of data encryption at twice the speed of previous generations.
(Source: IBM, used with permission)
According to DiDio and other analysts, IBM's z Systems are already predominant at banks and finance, health and welfare organizations, as well as in government and defense, and the former z13, introduced last year, gave mid-sized businesses an expandable mainframe base with a low cost of entry. Now the latest z13s follow-up this year is giving mid-sized businesses an even lower-priced entry point (starting at $75,000), albeit without the expandability of the z13, to take advantage of faster, more reliable encryption/decryption hardware/software as well as the superior uptime of IBM's platform.
"The z13s is the latest of IBM's 'mid-market' mainframes, a product class the company has delivered for over a decade to businesses smaller than the large enterprises that make up the majority of z System customers. It's an interesting approach that's helped to expand mainframe sales into new markets," Charles King, principal analyst at Pund-IT, Inc. (Cary, North Carolina) told EE Times.
Pros and cons
When DiDio recently conducted a non-vendor-funded survey of mainframe-calibre servers of all brands, one IT executive answered her question about how much downtime z Systems suffered with "z Systems don't go down." The survey itself revealed that the average downtime of a z System was 1.27 minutes per year, which divided by 12 yields about 7.5 seconds per month. That is a blessing, according to DiDio, whose non-vendor-funded surveys reveal that downtime can cost companies from $100,000 to $1 million per hour, with 75 percent estimating over $300,000 per hour.
According to IBM's Kathryn Guarini, vice president, Offering Management for z Systems & LinuxONE, the three key new features of the z13s are: first, the doubling of its encryption/decryption speed using the z System processor's on-chip resources and a new CryptoExpress5S card (pictured); second, its use of cognitive analytics to learn the normal behaviors of a client's z13s, allowing it to flag unusual hacker behaviors even if no one anywhere has previously experienced that specific type of attack; and lastly, its expanded portfolio of partnerships with certified z13s service providers.
"We call the z13s 'the world's most secure server' mainly because of the certifications it's received," Guarini told EE Times. "An example of our security measures is its tamperproof I/O [input/output] solution, the cryptographic coprocessor card cannot be penetrated--it detects tampering and zeros out all the protected [decryption keys], it can even detect unusual fluctuations in the outside voltage and temperature as well as physical tampering."
DiDio told EE Times, however, that IBM was being honest by only claiming the z13s were tamper-resistant, not tamperproof. After all, hackers and criminals today are getting more and more clever and eventually may find ways around the certifications behind 'the world's most secure server.' When EE Times pointed this out to Guarini, she retreated, saying that while IBM believed it was tamperproof, she should have said tamper-resistant since we live in a world of uncertainties (and IBM's policy is to err on the side of understating its specifications).
Nevertheless, Guarini rattled off a long list of security firsts that IBM did lay claim to, such as the first mainframe operating system (z/OS, although Linux-only models are also available) to have multi-factor authentication built into its kernel. The first to use sophisticated cognitive computing techniques to anticipate where intrusions might come from so they can be patched before a breach is even attempted. The first to detect intrusions as they are happening, zeroing decryption keys before they can be accessed. The first to encrypt all data without slowing down the processor, at twice the speed of the original z13, with multiple levels of integrated cryptography on the z System processor chip itself and its CryptoExpress5S co-processor card. And the first to collaborate with third parties offering z13s-certified services that IBM does not provide, but which can be acquired without compromising security.
"Important to this announcement are many new security offerings, some available through IBM's newly-announced partners. These focus on the hybrid cloud that can be created within the mainframe (say, with z/OS or with Linux) and the need to secure the ecosystem and to identify threats (both internal and external) as they are happening by using cognitive analysis," Kahn told us.
IBM's security offerings include Guardium—a data activity monitor that keeps track of who is accessing what data, complete with an audit trail—identifying inappropriate access attempts by hackers before they decrypt it. The Cyber Security Analytics option (free to try out) uses cognitive analytics running on IBM supercomputers off-site to learn each z13s's typical usage, becoming more effective as it learns over time, and alerting security personnel when unusual activities are taking place. Working with Cyber Security Analytics is QRadar, which does additional analytics correlating data from more than 500 sources to aid in deciding whether anomalous behaviors are potential threats.
IBM zSecure provides integration that harnesses security-relevant information from across the entire organization using real-time analytics to provide a context that helps detect threats faster, identify vulnerabilities, prioritize risk, and automate compliance activities.
IBM Security Identity Governance and Intelligence software likewise augments identity and authentication management by coordinating policies and preventing critical data from being accessed by inappropriate parties.
Lastly, IBM's newest program, called "Ready for IBM Security Intelligence," is basically a referral service to qualified z13s security expertise from other companies that have add-on capabilities that, through partnership with IBM, do not "break" any of IBM's own security measures.
The giant z13s chip shown here has embedded cryptographic functions that do not slow down its operation, thus offering improved performance even though data is encrypted.
(Source: IBM, used with permission)
IBM's new partners for z Systems include BlackRidge, Forcepoint (a joint venture of Raytheon and Vista Equity Partners) and RSM Partners.
BlackRidge supplies independent identity-based network security "before" the user is connected to the network, supplying an extra application layer that can stop known, or in some cases even unknown, threats before they are even connected to a z System.
Forcepoint supplies a z System-compatible Trusted Thin Client that can secure sensitive mission-critical data at the end-point (at the user) by offering them a read-only device that prevents access to z Systems even if lost or leaked.
And RSM Partners supplies application readiness, penetration testing and security review expertise for hire. It also supplies some software products to ease security administration with dashboards that visually present the current overall security "posture" of a z System.
— R. Colin Johnson, Advanced Technology Editor, EE Times