Four Ways To Transform Your Mainframe . - Redbooks.ibm


Four Ways to Transform Your Mainframe for a Hybrid Cloud World
IBM Garage Technical Enablement Series
Guillaume Arnould, Guillaume Hoareau, Herve Sabrie, Sebastien Llaurency, Yann Kindelberger
IBM Redpaper

Mainframe application modernization: The four strategic dimensions

The IBM mainframe remains a widely used enterprise computing workhorse, hosting essential IT for the majority of the world's top banks, airlines, insurers and more. As the mainframe continues to evolve, the newest IBM Z servers offer solutions for AI and analytics, blockchain, cloud, DevOps, security and resiliency, with the aim of making the client experience similar to that of using cloud services.

Many organizations today face challenges with their core IT infrastructure:

- Complexity and stability: An environment might have years of history and be seen as too complex to maintain or update. Problems with system stability can impact operations and be considered a high risk for the business.
- Workforce challenges: Many data center teams anticipate a skills shortage within the next 5 years due to a retiring and declining workforce specialized in the mainframe, not to mention the difficulty of attracting new talent.
- Total cost of ownership: Some infrastructure solutions are seen as too expensive, and it is not always easy to balance up-front costs with the life expectancy and benefits of a given platform.
- Lack of speed and agility: Older applications can be seen as too slow and monolithic as organizations face an increasing need for faster turnaround and release cycles.

Some software vendors suggest addressing these challenges with the "big bang" approach of moving your entire environment to a public cloud. But public cloud isn't the best option for every workload, and a hybrid multicloud approach can offer the best of both worlds. IBM Z is constantly being developed to address the real challenges businesses face today, and every day we're helping clients modernize their IT environments.

Consider the following strategic elements when modernizing your mainframe environment:

- Infrastructure
- Applications
- Data access
- DevOps chain

This IBM Redpaper publication focuses on these modernization dimensions.

Copyright IBM Corp. 2021. ibm.com/redbooks

Infrastructure modernization

Most IBM clients' mainframe systems are operating on the latest IBM Z hardware, but some are using earlier systems. The first step in updating your mainframe environment is adopting the newest features that can help you get the most from your infrastructure. Many technical innovations were introduced in IBM z15. This platform has been engineered to encrypt data everywhere, provide for cloud-native development, and offer a high level of stability and availability so workloads can run continuously.

Application modernization

Core system applications, implemented as monolithic applications, form the backbone of many enterprises' IT. The key characteristic of these monolithic applications is the hyper-integration of the main components of the application, which makes it difficult to understand and update them. Modernizing your mainframe applications starts with creating a map to identify which applications should follow a modularization process and which should be refactored. This implies working on APIs and microservices for better integration of the mainframe with other IT systems, and often redefining the business rules. You might also move some modules or applications to the cloud using containerization.

Data access modernization

For years, some businesses have chosen to move their sensitive data off IBM Z to platforms that include data lakes and warehouses for analytics processing. Modern businesses need actionable and timely insight from their most current data; they can't afford the time required to copy and transform data. To address the need for actionable insights from data in real time, and the cost of the security exposures due to data movement off the mainframe, IBM Z offers modern data management solutions, such as production data virtualization, production data replication in memory, and data acceleration for data warehouse and machine learning solutions.

DevOps chain modernization

The pressure to develop, debug, test, release and deploy applications quickly is increasing. IT teams that don't embrace DevOps are slower to deliver software and less responsive to the business's needs. IBM Z can help clients learn how to modernize through new DevOps tools and processes to create a lean and agile DevOps pipeline, from modern source-code management to the provisioning of environments and the deployment of the artifacts.

This paper highlights how to modernize through new DevOps tools and processes, to create a lean and agile continuous integration / continuous development (CI/CD) DevOps pipeline, from modern source code management to the provisioning of the environments and the deployment of the artifacts. We will go through these four pillars and explain how to modernize the mainframe.

Infrastructure modernization

The world has changed, and we are living in a dangerous world. In every international crisis, there is now a risk of cyber attack in the background. Cyber activities orchestrated by very organized entities demonstrate day after day that they develop new and sophisticated types of attacks to slow down, to destroy, and ultimately to remove targeted organizations from the market.

This is one of the reasons why most security standards and regulations have raised the bar of their expectations to a higher level, and faster than before. In the recent past they focused only on data breaches and security; nowadays they extend to data privacy and cyber resilience.

In September 2019, IBM introduced the IBM z15, the latest evolution of the IBM Z technologies, designed for cyber resilience, security and privacy. It introduces leading-edge new technologies to comply with today's and tomorrow's challenges, helping organizations to better protect their data at speed and volume, in motion and at rest, on and off the IBM Z platform.

Hardware evolution to tackle new security challenges

At first, with the launch of IBM z15, IBM announced an important evolution of the hardware encryption features. The CP Assist for Cryptographic Functions (or simply CPACF), embedded inside each processor chip, supports new encryption algorithms that matter to encrypt data faster and to reduce the increase in CPU utilization. The 7th generation of the hardware encryption features in PCI Express (the Crypto Express 7S cards, or simply CEX7S) reaches new performance records and exists in new packaging to comply more than ever with the client's infrastructure requirements. These improvements are an opportunity for organizations to encrypt more data, thanks to the encryption bandwidth available by design and by default in every IBM z15 configuration.

The second noticeable hardware improvement is that the new IBM z15 embeds a new integrated accelerator for zEnterprise Data Compression (or simply zEDC) inside each processor chip, very much like the encryption is with CPACF. Now customers can have the best of both worlds with compression and encryption (in that order) right on the processor chip. Encryption becomes even less expensive, since after compression there is much less data to encrypt.

A significant step forward in preparing the security of tomorrow is taken with the new IBM z15. Quantum computing capabilities and their use are growing, and will explode over the next 10 - 20 years. We all know that a key quantum computing use case is code breaking, and that includes recovering encryption keys or breaking cryptographic algorithms very fast. This is why, to make the data secure today and tomorrow, IBM Z is starting down the path of crypto agility by providing quantum-safe digital signing algorithms as part of the base system. As an initial use case, z/OS audit logs can be dual signed with one National Institute of Standards and Technology (NIST) certified digital signature and one quantum-safe digital signature, in order to provide clients an early view of this new technology.

Data security journey to protect the data on the platform

In July 2017, IBM announced its new IBM z14 mainframe server, which combined both traditional mainframe hardware and new capabilities in areas such as cloud, cognitive, analytics and more. Most importantly, the z14 included a strategic security feature named Pervasive Encryption for IBM Z, or simply PE, to help clients stay one step ahead of cyber threats.

Pervasive Encryption for IBM Z is a consumable approach to enable extensive encryption of data in flight and at rest, to substantially simplify encryption and reduce the costs associated with protecting data.

With the z14, for the first time in the 50-year history of mainframe technology, encryption became pervasive. This feature added software-based security intelligence to the mainframe's robust encryption mechanism, allowing security solutions to leverage hardware-based cryptography like never before.

To protect the data at rest, Pervasive Encryption for IBM Z can be used in conjunction with full disk and tape encryption, database encryption, and application encryption. This multi-layer encryption approach helps to address the main enterprise data security risks:

- Full disk and tape encryption: Protects against intrusion, tampering or removal of physical infrastructure.
- File or data set encryption: Volume encryption on LinuxONE and Linux on IBM Z. Data set encryption for z/OS, managed through z/OS and providing simple policy controls that allow clients to protect data in mission critical databases including IBM DB2, IMS, and VSAM. Additionally, z/OS data set encryption gives clients the ability to eliminate storage administrators from the compliance scope.
- Database encryption: Provides selective encryption and granular key management control of sensitive data.
- Application encryption: Used to encrypt sensitive data when lower levels of encryption are not available or suitable.

Figure 1 summarizes the value of the multi-layer encryption approach and the different risks it addresses.

Figure 1 The pervasive encryption pyramid and multi-layer approach

To protect the data in motion, Pervasive Encryption for IBM Z relies on an earlier announced set of functionalities to protect the network sessions according to today's standards. This includes the following:

- Traditional secured network protocol support: The objective is to secure the data to and from IBM Z through the secured network protocol implementation. This includes support for SSL/TLS, SSH, and IPSec.
- zERT: zERT stands for z Encryption Readiness Tool. It is literally a z/OS network scanning tool to help z/OS administrators be sure that the network sessions and connections are secured and, if they are secured, indicates the quality of the network security.

- z/OS Coupling Facility Encryption: Coupling Facility (CF) encryption helps to protect z/OS Coupling Facility data. CF encryption processes are transparent to applications leveraging CF structures. Encryption is based on policies that are established on a workload and Coupling Facility structure basis, to identify data that is to be encrypted before being sent to the Coupling Facility.
- End-Point Fiber Channel Encryption: Fiber Channel is the premier transport for Storage Area Networks. In September 2019, IBM introduced the IBM z15 to extend the IBM Z position with a new feature named "End Point Fiber Channel Encryption". It better protects data circulating from the storage to the OS by encrypting the network flow at hardware level. This offering provides in-flight protection for all data, independent of the operating system, file system, or access method in use.

Pervasive Encryption for IBM Z consumable features help with many pain points associated with the EU's upcoming General Data Protection Regulation (GDPR), which governs how companies around the world handle personal data belonging to EU residents.

We can encrypt today's data on the IBM Z platform with no application changes and no impact on SLAs. The schema in Figure 2 summarizes the value of the pervasive encryption approach, protecting both data at rest and in motion on the IBM Z platform.

Figure 2 Protected data on the IBM Z infrastructure

Data privacy journey to protect the data off the platform

Businesses and organizations are very concerned with ensuring that data shared within their own networks, which often include third-party partners, remains protected, accessible, and private. That data is protected today within IBM Z thanks to pervasive encryption. The next step with the IBM z15 is to protect that data even as it moves throughout the enterprise (see Figure 3 on page 6).

Figure 3 Data protection beyond IBM Z

In September 2019, IBM introduced the IBM z15 to extend the IBM Z position as the industry-leading platform for mission-critical hybrid cloud, with new innovations across security, data privacy, and resilience.

Data security requires a multi-level approach in order to effectively reduce the risk of breaches among businesses. Pervasive encryption encrypts all data associated with an application, database, or cloud service, whether on premises, at rest or in flight. The IBM z15 extends this beyond the border of the IBM Z environment. The data-centric IBM z15 offers security solutions to simultaneously address breaches and provide privacy and ease of operations for any business operating in the connected IBM Z landscape.

The data privacy journey to protect data off the IBM Z platform is based on the following two technologies introduced with the IBM z15:

- IBM Z Data Privacy for Diagnostics: IBM Data Privacy Passports provides clients with the capability to protect sensitive data from a source DBMS. But there is another kind of data that organizations have to care for regarding the exfiltration risk: dumps. IBM Z Data Privacy for Diagnostics provides clients with the capability to protect sensitive data that may be included in diagnostic dumps. Now sensitive data can be tagged such that it can be identified in dumps with no impact on dump capture times. Tagged sensitive data in dumps can be secured and redacted before sending to third-party vendors.
- IBM Data Privacy Passports: IBM Data Privacy Passports, in conjunction with IBM z15, is designed to enforce security and privacy protections for data not only on IBM Z but across platforms (including cloud and distributed environments).

There are two privacy services delivered by IBM Data Privacy Passports:
– Data protection: Protecting the data at the exfiltration point.
– Data enforcement: Enforcing the data at the consumption point.

Data protection

Data protection is about protecting the data at the exfiltration point. To do so, IBM Data Privacy Passports provides a data-centric security solution (the data protection mechanism stays with the data) that enables data to play an active role in its own protection across the enterprise. This offering is the next logical step from the IBM z14 Pervasive Encryption for IBM Z offering, now extending the IBM Z leadership in security and data protection to data not only resident on the IBM Z platform but also as it moves throughout the enterprise and beyond.

The concept of Data Centric Audit and Protection (DCAP) is a transition from the current model most enterprises have become accustomed to, as illustrated in Figure 4.

Figure 4 Current model of data protection vs. DCAP

In the DCAP model, before the data is moved around the enterprise, it is repackaged into a secure object. In the case of Data Privacy Passports, this is called the Trusted Data Object (TDO). The Data Privacy Passports offering does this protection at a field level, which means that there is a level of granularity to this protection that cannot be obtained from broader protection techniques. Once the field is wrapped in a TDO, that TDO moves throughout the enterprise.

Figure 5 shows the lifetime of a data source protected with IBM Data Privacy Passports through the Data Protection function.

Figure 5 Copies of trusted data objects

A source table to be shared is copied and then protected via encryption according to the defined fine-grained privacy policy. A protected copy and its copies are called TDOs and comply with the DCAP concept that the security mechanism stays with the data. Only IBM Data Privacy Passports has the required keys to decrypt the content of a TDO and its copies.

When any original TDO or its copies need to be decrypted, the TDO must come back to the IBM Data Privacy Passports infrastructure. Otherwise, it is impossible to read the encrypted data of a TDO. This is how a lost, exfiltrated, or breached copy of a data source remains protected by default.

Data enforcement

Data enforcement is about enforcing the data at the consumption point. To do so, IBM Data Privacy Passports provides an Enforced View of the data upon SQL queries. The Enforced View depends on the credentials of the user who is provisioning the data. The data source may be in the clear (original source of data) or a Trusted Data Object. In the latter case, we can combine data protection and data enforcement together to secure the data at both the point of extraction and the point of consumption, as illustrated in Figure 6.

Figure 6 Data enforcement: One source, multiple views according to the need to know

IBM Z is equipped to protect its data, and the data of others, at the point of extraction and the point of consumption. The IBM Z environment can reduce the risk associated with data exfiltration, covering both IBM Z and non-IBM Z DBMSs. This is an important factor of synergy and integration, as expected to confirm its role as security hub in the multi-cloud driven enterprise IT infrastructure.

Application modernization

The fundamental challenge of legacy applications in supporting new market forces and business requirements is the lack of modularity. This situation is the result of decades of fixes and patching creating layers over layers of an old core system, resulting in an extremely complex monolithic structure that has created an uncontrolled and unknown hyper-integrated model of processes, data, and transactionality.

Due to this lack of modularity, any change requires a deep and long analysis and costly regression tests. It definitively impacts the agility to move customer needs and requirements to the system in production. This also results in high costs of development and maintenance, as well as obsolescence risks, due to the difficulty of updating outdated middleware.

From hyper-integration to hyper-modularity

To address the challenges due to lack of modularity, the recommendation is to modernize those core legacy applications by shifting to a new paradigm, from hyper-integration to hyper-modularity.

Modularity has several dimensions that are crucial for an agile modular system:

- Structural modularization: The system is composed of modules, each one with a clear responsibility and interface. The system is structured as a set of collaborating modules in a loosely coupled way.
- Development modularity: Strict encapsulation and interfaces allow very loosely coupled design and development life cycles, extremely useful for agile development techniques.
- Operational modularity: Each module is operated independently of other modules, running on different and isolated runtime environments depending on the implementation technology.

A strictly modularized approach has the following advantages:

- Lower maintenance and evolution costs. Since the development of each module is very isolated and the inter-module interfaces are clearly defined, much less regression testing is needed, and maintenance and evolution are much simpler.
- Much faster response to the business needs. This is related

IBM Data Virtualization Manager provides virtual, integrated views of data residing on IBM Z, and enables users and applications read/write access to IBM Z data in place, without having to move, replicate or transform data. And it perfo