Security Capabilities for z/VM and Linux Running on IBM Z 

November 13th, 2017

Andy Hartman
Senior Consultant

With the introduction of the new IBM z14, there has been a priority put on pervasive security. IBM has a long history of building security into the IBM Z, and they have continued this tradition with their newest generation of the mainframe. With the z14, security has been enhanced with improvements in speed, as well as new capabilities in hardware and software.  

z/VM and Linux can take advantage of these security capabilities just as they have for previous generations of the IBM Z. These enhancements cover a wide range of areas for both z/VM and Linux.

Data is one of the most valuable assets a business has, and it must be protected at all stages of use. Data at rest can be protected by encrypting it on the storage subsystem, and for long-term archiving by using tape encryption. Data being accessed by applications and programs can be encrypted in flight. This work uses the onboard cryptographic processors and cryptographic cards, which offload the processing from the central processor and leave it free to run more of the application workload.

Communications to and from the mainframe can be encrypted to protect session traffic. This encryption can be offloaded either to the Crypto Express 6s cards or to the onboard CP Assist for Cryptographic Functions (CPACF) processors. Depending on how the network traffic is designed to flow between applications and servers, using the OSA Express 6s communications cards together with z/VM virtual switches and HiperSockets, the data may never have to leave the mainframe at all: it can be transferred directly in memory, eliminating exposure to external networks.
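One way to verify, on a Linux guest, that the kernel's crypto layer is actually backed by the CPACF-accelerated s390 drivers described above rather than by generic software code, as an added example that is not part of the original article: it reads /proc/crypto-format text and reports the highest-priority provider per algorithm. The sample input is constructed; on a real Linux on Z guest, pipe in /proc/crypto instead.

```shell
#!/bin/sh
# Check whether the Linux kernel's crypto layer is backed by the CPACF-accelerated
# s390 drivers (driver names ending in "-s390") or by generic software code.
# Reads /proc/crypto-format text on stdin. Added example, not from the article.

# Constructed sample in /proc/crypto layout: AES has both a hardware and a
# software provider, SHA-256 only a software one.
SAMPLE_PROC_CRYPTO='name         : aes
driver       : aes-s390
module       : aes_s390
priority     : 300

name         : aes
driver       : aes-generic
module       : kernel
priority     : 100

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 100'

# Print "name driver priority" for the highest-priority provider of each
# algorithm, i.e. the one the kernel will actually select.
crypto_backends() {
    awk '
        function flush() {
            if (name != "" && (!(name in best) || prio + 0 > best[name] + 0)) {
                best[name] = prio; drvof[name] = drv
            }
            name = ""; drv = ""; prio = ""
        }
        $1 == "name"     { name = $3 }
        $1 == "driver"   { drv  = $3 }
        $1 == "priority" { prio = $3 }
        /^$/             { flush() }
        END              { flush(); for (n in best) print n, drvof[n], best[n] }
    ' | sort
}

# Answer "hardware", "software" or "absent" for one algorithm name.
crypto_backend_for() {
    crypto_backends | awk -v alg="$1" '
        $1 == alg { kind = ($2 ~ /-s390$/) ? "hardware" : "software"; print kind; found = 1 }
        END       { if (!found) print "absent" }
    '
}
```

On a real guest run `crypto_backend_for aes < /proc/crypto`; the Crypto Express adapters themselves are listed separately by `lszcrypt` from s390-tools.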

Resource and user control is critical to security, and the IBM Z has a long history of providing these capabilities with RACF and IBM zSecure, as well as a suite of IBM Tivoli products. RACF and zSecure provide very granular access control for z/VM resources, such as virtual switches, access to disks and access to other z/VM functions and commands. When you are using z/VM as a hypervisor to run many Linux guests, RACF provides additional layers of isolation between Linux guests, as well as auditing of the actions of system administrators and other users. Using various products from the IBM Tivoli suite, you can control access to your Linux guests and provide monitoring and auditing. SUSE, Red Hat and Ubuntu have security functionality built into their Linux distributions. This functionality is the same on IBM Z as on any other architecture, for example SELinux on Red Hat or AppArmor on SUSE and Ubuntu. Along with other hardening practices, these can be used to build a very secure Linux environment.

Isolating critical workloads even further, from both outside and inside threats, can be achieved with IBM's new Secure Container technology. Such a container can be built by IBM, a user, or a third-party vendor to host applications on Linux that require the highest security controls. Access to these containers is only through REST APIs; they prevent access through traditional methods such as Secure Shell or other remote login mechanisms.

Both z/VM and Linux can take advantage of the new z14’s enhanced security capabilities, such as the new Crypto Express 6s features, as well as utilizing other components like virtual switches, file system encryption and RACF. These capabilities can be used to create very secure environments that don’t have to give up performance for extra security. 

Mainline has extensive experience with z/VM and Linux on IBM Z. Please contact your Mainline Account Executive to answer any questions you may have, or to set up a more in-depth discussion about what you can do with z/VM and Linux.  
