ContentsWelcome to the Arcati Mainframe Yearbook 2020 ............................................................ 310 Steps to True Mainframe DevOps: A Phased Approach to
Cross-platform DevOps Success ................................................................................. 6Mainframe Data Management .......................................................................................... 17Join a Mainframe Development Revolution in 2020 – Embrace Open! ....................... 22Indicators of Compromise and Why It Takes Six-Plus Months to ID a Breach ........... 27Mainframe breaches: a beginner’s defensive strategy ................................................. 33
The 2020 Mainframe User Survey .................................................................................... 37An analysis of the profile, plans, and priorities of mainframe users
Vendor Directory ............................................................................................................... 55Vendors, consultants, and service providers in the z/OS environment
A guide to sources of information for IBM mainframers ............................................ 141Information resources, publications, social media, and user groups for the z/OS environment
Glossary of Terminology ................................................................................................ 147Definitions of some mainframe-related terms
Mainframe evolution ........................................................................................................ 179Mainframe hardware timeline 1952-2019; mainframe operating system development
We are very grateful – as always – to all those who have contributed this year by writing articles, taking part in our annual user survey, or updating their company profiles. In particular, I must thank the sponsors and advertisers, without whose support this Yearbook would not be possible.
The big IBM announcement in 2019 was its new z15 mainframe, which culminates four years of development with over 3,000 IBM Z patents issued or in process and represents a collaboration with input from over 100 companies. Building on the z14’s pervasive encryption, IBM introduced Data Privacy Passports technology that can be used to gain control over how data is stored and shared. This gives users the ability to protect and provision data and revoke access to that data at any time. In addition, it not only works in the z15 environment, but also across an enterprise’s hybrid multi-cloud environment. This helps enterprises to secure their data wherever it travels.
Also new with the z15 is IBM Z Instant Recovery, which uses z15 system recovery technologies, to limit the cost and impact of planned and unplanned downtime by accelerating the recovery of mission-critical applications by using full system capacity for a period of time. It enables general-purpose processors to run at full-capacity speed, and allows general-purpose workloads to run on zIIP processors. This boost period accelerates the entire recovery process in the partition(s) being boosted.
Security is an on-going and growing issue for anyone with a computer, and enterprises especially. Back in the summer, the annual Evil Internet Minute report1 from RiskIQ, suggested that cyber-criminals cost the global economy $2.9 million every minute in 2018, for a total of $1.5 trillion. The report concluded this after analysing proprietary research and data derived from the volume of malicious activity on the
Internet. Major companies are paying $25 per Internet minute because of security breaches, while hacks on cryptocurrency exchanges cost $1,930. Criminals are leveraging multiple tactics, from ‘malvertising’ to phishing and supply chain attacks. The loss from phishing attacks alone is $17,700 per minute. Global ransomware events in 2019 were projected to total $22,184 by the minute. Cyber-criminals have also increased their targets on e-commerce with Magecart hacks, which grew by 20% over the last year. The study found 0.21 Magecart attacks were detected every minute. It also found that in each Internet minute: 8,100 identifier records are compromised, seven malicious redirectors occur, and 0.32 apps are blacklisted. Plus, there are 2.4 phish traversing the Internet per minute.
The Arcati Mainframe Yearbook 2020
Publisher: Mark LillycropEditorial Director: Trevor EddollsContributors: Broadcom, Compuware, Model 9, BMC, Mark Wilson
All company and product names mentioned in this publication remain the property of their respective owners.
This Yearbook is the copyright of Arcati Limited, and may not be reproduced or distributed in whole or in part without the permission of the owner. A licence for internal e-mail or intranet distribution may be obtained from the publisher. Please contact Arcati for details.
IBM’s “Cost of a Data Breach Report”2, in 2019, highlighted the financial impact that organizations can feel for years after an incident. The actual cost of a breach has risen from $3.86m to $3.92m over the past year, and by over 12% over the past five years. According to IBM, in the USA, the cost of a breach is $8.19m. For companies with fewer than 500 employees, losses averaged out at over $2.5m, a potentially fatal sum. Mega breaches of over one million records cost $42m, while those of 50 million records are estimated to cost companies $388m. IBM also found that on average 67% of data breach costs were realized within the first year after a breach, but over a fifth (22%) accrued in the second year and another 11% accrued more than two years after the initial incident. Organizations in highly-regulated environments (like healthcare and financial services) were more likely to see higher costs in the second and third years, apparently. Malicious breaches accounted for the majority (51%) of cases, up 21% over the past six years, and cost firms more – on average $4.45m per breach. Accidental breaches, 49% of all incidents, cost slightly less than the global breach average. Human error cost $3.5m, and system glitches cost $3.24m. For the ninth year in a row, healthcare organizations suffered the highest cost of a breach – nearly $6.5m on average. IBM suggested that extensively tested incident response plans can minimize the financial impact of a breach, saving on average $1.23m. Other factors affecting the cost of a breach include how many records were lost, whether the breach came from a third party, and whether the victim organization had in place security automation tech and/or used encryption extensively.
IBM’s most significant acquisition this year concluded on 9 July when it acquired Red Hat, which is best known for its version of Linux. IBM acquired all the issued and outstanding common shares of Red Hat for $190.00 per share in cash, representing a total equity value of around $34 billion. At the time, IBM said that the companies together will accelerate innovation by offering a next-generation hybrid multi-cloud platform. Based on open source technologies, such as Linux and Kubernetes, the platform will allow businesses to securely deploy, run, and manage data and applications on-premises and on private and multiple public clouds.
The year ended with the news that Compuware intends to acquire Innovation Data Processing. This, perhaps, is another example of larger companies looking round for mid-range companies to strengthen their product range – like Syncsort’s acquisition of Pitney Bowes’ software and data business.
As well as Data Privacy Passports, introduced with the z15 mainframe, some other acronyms we’re getting used to this year are zCX, WMLz, and Db2ZAI. zCX stands for z/OS Container Extensions (zCX), which let you run Linux capabilities in a container on z/OS. WMLz stands for IBM Watson Machine Learning for z/OS. It’s designed to simplify the production implementation of AI models. Users can develop models where they want. And, users can readily deploy them within their transaction applications for real-time insight. Db2ZAI stands for IBM Db2 AI for z/OS, which can optimize a Db2 for z/OS engine to determine the best-performing query access paths, based on the workload characteristics. You may also have come across fog computing or fog networking or fogging, which is an architecture that uses edge devices to carry out a substantial amount of computation, storage, and communication locally and then routes it over the Internet backbone.
Looking forward to 2020, it’s interesting to see what Gartner highlights as the top 10 strategic technology trends for the year. They are:• Hyperautomation – the combination of multiple machine learning (ML), packaged software, and
• Multiexperience – a change in the user experience in how they perceive the digital world and how they interact with it. It’s suggested that the burden of translating intent will move from the user to the computer.
• Democratization of expertise – providing people with access to technical expertise (eg machine learning, application development) or business domain expertise (eg sales process, economic analysis) through a radically simplified experience and without requiring extensive and costly training.
• Human augmentation – using technology to deliver cognitive and physical improvements as an integral part of the human experience.
• Transparency and traceability – a range of attitudes, actions, and supporting technologies and practices designed to address regulatory requirements, preserve an ethical approach to use of artificial intelligence (AI) and other advanced technologies, and repair the growing lack of trust in companies.
• The empowered edge – empowering edge computing with more sophisticated and specialized compute resources and more data storage.
• Distributed cloud – the distribution of public cloud services to different locations while the originating public cloud provider assumes responsibility for the operation, governance, updates to, and evolution of the services.
• Autonomous things – physical devices that use AI to automate functions previously performed by humans, eg robots, drones, autonomous vehicles/ships and appliances.
• Practical blockchain – a maturing blockchain functionality and growth in use.• AI security – artificial intelligence and machine learning can augment human decision making and
create great opportunities to enable hyperautomation and leverage autonomous things to deliver business transformation, it creates significant new challenges for security in terms of protecting AI-powered systems, leveraging AI to enhance security defence, and anticipating nefarious use of AI by attackers.
It’s fascinating to see how many of those will use a mainframe in order to work effectively.
So, it looks like the mainframe industry is an exciting place to work. And with that in mind, I can confidently predict that 2020 will be an interesting year, and that the mainframe will continue to offer outstanding performance and reliability, and be at the heart of the world’s business-critical applications.
As well as the z15, IBM announced a 53-quantum bit (qubit) device in 2019, which they claimed was the most powerful quantum computer ever offered for commercial use. IBM’s machine can be used by anyone, and is sited at the company’s Quantum Computation Center in Poughkeepsie, New York State. As yet, the new computer doesn’t have a name. IBM said of its new 53-qubit system that it benefits from a number of new techniques that enable it to be larger and more reliable. It features more compact custom electronics for improving scaling and lower error rates, as well as a new processor design.
10 Steps to True Mainframe DevOps:A Phased Approach to Cross-platform DevOps SuccessThis article looks at what this approach means to you and your company.
Enterprises must quickly and decisively transform their mainframe practices. The slow, inflexible processes and methods of the past have become intolerable impediments to success in today’s innovation-centric digital markets. IT leaders must therefore bring the proven advantages of Agile, DevOps and related disciplines to bear on the mainframe applications and data that run their business.
But how? And where to begin? Mainframe transformation can seem overwhelming. And no IT leader wants to embark on a “boil the ocean” project that consumes resources and generates risk without a high probability of sizable, near-term concrete rewards.
This article addresses these concerns by spelling out a proven, phased approach for measurably modernizing mainframe practices. By following this approach, IT leaders can rack up high-impact, near-term “wins” at each stage along the way, while staying on course towards a vital strategic objective that can be fully achieved in less than two years.
Because every organization has its own existing processes, tools and culture, this mainframe transformation game plan can be modified to fit each organization’s specific needs.
No company, however, can afford to further delay mainframe transformation—or embark on such a transformation without a clear plan. To remain competitive in an app-centric economy,
mainframes must be as adaptive as other platforms. And enterprise IT must be able to manage DevOps in an integrated manner across mainframe, distributed and cloud.
This article lays out a plan for doing exactly that.
Step 1:DETERMINE YOUR CURRENT AND DESIRED STATEBefore embarking on the process of mainframe transformation, it’s wise to first be clear about what that transformation will entail. To map out a transformation plan that all relevant stake-holders can understand and buy into, you will need to:
Document and assess your current state. What tools do your development, QA and ops teams currently use? What does your software delivery process look like? What are the results in terms of velocity, frequency, person hours and quality? How consistent or variable are those results? How much institutional knowledge is isolated in the minds of your top SMEs? How well do your mainframe teams collaborate and coordinate with their counterparts working on your distributed and cloud platforms?
Define your desired state. Prioritize the goals that are most important to your organization. These can include velocity (compressing the time required to go from business requirement to code in production), agility (the ability to make smaller, more frequent changes to application code), efficiency (reducing cost through better use of person hours), integration (better coordination of code changes across platforms) and generational shift (empowering technical staff with mainstream skillsets to assume responsibility for mainframe DevOps). These goals must obviously be achieved without compromising the reliability and stability of core applications.
Identify impediments. Many mainframe teams face technical obstacles, such as tools that lock them into slow, waterfall processes. Entrenched
habits and work culture—such as insufficient emphasis on speed and collaboration—can also tangibly hinder mainframe transformation. Or you just may be under-funded. Your gap analysis should zero in on these specific impediments preventing you from achieving your specific goals.
Define your customized plan. Once you know where you want to go and what’s currently pre-venting you from getting there, you can craft a rational, credible transformation plan. Your plan will likely look very similar to the nine steps that follow. Depending on the particulars of your situation, however, you may need to prioritize certain steps or allocate more resources to certain aspects of your transformation.
Step 2:MODERNIZE YOUR MAINFRAMEDEVELOPMENT ENVIRONMENTMost mainframe development is still performed in antiquated “green screen” ISPF environments that require highly specialized knowledge and problematically limit new staff productivity. Modernizing the mainframe begins with modernizing this developer workspace.
A modernized mainframe workspace should possess the look and feel of the Eclipse-style IDEs that have become the de facto standard for other platforms. This user-friendly interface will allow staff at all experience levels to move easily between development and testing as they work on both mainframe and non-mainframe applications. Your modernized mainframe IDE will also support a complementary palette of value-added tools as you continue your mainframe transformation through its subsequent steps.
ToolsThe enabling technology for Step 2 is Compuware Topaz Workbench—along with associated Compuware solutions such as File-AID, Abend-AID and Xpediter.
These products provide complete source code editing, debugging, fault diagnosis and data browse/edit/compare functionality. Topaz Workbench, in particular, allows developers to write, compile and run code all from a modern Eclipse-based IDE. It also brings drag-and-drop ease to copying files between LPARs and other common developer tasks. This puts the mainframe development experience on par with other technologies in the enterprise such as Java.
Find more information on Topaz Workbench.
Success Indicators• Empirical productivity metrics such as
features delivered, code commit frequency and shorter learning curve for new employees
• Posi t ive anecdota l feedback f rom development and testing teams
• Ability to recruit and train individuals with no mainframe experience to work on mainframe applications.
Step 3:ADOPT AUTOMATED TESTINGUnit testing is central to Agile. Frequently testing small increments of code enables developers to quickly and continuously assess how closely their current work aligns with immediate team objectives—so they can promptly make the necessary adjustments or move on to the next task.
Unfortunately, technical obstacles have historically prevented the kind of automated unit testing that is commonplace in Java from being applied to mainframe development. Now that those obstacles have been removed as described below, reliable automated unit testing can become a mainframe reality.
Of course, effective unit testing requires more than technology. Mainframe developers not accustomed to unit testing must learn how to best leverage the practice to work much more iteratively
on much smaller pieces of code. One particularly effective way to accelerate adoption of unit testing best practices across your development teams is to monitor the percentage of code that has been subject to automated testing. By combining automated unit testing with code coverage metrics, you can build confidence among your developers that they can make incremental changes to mission-critical applications without jeopardizing quality. It’s also important to implement controls that ensure unit testing is successfully completed before promoting code. But automated unit testing across all platforms is a fundamental requirement for Agile.
Once you have completed the unit testing phase, you can work through the functional testing phase. Functional testing validates that the implementation works as specified in its requirements. This is different from “the code works correctly,” which is determined during unit testing.
After functional testing, you can then start the integration testing phase. With integration testing, you evaluate if the collaboration between two or more programs works as expected. This extends the functional testing that focuses on testing the specifications of one program to test the interaction between several programs.
ToolsThe enabling technology for Step 3 is Compuware Topaz for Total Test. The product automatically scans mainframe code and creates appropriate unit and functional tests based upon the program’s structure. It can automatically create these test cases for both main programs and subprograms. Test cases can include test data and a set of default test result assertions. This automated test creation empowers developers at all skill levels to quickly, easily and accurately validate and troubleshoot any changes they make to mainframe applications.
Topaz for Total Test now offers functional and integration testing capabilities to extend the
use of the solution further into the application development lifecycle. This provides additional levels of test automation to improve velocity to production use of application changes.
Find more information on Topaz for Total Test.
Success Indicators• More frequent drops of code updates
required by the business• Fewer errors found later in the DevOps
lifecycle (“shift left”)• Lower cost of defect resolution (since
resolution costs are much lower earlier in the DevOps lifecycle)
• Tighter synchronization of in-tandem mainframe/non-mainframe development
Step 4:PROVIDE DEVELOPERS WITH GRAPICAL, INTUITIVE VISIBILITY INTO EXISTING CODE AND DATA STRUCTUREAs mainframe applications have been expanded and enhanced over many years, they have typically become quite large and complex. They are also typically not very well-documented. This combination of complexity and poor documentation is a major impediment to core transformation goals—including agility, confidence and efficiency. In fact, the undocumented idiosyncrasies of mainframe applications and data structures almost universally make enterprise IT highly dependent on the personal/tribal knowledge of senior mainframe staff. Worse yet, if a seasoned mainframe developer is no longer available, IT may be fearful of making any changes at all.
To overcome this dependency, you have to make it much easier for any new participant/ contributor to quickly “read” existing application logic, program interdependencies, data structures and data relationships. Developers and other technical staff also need to be able to understand application runtime behaviors—including the actual sequence and nature of all program calls as well as file and
database I/O—so they can work on even the most unfamiliar and complex systems with clarity and confidence.
ToolsThe enabling technologies for Step 4 are Compuware Topaz for Program Analysis and Topaz for Enterprise Data. Their unique, powerful visualizations reveal underlying program logic and data relationships through dynamically generated, graphically intuitive diagrams. These diagrams show how COBOL and Pl/I programs flow with the associated variables and files, while also enabling developers to play, save and compare visualizations of application runtime behaviors— without requiring access to current source code files.
Find more information on Topaz for Program Analysis and Topaz for Enterprise Data.
Success Indicators• Reduction in amount of time it takes a
developer to understand large/complex mainframe applications
• Experienced developers gaining further insight into runtime behavior of mainframe applications
• Developers better estimating project work required to meet delivery deadlines
Step 5:EMPOWER DEVELOPERS AT ALL SKILL AND EXPERIENCE LEVELS TO DELIVER HIGH-QUALITY CODE WITH LESS FRICTIONSuccessful mainframe transformation demands rigorous, reliable and early detection and resolution of quality issues. There are three primary reasons for this. First, mainframe applications often support core business processes that have little to no tolerance for error. Second, in transitioning from waterfall to Agile delivery cycles, continuous quality control reduces costs and prevents even
relatively minor errors from adding friction that undermines the goal of faster, more streamlined application updates.
Third—and of particular importance at this moment in the history of the mainframe—a new generation of developers with less mainframe experience and expertise are being called upon to maintain and evolve mainframe applications. These developers must be supported with quality controls and feedback above and beyond the automated unit testing adopted in Step 3.
Every effort must therefore be made to rigorously safeguard application quality as the mainframe becomes more agile. Continuous Integration (CI) is especially important in this regard, since it ensures that quality checks are performed continuously as your code is updated.
Also, with the right quality control tools and processes, you can do more than just catch and fix individual issues early in the cycle. You can also capture KPIs that give you clear visibility into individual, team and project quality metrics so you can quickly pinpoint issues requiring additional coaching and training—allowing you to continuously improve development performance and productivity.
ToolsAs with Step 3, a core technology enabler for Step 5 is Compuware Topaz for Total Test—which provides a single point-of-control for developers to manage their testing activities, while also tracking code coverage to ensure consistent conformance with testing best practices prior to code promotion.
Topaz a lso prov ides in tegra t ions wi th SonarSource’s SonarLint and SonarQube. SonarLint integrates into the Topaz Workbench environment to give developers on-the-fly feedback on any potential new bugs and quality issues they may inject into their code. With SonarLint, even mainframe-inexperienced developers can quickly be alerted to application quality issues such as
unbalanced or unmatched working storage/data items and sections of code that are too complex. SonarQube is a feature-rich dashboard for tracking quality issues, code coverage from automated tests and technical debt—all of which are useful for capturing the kinds of KPIs needed to ensure deliverables are being created with sustainable and high-quality methods.
Jenkins, the open source automation server, is also typically important for this step since it provides Continuous Integration functionality. Jenkins can also automatically drive execution of any essential quality checks—such as static code analysis, automated unit and functional tests and measuring code coverage—that you want to ensure are performed on every change to code.
Compuware zAdviser further aids in the use of KPIs to drive improvements in mainframe DevOps performance by both capturing developer behaviors and benchmarking those behaviors against metrics captured from across a broad range of other organizations engaged inmainframe agility initiatives.
Find more information on SonarQube, SonarLint, Jenkins and zAdviser.
Success Indicators• Increasing code coverage exercised by
automated tests• Positive trends in quality and reduced
technical debt metrics• Reduced number of error-related cycles
between testing and development teams• Quant i f iable improvements in the
performance and productivity of new mainframe developers
Step 6:INITIATE TRAINING IN ANDADOPTION OF AGILE PROCESSESAt this point in your journey, you should have the right development environment in place—so
your development teams will be ready for actual training on Agile development methodologies. Once completed, you’ll be able to start shifting your process from a traditional waterfall model with large sets of requirements and long project timelines to a more incremental model. The goal is to have developers for mobile, web and mainframe components collaborate on a single Scrum team. Teams are focused on stories and epics that capture specific units of value to your business versus technical tasks in a project plan. By estimating the size of these stories and assigning them their appropriate priority, your teams can start engaging in Agile processes that allow them to quickly iterate towards their goals.
The move from large-scale waterfall projects to Agile represents a significant change in work culture for most mainframe teams. Training in Agile processes and work culture is therefore a must. Technical Leadership roles and Product Owners, in particular, need in-depth training and coaching. However, all team members should have at least some formal introduction to basic Agile concepts—especially if they’ll be expected to read Scrum or Kanban boards.
You may want to build your initial Agile mainframe team by choosing select mainframe developers and pairing them with Agile-experienced developers from other platforms. You may also want to consider how you’ll factor conformance to Agile values such as transparency, knowledge sharing and ideation into your developer performance reviews.
ToolsEnabling technologies for Step 6 include modern collaboration platforms and Agile project management tools. Atlassian Jira, for example, is an Agile task management tool that supports Agile methodologies such as Scrum and Kanban. It enables you to plan, track and manage all Agile development activity, so you can keep your teams on track and continuously improve Agile adoption in terms of speed, effciency, quality and—most
importantly—ongoing alignment with your most urgent business needs.
Atlassian Confluence complements Jira by providing a centralized, well-organized web collaboration space where your Agile teams can easily and flexibly share ideas and product requirements as well as provide process and status updates, etc. This type of collaboration supports the required culture of innovation.
It’s typically wiser to leverage these kinds of popular best-in-class tools than it is to adopt a monolithic approach that requires you to perform all SDLC activities within a single vendor’s solution set—since going forward you’ll want to avoid vendor lock-in and ensure your ability to take advantage of the latest innovations in Agile management.
Find more information on Atlassian Jira and Confluence.
Success Indicators• Target percentage of dev/test staff completes
Agile training with goal of 100% trained• First delivery of artifacts from initial Agile
teams and discovery of technical and cultural obstacles to broader Agile adoption
• Evidence of cross-team collaboration and business participation in Agile process
Step 7:LEVERAGE OPERATIONAL DATAACROSS THE DEVELOPMENT,TESTING AND PRODUCTION LIFECYCLETo ensure that your applications will perform optimally in your production environment, it’s not enough to just write good code. You also need to understand exactly how your applications behave as they consume processing capacity, access your databases and interact with other applications.
One good way to gain this understanding is to leverage operational data continuously throughout the DevOps lifecycle. This provides dev and ops teams with a common understanding of the operational metrics/characteristics of an application throughout its lifecycle, helping them more fully and accurately measure progress towards team goals. Early use of operational data can also dramatically reduce your MIPS/MSU-related costs by allowing you to discover and mitigate avoidable CPU consumption caused by ineffcient code.
ToolsThe enabling technologies for Step 7 are Compuware Abend-AID and Strobe. Abend-AID provides source-level analysis of application failures—sparing developers the time-consuming work of manually cross-referencing numerous pages of memory dumps, source listings and application code. With Abend-AID, dev/test staff can quickly pinpoint bad statements, identify data issues and isolate many other types of application problems.
Strobe pinpoints application ineffciencies such as bad SQL statements, wasteful Db2 system services that cause excessive CPU consumption, slow data retrieval and other issues that add cost while undermining the end-user experience. By automatically identifying these issues, Strobe enables even novice dev/test staff to contribute to faster delivery of better-performing applications.
Find more information on Abend-AID and Strobe.
Success Indicators• Early detect ion of avoidable CPU
consumption• Reduction in abends in production• Reduction in average cost per error and
For more information on transforming your operations team, check out a companion piece in our DevOps guidebook series entitled 9 Steps to Agile Ops.
Step 8:DEPLOY TRUE AGILE/DEVOPS-ENABLING SOURCE CODE MANAGEMENTTraditional SCM environments are inherently designed for waterfall development and are thus incapable of providing essential Agile capabilities—such as parallel development work on different user stories, quick compare and merge of different versions, and conditional pathing of code promotion.
But to truly enable Agile and DevOps on the mainframe, your SCM must do more than just provide automation, visibility and rules-based workflows to your SDLC. It must also integrate easily and seamlessly with other tools in your end-to-end toolchain. Chances are that your development, test and ops teams will want to use some combination of Jenkins, XebiaLabs, Slack, CloudBees and/or other popular tools. You must therefore be able to move data easily between these tools—and trigger automated actions, messages and alerts between them. Ideally, your new SCM will do this with industry-standard REST APIs and webhooks, which provide the simplest means of doing so and give you the greatest flexibility to allow your next-gen developers to work with whatever their personal tools-of-choice happen to be at any points in time.
The shift from waterfall-based SCM to Agile-enabling SCM is a pivotal moment in any mainframe transformation, and it should be carefully planned to avoid disruption to current work in progress. It is, however, an absolutely essential shift if your goal is to increase the speed and frequency of new mainframe code drops, optimize developer productivity and simplify end-to-end management of your SDLC.
ToolsThe enabling technology for Step 8 is Compuware ISPW. ISPW is a modern, end-to-end Agile SCM and release automation solution that enables mainframe application developers at all skill levels to fulfill business requirements, optimize code quality and improve developer productivity through mainframe DevOps. It provides automated change management that eliminates manual steps and empowers your teams to iterate quickly through the development, test and QA cycles. ISPW is fully integrated into the Topaz Workbench environment, so developers have full access to all of their tools from a single, intuitive interface. It also integrates with other popular tools, including Jenkins, as described above.
Find more information on ISPW. Compuware also offers SCM Migration Services to speed and de-risk this critical conversion.
Success Indicators• Developers no longer working with “personal
libraries” and different Agile teams working on different stories in parallel
• Developers with different mainframe skills levels are able to quickly understand the scope of their changes before they begin to code
• Reduction in code approval delays
Step 9:AUTOMATE DEPLOYMENT OF CODE INTO PRODUCTIONAgile development alone is insuffcient for full digital business agility. To keep pace with today’s fast-moving markets, your business must also be able to quickly and reliably get new code into production. That means automating and coordinating the deployment of all related development artifacts into all targeted environments
in a highly synchronized manner. You’ll also need to pin-point any deployment issues as soon as they occur, so you can take immediate corrective action.
And, if such corrective action is not immediately evident or doesn’t immediately produce its expected remediative effect, you have to be able to quickly and automatically fallback to the previous working version of the application. This automated fallback is, in fact, a key enabler of rapid deployment—since it is the primary means of mitigating the business risk associated with code promotion.
ToolsThe enabling technology for Step 9 is also Compuware ISPW. ISPW complements its core SCM capabilities with advanced mainframe deployment features that empower you to rapidly move code through the deployment process—including test staging and approvals—while also providing greatly simplified full or partial fallbacks. As such, it offers a significantly superior solution to traditional “homegrown” scripts, which do not provide essential capabilities such as fallback, progress visibility and auditability of deployment processes.
ISPW also provides visualization that enables DevOps managers to quickly pinpoint deployment issues in order to both solve immediate rollout problems and address persistent bottlenecks in code promotion.
ISPW features a mobile interface that enables mainframe DevOps managers to respond immediately when alerted that code changes are ready for approval. This anytime/anywhere mobile management eliminates a common cause of mainframe code promotion delays.
Find more information on ISPW.
Success Indicators• Faster rollouts of applications into production• Reduction in code promotion failures• Reduction in personnel effort and system
down time caused by need to revert after failed deployment
Step 10:ENABLE COORDINATED CROSS-PLATFORM CONTINUOUS DELIVERYMainframe applications and data increasingly serve as a back-end resource for multi-platform customer- and employee-facing applications that include mobile, web and/or cloud components. DevOps teams must therefore be able to fully synchronize the delivery of new, approved code across all platforms. These deployment controls should also provide unified, cross-platform fallback and progress reporting.
This is the target state of enterprise DevOps at the completion of Step 10: A de-siloed environment where the mainframe is “just another platform”—albeit an especially scalable, reliable, high-performing, cost-effcient and secure one—that can be quickly and appropriately modified as needed to meet the needs of the business by whichever staff resources are available to do so.
ToolsThe enabling technologies for Step 10 include ISPW REST APIs and integration with tools like XebiaLabs XL Release and CloudBees. ISPW integrates with distributed tools to provide a single point of control for all changes across z/OS, Windows, Unix and other platforms. REST APIs are especially important for ensuring full flexibility to mix and match best-in-class tools and avoid vendor lock in.
XL Release is a highly advanced application release automation solution that eases the planning, automation and analysis of cross-platform software releases so you can streamline code promotion, maintain full visibility into release progress, pinpoint release problems and address any chronic bottlenecks in your DevOps processes.
Find more information about our integrations with XebiaLabs XL Release and CloudBees.
Success Indicators• Ability to work on related code on multiple
platforms in parallel• I n c r e a s e d c o m m u n i c a t i o n s a n d
collaboration between previously siloed developers with different skillsets
• First successfully automated cross-platform release fallout
THE ONGOING PURSUIT OF DIGITAL EXCELLENCEThe evolution of your mainframe doesn’t stop once you achieve the desired state of agility and cross-platform integration of your DevOps workflows. In fact, you’ll probably want to build upon that achievement to further enhance your company’s digital agility and effciency over time.
One especially compelling way to do that is by providing your IT service management (ITSM) team with a unified environment for both mainframe and non-mainframe applications. This unified ITSM model will become increasingly useful as more of your company’s digital value proposition is based on code that traverses multiple platforms—from back-end mainframe systems of record to customer-facing web and mobile apps.
Topaz Connect provides this kind of cross-platform ITSM integration by unifying third-party ITSM solutions such as ServiceNow, BMC Software, Tivoli and CA. Through this integration, ITSM staff
can track processes for mainframe applications in the same manner as they do for other hardware and software platforms. If an ITSM change request requires a code change, the specifics of that change are automatically communicated to ISPW. And as those modifications are delivered, your ITSM environment can track the progress of the workflow right through to deployment. You can also use a solution like XebiaLab’s XL Release Dashboard to both maintain real-time insight into your active projects across platforms and track KPIs that help you pinpoint opportunities for further improvement—whether it’s the time it takes your smallest incremental changes to get through QA or the types of technical issues that seem to be driving the most chatter in your collaboration tools.
Compuware zAdviser can also help you pinpoint opportunities for continuous improvement— especially as its benchmarks reveal how your peers at other organizations keep raising the bar for mainframe agility over time.
THE TRANSFORMATION IMPERATIVEIT leaders are under intense pressure to deliver on many fronts. They have to deliver new AI-enabled systems. They have to fulfill the escalating mobility expectations of customers and employees. They have to safeguard the enterprise from an ever-intensifying range of threats. And they have to do all this within extremely challenging capex and opex budget constraints.
Mainframe transformation, however, is central to the success of all these efforts and more. If your core systems of record aren’t agile—and if you’re not fully prepared to extend the useful life of those systems of record well into the next decade, even as you lose your current cohort of mainframe veterans to retirement—then your other efforts can only deliver limited benefits. The performance of your business will ultimately be constrained by the constraints of your mainframe environment.
The good news is that best practices, modern tools and committed partners are now available to assist you in your efforts. All you need is a decision and a plan. Then you can start.
Compuware empowers the world’s largest companies to excel in the digital economy by taking full advantage of their mainframe investments.
We do this by delivering innovative software that enables IT professionals with mainstream skills to develop, deliver and support mainframe applications with ease and agility. Our modernized solutions uniquely automate mainframe work, integrate into a cross-platform DevOps toolchain and measure software delivery quality, velocity and efficiency.
Learn more at compuware.com.
Mainframe AIIBM Watson Machine Learning for z/OS (WMLz) can’t run your mainframe for you, but it is taking baby steps toward making some applications (eg Db2) run more efficiently. In effect it is working like a DBA on steroids! WMLz, currently at Version 2.1, is said to simplify the production implementation of AI models. Users can develop models where they want. And, users can readily deploy within their transaction applications for real-time insight. At the moment, WMLz can help sites optimize their transactions, but it isn’t restricted to just mainframes. WMLz offers a hybrid cloud approach to model development and model deployment lifecycle management and collaboration that is designed to help organizations innovate and transform on an enterprise scale. Db2ZAI is a separate product that can optimize data access in Db2. I would hope that we will see something similar for CICS and IMS in the near future. And, in the not too distant future, we will, perhaps see more features on the mainframe optimized and controlled by Watson.
The IBM Db2 AI for z/OS (Db2ZAI) can optimize a Db2 for z/OS engine to determine the best-performing query access paths, based on the workload characteristics. The optimizer consists of Relational Data Services (RDS) components that govern query transformation, access path selection, run time and parallelism for every SQL statement used. The access path for an SQL statement specifies how Db2 accesses the data that the query specifies. It determines the indexes and tables that are accessed, the access methods that are used, and the order in which objects are accessed. Db2ZAI collects data from the optimizer and the query execution history, finds patterns from this data and learns the optimal access paths for queries entering Db2 for z/OS. That means data access is as quick as it can possibly be. And because each site has a unique workload, this optimization is specific for that particular site. Should workloads change, the optimization will change, too. It will learn how to work the best it can.
Mainframe Data ManagementWhen it comes to mainframe data management, there are hidden costs and now there are some new opportunities.
Based on estimates and benchmarks from Technavio and Gartner, the mainframe market—hardware and software—is worth about $44 billion a year. An estimated 90% of all credit and debit cards were still processed on the mainframe in 2017, and IBM continues to sell more processing capabilities each year.
Considering its size, the mainframe market does not have many vendors. As a result, it is unusually stable for a technology market, with rigid control over technological direction.
While stability can be extremely useful, the stagnation of data management solutions in particular has proven to be of concern. Mainframes, and the ecosystem of hardware, services, and applications that surround them are costly. They act on vital data and run critical workloads. They are counted upon to provide the highest level of reliability and speed. These factors have created a high level of risk aversion among mainframe administrators. Change controls are extremely strict and new technologies are introduced slowly. Mainframe customers want to see others adopt the technologies successfully before taking the plunge themselves.
However, with the volume and velocity of data at unprecedented levels, with business continuity SLAs becoming more demanding, with increasing demand for business analytics access to mainframe data and with a high priority focus on mainframe costs, managing mainframe data needs to be looked at in an entirely different light. In this article we will explore the real costs of mainframe data management today and identify modernization opportunities.
THE DATA MANAGEMENT DILEMMA ON MAINFRAMESData backup, restore and archive is one area of the mainframe ecosystem where evolution has been significantly slower than in the open systems world. It is dominated by a small group of vendors such as IBM, CA, EMC, Oracle, and Innovation Data Processing.
These vendors offer a limited number of backup and archive products, all of them based on tape architecture and all of which consume costly central processor (CP) resources. The only significant innovation over the years has been the introduction of Virtual Tape Libraries (VTLs)—hard disk arrays that serve as a buffer between the backup streams and the physical tape storage devices, often doing away with physical tape altogether.
With mainframes typically handling critical data in highly regulated business environments, risk-averse mainframe administrators have not been clamoring for novel backup/restore solutions despite the high costs of hardware and software, cumbersome restore procedures, and other drawbacks of these legacy systems.
DATA MANAGEMENT AND DATA ACCESS IMPACT ON MLCBased on the analysis of numerous mainframe logs from a wide range of companies worldwide, backup and space management workloads can take up to 10% of a mainframe’s compute consumption, much of which is the result of emulating tape systems. They expend costly main Central Processor (CP) cycles on house-cleaning tasks that are only necessary because the backup and space management solutions need to believe that their data sits on tape.
Further - as access to Mainframe data is on the rise and analytics tools outside the mainframe require more and more data to be pushed out from the mainframe, the load of ETL and other
means of data transport is also putting pressure on Mainframe compute engines.
IBM employs the Monthly License Charge (MLC) model, in which organizations are charged based upon a monthly measurement of the four consecutive peak hours of usage, known as the Rolling 4-Hour Average (R4HA). Keeping data management and ETL workloads out of the R4HA peak is a challenge for many administrators. Organizations frequently face the dilemma of having to choose between restricting data management job timing and scope so as not to fall into the R4HA monthly peak, or allowing these processes to run during peak times and affecting MLC charges.
SHIFTING DATA MANAGEMENT WORKLOADS TO SPECIALTY PROCESSORSFor many mainframe administrators the R4HA and its impact on MLC are constantly top of mind. In a 2019 BMC mainframe survey, 61% of Execs and 68% of Tech managers saw Cost reduction as their top priority. As noted above, workloads that use the main Central Processor (CP)—including data management and ETL workloads—drive a significant portion of the MLC costs. However, there are specialty processors that allow organizations to execute some percentage of a workload’s compute time without impacting the main CP. Specialty processor cycles are charged at significantly lower rates than main CP cycles.
The z Systems Integrated Information Processor (zIIP) is one such specialty processor. It can be used to offload numerous types of workloads, such as Java, XML, and DB2 for z/OS. The zIIP is proving to be of increasing importance as Java usage grows. According to the previously mentioned BMC survey, 59% of the respondents reported Java usage growing, and it is the language of choice for new applications.
Encryption and decryption are also examples of processor-intensive data management tasks that can be offloaded to specialty processors. This cost-
saving measure becomes even more significant in light of regulatory guidelines that strongly advise that backups—and even production storage—be encrypted. Fines for violations of the EU’s General Data Protection Regulation (GDPR) regulations, for example, can soar to 4% of annual global turnover or €20,000,000, whichever is higher.
Fortunately, a new generation of Java-based backup, archive and data access solutions is emerging that can move some or all of the backup, archive, space management and analytics data access processing over to the less expensive specialty processors, avoiding the main CP overhead (and reducing the MLC charges) of virtual-tape-based and ETL products. This shift can greatly decrease costs and may have the added benefit of allowing Data Management processes to be executed with fewer timing constraints, even as higher priority tasks are executed on the main CP.
MODERN CLOUD ARCHITECTURE STORAGEIn the open systems world, centralized storage x86 virtualization and more recently Cloud storage are two great examples of solutions that have delivered impressive savings to organizations of all sizes. While the reliability, speed, and functionality of open systems storage keep advancing, the average storage prices are declining consistently year over year.
Adopting modern commodity SAN, On-premises Cloud or Public Cloud storage solutions for use with mainframes would allow organizations to store 3x to 10x more data compared to traditional mainframe secondary storage solutions of the same price. This would seem to be a compelling value proposition to those 68% of mainframe Techs for whom cost reduction is their primary concern. Using cloud storage from public providers such as Amazon’s AWS, Microsoft’s Azure, and others, further reinforces the value proposition. For archive specifically, cold storage on public cloud providers can improve the capacity/cost ratio 100X.
However, while solutions that enable mainframes to make use of commodity storage exist, significant barriers to adoption remain. Risk aversion, based on outdated beliefs that commodity storage solutions are inadequately resilient for mainframe usage, is one issue. Another is that many of the extant approaches to adding commodity storage to mainframes simply make this commodity storage available as part of a VTL, inheriting the problems and costs associated with the VTL approach. Furthermore, the current approaches may place commodity storage behind DASD—which maintains lock-in to specific storage Hardware.
In reality, commodity and cloud storage solutions have evolved rapidly, and now provide a wide range of features that can make it at least as resilient as traditional mainframe storage at a significantly reduced cost. Cloud storage, for example, can be easily and inexpensively configured to be locally and geographically redundant. Mainframes can be configured to use cloud storage for secondary, or backup storage, as well as a replication tier.
Commodity storage needn’t be restricted to a storage solution hidden behind a VTL or DASD. Mainframes can use commodity storage solutions, ranging from extremely high speed all-flash arrays to cold archival disk warehouses, or even inexpensive mainstream LTO (linear tape-open) tape libraries. Perhaps more importantly, mainframes can embrace all that cloud storage has to offer.
RECOVERY“Data protection for us was easy – everything was on 1/4” tape back then so we just duplicated them. We ran a twice-yearly recovery exercise to our DR site near Heathrow—in the 13 years I worked there I think the test partially worked once and failed the other 25 times...”--Jon Waite, CTO, Computer Concepts Ltd
For some organizations, the high cost of classic mainframe storage solutions and MLC cost concerns can lead to compromising on the number
of separate remote backup copies, the frequency of their backups, and/or the amount of backup testing and verification that they perform. This is a very serious problem. Backups aren’t worth anything if you aren’t sure you can restore from them.
Administrators don’t want to see backup jobs creating contention with other workloads, ensuring that only absolutely critical backup jobs run during R4HA peaks. Pushing backup jobs off peak can save money, but it also reduces the window in which backups can run, potentially allowing fewer backup runs.
Amongst all of this backups need to be verified, restores tested, and disaster recovery failovers planned and executed. In a perfect world, all of this is automated so that it occurs regularly. In reality, many organizations make a series of compromises to juggle cost and backup execution windows while still leaving enough time to test restores.
These issues are not unique to mainframes. Administrators in the open systems world juggle these problems as well. Open systems administrators, however, don’t have to worry about MLC pricing. The pressure on mainframe administrators to compromise is even greater than it is in the open systems world. Considering the criticality of mainframe workloads and data, this is alarming.
THE COMPLEXITY PROBLEMIf the vendor and technology issues were insufficient to cause angst, there is a looming skills gap. Many of today’s mainframes are maintained by practitioners who are retiring or near retirement. While there are some younger administrators choosing mainframes as a career, they are not compensating for the number of individuals looking to exit the workforce.
The aforementioned BMC survey notes that 49% of Techs see Staffing/Skill Shortages as the key obstacle for Mainframes in 2019.
Many organizations have intricate or bespoke backup implementations. The tape management solutions that manage the VTLs are separate from the solutions that schedule and run the backups themselves. Instead of a single, simple solution to this critical aspect of mainframe infrastructure, a complex web of multiple applications often exists. And the same goes for data transfer off the mainframe - with multiple components used to offload data transform it and them push it out to open systems.
This complexity is a problem. The mainframe skills shortage is not only seeing the pool of experts shrink, but many administrators also feel that time is running out to transfer knowledge to a new generation of mainframe practitioners.
CONCLUSIONData management has been a perennial—and expensive—bugbear for mainframe customers. When we asked Gil Peleg, CEO of Model 9 and an IBM mainframe veteran, how the mainframe backup cost could be quantified, here’s what he had to say: If you consider, as mentioned above, that 35% of mainframe cost is workload related (MLC) and that 10% of that is data management related, then you’re already looking at ~3.5% of total MF cost. Add to that the cost of secondary storage, which can come to 25% of mainframe hardware costs (based on our experience with customer budgets), and Gartner saying that hardware accounts for 18% of total mainframe cost—then we’re looking at another 4.5% of
total budget. So with a total cost item of 8% of budgets and the potential to save ~30–70% of that cost with offloads and commodity storage we are looking at a potential savings of 2–5.5% on mainframe budgets. For a typical enterprise, that could translate into 100s of thousands to millions of dollars per year. By all accounts that’s a significant chunk of money, with the additional upside being that the enterprise also benefits from superior data protection and access to the best in storage paradigms the cloud can offer.”
Outside of the mainframe ecosystem, the world has moved on. Open systems needn’t be feared, and cloud storage has demonstrated reliability and flexibility. Mainstream data management solutions have grown and evolved so much that they are no longer merely a check against various mistakes or disasters, they are themselves part of solutions that deliver tangible benefits. Cloud storage in particular can offer a number of resilience options and deliver consistent and significant cost reductions.
Fortunately, mainframe customers do have the choice to embrace commodity and cloud storage. They can enjoy the best of both worlds by combining the unmatched reliability of mainframes with the rapid evolution of capabilities and significantly decreased costs of open systems.
Read more about modern solutions that allow you to do just that at www.model9.io.
z/OS Container Extensions (zCX) is a new technology from IBM. It provides a way to run Linux capabilities on z/OS. zCX is a virtual appliance that requires minimal involvement after set up. And the benefit is that z/OS can run Linux code that has an affinity for z/OS data or applications. Running a virtual Docker appliance as a started task on z/OS makes all of the great features of z/OS available to Linux applications. In particular, Linux applications will benefit from z/OS performance of high-speed networking as well as resiliency around data replication and automation. zCX also expands and modernizes the software ecosystem for z/OS to include Linux on Z applications.
Join a Mainframe Development Revolution in 2020 – Embrace Open!What a difference a decade makes. Mainframe developers have seen major changes to their workspaces in the last ten years, which have only accelerated in the last several, and have opened up a wide new horizon for coders, new and old, as they step into a new decade.
Tools like the green screens of ISPF and the Eclipse desktop IDE enhanced with proprietary plug-ins have served mainframe application developers well over the years and, for those comfortable with them, will continue to do so. However, there are changes in the larger world of development that are creating the conditions for a revolution in mainframe tooling.
Firstly, mainframe developers are aging out of the workforce at a steady pace, leaving behind extensive code libraries and a workforce skills gap. Those likely to backfill these roles know and love modern IDEs, especially Visual Studio Code, while the popularity of Eclipse is quickly waning. For example, the annual Stack Overflow Developer Survey found that, over the past year, the popularity of Visual Studio Code grew from 34.9% to 50.7%, once again making it the most popular IDE, while Eclipse fell from 18.9% to 14.4%.
Secondly, application development has made great strides in productivity since the current mainframe tools were created, especially in the area of automation through the adoption of DevOps enablers like task runners, scripting and testing frameworks. Again per the Stack Overflow survey, scripting language Python is now, by far, the most sought-after skill among developers.
Finally, as the velocity of overall software delivery increases, the mainframe has lagged, becoming a drag on digital transformation. According to
451 Research, 24% of companies are releasing application software daily or hourly while, similarly, DORA’s State of DevOps report shows 20% of companies deploy multiple times per day. Software delivery expectations have changed with continuous deployment becoming the new normal and, to remain a vital computing platform for the long term, mainframe application development needs to support this high cadence.
Enter Che Rather than an evolution of the existing Eclipse IDE, Eclipse Che is a radical departure. At a high level, Che is an open-source Java-based developer workspace server and browser-based IDE that is container-native. For enterprises, Git provides a good analogy for primary value a hosted IDE provides: its usability and collaborative power have made Git the de facto standard for version control. Che’s workspace server offers comparable benefits to development teams, especially hybrid IT ones.
Che is now relevant to developers working on the mainframe via the Che4z subproject. It provides access to the z/OS file system, remote debug and remote editing of COBOL programs with all the expected modern editor capabilities including syntax highlighting, code assist and real-time syntax validation. Che4z is currently in beta but the first release is scheduled for Q4.
Beyond the foundational benefits mentioned above, Che is revolutionary for the mainframe for the following reasons:
Che, Visual Studio Code and more Che was architected to deliver a VS Code-like experience from the outset which, with the popularity of VS Code, turns out to be a sage decision. Che is based on Eclipse Theia which provides an in-browser VS Code experience complete with the latest tooling protocols: language server, debug adapter and compatibility with VS Code extensions.
The Che4z subproject, contributed by Broadcom, provides language support for COBOL and High-level Assembler is planned. The language server protocol (LSP) enables developers to use these languages with Che, VS Code and any other LSP clients (e.g., IntelliJ, VIM, Emacs).
Bottom line: developers can use VS Code for mainframe development independent of Che adoption.
Cross-platform Applications For many Fortune 500 companies, the mainframe hosts critical system-of-record applications and data while the cloud and mobile applications have evolved from user-oriented systems-of-experience. With tech-first startups disrupting entire industries, large companies are deploying more cross-platform applications not only compete but to win by harnessing the best of both worlds. Cross-platform apps combine modern user experiences with the transactional power and data assets of mainframes.
Because cloud and mobile developers need to integrate mainframe applications, allowing them to use the tools they know and love is key. That means the popular code editors and IDEs they love today as well as new innovations, like the
browser-based, container-deployed tools they will love tomorrow.
Che also facilitates pair programming, perfect when mainframe and distributed developers need to collaborate on cross-platform applications.
Bottom line: Che helps to make the mainframe less of a silo and more like other, easy-to-use platforms
Open Source-enabled Vendor Independence While open source is not new to the mainframe – zLinux has been around for years – access to off-platform toolchains were opened with the introduction of the Zowe open source framework (described in more detail below). Unlike the incumbent Eclipse vendors, and consistent with the open source vision, the Che4z extensions are open sourced and free to use. The legacy vendor-controlled model has given way to open source tooling for development teams.
Furthermore, Eclipse locked mainframe developers into using a specific set of editors, runtimes, and user interfaces for required capability and functionality – thus imposing a learning curve. Che, by comparison, offers flexibility via modular design, allowing individual developers to choose the components they need.
first open source project based on z/OS, enables developers to manage, control, script, and develop on the mainframe as easily as any cloud platform.
Command Line Interfaces (CLIs), for example, are popular with developers wanting the productivity lift of scripting and higher levels of automation (i.e., CLIs facilitate DevOps adoption). The Zowe CLI is a key component of the Che4z stack.
Also, Code4z is a free Visual Studio Code plugin that offers mainframe developers the ability to access datasets and elements on the mainframe and develop mainframe code using today’s most popular desktop IDE.
Bottom line: Using Zowe as the foundation for the Che4z mainframe extensions ensures the modern experience extends far beyond the IDE.
Are Che and Zowe Ready For The Enterprise?The continuing stigma of Open Source as ‘the Wild West’ of software development is vanishing into the sunset. Enterprises that are used to dealing with software vendors are, rightly, wary of stepping into open source implementations that may not provide the infrastructure to adequately support it once it goes live in production.
For that reason, vendors, like Broadcom, have stepped in to provide commercial, fully supported versions of these open technologies that help enterprises adopt and integrate them with their existing, proven proprietary solutions.
CA Brightside was a foundational element of Open Mainframe Project’s Zowe initiative, the first open source project for the mainframe. It was conceived to promote and support the implementation of enterprise-ready mainframe open source technologies and was awarded the 2018 Most Innovative DevOps Solution by DevOps.com.
Today, it provides a streamlined installation process and technical and legal support for all
Rich assets on your Mainframe? But FOMO on innovation?
Today’s digital leadership is about delivering innovations that drive
the business forward. With open source technologies, like Zowe,
the first open-source project based on z/OS, you can more easily
open up your mainframe to connect all the powerful data and
services required for delivering truly rich apps.
You can begin to automate development processes and establish
CI/CD pipelines to deliver at the speed of business. Only Broadcom
is fully committed to openness with full enterprise support for Zowe
and many other open-source projects making a difference.
Want to empower your teams to not miss a beat? Get open with Broadcom.
Whether developing for mainframe or other platforms, the Che community welcomes contributions from those passionate about software development. Want to incorporate a lesser-used language? No need to plead with a vendor. Anyone can seek community support for an idea or simply do it themselves. The Che/Che4z communities will ensure the proper procedures are followed before the code is ever released.
Bottom line: Che provides a more frictionless, fast-moving market allowing coding innovations to extend to the mainframe
Onboarding and Cost Reduction Consider the compatibility and maintenance nightmare created by the heavyweight plugins required for Eclipse. For mainframe leaders, the need to reduce costs is an ongoing challenge as is the need to quickly onboard the next generation of developers. As a container-based IDE with no client footprint, local installation, maintenance, and configuration is eliminated. The potential of moving entire teams currently using Eclipse with customizations to Che provides an attractive opportunity to materially reduce operating costs simultaneously developer productivity.
Because Che workspaces are containerized, they can be used to onboard new team members at lightning speed - open the container, begin work.
Bottom line: For mainframe leaders focused on costs and facilitating reassignment of team members across projects, Che is a compelling solution.
Built on Zowe The extensions that open the mainframe to the Che IDE are powered by the Zowe open source framework, maintaining mainframe-native security standards. Zowe, which was founded by Broadcom, IBM and Rocket Software and is the
Zowe core capabilities, as well as support for the Che4z stack and Code4z plugin. It tests and certifies these solutions for their quality and security, as well as supporting integrations with solutions like CA Endevor SCM, CA File Master Plus and CA OPS/MVS.
Bottom line: combining open source toolkits with commercially supported offerings like CA Brightside gives mainframe development teams the confidence to embrace open source in the enterprise
Conclusion For companies wanting to empower developers integrating mainframe assets with the most powerful application development tools on the planet, Che provides the best of both worlds - the immediacy of VS Code use with the path to full-on, in-the-cloud team collaboration.
Expanded tool choice, greater alignment with off-platform peers and DevOps-fueled
software delivery acceleration are all elements of a mainframe appdev revolution in the making powered by Che.
Broadcom Inc. (NASDAQ: AVGO), a Delaware corporation headquartered in San Jose, CA, is a global technology leader that designs, develops and supplies a broad range of semiconductor and infrastructure software solutions. Broadcom’s category-leading product portfolio serves critical markets including data center, networking, software, broadband, wireless, storage and industrial. Our solutions include data center networking and storage, enterprise and mainframe software focused on automation, monitoring and security, smartphone components, telecoms and factory automation.
Visit us today: broadcom.com/products/mainframe.
You’ve just discovered there’s been a breach! IBM’s “Cost of a Data Breach Report”, in 2019, reported that the average time to detect a breach is an unacceptable 206 days, with a further 73 days taken to control the breach. What are you going to do? Are you going to look through the SMF records? What’s needed is File Integrity Management (FIM) software that provides a way of detecting changes by comparing the current contents of components to their trusted state. FIM software can tell you who made the changes by accessing data in SMF and searching it to see what userid changed the files during the attack interval. It can tell you what has changed. FIM tools can identify every file that was modified, added, or deleted. It shows you where the problem started (a suspicious update) and every component that was accessed. It can also identify altered log files that would cloak a hacker’s tracks. However, if the content matches the trusted state, then you very quickly know it was just a false alarm. FIM software can tell you what LINE was changed and when it changed. FIM software records every successful scan, it knows the last time each component was correct. Now it can give you the attack interval (from the last good date to incident time) so you can focus your research on the exact actions during the interval. Knowing the last good date will also be important in deciding when the recovery process should be started too. FIM software can tell you why it changed. By querying change management products like Remedy and ServiceNow, advanced FIM products can determine whether the change was authorized or not – avoiding many false alarms and ensure only validated alerts become an incident.
Indicators of Compromise and Why It Takes Six-Plus Months to ID a Breach Poorly Identifying Indicators of Cyberattack Is Why It Takes Us Six-Plus Months to Identify a Breach, and Even Longer to Remediate
Across the U.S., both public and private entities are under assault. Cyberattacks are invisible, but the effects have increasingly been thrust into the limelight, and ransomware is one of the most prevalent threats. In August 2019,1 The New York Times reported that upwards of 40 municipalities had fallen victim to the data “kidnapping” malware variant. These municipalities range from towns of less than 5,000 to major city centers including Baltimore and Atlanta. For cybercriminals, they all represent the potential for a massive payday at the expense of taxpayers.
Despite warnings from agencies like the FBI, some local governments are choosing to pay ransoms to hackers in the hopes of getting their files returned and systems fully restored. Not surprisingly, data ransom prices have increased as criminals continue to have their demands met. In March 2019, Jackson County, FL paid out a $400,000 demand. Riviera Beach, a city of 35,000, paid a ransom of $600,000 just three months later. When Lake City was hit, the insurance provider paid hackers $460,000 – a hefty price for a city of just 12,000.
Although it’s easy to see how paying ransoms perpetuates the cycle of cyberattacks, public entities often have little choice when vital systems like emergency response services are down. Steve Parks, a member of the National Cybersecurity & Communications Integration Center’s (NCCIC) Threat Analysis Branch (TAB), explains that “It’s a really tough decision for an organization to have to make, paying the ransom or paying the cost to fix everything once they’ve been compromised. The cost of the latter increases significantly if
the organization hasn’t followed industry best practices,”2 which means the companies most likely to be breached are also most likely to need to pay up. When systems in Atlanta were breached in 2018, city officials took a stand and staunchly refused to pay a $51,000 ransom. Recovery costs, which – at this writing – remain ongoing, have surpassed $7 million.3 Information Security expenditures are at an all-time high, but hackers continue to find ways to circumvent security controls, predominantly through insider threats and employee negligence.
Hackers will always find novel ways to bypass your security protocols and fighting cybercrime has become less about prevention and more about stemming the bleeding. Ideally, if you can spot these indicators of attack, you can transform your organization’s approach to data protection from reactive to proactive.
Innovation (and Negligence!) has Created Big Business for Cybercriminals WorldwideAccording to Tim Slaybaugh, Malware Analyst at the NCCIC, “For many ransomware authors, developing malware is a business. They’re continuously upgrading and repackaging their tools to make them harder to detect and more effective at compromising systems in an effort to provide a superior product for their clients.”4 In return for offering their Malware as a Service, these black hat developers rake in a hefty cut of each successfully conducted attack. Unfortunately, the bad guys just need to be right once, while the good guys must try and maintain secure defenses 24/7/365 in a constantly shifting landscape.
It should come as no surprise that the battle is taking its toll. According to data from CyberSeek, the U.S. alone has more than 300,000 vacant cybersecurity positions – nearly half the total employed cybersecurity workforce of 700,000.5 Not surprisingly, these unfilled positions put an immense amount of pressure on the individuals who are forced to pick up the slack, and research
from the Information Systems Security Association (ISSA) reports that 40% of cybersecurity executives blame the skills gap for high turnover rates and employee burnout.6 Data from a Spiceworks survey shows that IT professionals are clocking a 52-hour work week on average, with almost 20% exceeding 60-hour weeks.7 It’s no wonder filling this human resource gap is at the top of CxO priorities in 2019, second only to security.8
To make matters worse, a gap in communications between mainframers and the distributed personnel who hold watch over Security Information and Event Management or SIEM systems leads to a consequential gap in security that is more than big enough for a sophisticated hacker to exploit. Even though mainframes power the enterprise computing needs of regulated industries like banking, finance, healthcare and government, InfoSec resources continue to miss the critical vital signs – indicators of compromise – that spell trouble for highly sensitive data and intellectual property residing on their mainframes.
Plenty of mistaken assumptions plague mainframe security. Some personnel think that data security standards don’t apply to mainframes, or that mainframes can’t be hacked. Others might not realize that nightly processing of mainframe log data is as real time as their mainframe gets to sending user events to the distributed SIEM system managing their organization’s cybersecurity. Unfortunately, in today’s threatscape, security measures lacking real-time indicators are creating a security blind spot that, on average, isn’t discovered for more than six months.9
Indicators of Compromise Vs.Indicators of Attack – What to Watch ForAround the globe, organizations rely on user log data as the foundation of their security efforts. This data, which can quickly grow to terabytes in seconds in a large enterprise, is indeed an important component of security, but it is not in itself a defense mechanism. Instead, log data
empowers an organization to correlate user logs with systems logs (time, user location, system location, access type, etc.) to determine potential anomalies in user activity synonymous with cyber threat. All organizations collect log data, but without combining logs with these other data points – the correlation – they are missing the security events that could be indicators of compromise (IOC).
IOCs are an important ingredient for your organization’s cyber defense, but their presence often means the breach has already occurred. They’re largely forensic, used after the fact to compile evidence of a breach and uncover information about the criminal actors involved and the methods they used. Knowing how a system was breached is a great way to ensure that the same method can’t be utilized again as soon as your systems are back up and running, but it’s still a reactive approach to cybersecurity and one that’s costing organizations a fortune.
Instead of relying on traditional IOCs (post-breach indicators), your organization must move from a reactive approach to a proactive one that looks for a different kind of evidence – Indicators of Attack (IOA). At BMC, we work with leading penetration testers and build our correlation threads around their tactics, techniques and procedures. If you are going to proactively mitigate the risk of cyberattack, you’ll need to identify and react to these IOAs in real time. Without a cutting-edge security solution, it’s highly possible that an IOA in your organization would have no connection to any malware definition in your security operations center (SOC).
How then, can you leverage both IOC events and IOA events to predict and deter cyber risk? Three key components will help tremendously:
1. Event correlation across both mainframe and distributed systems
2. Visibility of enterprise-wide event data in your organization’s SOC, and
3. Real-time alerts to appropriate personnel (or automation queue) of the impending cyber risk so proactive measures can be undertaken prior to breach
This is immensely easier written here than executed in your enterprise network, but it’s a vital effort if you want to avoid becoming a datapoint in the next major breach report. To create a proactive posture and secure your systemwide data and intellectual property, look for these breach markers that indicate cyber risk: 1. Port scanning If a source IP is thoroughly scanning your
ports, it may be an attacker looking for the best avenues of attack. Instead of blocking the source address, which will just prompt the attacker to use a different one, make sure that the activity isn’t sending actionable information back to the cyber criminals – or requesting it from them as part of a command and control process. In some cases, scanning activity might be originating from a partner organization’s network (as was the case in the Target breach of 2013), in which case you should notify their security or network management staff.
2. Password attacks Repeated failed password attempts could
indicate a credential stuffing attack, where an attacker is trying known username and password combinations stolen or bought off the dark web. According to Stacey Wright, Director of Cyber Intelligence at the Multi-State Information Sharing and Analysis Center (MS-ISAC), “If you’re logging these failed password attempts and you have flags set so you get notified when accounts are locked out, that can be extremely effective in detecting a brute force password attack.”10 Put controls in place that lock out accounts after three to five incorrect login attempts. Even if accounts are only locked for 15 minutes, the measure can drastically slow down the speed at which brute force attacks can be carried out.
3. Anomalous activity of privileged users Privileged users are an undeniable security risk, particularly on mainframe systems. They have the keys to your most valuable IT asset, and they can wipe their trails clean to make manual detection incredibly difficult. A privileged user accessing a load library s/he doesn’t normally access is not unusual. But, if the access comes from an IP address in Turkey when you know that user always works from the office, that’s anomalous activity. Understanding what privileged users are doing in correlation with where they are doing it is critical to your data security. And, with a solution that delivers this information from this critical endpoint device in real-time, you can spot this anomalous activity and even privileged user attempts to erase the activity. More importantly, you can commence remediation immediately and have a forensic record of it.
4. Escalation of user privilege In the hack of Logica’s mainframe, Gottfrid
Svartholm stole credentials for all 120,000 user accounts, including those with administrator privileges. Instead of stopping there, he escalated the privileges of many non-admin users in order to create backdoors once administrators caught wind of the hack and updated their compromised accounts.11 Secure systems should automatically flag privilege escalation across your user base and notify administrators who can look into the event to confirm its legitimacy.
5. Correlation of user activity to geographic location
In the rare event that all of your employees work on-site, you can block IP addresses outside your location and prevent them from accessing your system. If that level of granularity isn’t possible and you have employees telecommuting from around the world, you can still correlate user activity and location to determine when attacks are being conducted. If one of your
employees regularly logs into your system from Germany, your system should automatically flag that employee’s attempted login from halfway around the world when you know they were in your local office today. Then further investigation or remediation can commence.
6. Incidence of probing Hackers can gather huge amounts of information
by probing your networks, and they’ll use this preliminary research to identify the most promising vulnerabilities in your system. This probing could occur over weeks or months just to understand your organization’s cybersecurity maturity. Besides scanning for open ports, they’ll look for items on your network like user accounts, shared folders and even connected printers/ fax machines, or Point-of-Sale systems as in the case of the Target breach of 2013. These items are all possible entry points for a hacker to load viruses, key loggers or other malicious programs.
7. File integrity monitoring Provided you know what your systems look
like when healthy, file integrity monitoring lets you compare your current system to that established baseline. It’s a powerful way to monitor changes to the known secure state of your operating systems. Some file integrity monitoring solutions require periodic scans, but an automated solution can give you an accurate picture of changes as they occur in real-time. Even if there is no sign of change to your OS’s file integrity, a simple timestamp change to a file or folder might indicate cyber intrusion. Most FIM solutions are made for distributed systems, but you can do FIM on the mainframe with select vendors, BMC being one of those. Armed with real-time mainframe FIM information, your security teams can spot and stop 0-day threats as they emerge.
8. Virus definition management It’s imperative that security tools keep an
updated database of the latest known virus definitions. A virus such as Mimikatz, for
example, allows hackers to steal credentials and escalate privileges on Windows systems, and it’s constantly being updated and improved. ELV.APF is a well-documented open-source tool that performs a similar function on the mainframe. To add an extra layer of protection against these and other threats, software should automatically notify security personnel of any unauthorized changes to virus definitions, as this activity could indicate the presence of a sophisticated hacker.
Correlate and Alert in Real-Time Across Your Entire EnterpriseCyber criminals and the tools they use are on the offensive 24/7/365. Your approach to proactively securing your data and IP should be an endless, ongoing effort as well. With solutions like BMC’s Automated Mainframe Intelligence (AMI) for Security, security teams can identify and correlate IOCs and IOAs as they materialize. And they don’t have to stare at a dashboard all day. These “breach markers” that appear in your SIEM and SOC can also trigger SMS, email alerts or other preferred methods of notification to the appropriate security personnel (or system of automated breach response).
AMI for Security is not just security software. It is Endpoint Detection and Response technology coded by security practitioners using a holistic method for data protection built with security solution workflows, automation, high-speed indexing, massive log throughput, and real-time alerts. It is designed as a standalone system but there is deep integration built into a multitude of complementary SIEM products, and it has the capability to integrate to any SOC. A single system in your technology stack is not going to stop the sophistication and coordination that hackers employ to get to the data they want. Your people and systems need to come together in a united front to quickly spot the indicators that tell you an attack is imminent.
Security functions used to be hidden away in the IT department, but that perception is thankfully evolving. Today, cybersecurity is an integral part of an organization’s IT DNA, and it’s up to CxOs (not just the CISO) to bring known best practices into the spotlight while implementing security solutions that automatically scan for indicators of attack in real-time.
BMC’s AMI for Security is a solution specifically engineered to protect the mainframe - your most mission-critical IT asset - while removing unnecessary burdens from the shoulders of your overworked IT personnel and augmenting their efforts in powerful ways.
To learn more about AMI for Security, please visit our product page or reach out to a BMC expert today.
BMC delivers software, services, and expertise to help more than 10,000 customers, including 92% of the Forbes Global 100, meet escalating digital demands and maximize IT innovation. From mainframe to mobile to multi-cloud and beyond, our solutions empower enterprises of every size and industry to run and reinvent their businesses with efficiency, security, and momentum for the future.
BMC – Run and Reinvent www.bmc.com
1 https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html 2 https://www.youtube.com/watch?v=D8kC07tu27A 3 https://www.theatlantavoice.com/articles/mayor-testifies-before-u-s-house-subcommittee/ 4 https://www.youtube.com/watch?v=D8kC07tu27A 5 300,000 vacant cybersecurity positions 6 https://www.issa.org/page/2017_issaesg_surv 7 http://www.itmanagerdaily.com/survey-it-pros-are-seriously-overworked/ 8 https://www.cio.com/article/3329741/top-priorities-for-cios-in-2019.html 9 279 days to identify a breach according to 2019 IBM/Ponemon study https://www.ibm.com/security/data-breach 10 https://www.youtube.com/watch?v=D8kC07tu27A&t=1753s 11 https://www.youtube.com/watch?v=SjtyifWTqmc&t=1805s
The API (Application Programming Interface) economy involves making the best use you can of existing applications and data by making them available as APIs and then developing new applications to meet a need of customers and potential customers. One way to do that is by using IBM’s z/OS Connect Enterprise Edition. IBM’s z/OS Connect Enterprise Edition provides a framework enabling z/OS-based data and programs to become part of the API economy and connect with users and other APIs in the cloud and on mobile devices. z/OS Connect EE makes CICS, IMS, WebSphere MQ, Db2, and batch accessible through RESTful APIs with JSON-formatted messages. RESTful APIs and JSON are frequently used with mobile application development. And that means those developers can work with mainframes without needing to know too much about mainframes. Your mainframe makes a good API host because: it has a fast response time; it’s extremely reliable; it handles high workload volumes; and it is highly available.
Mainframe breaches: a beginner’s defensive strategy2019 was another year marked by lurid tales of data breaches, writes RSM Partners’ Mark Wilson. When it comes to getting our own house in order, he says the mainframe industry needs to get on the front foot in 2020.
For too long, people have continued with the mantra “our mainframe is safe, it’s buried in the heart of our data center behind three firewalls”. We’ve almost buried our heads in the sand. We have to stop, think, and change our mindset. And that’s happening in some quarters: in the last year, more than 70% of my company’s work was related to mainframe security in some shape or form.
And it’s not really the outside world that I’m so worried about, although the external cyber threat is clearly serious. What worries me more are the privileged and non-privileged insiders, how we run security internally, and in particular the privileges we extend. The access we permit and, crucially, fail to control properly may have the starkest consequences.
Criminal intentWe still hear the old refrain that the IBM mainframe is the most secure computing platform available today. That’s not true. But it’s definitely the most securable. Some people still say the mainframe is unhackable. That’s also not true: there have been numerous successful hacks. To the bad actor, it’s just another server or a computer with an IP address to be attacked and infiltrated. Come on, the mainframe is running UNIX and Linux. As our perimeter defenses come up to speed, it’s time to look inwards. And the internal risks have always been there.
Back in 2014, for example, an employee of one of the UK’s largest banks was able to steal £2.1
million from his employer to fund a lavish (and rather dissolute) lifestyle. This software engineer, responsible for 30 million retail banking accounts, was able to exploit vulnerabilities in the bank’s systems. He went undetected for more than five years.
And the breaches have kept coming, as I wrote about a few months ago, when the UK’s Information Commissioner’s Office announced its intention to fine Marriott International, Inc. almost one hundred million pounds sterling (around US125m) for GDPR infringements. This related to an incident in which personal data in around 339 million guest records globally were exposed. The vulnerabilities apparently dated back to when the systems of another hotel group, which were later purchased by Marriott, had been compromised.
British Airways faced a bigger penalty of £183m (US227m) for a breach in 2018, a “sophisticated, malicious criminal attack” on its website. Users were diverted to a fraudulent site and the details of half-a-million customers were harvested.
Now, I should make it clear that I don’t know the deep detail of these incidents or if they, in fact, specifically relate to mainframes. But both companies mentioned have mainframe systems.
Running the worldGiven the risks, it’s just as well the mainframe is no longer around, and was dead and buried over 20 years ago. “I predict that the last mainframe will be unplugged on March 15, 1996” said Stewart Alsop, Editor-In-Chief of InfoWorld, back in 1991. It didn’t quite happen that way. I’ve been working in mainframes since 1980 and I’m certain they’ll out-live my career.
Mainframes do truly run the world. And you don’t need me to tell you about the continuing role that mainframes will play moving forward; delivering more than 1.2 million transactions per second for a world that, in 2020, will have more than 30
billion connected devices. CICS is ready. It just seems we are not quite ready to properly secure our systems.
Back to those internal threats. In July 2019, a former employee of Amazon Web Services was charged with computer fraud and abuse after accessing data held by Capital One that included individual’s names, post codes, birth dates and income, as well as credit scores, credit limits, payment history and some transaction history. The breach, which affected 100 million people in the US, also saw 140,000 Social Security numbers and 80,000 linked bank account numbers to credit card customers being compromised. In this case, it was reported that an “improperly configured firewall” meant the hacker could access the data. Capital One has a cloud-first strategy. It’s a connected world, and you have to plan for every eventuality.
Mainframe security complacencyAnother regular theme in 2019 was security complacency. I was clear in my belief that some parts of IT, including mainframers, were in self-denial about the risk of breaches and the state of their security in general. These concerns were reinforced by a 2019 research report from Forrester Consulting titled ‘Don’t Let Mainframe Security Complacency Leave Your Critical Customer Data At Risk’ – which kind of says it all.
The research showed a worrying lack of awareness around what people actually needed to do to secure all parts of their environment. “Not only are companies not making decisions with the mainframe in mind, but they are not taking actionable steps to secure the mainframe” it said. This included not actively scanning for vulnerabilities. Indeed, scanning the OS for vulnerabilities was considered the least important factor “when managing your organization’s mainframe security.”
Two-thirds of respondents said protecting their systems from ‘zero-day attacks’ exploiting
software weaknesses or other vulnerabilities is the greatest mainframe security challenge they face. Two-thirds of companies said they struggled to identify vulnerabilities rapidly.
The continuing importance of the mainframe and the complacency around security were again underlined by BMC Software’s Mainframe Survey 2019. While survey results showed “the enduring power of the platform for business transformation and growth” they also highlighted that security remains a major issue and has greater visibility at C level than previously – yet technical teams still rated ‘cost reduction’ as their top priority, ahead of ‘security’ by some 14 percentage points.
While security is described as a key factor in “the next wave of mainframe success” and “maintaining customer trust that their critical data is secure is key”, more than two-thirds of respondents were not using external services for pen testing, 58% of respondents were not carrying out privileged user monitoring, and almost three-quarters of organizations surveyed (74%) were not using dedicated Security Information and Event Management SIEM. Yet at the same time, “Mainframe environments are handling increases in data volume, the number of databases, and transaction volume.”
We clearly need to crack on with rethinking our mainframe security stance.
The insider threat: a defensive strategyHow can we mitigate some of these risks? What’s our defensive strategy to be? A good place to start is getting solid answers to the basic question, are we as secure as we think we are? How many times have I heard, “But we don’t need to secure our internal SSL network to the mainframe. It’s safe.” It’s not safe: it’s ancient and insecure.
As a non-privileged user, I can use TCP/IP capturing software, browse unencrypted data and, hopefully, get hold of some nice clean credentials. If I can see your user ID and password, I’m
privileged too. As far as the mainframe is concerned, I am you.
And if ‘you’ happens to be a systems programmer, that could be very bad news. Once I get my hands on all your access rights and privileges, just imagine what I could do.
A good opening salvo is to remove standing access as a rule. This is often a historical hangover to an earlier era. As the mainframe is no longer an impregnable island fortress, it’s no longer viable. And this needn’t be a negative, it can be proactive. For example, our own ‘Breakglass’ software is designed to enable fast and easy temporary access controls in a secure and audited way, elevating privileges and giving users temporary additional security permissions so they can perform a specific activity. It’s not another barrier, a security measure that slows things down. It’s an enabler: ensuring elevated security from the get-go and protecting the business while simultaneously making sure people can get on with their jobs.
Okay, that’s a more tactical activity. How about planning and executing a more strategic approach? First, we need to get some of our language straight, so we all know what we’re talking about.
Performing a Security Assessment means carefully and expertly reviewing the security settings of a site to identify any security weaknesses. This requires quite a high level of authority. Vulnerability Scanning means scanning code delivered by IBM and ISVs plus any code you may have developed in-house: testing the code to see if it throws up vulnerabilities that might be exploited by a knowledgeable user. Then my personal favorite, Penetration Testing, which is something people like me carry out at sites to help them stop the real bad folk getting in. For these simulated attacks, I just need the same access as any normal user.
A pen test is a good route in, to reveal flaws, putting the mainframe infrastructure and its security
protocols and settings through their paces. We use real-life techniques employed by the bad guys in ways that are designed not to disrupt your own systems. A controlled and entirely safe process, it’s about finding gaps in defenses and vulnerabilities in systems before someone else does. It’s just one tool in your security armory.
Advocacy – and the ‘virtuous circle’ of mainframe securityOverlaying your defensive strategy is advocacy when it comes to your mainframes and enterprise security. We need people to be on side. What helps is for the people running the mainframe to go through a security design process themselves. This begins with asking “what’s our most at-risk, or unsecured, data, applications, and so on?” and then asking “how can we design a security model that best protects our stuff?” This model will be different for everyone. It should fit who you are, how you work, the levels of regulatory compliance you need to achieve, whatever.
You take all of that into context then develop a security design that gives you what you need. Then you implement it - test your model versus the design - make any changes and carry out remediation – and constantly review both your organizational requirements and the model, and update your approaches as business needs, technology and the threat landscape continue to evolve.
This is really about getting on the front foot before someone blasts a hole in the mainframe and gets in. This approach can form the basis for an effective defensive strategy. Once we change our mindset, and plan and implement the right security model, it then becomes a continuous process of testing, reflection, remediation and improvement, creating that closed loop. And you drop into the mix whatever you need to be part of that, whether that means role-based access control (RBAC), real-time alerts and monitoring, dynamic elevation of privileges, and so on.
In this way, we can really start to address the security challenges that we face in a properly proactive, head on manner. We can engage with disciplines such as application forensics, from a true forensics standpoint. What does that mean in our world? You can’t freeze activity on the mainframe but we need to move towards true forensics in our world, extracting and decoding logs of applications, to analyze, interpret and preserve data, to better understand activity and its security implications.
Quite apart from the Internet of Things and our connected world, yet another new era is coming: the reality of quantum computing based on that strange ability of subatomic particles to exist in more than one state at any given time. New machine learning speeds, brand new algorithms, the ability for hackers to crack the most sophisticated passwords and credentials in
the blink of an eye… it’s time we were on the front foot when it comes to security.
About the author An award winning global thought leader in mainframe technology and security, Mark Wilson heads RSM Partners’ Technical and Security teams. Drawing on more than 30 years’ experience in mainframe systems in diverse sectors and environments, in both hands-on technical and strategic roles, his insight and solutions-driven approach mean he is highly valued by RSM Partners clients, IBM and third-party technology partners, and is much in demand as a speaker on the international circuit. Mark is Chair of the Guide Share Europe Large Systems Working Group and Technical Co-Coordinator of the GSE Enterprise Security working group.
RSM Partners: rsmpartners.com/
WebSphere Liberty was introduced into WebSphere Application Server V8.5, and was originally called the WebSphere Liberty Profile. In 2016, following a move to continuous delivery of Liberty, IBM changed the numbering scheme to reflect the year and quarter of the Liberty fixpack release. That makes WebSphere Liberty a lightweight downsized version of WAS, which results in it being a fast, dynamic, and easy-to-use Java application server. It’s a combination of IBM technology and open-source software, with fast start-up times, no server restarts to pick up changes and a simple XML configuration. Liberty’s modular architecture allows developers to minimize server size and increase infrastructure utilization. It can be integrated with other frameworks like Docker, Chef, Puppet, Jenkins, and UrbanCode Deploy. Liberty is designed to be highly composable, to start fast, use less memory and scale easily.
According to a Forrester report entitled The Total Economic Impact Of IBM WebSphere Liberty: “IBM’s new Open Liberty server runtime has open-sourced the WebSphere Liberty architecture, providing developers with open source benefits like low-cost experimentation, customization, and access to a rapidly evolving ecosystem. Open Liberty shares the same code base as WebSphere Liberty, so organizations can begin development in Open Liberty and seamlessly move applications to WebSphere Liberty for support in production.”
Liberty can be used with CICS and IMS to make the applications available with those subsystems available to users on the web, and so extend or modernize the use of those applications.