Continuing its quest to find relevance for big iron in the age of open systems, IBM Corp. today is announcing a new generation of its LinuxONE mainframes with built-in security for Docker containers and support for Kubernetes orchestration.

The announcement comes just a little more than two years after IBM entered the Linux-on-mainframe market via a partnership with Canonical Ltd. The company positions the products as the ultimate in security and performance for organizations that need to scale to very high volumes. “For workloads that need high levels of privacy assurance and applications that don’t scale out well on Intel-based models, we think this platform is the solution,” said Mark Figley, Director, LinuxONE Offerings.

Scale-out architectures, in which performance is improved by clustering more servers together, aren’t appropriate for every situation. Applications like high-speed network switching and very large databases may benefit more from scale-up architectures in which capacity is added within a single server instance.

The new Emperor II processors run at 5.2GHz, scale vertically to 170 cores and can support a 17-terabyte MongoDB Enterprise instance in a single system with up to 10 times better read/write latency than a comparable implementation based on the Intel X86 architecture. They also can support up to 2 million container instances. IBM achieves these performance figures by eliminating the need for sharding, or subdividing large databases into smaller ones. Sharding is often necessary in scale-out architectures, but introduces a performance penalty, Figley said.

Secure containers

The big news IBM is highlighting however, concerns security. The new mainframes come with a feature called Secure Service Containers that provides automatic encryption of data in motion and at rest and tamper-resistant administrative features that prevent changes from being made at the command-line level.

Encryption has been improved to comply with Federal Information Processing Standard Publication 140-2 Level 4 security, which provides the highest level of protection for encryption keys by specifying both the hardware and software environment in which they’re maintained. The new mainframe also implements “secure boot” start-up to ensure that only good operating system images can be launched.

Perhaps the most audacious feature, however, is restrictions on the ability of administrators to execute commands through a Secure Shell remote login. Instead, administrative functions are exposed through a RESTful interface or web page, and all administrative operations have to be whitelisted before they’re made available.

Administrators may balk at the loss of control, but Figley said the tradeoff is warranted. “Most high-profile attacks over the last few years have involved a trusted admin or a hacker using social engineering to get administrative credentials,” he said. “We are cutting off a very important vulnerability.”

Docker Inc.’s Docker Enterprise Edition containers-as-a-service platform inherits the security capabilities of Secure Service Container without any change to the software, thus removing much of the need to build security into applications. However, the security features aren’t limited just to Docker. “SSC is an [logical partition] technology, not just a container technology,” Figley said. “It doesn’t depend on Docker at all. Any workload can get the security benefits.”

IBM compares its security approach to Intel’s Software Guard Extensions, which uses protected areas of execution in memory called enclaves. SGX has a couple of major weaknesses, Figley said. One is that enclaves top out at 90 megabytes, which is too small to support a virtual machine or moderately sized database

Another is that developers must write to the SGX application program interface in order to get the benefit of enclave protection. “If one of Intel’s partner developers forgets to write to the enclave and codes normally, you’ve got a vulnerability,” he said. In contrast, IBM’s approach requires no code changes at the application level.

Image: IBM