IBM’s latest Z mainframes offer a bulwark against data breaches

Protecting data in an information economy is a tough task. Bigger data breaches have been occurring more often in recent memory, affecting retailers like Target and decidedly more seedy victims. In response to this growing problem, IBM has tooled up the Z (or Z14), its latest line of mainframe computers, to take a shot at stemming the tide. The new mainframe systems' claim to fame is their end-to-end encryption chops, a capability that IBM says will help to protect sensitive information from cybercriminals, state actors, and rogue employees both at rest and in flight.

IBM claims its new generation of big iron is specifically built to reduce corporate and government costs related to hacks and security breaches, and it's also poised to help businesses stay in compliance with new laws like the EU's General Data Protection Regulation. The company predicts that global cybercrime costs could top a heart-stopping $8 trillion by 2022, and the need for stronger encryption certainly seems pressing. According to IBM, only 4% of the nine billion data records stolen since 2013 were encrypted.

The company attributes the lagging use of encryption on corporate data stores to technological complexity in managing encrypted systems and to the reduced performance of x86 systems when extensive encryption is enabled. To ensure high performance when handling encrypted data, the company says that it has quadrupled the amount of silicon dedicated to cryptographic algorithms in the Z14 platform. The result is a claimed 18x performance increase in these scenarios compared to x86 servers. IBM further claims administrators will be able to encrypt data associated with entire databases, applications, or cloud services with a single click, as opposed to the piecemeal approach to encryption that's apparently common in today's organizations.

The company further says its new machines can protect millions of encryption keys with tamper-responding hardware that can invalidate the keys and restore them safely later. IBM has also created new encrypted APIs meant to make it easy for developers to discover and use IBM Z applications from cloud services, and it says access to these APIs will be three times faster than on x86 systems serving similar requests.

As for the hardware, the Z mainframes are built around 5.2 GHz ten-core processors fabricated on a 14-nm silicon-on-insulator (SOI) process node. IBM says the z14 CPU boasts new single-instruction-multiple-data (SIMD) instructions for analytics and traditional floating-point workloads. The processor also has hardware-accelerated encryption capabilities and a specialized compression co-processor. Each Z server can pack as much as 32 TB of system memory, a three-fold increase over the older z13 models. IBM says the Z mainframes have triple the I/O performance of its last-generation systems, as well.

IBM says all this silicon, memory, and storage lets the Z mainframe process up to 12 billion encrypted transactions per day and offer up to 2.5x faster Node.js performance and 50% better Java performance than comparable x86 platforms. Administrators might also be able to host two million Docker containers and over 1000 concurrent NoSQL databases on a fully armed and operational Z14. The company didn't provide any pricing information for the new Z mainframes, but TheStreet says prices will start at a cool $500,000.

Comments closed
    • ronch
    • 2 years ago

    I’d love to sneak up on one of these and quietly stick an Intel Inside® case sticker in front.

    • trackerben
    • 2 years ago

    For sure, its description is not tamper-resistant to our spoding over it.

    • ronch
    • 2 years ago

    I’ve never Xeon such Epyc mainframes.

    • shank15217
    • 2 years ago

    Yes, instead of criminals having full control of your data, you can just give your soul to IBM. The amount of money and time companies spent moving away from big iron should tell you something about big iron; big iron is a lot like big coal. Its time is over; it's time to move on.

    • maxxcool
    • 2 years ago

    I am not seeing that all pages of ram are encrypted. Anyone else see if it is just referring to DISK encryption or does it also encrypt ram as well?

    • psuedonymous
    • 2 years ago

    How many serious data breaches were actually the result of an external actor gaining unauthorised access, rather than an authorised actor being compromised and accessing data they had legitimate access to (e.g. Doris in accounting who also uses her corporate password for AOL).

    • the
    • 2 years ago

    After browsing through some literature, it is unclear if that 32 TB figure is what is fully addressable or before RAIM. If it is the addressable figure, then the physical amount of RAM installed is closer to 50 TB due to 10-bit ECC w/ chipkill on each memory channel and a fully redundant channel of memory off of each controller.

    • ultima_trev
    • 2 years ago

    It’s been 15 years since I began classes for my computer science degree and since day one I’ve heard “mainframe is a dead platform.”

    Meanwhile I’m working at a Fortune 500 financial company that relies pretty heavily on mainframe ops, and it doesn’t seem like the mainframe aspect is dying anytime soon.

    On the other hand, proprietary Solaris/SPARC, HP-Ux and AIX/POWER seem to be slowly but surely being phased out in favor of Red Hat on x86.

      • the
      • 2 years ago

      Solaris/SPARC is dying because of Oracle, who at first didn’t know what to do with a hardware platform. They have since come around and made the necessary improvements, but now that the results are in, it seems that management decided yesterday to go back to being noncommittal. The other side of SPARC, Fujitsu, is dropping SPARC, it seems, in favor of ARM.

      HP-UX married itself to Itanium after a painful transition from PA-RISC. It wasn’t just HP-UX that tied itself to Itanium; both OpenVMS and NonStop were tied to it. But the combination of these three OSes wasn’t enough to keep a platform alive, even with the hardware backing of Intel.

      IBM’s POWER hardware is seeing hard days but they have made some choices to at least survive. OpenPOWER is growing and slicing out a piece of markets that it wasn’t able to compete before with IBM’s traditionally kidney trade pricing. AIX still lives in that segment but IBM’s embrace of Linux on POWER and alternative hardware manufacturers has gotten traction in the HPC segment. Joining up with nVidia here has also helped.

      But the mainframe lives on! What is dead may never die.

      • just brew it!
      • 2 years ago

      The Cloud is essentially the old mainframe concept resurrected with a new skin. Massive fault-tolerant server farms (mostly x86 running Linux) have largely replaced the proprietary mainframes, and your smartphone has replaced the terminal; but the paradigm is a throwback. Big datacenters where everything is stored and most of the heavy lifting happens, and a network of satellite terminals.

      While I don’t see mainframes ever dominating again like in days of old, something like Z series can still have a niche in this landscape, especially with the rise of virtualization.

      (Disclaimer: I am currently employed by IBM. The views expressed in this post are my own.)

        • blastdoor
        • 2 years ago

        Yes, all that was old is new again.

        One slight difference between now and the past, though, is that in the past I think the clients were too thin.

        My current guess is that the future will have very powerful clients connected to very powerful mainframes. The “client” will essentially be a cyborg, but a far more fashionable cyborg (brought to you by Apple, at the high end) than in Star Trek. The cloud/mainframe (brought to you by IBM, at the high end) will be a very powerful resource available to the clients, not the master of the clients.

        In a world like that, data security/integrity/privacy is incredibly important. It just cannot be overstated how important it will be. Those who understand that importance and can afford it, will definitely choose the highest levels of security/privacy. Those who don’t understand or cannot afford it will end up being someone else’s pawns.

          • just brew it!
          • 2 years ago

          The old mainframe “clients” were “thin” (from a capabilities standpoint, not physically) out of necessity. Given the tech of the time, they were limited by what could reasonably fit on a desktop (and be powered by a standard 120VAC power outlet).

          As far as the rest of your post is concerned… well, all I can say is, Skynet, here we come! (Likely brought to you by some combination of Google/Microsoft/Apple/IBM/Facebook/Amazon.)

            • blastdoor
            • 2 years ago

            I’m guessing the future won’t be quite like Skynet, because I think the cyborgs will be more autonomous and the central mainframes more for coordination than for controlling.

            The difference is really driven by the capabilities of the human brain. A cyborg that starts with a human brain and adds silicon enhancements is a much more capable cyborg than one that is mostly machine and then adds a veneer of organics. In other words, I think Borg are vastly superior to Terminators.

          • psuedonymous
          • 2 years ago

          “One slight difference between now and the past, though, is that in the past I think the clients were too thin.”

          "Clients are too thin, compute is cheap, bandwidth is cheap, push processing to the edge!" "Workloads are too big, bandwidth is insufficient, push processing to the core!" This flip-flops regularly every few years. It has for decades, and it will continue to do so.

    • UberGerbil
    • 2 years ago

    Crazy fronts / doors. And they had a chance to make them look like a bunch of interlocking Zs and completely missed it (really even just going with the mirror image would have got them a long way there).

      • CuttinHobo
      • 2 years ago

      The doors look pretty slick. The open picture, though, gave me a mental image of a flasher with a big trench coat, showing off his… “wares”.

        • meerkt
        • 2 years ago

        Not enough RGB LEDs.

          • CuttinHobo
          • 2 years ago

          RGB LEDs are for the kids buying overclocker motherboards – this is a commercial product! … They use CMYK LEDs.

          (The black LEDs are especially cool)

            • meerkt
            • 2 years ago

            Oh. Then I just hope it supports both rich black and registration black.

    • chuckula
    • 2 years ago

    “The result is a claimed 18x performance increase in these scenarios compared to x86 servers.”

    We think you should just buy 18 servers! -- AMD/Intel

      • blastdoor
      • 2 years ago

      And the 18 x86 servers would probably cost less, though calculating price/performance misses the point entirely.

      Data security / privacy / integrity are already huge issues, but they are going to become much bigger in the future.

      The next ten years could be pretty challenging for companies like Facebook and Google while a company like IBM may have an opportunity to make a comeback.

        • UberGerbil
        • 2 years ago

        You have to factor in the cost of legal liability also. If you *could have* employed hardware that provided encryption but did not, and a breach occurred....

          • chuckula
          • 2 years ago

          I’m not sold on a lot of this hype about in-memory encryption on servers.

          It’s only really useful for a small subset of situations in which you are running a virtualized set of servers and the virtualization itself is basically broken allowing one hacked instance to read out the raw memory of other instances. The “encryption” is supposed to make it impossible to use the retrieved memory dump from the other instances, but if your virtualization infrastructure is so screwed up that attackers have full access to the system memory, what guarantees do we have that they can’t figure out a way to recover the encryption keys for other instances?

          An “encrypted” database server that hasn’t been properly locked down or patched is literally just as vulnerable to remote hackers as an “unencrypted” database server with the same configuration.

            • UberGerbil
            • 2 years ago

            Yeah, I was thinking about posting something about “end to end encryption… and then social engineering goes around it.” You’d hope that something like this would at least minimize the “100 thousand unencrypted patient records sitting on a server” problem. But the reality is that practices that allow that to happen will still allow that to happen; fancy hardware may make it easier to enforce policy, but your policy has to be competent in the first place. This may reduce some casual leakage, but self-encrypting storage may be doing most of that already.

            However, the legal issue is somewhat divorced from that. If encrypting hardware is available and in use by other companies in your industry, and you’re not using it, then you may have a liability *even when the data breach had nothing to do* with said encryption and wouldn't have been prevented by it. I'm not a lawyer, but I've been peripherally involved with lawsuits where "standards and practices" came into play: it doesn't matter if the hardware / software / policy wouldn't have made any difference -- if everybody in your industry uses them and you don't, you may have created a liability for yourself that is many times larger than the price of that hardware / software / policy, should something go wrong and you get sued.

            • the
            • 2 years ago

            I’m not entirely sure that zVM can even read the raw hardware keys necessary for full memory encryption. At this level, the keys are controlled by hardware, and getting them would require a serious flaw in it. Not improbable, but highly unlikely. This is further complicated by the fact that zVM can fully virtualize zVM inside itself. When the hardware is capable of putting a hypervisor in a hypervisor, someone able to break out of one jail cell can find themselves in a larger cell needing a different key. The important factor here is that the decryption keys to protected memory are not found in memory that is readable by software: user space, super user, or hypervisor.

            • ptsant
            • 2 years ago

            Apparently the keys are handled by a separate processor and are only available within the instance. The Epyc uses an ARM A5, running its own OS, for that purpose. Using temporary keys, the instance owner can exchange keys with the VM. These keys are not available to other instances or to the system root.

            Just to be clear, the intended purpose is to have a secure instance EVEN WHEN YOU CAN’T TRUST ROOT/SYSTEM ADMINISTRATOR. I can’t say whether they have succeeded, but that has been the goal.

            Obviously, if the instance itself is hacked, there is nothing much you can do.

      • Chz
      • 2 years ago

      That’s certainly what they *say*, but not all problems scale out in such a way that it’s viable. There is a reason, other than pure inertia, that these systems still exist despite their predicted demise at least 35 years ago. A Z-class can still handle volume in a way that an x86 cluster would struggle with.

    • just brew it!
    • 2 years ago

    “If you have to ask about the price, you probably can’t afford it!”

    😀

      • ronch
      • 2 years ago

      If you don’t ask, how would you know how much to pay?

    • chuckula
    • 2 years ago

    “The company didn't provide any pricing information for the new Z mainframes, but TheStreet says prices will start at a cool $500,000.”

    Yes, but can it break 11,000 in Cinebench at that price?!!!? https://www.servethehome.com/crushing-cinebench-r15-v4-quad-intel-xeon-8180/

      • aspect
      • 2 years ago

      The real question is “But can it run Crysis?”

      • shank15217
      • 2 years ago

      It’s not even about the initial cost; it’s the support cost that will make your head spin.
