IBM on Tuesday launched LinuxOne Emperor II, the second generation of its open source mainframe computer system, at the annual Open Source Summit in Los Angeles.
The new model has a layer of security and privacy not seen in a Linux-based platform before, the company said.
“We saw in our success stories for Emperor that security was a recurring theme attracting new customers to the platform,” noted Mark Figley, director of LinuxOne Offerings at IBM.
“Later, our experience with blockchain — and specifically being the platform for IBM’s premier blockchain offering because of our security capabilities — reinforced that lesson for us,” he told LinuxInsider.
LinuxOne Emperor II includes a proprietary Secure Service Container technology that protects data against external threats, as well as internal threats from users with elevated credentials or from hackers who gain access to an insider’s credentials.
The system is the most advanced enterprise Linux platform anywhere, IBM said. It features the fastest microprocessor in the industry and a unique I/O architecture with up to 64 cores dedicated to I/O processing.
“LinuxOne is a highly engineered platform with unique security, data privacy and regulatory compliance capabilities, combined with a design optimized for data serving and transaction processing at extreme scale,” said Ross Mauri, general manager of IBM LinuxOne.
More than 4 billion data records were lost or stolen in 2016 — a 556 percent jump from the year before, IBM noted.
Of the 9 billion records breached over the past year, only 4 percent previously were encrypted, the company said.
LinuxOne Emperor II’s vertically integrated, shared everything design allows it to support a 17-TB MongoDB Enterprise instance in a single system, with up to 10 times better read/write latency than an x86 based implementation, according to IBM. That gives applications faster, more secure access to data, while allowing greater scale.
The system also provides integrated, pause-less garbage collection, which allows Java applications to run concurrently. It provides constant transaction processing 2.6 times that of x86-based systems, which need to stop workloads to conduct garbage collection.
Further, the new system provides certified Docker EE, with integrated management and scale tested with up to 2 million containers.
“As a service provider, LinuxOne allows us to set up a complete IT infrastructure capable of supporting millions of users in the blink of an eye for clients like the Plastic Bank,” said Ron Argent, CEO of the Cognition Foundry. That cuts the risk of outside hacking threats due to separate user environments running on the system.
IBM is offering beta participation for both developers and clients, working in an observation or hands-on mode.
The Open Source Factor
“Something being open source does not make it less secure because it is open source, but it is true that many new-generation open source projects focus on capability enablement before they focus on high-security assurance, especially in the early days of a project,” noted IBM’s Figley.
“Security isn’t the only thing often out of focus for an open source project in its early stages,” he pointed out.
“Other enterprise quality of service issues — such as scalability, reliability and consistency — are often focused on later in the life of an open source project as it matures,” Figley said.
“We believe that LinuxOne can accelerate the rate of adoption of new open source technologies, and allow companies to do so safely, because the LinuxOne platform can help solve many of the security, scalability, reliability and consistency issues at the system level while the software layer continues to mature,” he explained.
“Certainly with the rise of Linux and a whole host of other open source technologies in very wide use in enterprises handling very critical apps and data, there isn’t any general concern about open source and security,” observed Gary Chen, research manager, software defined compute, at IDC.
“You really have to look at vendors and any software project, open or closed, individually,” he told LinuxInsider. “Some have very good security initiatives and prioritize security, and some don’t. Being open or closed has nothing to do with that, and you can find good and bad examples in each camp.”
Over the Shoulder
The Secure Service Container technology performs a couple of tasks that system administrators could do on their own — but they tend not to on a regular basis, said Paul Teich, principal analyst at Tirias Research.
First, it limits access to those authorized in secure service LPAR, (instead of allowing SSH credentials) he told LinuxInsider. Second, it disables direct memory access to secure containers.
As for IBM’s LinuxOne Emperor II security claims, Jeff Williams, chief technology officer at Contrast Security, dashed a bit of cold water on them.
“For application security, the Emperor II has no clothes,” he told LinuxInsider. “From what I understand here, Emperor II is container security. I believe it has enhanced access control and possibly encryption capabilities, but those are irrelevant at the application layer.”
The belief that you can drop “a vulnerable application into a secure container and everything will be OK,” Williams said, is one of the most “pernicious and dangerous ideas in security.”
The correct approach would be to secure the application itself, either using IAST to prevent vulnerabilities during the development phase, or using application runtime protection with RASP to prevent exploits.