DevSecOps Matters for the Mainframe
Today’s customers want new services and they want them now. To remain competitive and keep up with customer needs, organizations are seeking ways to innovate rapidly around some of their most valuable assets—customer data and enterprise data.
At one time, the mainframe was viewed as an isolated system. Data was often moved to a different platform before exposing it for use. That approach may have been sufficient 15 or 20 years ago, but in our modern digital economy, when customers expect results in seconds, data extraction no longer works.
Now, companies are increasingly focused on cloud-based and distributed architectures that let them apply digital innovation to grow business. But it’s not always clear how they should leverage the essential data and applications they have on the mainframe in a cloud environment. The challenge then becomes how to rapidly respond to customer needs and maximize performance while keeping data, results and related IP safe and secure, extending the mainframe’s qualities of service to the cloud. The answer? Applying a DevSecOps approach on the IBM Z platform.
By combining IBM Z and DevSecOps, enterprises can create a steady stream of new releases and updates that are both innovative and inherently secure. “The mainframe has an advantage because of the ability to layer in security at all levels of the stack,” says Sherri Hanna, program director, Worldwide IBM Z Marketing. ”The IBM Z platform has premier perimeter security for the hardware and the data. Combining that with IBM applications, API security tools and a DevSecOps mindset delivers the competitive advantage of digital trust.”
Better Together
DevSecOps is a software philosophy based on collaboration among all of the primary stakeholders within an organization. For many years, software development was siloed, with the development, operations, QA and security teams walled off from one another. Each group completed its task before handing the project to the next team. It was a lengthy process that depended on infrequent releases and a patient public.
“The IBM Z platform has premier perimeter security for the hardware and the data. Combining that with IBM applications, API security tools and a DevSecOps mindset delivers the competitive advantage of digital trust.”
—Sherri Hanna, program director, Worldwide IBM Z Marketing
But the public is no longer patient, and neither are the markets. This pressure for continuous software delivery led to the emergence of the DevOps movement, which has morphed into DevSecOps. DevSecOps brings together developers, operations, QA, security and even customers to create a cross-disciplinary environment for efficiently developing secure, quality software.
Representatives from each team can now work together to attack problems, exchange ideas and learn from one another. In this sense, the approach is more about a cultural shift than a change in technology.
“This is not trivial stuff,” says Mike Fulton, Distinguished Engineer, CTO DevOps for Enterprise Systems. “The technology is the easy part. The hard part is how teams work together to take on this new approach, and how it transforms the company.” The payoff is big, he notes. “When DevSecOps is done right, it really is marvelous because now, all of a sudden, these complex processes get much simpler.”
DevSecOps isn’t just about integration of the teams. It focuses on integration of the process itself. Shift left testing—testing done during development rather than after—makes it possible to catch problems early. Shift left security has a similar effect on protecting digital content. The developers gain a better understanding of issues like buffer overruns and denial-of-service attacks. Once developers understand the issues, they can incorporate the fixes in their code from the beginning. And DevSecOps gets secure, quality code to market faster.
DevSecOps is an essential approach for any enterprise wanting to remain competitive, especially for mainframe shops. Mainframes feature security by design, but with the emergence of the multicloud model, organizations need more. “Customers want to expose their mainframe assets to realize significant business value, but since these assets are their crown jewels, this must be done very securely,” says Hanna.
“A secure mainframe alone is not enough. In mobile applications, for example, the security of the application needs to extend from the mobile application all the way back to the mainframe because it’s accessing banking information. I think that’s why DevSecOps is becoming more prevalent in mainframe shops,” she adds.
DevSecOps can also help mainframe customers comply with standards and directives for data privacy, banking regulations and healthcare confidentiality. Consider the European Union’s Revised Directive on Payment Services (PSD2). As a digital banking regulation put into place earlier this year, PSD2 requires banks to make online banking safer and more secure. “The European banks had to consider security as an important piece of this because they were allowing payment systems to access customer information on their mainframe,” says Hanna. “That’s a good example of DevSecOps team members working hand-in-hand to accomplish the goal in the time frame that they were given.”
Security at the Application Layer
DevSecOps puts the focus on applying security throughout the stack. This starts at application development with coding best practices. IBM supports several tools for mainframe environments, designed to detect issues and even correct them early in the process. For more information, see “Tools You Can Use.”
“You can make sure that when developers go to check in their code, they must run a scan as part of that process,” says Fulton. “These tools also have support for best practices around security. They can detect problems like buffer overruns during the scan of the source code while the developers are writing the application. This is really another expression of the philosophy that the earlier you can detect a problem, the cheaper it is for you to fix it.”
Security at the Interface
Before organizations can take advantage of the multicloud environment, they need a secure method for bridging from these environments to the mainframe. APIs make it possible to share mainframe assets in a controlled fashion by applying a layered security approach. Secure APIs make it possible to tightly couple Linux* development with the mainframe platform in a private cloud environment, for example.
“We’re seamlessly bridging the distributed security model with the z/OS security model so that the system is locked down. APIs aren’t something to be afraid of. They’re something to embrace.”
—Kyle Charlet, Distinguished Engineer and IBM Z architect
APIs can be structured with role-based security. After all, just because a developer has permission to call an API doesn’t mean that they should have access to the back-end subsystem that the API is calling. The solution is to have multiple authentication steps. Operations might be authorized to maintain the services and APIs, but developers don’t have that access.
“It’s important that we provide as much additional security as possible,” says Kyle Charlet, Distinguished Engineer and IBM Z architect, responsible for API economy and analytics. “The good news is that we didn’t invent anything new. The back-end subsystems of IBM Z already include that final authentication step. Clients don’t have to do anything different. This feeds right into their existing security policies and protocols.”
IBM has developed two API solutions that serve the mainframe. The first is z/OS Connect, an API hosting solution designed for the platform. z/OS Connect makes it possible for an enterprise to reveal mainframe assets without changing the back-end systems. An operations team would use z/OS Connect to build and host the API, define security policy and so on. z/OS Connect is hosted on IBM’s Liberty server, which is designed to maximize security for web-based applications.
API Connect is IBM’s API management tool. It acts as a secure gateway to funnel traffic between users and the mainframe. API Connect enables enterprises to establish portals through which internal and external programmers can select and call APIs. API Connect also authenticates users according to predefined security policies. Once user access is approved, API Connect allows the user to call the API and access the mainframe assets securely through z/OS Connect.
The overarching goal is to ensure a secure connection from start to finish. “There should be no concern that APIs are introducing any kind of mechanism by which there could be a security breach,” says Charlet. “We’re seamlessly bridging the distributed security model with the z/OS security model so that the system is locked down. APIs aren’t something to be afraid of. They’re something to embrace.”
Security at the Platform
DevSecOps is built around bringing security into the design of the application up front. That said, not all aspects of security belong within the application. “Some organizations are considering spending tens if not hundreds of millions of dollars to integrate encryption into their applications on a field by field basis,” says Michael Jordan, Distinguished Engineer, IBM Z Security. “While there may be value in implementing encryption in the application layer, for most organizations, this cost is prohibitive. One of the values IBM Z brings to the table is that we own the whole stack, and can decide the best place to integrate a particular security feature. In the case of encryption, we’re able to integrate encryption into the OS that is transparent to the application, simple to implement and optimized for performance.”
The IBM Z platform makes extensive use of pervasive encryption. The standard approach to encryption starts with identifying sensitive data that needs to be encrypted. The problem is that many mainframe applications involve very complex data records to the point that separating sensitive and nonsensitive data becomes a laborious and time-consuming chore. Pervasive encryption takes a much broader approach. Rather than combing the database for sensitive data, an organization can perform high-level data mapping to identify databases or applications with sensitive data. When that topline identification has been made, the organization can define a policy to encrypt all of the data in that database or all of the data in that application.
Pervasive encryption provides a foundation of data protection and frees application development teams to focus on adding functionality and other types of security and services that are best optimized in the application layer. In some instances, the biggest threats come from inside an organization. Secure Service Containers protect data and content from both external and internal incursion. Originally developed to deliver IBM operational analytics, Secure Service Containers are security appliances designed to isolate workloads. IBM validates the OS, the application and any associated software. The containers have a secure boot process so that code is validated as it’s being brought into memory.
By default, all of the data at rest and data in flight associated with a container is encrypted. Secure Service Containers also incorporate technology to protect the encryption keys. “If you’re developing a proprietary solution that you want to deploy in a managed service environment, you can ensure confidentiality and encryption,” says Jordan. “That’s where it ties into this concept of pervasive encryption so everything is encrypted by default.”
The philosophy of layered security extends even farther. System administrators manage the containers via secure purpose-built APIs. They don’t have access to the OS and they don’t have full access to files. They only have access to the degree they need in order to manage the system.
Keeping up With Today’s Market
Today’s market moves too quickly for a siloed approach to be effective. By breaking down those silos, DevSecOps becomes a transformative technique for enabling organizations to rapidly respond to customer needs while leveraging mainframe assets in a multicloud environment.
Pushing both tests and security earlier in the development process produces better applications while shrinking the time from requirements to delivery.
With its scalability and layered security, DevSecOps is a powerful tool for getting the most out of the IBM Z platform.
Most of all, DevSecOps provides a competitive advantage in the marketplace. “If an enterprise had implemented DevSecOps 10 years ago, they would now be reaping the rewards,” says Fulton. “If a company doesn’t do it today, 10 years from now, they’re not even going to be able to compete.”