Erich Clementi, the general manager of IBM systems who is also in charge of the company's mainframe efforts, discussed some of the features of IBM's z9 mainframe, which was announced last week. The z9 represents IBM's biggest mainframe upgrade in nearly three years, cost US$1.2 billion to develop and doubles the performance over its predecessor to 1 billion transactions per day. Those performance improvements notwithstanding, company officials put a particular focus on the z9's security improvements when they unveiled the new system.
Previous mainframe announcements have usually focused on performance improvements. But this time, security seemed to share center stage. Why was that?
Mainframes are developed for very specific customer sets. So when we develop performance, we develop performance targeted on input that we get from customers. Right now, the biggest input we get is, "Help us fix the security problem." That's why we put particular focus on these features and the availability of encryption.
What security functionality did you include in this system that will be of most interest to your customers?
First and foremost, the new AES [Advanced Encryption Standard algorithm] standard. That is higher encryption than Triple DES [Triple Data Encryption Standard]. We have added into the zOS software Identrus-certified public-key infrastructure [PKI]. There is the work we have done with standards to allow the mainframe to work as the security server for a diverse infrastructure. So when you look at it, we have bleeding[-edge] encryption technology, we have augmented the encryption bandwidth of the system with more power for encryption capability, we have tripled the performance [of the] adapters for [Secure Sockets Layer] encryption, we have introduced PKI, and we are extending the security into the infrastructure. It's pretty comprehensive. On top of this, we have announced a zOS encryption facility to address this tape-in-the-clear issue.
How does tape security work?
When you produce the tape, you encrypt the tape [with] software that uses the hardware accelerators in the system. That makes it affordable, and that makes it viable. By using the centralized key management, we can use the key with a PKI infrastructure, so you send me your public key, and I send you the encryption key with your private key, you access the key and decrypt the data -- so the data is never in the clear. If you don't have a PKI identity, then we deliver to you a Java applet, which allows you to combine tape and key and decrypt and re-encrypt. So in reality, losing a tape would never again be a problem.
Who are the customers for this system -- existing mainframe customers?
I think we are going to broaden beyond that. Connecting everything is powerful, but it also comes with its set of problems. The moment you start sharing, you want to be pretty sure that what you share is what you intended to share. We see very interesting uses of our technology in segments of the market that previously were not typical mainframe segments. Why? Because, [for instance], it's unique to connect medical records -- the security requirements start to be the same that you have in financial services.
But makers of distributed systems argue that there is a high degree of security and reliability already built into those systems.
The single system needs to be secure. Once you connect all the systems, a new level of problem starts coming to you. You've got to manage that security and reliability. Today, most data resides on mainframes. If you have geographically dispersed parallel sysplex, I can assure you that I can not only save your data integrity in case of disaster; I can also restart all your applications. The mainframe can coordinate security, workload management, data management and disaster recovery.
There is a perception that the mainframe is ultimately going to be a dying business, replaced by distributed systems. Do you feel like you're running a dying business?
This is not the mainframe that used to be. If we didn't open the mainframe to Java technology, to TCP/IP, to Apache, to Linux, to what are distributed technologies, this would have gone a different course. We have grown revenue -- how about that for a dying species?
IBM doesn't disclose the price/performance numbers for its mainframes. I can get that for other systems and make comparisons. Why not release that data for the mainframe?
Releasing price/performance or price figures makes sense in a standardized market, where you compare commodity. If you go to Boeing's Web site, you won't find a price for the 747, because it's not a commodity; they tailor the systems. You have certain technologies, which are bought by the pound and which are comparable by the pound. There is no way to compare this system with others [that] would do it justice.