An Introduction to z/OS and the IBM Common Cryptographic Architecture
Martin Rupp (guest) : 10. September 2022
IBM’s mainframe computers have been a rock-steady part of banks’ security infrastructure for many years. Originating from the local data-center concept, the current release is able to stretch banks’ security architecture across the hybrid cloud, harnessing advantages of on-premise and cloud-native software deployments - all without compromising data security and privacy.
This article introduces IBM’s z/OS and CCA and describes how Cryptomathic’s Crypto Key Management System integrates with the IBM mainframe, giving the bank control over crypto in an automated and highly secure way throughout the whole key life-cycle.
What is z/OS?
z/OS is an operating system with a monolithic kernel architecture. It was developed by IBM for its mainframes and is the latest in the long line of mainframe operating systems, such as OS/390 or MVS.
z/OS can be considered a ‘hybrid’ mainframe operating system. It combines elements of modern operating systems with features typical of the highly specific mainframe architecture that began in the 1960s. z/OS is entirely backward compatible with any previous version.
IBM’s mainframe operating system has specific features including a Workload Manager (WLM) and a dispatcher. These are high-level managers that orchestrate concurrent units of work running in the operating system, providing multi-tenancy directly within the operating system. Besides those features, IBM z/OS also offers other levels of virtualization, such as LPAR or z/VM, in its most recent versions.
z/OS works closely with Linux and Solaris, especially LinuxONE, the Linux platform developed by IBM. The WebSphere application platform/server is the backbone of software applications in the z/OS ecosystem.
Finally, we should note that z/OS is only available in a 64-bit version and can be run only on an IBM mainframe. This is because z/OS complies only with the z/Architecture, also named ESA model extension or ESAME, which is IBM’s specific 64-bit instruction set.
In short, z/OS is IBM’s operating system that is dedicated to its Z mainframes. It is immediately ready for multi-tenancy and contains many features allowing cryptographic operations or high-reliability computations or data processing.
z/OS and Z mainframes
Independent of z/OS terminology, IBM Z denotes a family name that relates to the z/Architecture mainframe machines. The latest Z mainframe is the IBM z15, enabling deployment across hybrid cloud landscapes. Previous versions range from the IBM z14 back to the IBM z9 and encompass several older models, including the EC models.
Z mainframes are Common Criteria Evaluation Assurance Level (EAL) 5+ security-certified.
The z/VM virtualization system is itself independently evaluated at the EAL4+ level.
An introduction to IBM’s CCA
IBM CCA, IBM’s Common Cryptographic Architecture, is a complex framework entirely dedicated to cryptographic operations in the Z ecosystem. It features a full security API with bindings for the most common programming languages (C#, Java, etc.). Behind the scenes, that security API calls a cryptographic service layer (directory servers, cryptographic algorithms, security server), and at the lowest level a device driver that calls a cryptographic engine, usually an IBM HSM.
The cryptographic engine software gives access to the cryptographic engine hardware.
This cryptographic engine is implemented in the hardware of the CEX*C coprocessor, i.e., the processors of IBM’s HSMs. The portion of the CCA that sits at this level operates within a protected boundary: the coprocessor’s tamper-resistant, tamper-responsive environment provides physical security for this boundary, and the CCA architecture provides the logical security needed for the full protection of critical information.
The mechanisms behind the CEX*C security processors can be extremely complex. These crypto processors provide all the trusted and low-level cryptographic features needed by the higher-level layers of the CCA.
Why are z/OS and Z mainframes good for banking and payment systems?
We want to briefly explain why z/OS and Z mainframes are such a popular choice for banks and fintech companies. 44 of the top 50 banks rely on IBM Z for trusted security and services. This is because the IBM Z platform is known for its stability, security, scalability, and performance, which is exactly what the banking industry demands. Z mainframes offer closed, secure, robust machines backed by the guarantee of “Big Blue”.
For example, Visa Inc. relies heavily on mainframe technology and is known to process around 145,000 transactions every second. This goes to show how popular and well-established mainframes, and especially Z mainframes, are in the banking and financial ecosystem.
Extending the IBM Z features to the hybrid cloud provides security, privacy and cyber resilience across decentralized cloud landscapes in a time where banks are strategically moving towards cloud-embracing financial service platforms.
Being in full control of cryptography and key management
Cryptomathic's Key Management System (CKMS) fully integrates into the IBM z / CCA world. It allows banks and financial institutions to manage the key life-cycle and distribution of the cryptographic keys in a secure, compliant and automated way. The benefits include:
- Securely sharing keys between mainframe, on-premise and cloud applications
- Centrally managing the life-cycle of cryptographic keys at large scale
- Automating key management activities and on-line key distribution
- Reducing the risk of key compromise and human errors
- Providing tamper-evident audit and usage logs for compliance
- Building on industry-standard APIs and key formats
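To make the “tamper-evident audit and usage logs” and “life-cycle” points above concrete, here is an added example that is not Cryptomathic’s or IBM’s code: a minimal key life-cycle register whose every state change (including rejected ones) is appended to a hash-chained audit log, so that any later edit to an entry is detected by a verifier. The key identifiers, actor names and the particular life-cycle states are constructed for illustration and do not correspond to CKMS or CCA internals.

```python
"""Hash-chained audit log for a key life-cycle register (added example, constructed)."""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List

# Allowed life-cycle transitions (assumed, simplified): a key can only move forward.
TRANSITIONS: Dict[str, set] = {
    "generated":   {"activated", "destroyed"},
    "activated":   {"deactivated", "compromised"},
    "deactivated": {"destroyed", "compromised"},
    "compromised": {"destroyed"},
    "destroyed":   set(),
}

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


@dataclass
class AuditEntry:
    seq: int          # position in the log, part of the hashed payload
    key_id: str
    event: str        # new state, or "rejected:<from>-><to>" for refused requests
    actor: str
    prev_hash: str    # entry_hash of the previous entry (chain link)
    entry_hash: str   # SHA-256 over this entry's fields including prev_hash


def entry_digest(seq: int, key_id: str, event: str, actor: str, prev_hash: str) -> str:
    """Canonical SHA-256 over the entry fields; canonical JSON avoids field-order ambiguity."""
    payload = json.dumps([seq, key_id, event, actor, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class KeyRegister:
    """Tracks key states and records every request, accepted or rejected, in the chain."""

    def __init__(self) -> None:
        self.states: Dict[str, str] = {}
        self.log: List[AuditEntry] = []

    def _record(self, key_id: str, event: str, actor: str) -> None:
        prev = self.log[-1].entry_hash if self.log else GENESIS_HASH
        seq = len(self.log)
        self.log.append(AuditEntry(seq, key_id, event, actor, prev,
                                   entry_digest(seq, key_id, event, actor, prev)))

    def generate(self, key_id: str, actor: str) -> None:
        if key_id in self.states:
            raise ValueError(f"key {key_id} already exists")
        self.states[key_id] = "generated"
        self._record(key_id, "generated", actor)

    def transition(self, key_id: str, new_state: str, actor: str) -> None:
        current = self.states[key_id]
        if new_state not in TRANSITIONS[current]:
            # Refused requests are still logged: they are exactly what auditors look for.
            self._record(key_id, f"rejected:{current}->{new_state}", actor)
            raise ValueError(f"{current} -> {new_state} is not a permitted transition")
        self.states[key_id] = new_state
        self._record(key_id, new_state, actor)


def verify_log(log: List[AuditEntry]) -> int:
    """Walk the chain from the genesis hash; return the index of the first bad entry, or -1 if intact."""
    prev = GENESIS_HASH
    for i, e in enumerate(log):
        recomputed = entry_digest(e.seq, e.key_id, e.event, e.actor, e.prev_hash)
        if e.seq != i or e.prev_hash != prev or recomputed != e.entry_hash:
            return i
        prev = e.entry_hash
    return -1


def demo():
    """Run a small life-cycle, then tamper with the log and show the verifier catching it."""
    reg = KeyRegister()
    reg.generate("ZEK-0001", "ckms-operator")            # constructed sample key id / actor
    reg.transition("ZEK-0001", "activated", "ckms-operator")
    reg.transition("ZEK-0001", "deactivated", "ckms-operator")
    try:
        reg.transition("ZEK-0001", "activated", "ckms-operator")   # reactivation is refused
    except ValueError:
        pass
    intact = verify_log(reg.log)                          # -1: chain is consistent

    reg.log[1].actor = "someone-else"                     # after-the-fact edit of an old entry
    tampered = verify_log(reg.log)                        # 1: entry 1 no longer matches its hash
    return intact, tampered, reg.states["ZEK-0001"], len(reg.log)


if __name__ == "__main__":
    print(demo())
```

Because each entry’s hash covers the previous entry’s hash, an editor who recomputes entry 1’s hash to hide the change merely moves the detected break to entry 2, whose stored `prev_hash` no longer matches. A production system would additionally anchor the latest hash somewhere the log writer cannot modify (an HSM-signed checkpoint or an external write-once store); the chain alone makes tampering evident, not impossible.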
But we need to point out the following: infrastructures are rarely provided by a single vendor. They are usually multi-vendor, requiring a multitude of integration points, including MS Azure and Dynamics, the Google or Amazon cloud and various HSM brands.
Cryptomathic has been providing data security in banks for more than 40 years and provides cryptographic integration points for all of them. With experience and a proven track record of security and stability, Cryptomathic’s CKMS becomes an enabler for stable solutions.
This removes crypto as a hampering point in the implementation of the banks’ platform strategies. The flexibility and security provided allow banks to strategize freely and implement new concepts across the hybrid cloud with accelerated time-to-market.