
IBM Z Security and Compliance Center - Deployment Options on Linux on IBM Z and IBM z/OS

By Michael Zagorski posted Wed November 15, 2023 02:50 PM

  

IBM recently published its Cost of a Data Breach Report for 2023 (1). The report stresses that enterprises need to be better prepared for breaches by understanding their causes and the factors that increase or reduce their cost. It estimates the global average cost of a data breach in 2023 at USD 4.45 million, a 15% increase over 3 years. According to the report, 51% of organizations are planning to increase security investments because of a breach, including incident response (IR) planning, a focus on cybersecurity framework controls, automation, testing and threat detection tools.

Because compliance automation plays a crucial role in this preparedness, IBM introduced the IBM Z Security and Compliance Center solution, which automates the evaluation of compliance posture on IBM Z and LinuxONE platforms. IBM Z Security and Compliance Center combines the data collected from IBM Z and LinuxONE platforms with detailed analytics on non-compliance failures and drift analysis, giving clients detailed insight into non-compliance so that they are prepared for compliance audits.

This blog outlines the deployment options available to a client for getting IBM Z Security and Compliance Center up and running.

IBM Z Security and Compliance Center is a container-based solution, and its containers are implemented as microservices. The container-based architecture enables quick deployment, customization and easy upgrade of IBM Z Security and Compliance Center via Fix Pack releases from IBM. The containers are delivered as OCI (Open Container Initiative) compliant images, which lets clients deploy them in multiple ways, as described below.

| zSCC Deployment Option | Support Details |
| --- | --- |
| Red Hat OpenShift Container Platform on Linux on Z (z/VM and KVM) | Supported |
| Red Hat OpenShift Container Platform on Linux on Z – Single Node OpenShift | Supported |
| Red Hat OpenShift Container Platform on Multi-architecture with x86_64 control nodes and compute nodes on IBM Z (z/VM and KVM) | Supported |
| Red Hat OpenShift Container Platform on IBM zCX Foundation for Red Hat OpenShift | Supported |
| Red Hat OpenShift Container Platform on IBM zCX Foundation for Red Hat OpenShift – Single Node OpenShift | Supported |
| IBM z/OS Container Extensions | Supported |



Red Hat OpenShift Container Platform has become the hybrid cloud foundation for building and scaling containerized applications across IBM, including IBM Z. The z/OS Container Extensions deployment option is for those who are new to containers and in the beginning stages of their container adoption journey. The recommended deployment option for IBM Z Security and Compliance Center is Red Hat OpenShift on IBM Z and IBM zCX Foundation for Red Hat OpenShift. This recommended option could also provide a starting point (or another reason) to bring Red Hat OpenShift Container Platform into your enterprise. Additionally, you can use your new Red Hat OpenShift Container Platform configuration for other applications (not just IBM Z Security and Compliance Center) and draw on the extensive ecosystem that Red Hat OpenShift has to offer. With the recommended deployment option, Red Hat OpenShift Container Platform provides high availability and scalability with automated installation, deployment, scaling, and upgrades.

IBM Z Security and Compliance Center deployment on Red Hat OpenShift Container Platform on IBM Z and IBM zCX Foundation for Red Hat OpenShift

If you already have Red Hat OpenShift Container Platform installed and deployed, you can use this enterprise Kubernetes platform to orchestrate the IBM Z Security and Compliance Center containers.

a. Hardware pre-requisites to deploy Red Hat OpenShift Container Platform on IBM Z with IBM z/VM or KVM are documented here.

b. Hardware pre-requisites to deploy Red Hat OpenShift Container Platform on IBM zCX Foundation for Red Hat OpenShift (zCX for OpenShift) are documented here.

IBM Z Security and Compliance will make use of the IFLs (or zIIPs), memory and storage allocated to the compute nodes on Red Hat OpenShift, based on the deployment option you choose. There are no hardware requirements for deploying IBM Z Security and Compliance Center beyond the pre-requisites listed by Red Hat OpenShift Container Platform. Depending on the number of scans and the scan types, clients may need to add persistent storage for IBM Z Security and Compliance Center. The persistent storage options available on Red Hat OpenShift Container Platform are described in this link.

IBM Z Security and Compliance Center deployment on Red Hat OpenShift Container Platform on IBM Z and IBM zCX Foundation for Red Hat OpenShift configured with Single Node OpenShift (SNO)

With Red Hat OpenShift Container Platform 4.14, the IBM Z based deployment options for Red Hat OpenShift (including zCX for OpenShift) support Single Node OpenShift (SNO), as described here. A Single Node OpenShift deployment offers both control and compute node capabilities in a single server, with no high availability. With the SNO option, the processor pre-requisite for Red Hat OpenShift Container Platform is 2 IFLs (or 2 zIIPs) with SMT-2 enabled at installation time, which allows clients to deploy Red Hat OpenShift Container Platform with a reduced hardware resource footprint. You can use an SNO based deployment to deploy IBM Z Security and Compliance Center with an additional compute of 0.5 IFLs (or zIIPs) on average, based on the deployment option you choose.

IBM Z Security and Compliance Center deployment on Red Hat OpenShift Container Platform on IBM Z with multi-architecture support

With Red Hat OpenShift Container Platform 4.14, Red Hat extended the support of OpenShift deployment across multiple architectures (Link). An OpenShift Container Platform cluster with multi-architecture compute machines is a cluster that supports compute machines with different architectures. Clusters with multi-architecture compute machines are available only on IBM Z user-provisioned infrastructure with x86_64 control plane machines. For example, a client can run OpenShift control and compute nodes in x86_64 architecture and some control nodes on IBM Z with IBM z/VM or KVM. Clients with an existing Red Hat OpenShift installation on x86_64 architecture can take advantage of this approach to deploy IBM Z Security and Compliance Center on the compute node running on IBM Z while the control nodes are in x86_64. The hardware requirements for the control nodes are the same as the control node requirements for Red Hat OpenShift Container Platform, as documented here.

IBM Z Security and Compliance Center provides additional deployment on IBM z/OS with IBM z/OS Container Extensions

If your enterprise is still on its container adoption journey and working towards modernization around z/OS, you can deploy IBM Z Security and Compliance Center in IBM z/OS Container Extensions (zCX). Because the solution is delivered as OCI compliant container images, it can be deployed on IBM z/OS Container Extensions. In this deployment model, IBM Z Security and Compliance Center is deployed via Docker Compose (an open-source package included as part of IBM Z Security and Compliance Center), which clients use to deploy and orchestrate the IBM Z Security and Compliance Center containers. They can choose between local storage (VSAM) and NFS for shared persistent storage within IBM z/OS.

More information on IBM Z Security and Compliance can be found here.
