IBM LinuxONE: A Strategy Refinement

By Joe Clabby, Clabby Analytics

Clabby Analytics has argued for years that IBM needs to do a better job of explaining which workloads belong on which servers (x86, Power Systems, mainframes). Our primary argument has been that microprocessors process workloads differently; and systems are designed differently – meaning that workloads perform better when placed on systems that are best suited to process them. IBM has traditionally resisted providing such guidance, leaving sales teams and customers/prospects to work out which workloads belong on which processors/servers.

Last year, we took it upon ourselves to publish this report in which we discussed which workloads belong on LinuxONE vs. x86 servers. Robert Francis Group also published a similar report. IBM, on the other hand, continued to focus its sales efforts on server consolidation and the price advantages LinuxONE had over distributed x86 server environments (upwards of 30% cost savings for certain workloads).

This year, IBM seems to have gotten the message: to further increase sales of LinuxONE, it is going to have to do some workload positioning work. Accordingly, IBM has done a strategic rethink of LinuxONE positioning. The “new think” at IBM is that LinuxONE should be pitched as: 1) a powerful, scale-up server environment that is ideal for data-intensive processing; and, 2) an unparalleled secure server environment. Pricing will become a secondary, corollary argument. We agree with this new positioning – and this article explains why.

Background

IBM introduced Linux on its mainframe architecture almost 20 years ago. In the early days, adopters initially deployed the then not-quite-enterprise-grade operating environment on isolated partitions on their mainframes where they could experiment with using mainframe power and scale to drive custom as well as open source Linux applications. As Linux continued to improve, adopters became more comfortable with Linux as a resilient and secure operating environment – and the adoption level of Linux on the mainframe rose steadily.

As demand for Linux on the mainframe continued to increase, IBM decided that it would be wise to build and promote Linux-only mainframes – turnkey, integrated Linux mainframes configured and priced to compete head-to-head with large Intel x86-based servers. Accordingly, less than two years ago, at LINUXCON, IBM announced its “LinuxONE” servers. Since that announcement, IBM’s LinuxONE servers have experienced strong growth as consolidation servers, as database servers, and as servers for new generation Linux applications such as Blockchain.

A Shift in Buying Patterns

IBM’s strategic rethink is being driven by LinuxONE customers and prospects searching for super strong security as well as outstanding data processing, scalability and management:

  • The strongest growth for LinuxONE is occurring in China, where LinuxONE has become recognized as a highly secure, high performance – and very price competitive – server for a wide range of Linux and open source applications;
  • New applications such as Blockchain are also making their way to LinuxONE, driven by performance and security Quality-of-Service requirements; and,
  • IBM customers are starting to realize that it makes more sense to run “a single version of the truth” database on highly scalable, scale up servers such as the mainframe as compared to the complexity of controlling multiple copies of databases across distributed servers.

The Security Difference

IBM’s mainframe architecture has long had very significant design advantages over x86-based servers – with clear and distinct advantages found at the microprocessor level as well as in the overall system design:

  • At the microprocessor level, a sizeable portion of microprocessor real estate is devoted to encryption/decryption services.
  • At the system level, tamper responding cryptography cards can be added to address security and compliance requirements.
  • At the operating system level, the operating environment can control access to logical partitions – protecting them from internal and external exploits.

With these design advantages, mainframe architecture has been able to achieve a Common Criteria security ranking of EAL Level 5+ (zero x86 servers have achieved this ranking). And IBM’s Crypto Express6s has been designed to meet a Federal Information Processing Standard known as FIPS 140-2 Level 4 using PCIe interconnect. Add to these hardware rankings that IBM also offers a comprehensive set of security tools, including zSecure and Watson-enabled QRadar – as well as many related security services – and the competitive advantages of the IBM LinuxONE architecture and software/service portfolio over x86 servers and the related security ecosystem become readily apparent.

When it comes to security on IBM’s mainframe, it should also be noted that in July of this year IBM introduced a new approach to security with “pervasive encryption” (encrypting all data within a mainframe environment), as well as secure service containers that help isolate workloads to prevent tampering. With pervasive encryption, IBM’s mainframe can encrypt data-at-rest without application changes – while offering tremendously better performance than x86 architecture while doing so. Data-in-flight (networked data) can also be encrypted and protected with full end-to-end network security. And pervasive encryption helps enterprises lower their compliance testing costs because auditors no longer have to check to see which data is protected and how – instead, ALL data is encrypted. Finally, it is important to note that mainframes and LinuxONE servers offer industry-leading secure Java performance via TLS (2-3x faster than Intel).

IBM’s Secure Service Containers are worth a closer look. What IBM announced was a statement of direction regarding a Security on Demand (SoD) service that will allow its clients to use Docker container technology and secured containers to build new services of their own design. IBM’s Secure Service Containers will completely protect memory by isolating memory in LPARs so that no peer environment can access memory in another container. With Secure Service Containers, a known good image boots in firmware; all data and code is encrypted by default, which can also help clients protect sensitive and/or proprietary code; and system administrators cannot gain access to that data through remote command line access, nor directly access the operating system. With SSCs, IBM has clearly concentrated on preventing access to data from external as well as internal forces.

IBM is also quick to point out that there are clear and distinct differences in the way that the x86 world approaches security as compared with the mainframe world. Intel offers a facility known as Software Guard Extensions (SGX) which essentially creates a secure enclave of protected memory (only 90 MB, however). To use SGX, developers need to write to the SGX APIs. So, to tighten security in x86 container environments, the x86 ecosystem needs to step forward and write code – and should a developer miss a line of code or write to the wrong API, an application becomes insecure. Contrast this approach with IBM’s Secure Service Containers, which require NO software code changes to take advantage of container security for applications. If administrators want to expose administrative functions such as starting a cron job or scheduling a daily backup, they can do so by exposing those functions through Web pages or RESTful services. If an administrator does not properly access services, they have to fix their access – but they are not operating under the belief that an application is secure when it isn’t. Secure Service Containers provide a secure infrastructure for deploying virtual appliances, helping to contain and address infrastructure security threats and vulnerabilities.

Couple the mainframe’s solid hardware security (including tamper responding crypto) with IBM’s rich software security portfolio – and with related services – and enterprises that are extremely security conscious would be hard pressed to find a more secure solution than IBM’s z14 and LinuxONE servers.

LinuxONE as a Scale-up Database Environment

What is easier to control: 1) multiple copies of a database distributed amongst many servers; or, 2) a single version of a database running on a high performance, scale-up server? Obviously, the answer is #2.

With billions of dollars invested in building mainframe architecture, IBM has architected the world’s most powerful and scalable scale-up commercial server environment. And the company has an explicit desire to capture as much enterprise data as possible on its scale-up mainframe platform. So it should come as no surprise that IBM’s LinuxONE marketing organization wants to go after data intensive workloads.

From a performance perspective, IBM’s LinuxONE offers industry-leading performance when processing Java workloads (up to 50% faster than Intel).

From a system design perspective, mainframes can vertically scale within the same frame to 170 cores, equivalent to hundreds of x86 cores. Mainframes can use up to 640 POWER-based cores to deliver unparalleled channel input/output, as well as to ensure data integrity by checking data quality. Mainframes offer advanced single instruction, multiple data (SIMD) extensions that enable processors to perform the same operation on multiple data points simultaneously (critical to financial applications). Further, mainframes offer pause-less garbage collection to enable vertical scaling while maintaining predictable performance. Mainframes can support large data-in-memory applications by providing access to 32TB of main memory, and access to much larger caches than Intel offers. With mainframe architecture, it is also possible to build a large cloud within a single box.

Which data workloads belong on the LinuxONE mainframe? Clearly those workloads that need access to large memory. And clearly those workloads that need near real-time results (such as banking applications where transactions and balances must be done in near real time). And those workloads that require strong security. In short, secure, time sensitive stateful workloads such as databases and systems of record where data is persistent should be deployed on mainframe architecture.

Which data workloads do not belong on the LinuxONE mainframe? Clearly workloads where time is not a critical factor – such as e-mail, Web searches or Twitter tweets. Or small workloads that don’t need scale. Or workloads with low security Quality-of-Service requirements.

Summary Observations

For at least a decade we have argued that workload characteristics should dictate system choice – and that no single system is ideal for all jobs. Accordingly, IT executives should understand the differences between mainframe and x86 architectures in order to make the optimal choice for executing various workloads.

The way that IBM’s LinuxONE (mainframe) z processors process work is distinctly different from the way that x86 processors process work. In short, some microprocessors focus on processing large numbers of threads (examples: x86, POWER and SPARC) – while the LinuxONE microprocessor focuses on placing data in large cache and then quickly executing threads (a process known as stacking).

Mainframe system design is also distinctly different from typical x86 server designs. Mainframes feature access to very large memory (32TB); they have very large I/O channels; they can have dozens of communications processors to offload network processing from the CPU; they offer super strong security – and they can scale vertically much higher than x86-based servers. Plus, mainframes can operate at 100% of capacity for sustained periods, whereas typical x86-based servers run in the 50-60% range. With all of these advantages, it is easy to argue that IBM’s LinuxONE mainframes are particularly well suited for processing data intensive workloads. LinuxONE is an especially powerful solution when used for making business decisions based on a central source of truth.

As for security, given the huge data breaches and constant stream of attacks on corporate databases, security is becoming a key decision factor in server selection. With major advantages in processor design, in server design, in pervasive encryption, Secure Service Containers and in its software and service portfolios – as well as in FIPS and EAL certifications – LinuxONE is clearly the better choice when compared to x86 solutions.

According to a report published last year by the Robert Francis Group, the best workloads to put onto LinuxONE are “applications requiring rapid disaster recovery, business-critical ISV applications, business connectors, data services, development of WebSphere and Java applications, email and collaboration applications, network infrastructure, virtualization and security services, and Web servers and Web application servers.” These types of applications can exploit LinuxONE strengths in reliability, availability, processing power, networking and security. But we would also add that the best workloads to put onto a LinuxONE server are those that can take advantage of LinuxONE cache to host more and more virtual machines that can then make variable use of underlying resource pools. These types of applications can be run more efficiently on LinuxONE than on comparatively low cache x86 servers.

What I’m starting to see is a set of new use cases; what I’m hoping to see from IBM’s LinuxONE organization is a litany of use cases with proof points that clearly depict and articulate why LinuxONE is a better choice for certain workloads than x86 architecture. Right now we have a strategy shift statement that will focus LinuxONE on databases and security. This is a step in the right direction – but IBM needs to provide a lot more guidance using use cases and customer proof points if it intends to convince the market that LinuxONE servers are the optimal choice to execute secure, data-intensive workloads.
