Manage Learn to apply best practices and optimize your operations.

Is it more secure to have a mainframe or a collection of servers?

The general public may think that mainframe computing is a thing of the past, but expert Michael Cobb reviews why the mainframe is still the cornerstone most large IT projects.

From a security perspective, is it better to have a mainframe, a collection of servers, or a combination of the...


I'm sure the general public thinks that mainframe computing is a thing of the distant past, given all the press coverage of developments like client/server technology, distributed systems, server farms and cloud computing. The mainframe, however, is still the cornerstone of most large IT projects around the world. One of the main reasons for this is that a mainframe has a proven security track record that others can only dream of.

Interestingly, if you compare security based on the Common Criteria for Information Technology Security Evaluation (CC), both mainframe computers running Linux or IBM's z/OS system software and various versions of Microsoft's Windows 2003 server software have all been certified at Evaluation Assurance Level (EAL)-4+. (CC specifies seven levels of security from EAL-1 to EAL-7.)

Effective distributed security across a network of systems, which is what's necessary when running a collection of run-of-the-mill servers, is hard to achieve. As the number of machines increases, there's more to protect. A variety of tools – many of which often operate independently of each other – are needed, making it difficult for anyone to truly understand the overall security picture and be confident that security policies and procedures have been correctly implemented.

Mainframes, on the other hand, have the benefit of centralized management and auditing features. And, of course, there are no monthly security patches to be tested and rolled out. Viruses, too, are almost unheard of on mainframe computers because their architecture makes it virtually impossible for unauthorized programs to execute functions that could bypass security. Also, mainframe computer security tends to include additional access control functions, often due to their size and price, not commonly found on other types of computers. These include features such as verification of tape access, access control over printouts and the automated destruction of data when disk data sets are erased.

Alternatively, a server-based approach does offer benefits. A lower entry cost is an obvious one, and that leaves more money left over for security. Although the initial cost of acquiring distributed servers may be less than the cost of a mainframe, it may cost more in the long run to maintain them. Infrastructure and energy costs have become a big consideration now. Distributed systems require additional NICs, hubs, switches and routers to be used, all of which add to floor space, power consumption and heat dissipation costs.

One big trend in the market is virtualization. Although it's being adopted in server-based projects, the level of sophistication of mainframe virtualization capabilities is far more advanced. Also, the security implications of virtualization in a distributed environment are not yet fully understood.

Distributed computing is certainly here to stay, cloud computing being the latest incarnation. Advances in processors, virtualization technology, disk storage, broadband Internet access and fast, inexpensive servers can make it an attractive option. Organizations can pay for and use the services and storage that they need, when they need them. It's probably too early, though, to risk large-scale critical applications on such an untested platform against the tested scalability, resilience, recoverability and security offered by the mainframe. Having a mixed environment may be an option for your type of applications and workloads, but you're doubling the number of in-house skills you'll need to maintain the systems.

Still, if you're looking at a truly mission-critical, enterprise-size application, then a mainframe is probably the way to go. The recent smaller, cheaper mainframes paired with the Linux operating system also look like an attractive alternative to Unix on RISC or SPARC servers.

This was last published in February 2009

Dig Deeper on Virtualization security issues and threats