Skip to main content

Secure Service Containers and Consumption-Based Pricing Enable Opportunity

Organizations are eager to capture opportunities that beckon in the marketplace. They know that new and modernized applications are necessary to better serve customers. Organizations also realize that, now more than ever, security remains crucial to business success.

In October, IBM announced IBM Secure Service Containers, a new offering that provides benefits for security, as well as the Solution Consumption License Charges (SCLC) metric, a consumption-based pricing model for new z/OS*-based applications. Both offerings are designed to provide developers with an agile environment that fully exploits the capabilities of IBM Z* to cost effectively deploy new services.

IBM Secure Service Containers

Security and agility are at the heart of the IBM Secure Service Container offering. This software appliance framework is designed to securely package an OS, middleware and application components to be deployed as a single image on an IBM Z or LinuxONE* server. A Secure Service Container provides unique security capabilities like tamper protection of the appliance framework, encryption of data in flight and at rest, and protection from misuse of privileged user credentials.

“Consider server infrastructure deployed in a data center,” says Diana Henderson, offering manager, IBM Z and LinuxONE. “The admins managing and configuring this environment need access to the infrastructure—the networking, storage, configuration of hardware profiles, etc., but don’t necessarily need visibility to the data and code running on the systems."

While Secure Service Containers are foundational to existing solutions like IBM Blockchain, IBM Db2* Analytics Accelerator for accelerated Db2 queries and others, there has always been a desire to enable external users to deploy their choice of workload within the Secure Service Container framework. This journey begins now as Secure Service Containers have been extended to enable the deployment of applications at runtime by external users.

“We leverage Docker container and Kubernetes container management technologies as a means to leverage an industry standard for application packaging and deployment,” says Henderson. This is available through a new offering called the IBM Secure Service Container for IBM Cloud* Private, which enables organizations to securely deploy Docker and Kubernetes workloads on IBM Z and LinuxONE servers while managed by IBM Cloud Private, a Platform as a Service for hybrid and private cloud deployments.

A Secure Environment

Bad actors both inside and outside an organization are threats to its security. External threats from hackers and ransomware remain a primary focus for organizations. Industry studies have returned compelling statistics regarding the threats faced by enterprises. The 2018 Data Breach Investigations Report by Verizon ( states that today, most cybercriminals are motivated by monetary gain, targeting sensitive data such as personally identifiable information (PII), business assets and intellectual property or payment card data.

Savvy CIOs know they must protect their organizations from growing insider threats, which typically come from an employee with a high access level to data. Perhaps someone has a set of credentials to access databases or other repositories. If the person moves to another job in the organization, those credentials may no longer be needed. If access isn’t curtailed, the employee could misuse that access inadvertently or maliciously for personal gain.

Built-in Encryption

Many organizations are turning to encryption to secure their data. But they wrestle with decisions about which data to encrypt. “Identifying the most critical data to be encrypted and where that data resides in the enterprise can be a challenge for many,” notes Henderson. Organizations are looking for a better way to determine which data to encrypt.

Businesses can leverage IBM Secure Service Container technology and, in particular, its encryption of data at rest and in flight capabilities for container workloads deployed in the Secure Service Container for IBM Cloud Private. The management flow is encrypted for data in flight with Transport Layer Security (TLS), while data at rest is encrypted using the Linux* Unified Key Setup (LUKS)-based encryption. The appliance, in this instance, is performing the encryption automatically. The keys utilized to perform this encryption are contained within and managed by the appliance, so they’re inaccessible to a user from outside the appliance, whether internal or external to an organization.

Debug and configuration data of the Secure Service Container framework are also encrypted in case they hold sensitive data. “Even encrypting the configuration data of the appliance could be as valuable as the defense itself,” Henderson says.

In addition to security, deployment speed is key. With the packaging of underlying components of the OS, middleware and UI control, organizations can focus at higher levels of the stack, managing Kubernetes-based clusters in the case of IBM Secure Service Container for IBM Cloud Private and the containerized application. The underlying execution environment is abstracted away as part of the appliance image. “This layer doesn’t need to be managed by the end user as its update path is tied to the updates of the overall appliance,” Henderson says.

Cloud Integration

IBM is also working to enable clients and ISVs to use Secure Service Containers to deploy their own solutions in the environment. IBM’s embrace of Docker container technology and Kubernetes supports that goal.

IBM Cloud Private in combination with the IBM Secure Service Container offering helps clients embrace microservices and agile DevOps deployment of their containerized workloads. Organizations can focus on the development and deployment pipeline of applications within their organization while IBM Secure Service Container for IBM Cloud Private provides the execution environment—including an OS virtualization layer, management interfaces and REST APIs—for clients to host their critical applications.

SCLC: A Consumption- Based Pricing Model

Organizations engaged in creating new services desire the flexibility to add new applications to their systems in a cost-effective way. IBM is responding to client needs with the new SCLC metric, a consumption-based pricing model for new IBM z/OS technology-based applications on IBM z13* and IBM z14* platforms.

SCLC is a new monthly license charge (MLC) metric that delivers a true metered usage model, where the MSUs that are consumed are charged at the same per-MSU rate, regardless of hourly peaks. This gives clients predictable economics to help them understand the costs associated with deploying new services.

This new consumption-based pricing model was announced in October as a part of the IBM New Application (NewApp) Solution, a Container Pricing for IBM Z offering. The NewApp Solution allows qualified new applications to be tightly integrated with colocated workloads from a technical perspective, while delivering a standalone environment from a pricing perspective.

Origins of Container Pricing for IBM Z

IBM introduced Container Pricing for IBM Z in 2017 with the goal of dramatically simplifying pricing for a number of qualified solutions. In this context, IBM defines a container as a method of measuring the scope of a workload for pricing and billing purposes. “Container Pricing for IBM Z provides standalone workload pricing, which is important for highly virtualized IBM Z environments,” says Sherri Hanna, program director, Worldwide IBM Z Marketing.

The offerings that are available under Container Pricing are referred to as solutions. It’s these solutions that actually carry the price point. Each solution is priced differently, and IBM provides competitive economics that are directly related to each. “Pricing for the solutions is based on business value and doesn’t affect unrelated workload costs,” Hanna says.

Three announced solutions are offered as part of Container Pricing:

  1. The Applications Development and Test (DevTest) Solution, a highly discounted option for DevTest software.
  2. The Payments Pricing Solution, which offers per-payment pricing for payment applications.
  3. The NewApp Solution, geared to create predictable costs for new workloads. With this year’s announcement, the NewApp Solution is now a consumption-based model, offering pay-as-you-go pricing for new z/OS-based applications.

To fully appreciate the benefits of Container Pricing, it’s useful to compare it to what came before. For many years, clients were charged for full capacity of the hardware. In the 1990s, IBM introduced pricing based on a peak rolling four-hour average (R4HA). This peak R4HA approach was well received at the time because it allowed clients to add hardware capacity without immediately increasing software costs. However, over the years, the R4HA model has become rather complex. In addition, many clients are now architecting to manage this peak R4HA, rather than architecting for technical excellence.

Opting for Simplicity

IBM’s Container Pricing is a move toward a simpler pricing model and the October 2018 announcement of a true consumption-based charging model shows that IBM continues to innovate in this area. “Consumption pricing is made possible by the ability to more precisely meter and report on the usage of a new application for the purposes of billing—even if that new application is colocated alongside another workload in an existing LPAR,” Hanna says. “This provides a true-fit pricing based on the actual usage and can easily be compared to the business value to determine ROI for the new workload.”

With SCLC, clients are charged the same per-MSU rate, giving clients pricing predictability and transparency. For instance, if a client’s application uses 50 MSUs for the first hour, 100 MSUs for the second hour and 50 MSUs for the third hour, the total number of chargeable MSUs for the three-hour period is 200. Hourly periods continue to be calculated this way over the entire month.

“IBM’s SCLC is a pricing model similar to cloud pricing,” Hanna explains. “We aren’t charging for peaks or averages. We are charging for exactly what the client uses.”

For qualified new applications, two pricing options are available. The SCLC pay-as-you-go option offers a low-priced, per-MSU model for each software program within the NewApp Solution. There’s no minimum financial commitment for the client. With the SCLC-committed MSU option, clients have a monthly minimum MSU commitment of just 25,000 MSUs. “This option offers a savings of 20 percent over pay-as-you-go price points,” Hanna notes.

In addition, clients have flexibility in changing from one option to another. “Clients can move from the SCLC pay-as-you-go pricing option to the SCLC-committed MSU option as well as vice versa,” Hanna points out.

How It Works

Here’s one example of how clients can move from one tier to another: An organization puts a new application into production under the SCLC pay-as-you-go option. The cumulative MSUs consumed over the first month are 15,000. The charges for that month are calculated based on the price per MSU, multiplied by the 15,000 MSUs used.

After a few months, the usage of the new application grows. As a result, the organization decides to move to the SCLC committed MSU option. The minimum monthly commitment is now 25,000 MSUs.

For the first month under the SCLC-committed MSU option, the cumulative MSUs consumed over the month totals 23,500. Because this is below the minimum commitment of 25,000 MSUs, the charges for that month are calculated based on the 20 percent lower price per MSU multiplied by the minimum commitment of 25,000 MSUs.

The following month, the usage of the new application grows to 25,500 MSUs. Because this is above the minimum commitment, the charges for that month are calculated based on the 20 percent lower price per MSU multiplied by the actual usage of 25,500 MSUs.

By using SCLC, clients can add new workloads and predict the cost of those workloads. “For IBM Z clients, the ability to add workloads as needed with an incremental increase in cost can be less expensive than doing it in the cloud because clients are using their own hardware and all the data applications are in-house,” notes Hanna. Visit to learn more about SCLC and the NewApp Solution.

Getting the Most Out of IBM Z

The new IBM Secure Service Container and SCLC offerings are designed to give clients the confidence to develop and deploy new workloads while meeting budgets. The IBM Z platform is known for its agility, security and flexibility. These new offerings expand how clients can use IBM Z to full advantage.