The Ongoing Pursuit of z/OS Integrity

New TechChannel host Laticia Carrow interviews NewEra Software chairman Paul Robichaux, who reflects on his company's development and shares his insights on z/OS 3.1.

This transcript is edited for clarity.

Laticia Carrow: Hello. My name is Laticia Carrow and I’ll be your host for this episode of TechChannel’s TechTalk. Very quickly, I’d like to say that I’m new to hosting TechTalk podcasts, although I’m not all that new to the IBM Z ecosystem anymore. I am a two-year IBM Z Champion and a TechChannel Rising Star. I also serve on the SHARE editorial advisory board and speak at many of our industry’s conferences, including IBM TechXchange, IBM Z Day, and SHARE. I’m thrilled to be here hosting TechChannel’s TechTalk today, and I’m equally thrilled to welcome Paul Robichaux, chairman of NewEra Software. Paul hails from a quaint coastal town in Louisiana. He is a seasoned business leader with an educational background, including a BS, MBA, and CPA. With a career spanning over four decades, Paul has steered companies like Boole & Babbage as CFO throughout the 1980s before he transitioned to CEO roles, most notably at Frame Technology. In 1990 Paul co-founded NewEra Software with Robert Tapia, and he remained at the helm as CEO until 2023, and has continued his influence as chairman of NewEra into the present day. Paul, thanks so much for joining me today on TechTalk. Welcome. How are you?


Paul Robichaux: Oh, I’m doing fine, Laticia. Thanks for having me and I’m really looking forward to this. I appreciate the opportunity.

Laticia: It is my pleasure. It is my pleasure to have you on today. You know it’s not often that we are able to speak with technical royalty on the show, and it’s just an honor to have you. I’d like to begin by asking you how do you make NewEra Software as robust as it is on the mainframe?

Paul: Well that’s a long story, but the arc of our success always bends towards z/OS integrity. Our goal is to make certain that our users are prepared for disasters, have methods of recovery and backup of the primary z/OS configuration components. The foundation for what we do essentially prepared us to develop products that could predict, if you would, potential z/OS system failures that might prevent the initiation of a specific LPAR under certain circumstances. We continued that legacy into the security world with tools like our Control Editor, which allows our users to easily implement zero trust policies. As always for us, a pursuit of supporting the latest releases of z/OS—in current time z/OS 3.1—and the implementation of innovations in those releases into our product, particularly in the case of 3.1, is a net set of functionalities which is referred to as secure boot. So we’re in it for the community. We are in it to preserve and extend z/OS integrity and essentially, as I said, the arc of our success always spins in that direction.

Laticia: That is wonderful. With all of that, especially with the Control Editor, how is it that programmers today can bring the Control Editor and utilize it and show others, especially those that are new to Z, how can they bring that to their new Z people and help them with it as far as their learning curve is concerned?

Paul: Well I think the first thing is that ease of use is always an important element of any system utility in the z/OS environment, like the Control Editor and what it allows users to do is to set up what we refer to as configuration boundaries and to empower users to follow best practices inside those boundaries. For example, Laticia, the old rule is always make a backup before you make a change. In the Control Editor, that’s always done for you automatically. Before you actually begin the process of making a change, the Control Editor will interpret your behavior and make a backup for you so that you’re always assured that you have a recovery point that can help you if you would need to recover from any inadvertent mistakes that you might make.

Laticia: Okay. Now do you think that z/OS is the most secure operating system available for large-scale general purpose computing?

Paul: Absolutely. I don’t think there’s any doubt about that. It’s just the history of z/OS from the early 1970s when the systems first came online with things like the SAF, the system ACT facility, APF dataset, the external security manager. The combination of those has essentially created an environment that all of us who have been active in that environment believe is the most secure that is available for large-scale general purpose business computing. One of the advantages of that general purpose nature is that third party vendors like NewEra and, let’s say, Rocket Software and others are able to develop and provide products to the community that help them to extend that general nature to form-specific versions of z/OS that are appropriate for their organizations and the threat landscapes that they face in their day-to-day operations.

Laticia: And so what do you think the advent and deployment of quantum and AI technology will have on system security and integrity?

Paul: Well, there’s a lot of speculation about that. It’s not here yet and we don’t see it as part of our concerns in today’s world, but there’s no doubt that the ability of sophisticated quantum-based computers will be able to perform calculations that will essentially render many of the algorithms that are used—for example in digital certificates—to build private keys that are used for protecting transactions between a server and client will become less and less secure. And when you combine that with intelligence and AI that can learn from those processes themselves, then they truly become vulnerable targets. There are many different things that are being considered by IBM and others to enhance today’s techniques for creating private keys, making them bigger, making them more complex, incorporating lattice mathematics in those keys, but it is yet to be seen whether all of those activities will actually result in a status quo of security or whether they may not be able to advance it, and so typically we think it might degrade. That will be a serious problem that all of us will need to address.

Laticia: That’s a lot of T’s for thought, if you will [laughs].

Paul: Yeah, you bet. I think there’s a lot of thought going into that, a lot of people thinking about it for sure because I mean, Laticia, it’s just an unknown now at this point. It’s not a conspiracy theory but it’s a suspicion that many of the techniques that we have relied on will be overtaken by the rapid advance of both quantum computing and AI. I mean from a public perspective, consumer perspective, you can’t turn over a rock today without seeing AI in some form or another, and as those LLMs as they’re referred to, large language models, become more and more sophisticated and talented if you would in understanding the algorithms that are used in, again, digital certificates. That will cause vulnerability and something will have to be done about that, not only at the software level but also at the hardware level as well.

Laticia: Absolutely, absolutely. So, you know what I’m hearing is a thought that is well thought out. It sounds to me that it just goes in parallel to what NewEra Software was founded on: developing supportive innovation for mainframe system management tools and services. So it seems to me that we’re right on point for what the mission is. Now let me ask this in the same wheelhouse. What steps has IBM taken recently to improve the integrity of the mainframe?

Paul: Well I think that probably the most important technique that they introduced in z/OS 3.1 was a sort of broad idea that there is a potential vulnerability in the supply chain of z/OS to its end computing platform, that last LPAR if you would that is going to actually execute the z/OS operating system. The supply chain is secure up to the point that the tool is delivered to the customer because it’s a general purpose operating system that the customer in turn has to make or will make modifications and add componentry to it in order to customize it to fit their specific business purpose. That last mile, that last step has essentially been the responsibility of the z/OS system programming staff, but within the broad framework of zero trust which is being applied everywhere these days, there has been concern—and it will continue on and probably get worse—that customization step lacks the controls that are necessary around it to ensure the organization that that last step again is as secure as it possibly can be. And so what they introduced was the concept that includes essentially three components. A clean room, this is a place very limited in scope but also limited in access to a very special group of people. Within that clean room is the creation of what is referred to as the infrastructure. This would be key rings and certificates that will be used for actually signing z/OS components that will be passed forward to the third step, which is called secure boot. And in that involvement what the end result is is a set of componentry signed in the clean room by a specific group of individuals that bears responsibility for those components. 
The recipient of it which will perform a secure boot then knows through processes that are inherent in z/OS 3.1 that the components that will be IPL’ed in fact did originate from that group, from that clean room, and that they bear responsibility for its content, meaning that nothing has been injected in there, no maliciousness has occurred. Everything falls back on making sure that that last mile is as secure as it possibly can be, so I think that’s a big step forward and will probably fall into favor with auditors over time. Certainly it will help in conformity with things like DORA in Europe, which needs to be implemented by January 2025.

Laticia: Absolutely. Absolutely. Well, that is ambitious, and I know it can be done. It sounds wonderful, absolutely wonderful, and with the few minutes that we have left, could you tell us a little more about your efforts with NextGen, the next generation of systems programmers and the transfer of knowledge? We’ve talked about this before.

Paul: Well unfortunately I have probably some not too good news. For 20 years, NewEra was the sponsor and advocate for an organization which was a sharing group that was run by a gentleman by the name of Jerry Seefeldt. Jerry retired about six months ago, and so we haven’t been as active with the NextGen group as we have been in the past. But we look forward to starting that back up again and providing content on a regular basis, not only from NewEra but also from the community in general.

Laticia: And we look forward to seeing all of that content, Paul, because I know that it’s going to be amazing content because it’s an amazing product.

Paul: Yeah, all of the historical information that was on the Z Exchange—that was the name of the organization—is still online. So if people want access to it, there’s a directory that they can reference through a browser and if they’re interested in that, they can email me at support@newera.com and we’ll provide them with the appropriate link.

Laticia: That’s wonderful. That’s wonderful and I see here that there is a phone number that they can call, 1-800-421-5035, or email for more information or to schedule a personalized webinar. Is that right?

Paul: Exactly.

Laticia: Outstanding. Well Paul, thank you so much for coming onto TechTalk today. We certainly do appreciate your time. Again, it’s been a pleasure to speak with tech royalty like yourself and I hope you have a wonderful day.

Paul: Okay, thank you so much, Laticia. Greatly appreciate it.

Laticia: That’s our episode with Paul Robichaux and NewEra Software. I am Laticia Carrow for TechChannel’s TechTalk. Join me again for future TechTalks when we sit down with more brilliant experts and luminaries on IBM Z.