Everything old is new again. In the 1960s, IBM's 650 mainframe operating system had two modes, MFT and MVT, in which each process got its own address space and couldn't interfere with other processes running in parallel with it. This was the ancestor of both virtual machines (VMs) and containers. Fast forward to now, and IBM Secure Service Container for IBM Cloud Private enables you to run an operating system and applications in containers with their own address space and walls that keep them from interacting with other programs.
Of course, you can do a wee bit more with Secure Service Containers (SSC) on IBM LinuxONE and Z mainframes than you could on a 360 mainframe with a maximum of 1MB of memory. IBM Cloud Private is a Platform as a Service (PaaS) environment for developing and managing containerized applications. It's built on top of the Kubernetes container orchestrator.
Within Cloud Private, IBM claims SSC takes advantage of today's mainframes' embedded hardware capabilities to help protect your data, guard against internal and external threats, and simplify your data compliance initiatives. It does this with the following three features:
Tamper protection during installation time
This is managed by making sure the entire boot process is signed and encrypted, so that it can only be executed within the protected, tamper-proof logical partition (LPAR) environment. The image boot loader is also signed to ensure that it cannot be tampered with or exchanged for a different one.
Restricted administrator access to help prevent the misuse of privileged user credentials
When an application is running in an SSC, its code cannot be accessed even by platform or system administrators. Data access is controlled by the appliance, so unauthorized access is disabled. The SSC also disables all external interfaces that provide LPAR memory access.
Automatic encryption of data both in flight and at rest
All transmitted data is protected by OpenSSL. To speed up encryption, the current generation of IBM mainframes uses built-in encryption processors.
Want to use it? IBM container pricing now offers a pay-as-you-go pricing model. The Solution Consumption License Charge metric delivers cost transparency and predictability when deploying new z/OS applications.
So, while you may think of mainframes as old-fashioned, IBM container security continues to be state of the art.