Hyper Protect Services for Linux on Z and LinuxONE — Fabian Kulmann Software Architect IBM Cloud Hyper Protect Virtual Servers

Hyper Protect

DBaaS Crypto Virtual Servers Containers

September 4, 2019 / © 2019 IBM Corporation

Moving Sensitive Data and Regulated Workloads to Public Cloud

• 95% of enterprise clients polled cite security, privacy and regulatory concerns as their main inhibitors for using a public cloud [1]
• Average cost of a data breach = $3.86M (up 6.4% from 2017) [2]
• Percentage of breaches caused by malicious or criminal acts = 48% [2]
• Compliance can be complex. Penalties can be significant!

Business Needs:
• Meet regulatory compliance requirements
• Complete authority over sensitive data and associated workloads
• Use of own encryption keys that only they can control (Keep Your Own Key / KYOK)
• No access even to the cloud providers, especially for sensitive and confidential data

[1] From a poll of IBM Enterprise Clients at the ZBLC
[2] IBM security study - https://www.ibm.com/security/data-breach/

IBM Secure Service Container

“IBM Secure Service Container provides the base infrastructure for an integration of operating system, middleware, and software components into an appliance, which works autonomously and provides core services and infrastructure focusing on consumability and security.”

Values

- Security
- Easy to Deploy
- Easy to Manage

Values: Easy to deploy

- Deployment of a solution instead of different components
- Deployment without Operating System skills needed
- Deployment without solution skills needed
- Only 10 minutes needed to deploy the solution
- Deployment via a web installer

→ enable IBM Z for the cloud

Values: Easy to manage

- Management of the appliance without Operating System skills
- Limited variance of settings
- RESTful APIs for automation
- UI for better user experience

Values: Security

- System Admins don’t need to be trusted
- The solution leverages security features without code changes
- The Secure Service Container only boots untampered appliances
- Data and code are encrypted in flight and at rest
- The System Admin cannot access the memory or processor state
- No direct host or OS level interaction
- Only well-defined interfaces into and out of the appliance

IBM Secure Service Container Appliance Concept

[Diagram: IBM Secure Service Container Appliance, with the labels Solution / Application, Application Interfaces, Management Backend, Management UI / REST API, Base Operating System, Installer, Loader, Firmware, Hardware, and REST / UI Management]

Security Components

Secure Boot
- IBM Z/LinuxONE system-protected
- Only boots authorized workloads

Encryption
- LUKS-based disk encryption
- Any debug data like dumps and log files

Reduced Attack Surface
- Encrypted communication via REST APIs
- No direct OS level access

Secrets
- Can be contained inside the appliance

- Appliance configuration for life-cycle management

Solutions Depending on Secure Service Container Values

IBM Db2 Analytics Accelerator
Delivers high-speed processing for complex Db2 queries to support business-critical reporting and analytic workloads.

IBM Blockchain Platform 1.0
An integrated platform designed to accelerate the creation of a "built for business" global blockchain network across industries and use cases.

IBM Hyper Protect

IBM Cloud Hyper Protect Services – Security Differentiation

Secure Enclaves
- Platform-enforced Confidentiality and Security for the cloud
- Built-in tamper resistance and pervasive encryption of data in use, in transit and at rest
- Scalable to +1300 security domains in a single system footprint

Key safety
- Secure Key technology ensures keys are never in the clear
- On board HSM with tamper resistant cards providing FIPS 140-2 Level 4 security
- 4x better crypto performance

Simplified Security
- Docker-based stack inherits security without any code changes
- Malware protection via whitelisted execution environment
- Locks out privileged users for protection against abusive use of system admin or root user credentials

IBM Cloud Hyper Protect Services

Hyper Protect Crypto Services
- Keep your own keys for data encryption protected by a dedicated cloud HSM*
- GA 1Q19
* Industry’s only FIPS 140-2 Level 4 certified HSM

Hyper Protect DBaaS
- Complete data confidentiality for your sensitive data
- (PostgreSQL, MongoDB EE)
- GA 2Q19

Hyper Protect Virtual Servers
- Create Linux VMs with own public ssh key to maintain exclusive access to code and data
- (Ubuntu)
- Beta in 3Q19

Hyper Protect Containers
- Build and deploy micro services within a hyper secure environment
- (Kubernetes)
- Coming Soon!

Only you have access to your data, encryption keys and workloads. Only your cloud admin has access!

IBM Hyper Protect Crypto Services

On-chip cryptography
- On-chip cryptographic accelerator

Crypto Express HSM
- Tamper resistant Secure Key
- FIPS 140-2 Level 4
- Keys never leave the HSM

Integrated HSM

IBM Hyper Protect Crypto Services
Dedicated key management and cloud HSM service

Keep your own keys for cloud data encryption in a dedicated cloud HSM

• IBM Cloud admins do not ever have access to customer keys
• Key Lifecycle Management and support for Keep Your Own Key (KYOK) for cloud data encryption, with keys protected by customer controlled, dedicated cloud HSMs
• Integrates using Key Protect APIs to secure IBM Cloud data and storage services
• Provides industry's first and only FIPS 140-2 Level 4 certified HSMs in the public cloud market today
• First cloud provider to provide dedicated (cloud) CLI for HSM Key Ceremony, supporting multiple personnel with crypto key responsibilities
• Supports industry standards – PKCS #11

Customer Benefits:
• Full control of the entire key hierarchy including the HSM Master Key
• Industry-leading security for Cloud data and digital assets
• Reduced data compromise risk due to in-built protection against privileged access threats
• Regulatory compliance through data encryption and controls on privileged access

Built On
• LinuxONE secure enclaves

BYOK: Bring Your Own Key
KYOK: Keep Your Own Key
HSM: Hardware Security Module
PKCS: Public Key Cryptography Standards

IBM Cloud offers Multi- and Single-Tenant Cloud KMS solutions

• Key Protect
  - Multi-Tenant Solution
  - FIPS 140-2 level 2 certified HSMs
  - Operational Assurance
• Hyper Protect Crypto Services
  - Single-Tenant solution based on IBM LinuxONE
  - FIPS 140-2 Level 4 HSMs (IBM Crypto Express 6S)
  - Isolation with Secure Service Container (EAL 5+)
  - Key Protect API compatible
  - Technical Assurance
  - Enterprise Cryptographic Operations (GREP11)

[Diagram labels: Key Protect Multi-Tenant; Hyper Protect Single-Tenant; Wrap / unwrap; Data Service; Objects]

Services do not store unwrapped DEK in non-volatile memory

Hyper Protect Crypto Services (HPCS) - KYOK

Customer Value
• HSMs are based on the zHSM technology - has industry’s highest security certification FIPS 140-2 Level 4
• Dedicated HSMs – the customer holds the master key - operational management is done by IBM
• Technical controls are in place to ensure IBM has no access & visibility of customer key material
• Simple integration with other IBM Services (Blockstorage and VMWare today, COS Q3’19, ICD and others coming,..)

Target Customer Segment
• full control of all keys in an end-to-end process including the HSM master key
• highest possible technical certifications of a BYOK solution and the involved HSMs
• secret data classification looking to make use of cloud benefits
• Multiple integration options like REST API, PKCS11, KMIP

[Diagram labels: Enterprise; IBM Cloud; Object Storage; Cloudant; Cloud Databases; Boot/Block; VMware; Key Protect API; Hyper Protect Crypto Service; DEKs; CRKs; MasterKey; Dedicated key management & Cloud HSM; Trust Boundary under Customer Control; KYOK - Encryption Keys never exposed to Cloud Providers]

→ Highest Standard for Data-at-Rest Security with dedicated FIPS 140-2 level 4 HSMs

VMWare disc-encryption

Customer’s VMWare environment

[Diagram labels: vCenter; VM; ESXi; local; vsan; KMIP for VMWare]

vSphere encryption
• Protecting against disk drive loss
• Protecting against VM disk file loss
• No deduplication & compression
• Limitations on migration

vSAN encryption
• Protecting against disk drive loss
• Not protecting against VM disk file loss
• Deduplication & compression
• No limitations on migration

Hyper Protect Crypto Services
• Hosts and protects the keys needed
• Separates keys from VMWare environment

https://developer.ibm.com/tutorials/use-hyper-protect-crypto-services-to-encrypt-vmware-disks/

IBM Hyper Protect Database as a Service

IBM Hyper Protect DBaaS

Provision and manage highly secure, high volume databases* on IBM Cloud
* PostgreSQL and MongoDB Enterprise

https://cloud.ibm.com/catalog/services/hyper-protect-dbaas

• IBM cloud admins cannot access customer data
• Industry-leading data confidentiality through built-in workload isolation, restricted administrator access, tamper protection against internal threats
• High availability and reliability for mission critical applications
• Supports industry compliance and certifications - GDPR
• Provides standard APIs to provision, manage, maintain and monitor multiple database types
• Integrates with IBM Cloud services for access management, logging and monitoring, Alert management,…

Customer Benefits:
• Data owner maintains complete control over data
• Application developers can easily provision secure data stores for sensitive data without specialized skills

High Availability

Default HA configuration:
• 3 node clusters for each deployed instance
• Automatic daily backups stored in the local storage
• Recovery via cloud tracking request
• Logs and Metrics are sent to DBA

At GA:
Multi Zone Region support
• In Dallas
• Additional MZRs in plan for 2019

Hyper Protect Pod (one per Availability Zone)
Two (designed for 4) IBM LinuxONE Rockhopper II systems with: IBM FlashSystem 9150 NVMe-storage systems

Each IBM Cloud Region
• Consists of three Hyper Protect pods, each installed in a unique Availability Zone
• Results in a clustered topology with high resilience and low latency

[Diagram: Within an IBM Cloud Region; Availability Zone A, Availability Zone B, Availability Zone C; Customer 1, Customer 2 and Customer 3 MongoDB Clusters; node roles Secondary, Master, Secondary]

Databases Supported

SQL Database – PostgreSQL
Version: 10.6
• Fully supported by IBM

Tier   RAM    Disk
Free   3 GB   10 GB
Free   8 GB   80 GB

NoSQL - MongoDB Enterprise
Version: 3.6.4
• Fully supported by IBM, IBM will coordinate with MongoDB for support

Tier   RAM    Storage
Free   3 GB   10 GB
Free   8 GB   40 GB

IBM Hyper Protect Virtual Servers

https://www.ibm.com/cloud/blog/announcements/ibm-cloud-hyper-protect-virtual-servers-beta

- Rapidly provision a Virtual Server running on LinuxONE in the IBM Cloud
- Authentication is done via ssh keys → No password is exposed to IBM
- Our system administrators do not have access to the data within the Virtual Servers and the hosting OS
- Ubuntu Operating System
- Built on IBM Secure Service Container to enforce confidentiality
- Public Beta

[Diagram labels: ssh; Ubuntu VS 1, Ubuntu VS 2, Ubuntu VS n; Virtual Server Host/Management System; Solution / Application; Application Interfaces; Management Backend; Base Operating System; Management UI / REST API; REST / UI Management]

IBM Hyper Protect Containers

IBM Cloud Hyper Protect Containers

A secure platform to deploy Kubernetes workloads for confidential computing.

- Deploy any number of Kubernetes nodes on the IBM Hyper Protect Virtual Servers
- Our system administrators do not have access to the data within the containers and the hosting OS
- Each cluster is deployed in an internal set of VMs for multitenancy isolation
- Closed Experimental: https://www-01.ibm.com/marketing/iwm/iwmdocs/web/cc/earlyprograms/hyper.shtml

[Diagram labels: Kubernetes Cluster; Ubuntu VS 1, Ubuntu VS 2, Ubuntu VS n; Virtual Server Host/Management System; Application Interfaces; Management Backend; Base Operating System; Management UI / REST API; REST / UI Management]

Thank you

Fabian Kulmann Software Architect – IBM Cloud Hyper Protect Virtual Servers — [email protected] ibm.com
