The Value of z Systems Virtualization Security
David Rossi, IBM z Systems Security Architect, dzrossi@us.ibm.com
V1.02d – Last updated 09 March 2016
Trademarks
The following are trademarks of the International Business Machines Corporation in the United States, other countries, or both.
Not all common law marks used by IBM are listed on this page. Failure of a mark to appear does not mean that IBM does not use the mark nor does it mean that the product is not actively marketed or is not significant within its relevant market. Those trademarks followed by ® are registered trademarks of IBM in the United States; all others are trademarks or common law marks of IBM in the United States.
For a complete list of IBM Trademarks, see www.ibm.com/legal/copytrade.shtml:
*, IBM Systems, IBM System z10®, IBM System Storage® , IBM System Storage DS®, IBM BladeCenter®, IBM System z®, IBM System p®, IBM System i®, IBM System x®, IBM IntelliStation®, IBM Power Architecture®, IBM SureOne®, IBM Power Systems™, POWER®, POWER6®, POWER7®, POWER8®, Power ®, IBM z/OS®, IBM AIX®, IBM i, IBM z/VSE®, IBM z/VM ®, IBM i5/OS®, IBM zEnterprise®, Smarter Planet™ ,Storwize®, XIV® , PureSystems™, PureFlex™, PureApplication™ , IBM Flex System™ , Smarter Storage
The following are trademarks or registered trademarks of other companies.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency, which is now part of the Office of Government Commerce.
* All other products may be trademarks or registered trademarks of their respective companies.
Notes: Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here. IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply. All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions. This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area. All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.
2 Disclaimer
The information contained in this document has not been submitted to any formal IBM test and is distributed on an "AS IS" basis without any warranty either express or implied. The use of this information or the implementation of any of these techniques is a customer responsibility and depends on the customer's ability to evaluate and integrate them into the operational environment. While each item may have been reviewed by IBM for accuracy in a specific situation, there is no guarantee that the same or similar results will be obtained elsewhere. Customers attempting to adapt these techniques to their own environments do so at their own risk.
In this document, any references made to an IBM licensed program are not intended to state or imply that only IBM's licensed program may be used; any functionally equivalent program may be used instead.
Any performance data contained in this document was determined in a controlled environment and, therefore, the results which may be obtained in other operating environments may vary significantly. Users of this document should verify the applicable data for their specific environments.
It is possible that this material may contain reference to, or information about, IBM products (machines and programs), programming, or services that are not announced in your country. Such references or information must not be construed to mean that IBM intends to announce such IBM products, programming or services in your country.
3 Agenda
• Mainframe Security in the Modern World
• The Value of z and LinuxONE Security
  – Hardware
  – Virtualization security
  – Linux Guest security
  – Cloud Security
• Summary and references
4 Mainframe Security in the Modern World
5 IBM’s Commitment to Security & Integrity
• z Systems "System Integrity" is defined as the inability of any program not authorized by a mechanism under the installation's control to circumvent or disable z/OS or z/VM Security Controls
• In the event that an IBM System Integrity problem is reported, IBM will always take action to resolve it.
• IBM's commitment extends to design, development and test practices, including the creation of the z Systems Center for Secure Engineering to provide additional security focused testing and scrutiny.
• IBM's long-term commitment to System Integrity is unique in the industry, and forms the basis of z/OS & z/VM industry leadership in system security
• The z Systems Security Portal informs clients about the latest security and system integrity service to help keep their enterprise system up to date
[Callout: First issued in 1973 & Reaffirmed in 2007]
http://www-03.ibm.com/systems/z/os/zos/features/racf/zos_integrity_statement.html
http://www.vm.ibm.com/security/zvminteg.html
6 The attack surface for a typical business is growing at an exponential rate
[Figure: attack surface. People: Employees, Hackers, Outsourcers, Suppliers, Consultants, Terrorists, Customers. Data: Structured, Unstructured, At rest, In motion. Applications: Web, Web 2.0, Mobile apps, Systems applications. Infrastructure.]
7 Attackers break through conventional safeguards every day
[Figure: timeline 2012, 2013, 2014: 40% increase; 800,000,000+ records; Unprecedented impact. Attack types: XSS, Heartbleed, Physical Access, Brute Force, Misconfig., Watering Hole, Phishing, SQLi, DDoS, Malware, Undisclosed]
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015
256 days: average time to detect APTs
$6.5M: average cost of a U.S. data breach
Source: 2015 Cost of Data Breach Study, Ponemon Institute
8 XSS and SQL injection exploits are continuing in high numbers
[Figure: Sampling of 2015 security incidents by attack type, time and impact]
$18M: average organizational cost of a data breach in the U.S.
$606: average organizational cost per compromised record in the U.S.
Source: 2015 'Cost of Data Breach Study: Global Analysis', Ponemon Institute
9 It's 10:00pm. Do you know where your data is?
• Chances are, not all the data on your systems is created equal
• Chances are, you are beholden to certain regulations concerning that data
  – PCI DSS, HIPAA, SOX, FIPS (one of the 200 of them), OECD, APEC … pick an acronym
  – Some combination thereof, or a local security policy even more stringent?
• And does your data stay in one place?
  – PCI DSS v3 actually requires diagrams of data flow for Cardholder Information
[Figure: Mobile First, WAS and DB2 components distributed across guests Linux1, Linux2 and Linux3 on ZVMSYS01, ZVMSYS02 and ZVMSYS03, plus z/OS, on LinuxONE and z13]
10 z Virtualization is increasingly in the middle of bigger things.
[Figure: your z/VM system: Guests, SVMs and other USERIDs running under z/VM, on PR/SM (one z System Logical Partition), on a z13 with CPACF, OSA and Crypto Express]
11 IBM LinuxONE™ Portfolio
Linux without Limits Linux Your Way Linux without Risk
12 Example* risks to sensitive data in virtual environments
*(PCI DSS v3.1 Supplement - Virtualization Guidance v2.1)
1. Vulnerabilities in the Physical Environment Apply in a Virtual Environment
2. Hypervisor Creates a New Attack Surface
3. Increased Complexity of Virtualized Systems and Networks
4. More than One Function per Physical System
5. Mixing VMs of Different Trust Levels
6. Lack of Separation of Duties
7. Dormant Virtual Machines
8. VM Images and Snapshots
9. Immaturity of Monitoring Solutions
10. Information Leakage between Virtual Network Segments
11. Information Leakage between Virtual Components
13 The Value of z and LinuxONE Security:
• z Systems and LinuxONE combine battle-tested hardware and partitioning with best-in-class hypervisor security to protect your Linux workloads
• The business value of virtualization security: it mitigates risk to your business by protecting the data on which your company runs and thrives.
• The technical value of virtualization security: it helps to protect your servers, your passwords, your data, and your resources from threats which would steal or destroy them.
14 The Value of z and LinuxONE Security: Explained at Every Level
15 Information Security and Standards
• Information Security and Information Assurance
  – Protecting information systems from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction.
  – Fields are interrelated. Common goals of meeting the AIC triad of infosec
• Variety of standards & evaluation schemes …
  – Common Criteria (ISO/IEC 15408)
  – FIPS 140-2 (US)
  – DK (Germany Banking), MEPS (France Banking), and many more
• The Common Criteria is an international standard for infosec certification
  – Recognized by 26 countries through the Common Criteria mutual recognition agreement (CCRA)
  – A framework in which users can specify security functional and assurance requirements
  – Vendors can implement and/or make claims about a product's security attributes
  – Testing laboratories can evaluate the products to determine if they actually meet the claims
• Common Criteria provides assurances that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standardized fashion.
  – May help to reduce risk & improve the product under evaluation
• IBM Development & Verification processes are subject to Common Criteria Evaluations
16 z Systems Certifications
The Common Criteria program establishes an organizational and technical framework to evaluate the trustworthiness of IT Products and protection profiles
z/VM
• Common Criteria EAL4+: z/VM 6.3 with OSPP with -LS and -VIRT
• FIPS 140-2 validated: z/VM 6.3 System SSL is FIPS 140-2 validated.
• System Integrity Statement
z/OS
• Common Criteria EAL4+: z/OS 1.12, z/OS 1.13, z/OS V2R1 (OSPP); z/OS 1.11 + RACF (OSPP); RACF V2R1 (OSSP); RACF V1R13 (OSPP); RACF V1R12 (OSPP)
• z/OS 1.10 IPv6 Certification by JITC
• IdenTrust™ certification for z/OS PKI Services
• FIPS 140-2: System SSL z/OS 1.10 to 1.13; z/OS ICSF PKCS#11 Services, z/OS 1.11 to z/OS 1.13
• Statement of Integrity
Linux on System z
• Common Criteria EAL4+: SUSE SLES11 SP2 certified at EAL4+ with OSPP; Red Hat EL6.2 EAL4+ with OSPP
• OpenSSL: FIPS 140-2 Level 1 validated
Virtualization with partitions
• Common Criteria EAL5+: IBM z13 (completed)
• Common Criteria EAL5+ with specific target of evaluation -- LPAR: Logical partitions: zEnterprise 196 & zEnterprise 114; System zEC12 & BC12
Cryptography
• Crypto Express5S: in evaluation, FIPS 140-2 level 4 Hardware Evaluation
• Crypto Express3 & Crypto Express4S: FIPS 140-2 level 4 Hardware Evaluation; approved by German ZKA
• CP Assist: SHA-1 validated for FIPS 180-1; DES & TDES validated for FIPS 46-3; FIPS 197 (AES); FIPS 46-3 (TDES); FIPS 180-3 (Secure Hash)
17 Let's start with the hardware.
• EAL5 – better than an air gap
  – Isolation of a logical partition at the architectural level (more on this in a moment)
  – Controls on direct access to devices
  – Elimination of covert channels
  – Role-based access controls to a partition (or partitions) or hardware
• With a few added bonuses:
  – Controlled in-memory communication paths (HiperSockets)
18 IBM z/VM and KVM for IBM z can co-exist on z Systems
IBM z/VM:
• World class quality, security, and reliability - powerful and versatile
• Extreme scalability creates cost savings opportunities
• Exploitation of advanced technologies, such as shared memory (Linux kernel, executables, communications)
• Highly granular control over resource pool
• Provides virtualization for all z Systems operating systems
• Integrates with OpenStack
KVM for IBM z:
• Standardizes configuration and operation of server virtualization
• Leverage common Linux administration skills to administer virtualization
• Flexibility and agility leveraging the Open Source community
• Provides an Open Source virtualization choice
• Integrates with OpenStack
[Figure: z Systems Host: z/OS and Linux on z guests under z/VM alongside Linux on z guests under KVM, both on PR/SM over Processors, Memory and IO, with the Support Element]
19 Virtualization security requires some basics:
• Isolation of hosted guests
• Confidentiality of data on the system
• Protection of privileged hypervisor commands and operations
• Controlled sharing of data between virtual machines
• Management of virtual devices and integrity of data
• Securing connectivity to and within the hypervisor layer
  – TCP/IP connectivity
  – Virtual networking
• Hardening of the hypervisor layer
• Multi-tenancy and "security zones"
• Auditing of security-relevant operations
20 Guest Isolation on z and LinuxONE
• All guests must be isolated from one another
  – Separation of duties and need to know
  – Control the flow of data
  – Keep workloads from interfering with one another
[Figure: Linux1 and Linux2 guests on ZVMSYS01 on LinuxONE]
• Isolation on z & LinuxONE starts at hardware
• The Interpretive Execution Facility and Start Interpretive Execution (SIE) instruction are how virtual machines are executed
  – PR/SM controls LPAR creation
  – z/VM Control Program (CP) controls VM instantiation
  – KVM's Linux Kernel creates VMs as processes
• SIE instruction "runs" a virtual machine until a condition is raised
  – "What happens in a VM stays in a VM"
  – No mechanism for hyperjacking the platforms
  – Only leaves machine on interception conditions (a.k.a. "SIE break")
21 Scope of Responsibility
• Any virtual machine is constrained in its ability to impact the hypervisor
• Role-based access controls
  – Administrator vs. general-use commands
  – Communication with other machines / resources
[Figure: VM Definition]
z/VM:
• Privilege classes (Class G or less)
  – Administrators can write their own classes
  – SVMs and Operators may have more
• Directory statements to augment VM definitions:
  – LOGONBY statement for controlled access
  – COMMAND statements for pre-LOGON context creation
  – CRYPTO statement for z Systems CryptoExpress access
  – LINK and NICDEF for controlled access to virtual resources
• Extra statements can be added to a VM definition for specific needs
KVM for IBM z:
• SELinux for guest isolation
• libvirtd to manage virtual machines
• cgroups for connecting machines to certain resources
• chmod for access rights
• sudo for privileged auth (no root)
22 Virtualizing Device Access
• A virtual machine is not an island
  – Will eventually require access to disk, shared data, a network device, or some other hardware device
• Such devices are maintained at the hypervisor level
  – In z/VM, CP controls access to devices
  – In KVM, qemu controls access to devices
• These devices need to adhere to local security policy as well ("know the ways your data flows")
  – Hypervisor controls time slices and extent management
  – Access control lists manage VM access
  – Minidisk passwords, etc., for additional controls
[Figure: real volume 630WRK carved into minidisks LABEL1 to LABEL4, each presented to its guest as virtual cylinders 0-99]
23 Virtual Switches, VLANs, and Zoning (both)
[Figure: z/VM VSWITCH and KVM for IBM z Open vSwitch, each connecting db, app and web guests to the internet on separate VLANs]
24 Virtual Networking
z/VM:
• z/VM controls Layer 2 traffic through a Virtual Switch
• Separates guest traffic by VLAN
• No need for a virtual router (all CP)
• Can flow traffic to/through OSA devices
• Separation of traffic via Port Isolation and VEPA modes
KVM for IBM z:
• KVM for IBM z provides virtual Ethernet devices through Open vSwitch or MacVTap (direct connection)
• Separates guest traffic by VLAN
• Isolation of traffic based on network interfaces
• Can flow traffic to specific OSA ports based on ethernet interfaces
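The VLAN separation described above only holds if every guest is granted the VLANs its zone allows and nothing else. The following is an added example (not from the slides or from z/VM itself) that reads DEFINE VSWITCH / SET VSWITCH GRANT commands in real CP syntax from a constructed PROFILE EXEC-style fragment and reports any pair of guests from zones that must stay apart (here web and db) sharing a Layer 2 segment; the guest names, VLAN IDs and zone policy are assumptions. It also covers the edge case of a VSWITCH defined without a VLAN keyword, which CP treats as VLAN UNAWARE, so every guest on it shares one broadcast domain.

```python
"""Check that VSWITCH VLAN grants keep security zones apart.

Added example, not from the original slides or from z/VM. The command
syntax is real CP syntax; guests, VLAN IDs and ZONES/FORBIDDEN are
constructed for the demonstration.
"""
from itertools import combinations

SAMPLE_COMMANDS = """\
CP DEFINE VSWITCH VSW1 RDEV 0600 VLAN 1 PORTTYPE ACCESS
CP SET VSWITCH VSW1 GRANT WEB01 VLAN 20
CP SET VSWITCH VSW1 GRANT WEB02 VLAN 20
CP SET VSWITCH VSW1 GRANT APP01 VLAN 20 30 PORTTYPE TRUNK
CP SET VSWITCH VSW1 GRANT DB01 VLAN 30
CP SET VSWITCH VSW1 GRANT DB02 VLAN 30 20 PORTTYPE TRUNK
CP DEFINE VSWITCH VSW9 RDEV 0700
CP SET VSWITCH VSW9 GRANT WEB03
CP SET VSWITCH VSW9 GRANT DB03
"""

# Constructed zone assignment and the zone pairs that must never share a segment.
ZONES = {"WEB01": "web", "WEB02": "web", "WEB03": "web",
         "APP01": "app", "DB01": "db", "DB02": "db", "DB03": "db"}
FORBIDDEN = {frozenset({"web", "db"})}


def parse_vswitch_commands(text):
    """Return {guest: set of (vswitch, vlan) segments the guest can reach}."""
    default_vlan = {}   # vswitch -> default VLAN id, or None when VLAN UNAWARE
    segments = {}
    for line in text.splitlines():
        tok = line.upper().split()
        if tok and tok[0] == "CP":
            tok = tok[1:]
        if tok[:2] == ["DEFINE", "VSWITCH"] and len(tok) > 2:
            default_vlan[tok[2]] = int(tok[tok.index("VLAN") + 1]) if "VLAN" in tok else None
        elif tok[:2] == ["SET", "VSWITCH"] and len(tok) > 4 and tok[3] == "GRANT":
            vsw, guest = tok[2], tok[4]
            vlans = set()
            if "VLAN" in tok:
                i = tok.index("VLAN") + 1
                while i < len(tok) and tok[i].isdigit():   # VLAN id list ends at next keyword
                    vlans.add(int(tok[i]))
                    i += 1
            if default_vlan.get(vsw) is None:
                vlans = {"ALL"}               # VLAN UNAWARE switch: one broadcast domain
            elif not vlans:
                vlans = {default_vlan[vsw]}   # no VLAN on the GRANT: switch default VLAN
            segments.setdefault(guest, set()).update((vsw, v) for v in vlans)
    return segments


def zone_violations(segments, zones=ZONES, forbidden=FORBIDDEN):
    """Pairs of guests from forbidden zone pairs that share at least one segment."""
    out = []
    for a, b in combinations(sorted(segments), 2):
        pair = frozenset({zones.get(a, "?"), zones.get(b, "?")})
        shared = segments[a] & segments[b]
        if pair in forbidden and shared:
            out.append((a, b, sorted(shared, key=str)))
    return out


if __name__ == "__main__":
    for a, b, shared in zone_violations(parse_vswitch_commands(SAMPLE_COMMANDS)):
        print(f"{a} and {b} share {shared}")
```

In the constructed input DB02 was granted VLAN 20 as well as 30, so it lands on the web segment, and VSW9 has no VLAN keyword at all, so WEB03 and DB03 sit in one broadcast domain; APP01 legitimately bridges 20 and 30 and is not reported because app-to-db and app-to-web are allowed by the policy.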
25 Virtualized Crypto Express under z/VM
[Figure: LPAR 1 running z/VM with guests LINUX01 (CRYPTO DOMAIN N APDED 0), LINUX02 and LINUX01 (CRYPTO APVIRT); z/VM maps the APDED and APVIRT queues 0, 1 … n onto adapters CEX5S 0 and CEX5A 1; MK]
26 Encrypting Hypervisor Connections
§ Getting "under" a guest could disrupt operations … it is vital to protect access to the hypervisor layer itself
z/VM Supports:
• Secure Telnet and FTPS via the SSL/TLS server
• TLS 1.2 support, SHA-256 certificates (*new* to z/VM 6.3)
• FIPS 140-2 validated
• NIST SP 800-131a compliant (*new* to z/VM 6.3)
• The TLS Server can also encrypt traffic to/from local PORTs (e.g., Systems Management traffic)
KVM Supports:
• Openssl (TLS 1.2 and SHA-256)
• Openssh (ephemeral keys)
• Configurable to meet cryptographic standards
• KVM also has native firewall support
  – Open/close ports for native TCP/IP communication
  – Note: default policy does not allow for guest migration
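"Configurable to meet cryptographic standards" means someone has to check the configuration. As an added example (not from the slides, z/VM or the KVM project), the script below parses an OpenSSH sshd_config on the KVM host and flags settings below the SHA-256 bar the slide sets: SHA-1-hashed key exchange, CBC/3DES ciphers, SHA-1 MACs, and direct root or password logins. Both config fragments are constructed; the algorithm names are real OpenSSH identifiers.

```python
"""Flag sshd_config settings that fall below a SHA-256 / no-legacy baseline.

Added example, not from the original slides. Both configurations
below are constructed; WEAK_CONFIG is the "before", HARDENED_CONFIG
the "after".
"""

WEAK_CONFIG = """\
Protocol 2
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
Ciphers aes256-gcm@openssh.com,aes128-ctr,3des-cbc
MACs hmac-sha2-256,hmac-sha1
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Protocol 2
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
PermitRootLogin no
PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return {keyword: value}; sshd honours the first occurrence of a keyword."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg.setdefault(key, value.strip())
    return cfg


def weak_items(cfg):
    """List (keyword, offending value) pairs; an empty list means the config passes."""
    findings = []
    # Key exchange: every SSH KEX is ephemeral, so the bar here is the hash, not the DH.
    for alg in cfg.get("KexAlgorithms", "").split(","):
        if alg and alg.endswith("sha1"):
            findings.append(("KexAlgorithms", alg))
    # Ciphers: CBC modes, 3DES and RC4 are the usual legacy leftovers.
    for alg in cfg.get("Ciphers", "").split(","):
        if alg and ("cbc" in alg or alg.startswith(("3des", "arcfour"))):
            findings.append(("Ciphers", alg))
    # MACs: anything built on SHA-1 or MD5.
    for alg in cfg.get("MACs", "").split(","):
        if alg and ("sha1" in alg or alg.startswith("hmac-md5")):
            findings.append(("MACs", alg))
    # Direct root login and password auth widen the attack surface on the host itself.
    for key in ("PermitRootLogin", "PasswordAuthentication"):
        if cfg.get(key, "(default)").lower() != "no":
            findings.append((key, cfg.get(key, "(default)")))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, weak_items(parse_sshd_config(text)))
```

A keyword that is not set at all is reported as "(default)" rather than assumed safe, because the compiled-in default depends on the OpenSSH version shipped with the host distribution.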
27 Hypervisors, by their natures, are highly flexible
• There are a lot of options to consider
  – Alternate communication paths to check
  – Virtual networking options to control
  – Shared memory spaces
  – Access to data at rest (storage, tape)
• And other considerations to factor in …
  – Password controls – are they in the clear? Are they changed?
  – Auditing – are you logging the right security-relevant events? Can you?
A security manager provides both a finer granularity of control and the ability to enact more complete isolation of guests and projects … in a consolidated interface.
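The directory statements from slide 21 (USER privilege classes, LOGONBY, LINK, NICDEF, minidisk passwords) and the "are passwords in the clear?" question above are both things that can be audited mechanically. Below is an added example (not from the slides or from z/VM) that parses a constructed USER DIRECT fragment in real z/VM directory syntax and reports guests with clear-text directory or minidisk passwords, privilege classes beyond G outside an assumed administrator list, shared passwords without LOGONBY accountability, and write-capable LINKs to another user's minidisk; all user IDs, volumes and passwords are constructed, and ADMIN_USERS stands in for the site's own list of administrative and service virtual machines.

```python
"""Audit a z/VM USER DIRECT fragment for the risks the slides call out.

Added example, not from the original slides or from z/VM. Statement
syntax (USER, LOGONBY, MDISK, LINK, NICDEF) is real z/VM directory
syntax; every user ID, volume and password below is constructed, and
ADMIN_USERS is an assumption.
"""
from dataclasses import dataclass, field

SAMPLE_DIRECT = """\
USER MAINT MAINT 256M 1G ABCDEFG
 LOGONBY ADMIN1 ADMIN2
 MDISK 0190 3390 100 107 VMSRES MR READ WRITE MULT
USER LINUX01 LBYONLY 2G 4G G
 LOGONBY ADMIN1
 NICDEF 0600 TYPE QDIO LAN SYSTEM VSW1
 LINK MAINT 0190 0190 RR
 MDISK 0100 3390 1 3338 LXUSR1 MR
USER LINUX02 SECRET99 2G 4G BG
 NICDEF 0600 TYPE QDIO LAN SYSTEM VSW1
 LINK LINUX01 0100 0100 MW
 MDISK 0100 3390 1 3338 LXUSR2 MR RPASS WPASS
"""

ADMIN_USERS = {"MAINT"}                                       # assumption
SAFE_PASSWORDS = {"NOLOG", "LBYONLY", "AUTOONLY", "NOPASS"}   # no clear-text secret
WRITE_MODES = {"W", "WR", "M", "MR", "MW"}                    # link modes allowing writes


@dataclass
class Guest:
    name: str
    password: str
    classes: str
    logonby: list = field(default_factory=list)
    links: list = field(default_factory=list)    # (owner, vaddr, mode)
    mdisks: list = field(default_factory=list)   # (vaddr, has_clear_password)


def parse_direct(text):
    """Build Guest records from USER statements and the lines that follow them."""
    guests, cur = [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("*"):
            continue                                   # blank or comment line
        kw = tok[0].upper()
        if kw == "USER":                               # USER userid password stor maxstor classes
            cur = Guest(tok[1], tok[2], tok[5] if len(tok) > 5 else "G")
            guests.append(cur)
        elif cur is None:
            continue
        elif kw == "LOGONBY":
            cur.logonby.extend(tok[1:])
        elif kw == "LINK":                             # LINK owner vaddr vaddr mode
            cur.links.append((tok[1].upper(), tok[2], tok[4].upper() if len(tok) > 4 else "R"))
        elif kw == "MDISK":                            # MDISK vaddr type cyl cyls vol mode [pw pw pw]
            cur.mdisks.append((tok[1], len(tok) > 7))
    return guests


def audit(guests, admins=ADMIN_USERS):
    """Return (userid, finding) pairs for every risky definition."""
    findings = []
    for g in guests:
        clear_pw = g.password.upper() not in SAFE_PASSWORDS
        if clear_pw:
            findings.append((g.name, "directory password in the clear"))
        if clear_pw and not g.logonby:
            findings.append((g.name, "shared password without LOGONBY: logons are not attributable"))
        extra = set(g.classes.upper()) - {"G"}
        if extra and g.name not in admins:
            findings.append((g.name, "privilege classes beyond G: " + "".join(sorted(extra))))
        for owner, vaddr, mode in g.links:
            if owner != g.name and mode in WRITE_MODES:
                findings.append((g.name, f"write-capable LINK to {owner} {vaddr} ({mode})"))
        for vaddr, has_pw in g.mdisks:
            if has_pw:
                findings.append((g.name, f"minidisk password in the clear on {vaddr}"))
    return findings


if __name__ == "__main__":
    for user, what in audit(parse_direct(SAMPLE_DIRECT)):
        print(f"{user:<8} {what}")
```

Where RACF for z/VM is active it, not the directory, authenticates logons and protects minidisks, so the directory password field can be LBYONLY or NOLOG and the minidisk password fields can be left empty; the audit then reduces to the privilege-class and LINK checks.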
28 Infrastructure Security with RACF for z/VM
• RACF Security Server is a priced feature of z/VM
  – A requirement for meeting today's enterprise security requirements
• RACF enhances z/VM by providing:
  – Extensive auditing of system events
  – Strong encryption of passwords and password phrases
  – Control of privileged system commands
  – Extensibility in z/VM environments clustered through Single System Image
  – Controls on password policies, access rights, and security management
  – Security Labeling and Zoning for multi-tenancy within a single LPAR (or across a cluster)
• RACF for z/VM is an integral component of z/VM's Common Criteria evaluations (OSPP-LS at EAL 4+)
29 sVirt for KVM
• sVirt is an SELinux Framework for KVM
  – Labels all resources associated with hypervisor (processes, disk images …)
  – Separates guest processes, even within a single userid
  – Innate Mandatory Access Control policies (security labeling and zoning)
  – Can allow shared read/write content between virtual machines if desired
  – Booleans for qemu virtual motherboard processing
• Security policy decisions are fed to auditd
  – Security does not exist without an audit trail
• sVirt is an integral component of the RHEL+KVM Common Criteria Evaluation, and will be vital if/when KVM for IBM z is evaluated.
30 sVirt for KVM for IBM z
[Figure: VMM (libvirt, virt-manager) drives libvirtd processes, which launch one qemu process per guest (Guest01, Guest02); sVirt (SELinux) labels and separates them on the KVM Host]
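The separation sVirt provides rests on each guest's qemu process and its disk images carrying a unique pair of MCS categories; two guests given the same categories (for instance through identical static labels) can reach each other's images. The following added example (not from the slides or from libvirt) checks that invariant over constructed listings in the shape of `ps -eZ` and `ls -Z` output; the type names svirt_t, svirt_image_t and virt_image_t are the real ones sVirt uses, while the PIDs, categories and paths are constructed.

```python
"""Check that sVirt gave every running guest its own MCS label.

Added example, not from the original slides or from libvirt. The two
listings are constructed; only the SELinux type names are real.
"""

PROCESSES = """\
system_u:system_r:svirt_t:s0:c104,c871    4211 ?  00:00:12 qemu-kvm
system_u:system_r:svirt_t:s0:c104,c871    4390 ?  00:00:03 qemu-kvm
system_u:system_r:svirt_t:s0:c512,c33     4477 ?  00:00:09 qemu-kvm
system_u:system_r:virtd_t:s0-s0:c0.c1023  1250 ?  00:00:01 libvirtd
"""

IMAGES = """\
system_u:object_r:svirt_image_t:s0:c104,c871 /var/lib/libvirt/images/guest01.img
system_u:object_r:svirt_image_t:s0:c512,c33  /var/lib/libvirt/images/guest02.img
system_u:object_r:virt_image_t:s0            /var/lib/libvirt/images/guest03.img
"""


def parse_label(label):
    """Split user:role:type:range into (type, frozenset of MCS categories)."""
    parts = label.split(":", 3)
    typ = parts[2]
    mls = parts[3] if len(parts) > 3 else "s0"
    cats = frozenset(mls.split(":", 1)[1].split(",")) if ":" in mls else frozenset()
    return typ, cats


def audit_svirt(ps_text, ls_text):
    """Return human-readable findings; an empty list means every guest is isolated."""
    findings = []
    guests = {}   # categories -> PIDs of svirt_t processes carrying them
    for line in ps_text.splitlines():
        tok = line.split()
        if not tok:
            continue
        typ, cats = parse_label(tok[0])
        if typ != "svirt_t":          # libvirtd and other host daemons are not guests
            continue
        pid = tok[1]
        if not cats:
            findings.append(f"pid {pid}: svirt_t process without MCS categories")
        guests.setdefault(cats, []).append(pid)
    for cats, pids in guests.items():
        if cats and len(pids) > 1:    # two guests, one label: MCS cannot keep them apart
            findings.append(f"pids {','.join(pids)} share categories {','.join(sorted(cats))}")
    for line in ls_text.splitlines():
        tok = line.split()
        if not tok:
            continue
        typ, cats = parse_label(tok[0])
        path = tok[-1]
        if typ != "svirt_image_t":    # no per-guest categories on the image at all
            findings.append(f"{path}: type {typ} carries no per-guest categories")
        elif cats not in guests:
            findings.append(f"{path}: no running guest carries its categories (stopped guest or stale label)")
    return findings


if __name__ == "__main__":
    for finding in audit_svirt(PROCESSES, IMAGES):
        print(finding)
```

On a live host the same two listings come from `ps -eZ` and `ls -Z /var/lib/libvirt/images`; the image finding for a stopped guest is informational, the shared-categories finding is the one that needs fixing.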
31 This is your LinuxONE System On Lockdown.
[Figure: Mobile First, Net, WAS, WAS and DB2 guests plus a TCP/IP SVM with TLS, an encrypted-traffic SVM and a Security Manager Server, connected by VSWITCH with Role Based Access Controls, over Virtual Memory Management and architected VM separation on the z virtualization platform, on PR/SM (one Logical Partition) with CPACF, OSA and Crypto Express]
32 Linux Guest Security
Of course, all of the preceding content assumes you will secure your Linux guests with the same diligence and vigilance as you do your hypervisor.
It does no good to lock the door if you leave the window open.
[Figure: Linux01 guest on PR/SM (one z Systems Logical Partition) with CPACF, OSA and Crypto Express]
33 Linux on z is Linux ... With all of z's Benefits
• Linux is Linux
  – Linux security features and tools available to all architectures
  – Differences only in architecture specifics and device support
• Thorough open source review of key components
  – Security is and was always a focus of kernel development
  – Core Infrastructure Initiative (a.o. sponsored by IBM) focuses on supporting security relevant packages (like openSSL)
  – OpenMainframe project: community involvement
• Benefits stem from the platform
  – Strong guest isolation
  – Cryptographic hardware support
34 OPEN MAINFRAME PROJECT
35 Linux on z Systems Crypto Stack
[Figure: layered crypto stack. Customer application layer: openssh (ssh, scp, sftp), IBM C/C++ software, WAS, customer Java/JCE software, Apache (mod_ssl, mod_nss), customer C/C++ software using CCA, customer software using PKCS#11. Standard crypto interfaces: openssl / libcrypto, NSS, GSKIT, JCA/JCE (ICC, IBMPKCS11Impl), openCryptoki (PKCS#11) with the ibmca engine and the cca, ica, ep11 and icsf tokens (the icsf token reaching a z/OS crypto server via network). System z HW crypto libraries: ICA (libica), EP11 library, CCA (libcsulcca). Kernel: IPsec, dm-crypt, kernel crypto framework, zcrypt device driver, System z backend. Hardware: CPU CPACF (clear key and protected key: DES, 3DES, AES, SHA, PRNG); Crypto Adapters: CCA Co-Processor (secure key), Accelerator (RSA), EP11 Co-Processor (RSA, RNG, ECC)]
36 Using dm-crypt for Guest Data Encryption
• dm-crypt / LUKS
  – A mechanism for data encryption
  – Data only appears in the clear when in program
  – Kernel component that transparently encrypts data written to disk and decrypts data read from disk
• How it works:
  – Encryption keys stored on disk
  – Encryption keys on disk are protected by passwords
  – Uses in-kernel crypto
  – Can use HW crypto
  – Linux on z has HW support for AES-CBC and XTS-AES (recommended)
[Figure: program in the Linux guest, dm-crypt in the Linux kernel, encrypted disk on the SAN]
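The slide recommends XTS-AES over AES-CBC without saying why. One reason is how the two modes behave when a ciphertext sector is modified on the SAN: in CBC with a sector-number IV, flipping one bit in ciphertext block j garbles plaintext block j and flips exactly the same bit in plaintext block j+1, while in XTS every block is encrypted independently under a per-sector tweak, so a change only garbles the block it touches. The following added example (not from the slides or from dm-crypt) demonstrates this. Real dm-crypt uses AES (aes-xts-plain64, aes-cbc-plain64); to stay dependency-free the demo substitutes a 128-bit Feistel block cipher built from HMAC-SHA256, which is an assumption for illustration only, not a cipher to deploy. The XTS tweak arithmetic follows IEEE 1619; keys, sector number and sector contents are constructed.

```python
"""Why dm-crypt's XTS mode is recommended over CBC for disk sectors.

Added example, not from the original slides or from dm-crypt. The
block cipher is a stand-in (HMAC-SHA256 Feistel network) so the
script runs with the standard library only; the XTS and CBC layering
on top of it is the real construction.
"""
import hashlib
import hmac

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_cipher(key, block, encrypt=True):
    """4-round Feistel permutation on 16-byte blocks; reversed rounds decrypt."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    rounds = range(4) if encrypt else range(3, -1, -1)
    for i in rounds:
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:8]
        left, right = right, _xor(left, f)
    return right + left  # undo the final swap


def _times_alpha(tweak):
    """Multiply the tweak by x in GF(2^128), little-endian as IEEE 1619 specifies."""
    n = int.from_bytes(tweak, "little") << 1
    if n >> 128:
        n = (n ^ (1 << 128)) ^ 0x87
    return n.to_bytes(BLOCK, "little")


def xts(k1, k2, sector, data, encrypt=True):
    """XTS: T_j = E_k2(sector) * alpha^j; C_j = E_k1(P_j xor T_j) xor T_j, no chaining."""
    assert len(data) % BLOCK == 0
    tweak = toy_block_cipher(k2, sector.to_bytes(BLOCK, "little"))
    out = bytearray()
    for j in range(0, len(data), BLOCK):
        blk = toy_block_cipher(k1, _xor(data[j:j + BLOCK], tweak), encrypt)
        out += _xor(blk, tweak)
        tweak = _times_alpha(tweak)
    return bytes(out)


def cbc_plain(key, sector, data, encrypt=True):
    """CBC with the sector number as IV ("plain" IV): blocks chain within a sector."""
    assert len(data) % BLOCK == 0
    prev = sector.to_bytes(BLOCK, "little")
    out = bytearray()
    for j in range(0, len(data), BLOCK):
        blk = data[j:j + BLOCK]
        if encrypt:
            c = toy_block_cipher(key, _xor(blk, prev))
            out += c
            prev = c
        else:
            out += _xor(toy_block_cipher(key, blk, False), prev)
            prev = blk
    return bytes(out)


# Constructed keys and sector contents for the demonstration.
K1, K2 = b"constructed-data-key", b"constructed-tweak-key"
SECTOR = 7
PLAIN = b"block-0-secret!!" + b"block-1-secret!!" + b"block-2-secret!!"


def tamper_effect(mode):
    """Flip one bit of ciphertext block 0; report which plaintext blocks change, and which
    change by exactly the flipped mask (a controlled, attacker-chosen change)."""
    if mode == "xts":
        enc = lambda d: xts(K1, K2, SECTOR, d)
        dec = lambda d: xts(K1, K2, SECTOR, d, encrypt=False)
    else:
        enc = lambda d: cbc_plain(K1, SECTOR, d)
        dec = lambda d: cbc_plain(K1, SECTOR, d, encrypt=False)
    mask = b"\x01" + b"\x00" * (BLOCK - 1)
    ct = bytearray(enc(PLAIN))
    ct[0] ^= 0x01
    pt2 = dec(bytes(ct))
    changed, controlled = [], []
    for j in range(len(PLAIN) // BLOCK):
        diff = _xor(PLAIN[j * BLOCK:(j + 1) * BLOCK], pt2[j * BLOCK:(j + 1) * BLOCK])
        if any(diff):
            changed.append(j)
            if diff == mask:
                controlled.append(j)
    return changed, controlled


def roundtrip_ok():
    """Both modes must decrypt what they encrypted."""
    return (xts(K1, K2, SECTOR, xts(K1, K2, SECTOR, PLAIN), encrypt=False) == PLAIN
            and cbc_plain(K1, SECTOR, cbc_plain(K1, SECTOR, PLAIN), encrypt=False) == PLAIN)


if __name__ == "__main__":
    print("roundtrip:", roundtrip_ok())
    print("xts tamper:", tamper_effect("xts"))   # only block 0 changes, and not controllably
    print("cbc tamper:", tamper_effect("cbc"))   # blocks 0 and 1 change; block 1 by exactly the mask
```

Neither mode authenticates the sector, so a tampered sector decrypts silently in both cases; what XTS removes is the predictable, bit-precise control over the neighbouring block that CBC hands to whoever can write to the storage path.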
37 Managing Your Secure Virtualization Platform
§ Controlling your virtual infrastructure (and its security) will eventually necessitate automation and tooling.
z/VM Supports:
• Operations Manager for z/VM: for automation of management and alert-based actions.
• IBM Wave for z/VM: an infrastructure-management tool with graphical interfaces. Authorized by (and interfaces with) RACFVM
• IBM Security zSecure for RACFVM: policy management and auditing
KVM Supports:
• virt-manager: the VMM graphical interface
• Native OpenStack support through libvirtd (more on this in a moment)
38 zSecure Manager for RACF z/VM
• Provides audit & administrative usability improvements for RACF/VM and auditing for z/VM and Linux virtual machines on z and LinuxONE
• ISPF display-and-overtype administration
• Provides highly customizable reporting and analysis of audit records
• Full support for auditing and administering the RACF database
• Snapshot and analysis of z/VM security relevant settings (minidisks, real devices)
• Snapshot and analysis of RACFVM security relevant settings (e.g. SYSSEC, CDT)
• Comparison of status (what changed)
39 "If you have built castles in the air, your work need not be lost; that is where they should be. Now put the foundations under them."
-- Henry David Thoreau, Walden (1854)
40 "Notorious Nine" Threats to Cloud Environments (Cloud Security Alliance, 2013)
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse and Nefarious Use
8. Insufficient Due Diligence
9. Shared Technology Issues
41 What is cloud security?
• Security in the cloud means securing that infrastructure … and their services … for all combinations of public and private infrastructure … wherever they are … for whoever is managing them.
[Figure: VMs under KVM and other hypervisors on LinuxONE, z13, zEC12, and PowerVM with PowerVC]
42 Inside Your z or LinuxONE On-Prem Cloud (z/VM)
[Figure: Browser, Web Interface and REST APIs of the Cloud Product drive a Controller Node; its z/VM plug-ins reach a Compute Node made of the xCAT Manager, xCAT HCP and SMAPI servers, which use DIRMAINT (Directory Product), the Security Product and the Control Program of ZVMSYS01 (a z/VM 6.3 System) to create Guest Workloads, all on PR/SM (one z Systems Logical Partition)]
43 Inside Your z or LinuxONE On-Prem Cloud (KVM)
[Figure: Browser, Web Interface and REST APIs of the Cloud Product drive a Controller Node; Compute Nodes run Linux with libvirt, sVirt, cgroups and SELinux and launch one qemu process per Linux guest (Guest OS plus applications) on KVM for IBM z in a z Systems LPAR]
44 OpenStack Projects
• Compute (Nova), Block Storage (Cinder), Network (Neutron): Provision and manage virtual resources
• Dashboard (Horizon): Self-service portal
• Image (Glance): Catalog and manage server images
• Identity (Keystone): Unified authentication and authorization
• Object Storage (Swift): Petabytes of secure, reliable object storage
• Telemetry (Ceilometer): Data collection
• Orchestration (Heat): Engine to launch cloud applications based on templates
• Database Service (Trove): Cloud Database-as-a-Service
• Data Processing (Sahara): Data processing stack and management
45 Remember:
• There is a difference between cloud-level security (for the consumers) …
• And infrastructure-level security (for your system administrators, security administrators, and virtual machines)
• Administrator privilege does not necessarily reflect workload privilege
[Figure: VMs running on z13, zEC12, LinuxONE, zBC12 and z13s]
46 Enterprise Hybrid Cloud Requires Integrated Security Solutions
Software as a service (SaaS)
• Identity: Enable users to connect securely to SaaS
  – SaaS access governance
  – Identity federation
  – Application control
• Protection: Secure connectivity and data movement to SaaS
  – Data tokenization
  – Secure proxy to SaaS
• Insight: Monitoring and risk profiling of enterprise SaaS usage
  – Monitor SaaS usage
  – Risk profiling of SaaS apps
  – Compliance reporting
Platform as a Service (PaaS)
• Identity: Integrate identity and access into services and applications
  – DevOps access management
  – Authentication and authorization APIs
• Protection: Build and deploy secure services and applications
  – Database encryption
  – App security scanning
  – Service vulnerabilities
• Insight: Log, audit at service and application level
  – Monitor services and platform
  – Fraud protection and threats
  – Compliance reporting
Infrastructure as a Service (IaaS)
• Identity: Manage cloud administration and workload access
  – Privileged user management
  – Access management of web workloads
  – Identity federation for B2B
• Protection: Protect the cloud infrastructure to securely deploy workloads
  – Storage encryption
  – Network protection ‒ firewalls, IPS
  – Host security, vulnerability scanning
• Insight: Security monitoring and intelligence
  – Monitor hybrid cloud infrastructure
  – Monitor workloads
  – Log, audit, analysis and compliance reporting
Note: Listed capabilities in the above table are examples of capabilities, and not a comprehensive list
47 IBM offers end-to-end security for the hybrid cloud
IaaS PaaS SaaS
Manage Access: Securely connect people, applications, and devices to the cloud
• Identity federation to SaaS applications: Allow employees to federate and single sign-on from enterprise to SaaS services
• Single Sign On APIs: Allows developers to add access security to apps built on the IBM Cloud (Bluemix) using IBM id and popular social identities
• Access and privileged Identity management for Cloud: Allows customers, employees and administrators to securely access Cloud resources enforcing separation of duties and privileged user monitoring
• Managed Cloud Identity Solution: Comprehensive cloud-based Identity and Access management built upon IBM's IAM software and global delivery capabilities
Protect Data: Identify vulnerabilities and prevent attacks targeting sensitive data
• Network Protection for virtualized infrastructure: A new high-speed threat protection appliance to control and defend virtualized infrastructure
• Application Security Scanning as Cloud service: Mobile and Web application scanning services for Bluemix developers to quickly find software vulnerabilities
• Data activity monitoring for Cloud: Database monitoring and control for AWS and SoftLayer, using Guardium
• Managed Security for SoftLayer: Fully incorporates IBM's managed security services into SoftLayer, with Vyatta support
• Data encryption and key management: Data encryption and standards-based encryption key lifecycle management
Gain Visibility: Monitor the cloud for security breaches and compliance violations
• Visibility across hybrid cloud environments: Security monitoring of IaaS, PaaS, and SaaS platforms, as well as cloud-based applications with automated customizable reporting and alerts
• Security intelligence: Enabling IBM Cloud customers to easily deploy Security Intelligence to detect threats and monitor regulatory compliance such as PCI, SOX, STIGs, etc.
• Next Gen Threat Protection Center: New managed security services platform to seamlessly monitor customer security from traditional to cloud environments
• Virtual Machine protection: Specific security support for virtual machine isolation providing administration, auditing and compliance that includes Linux on z Systems
48 Components of IBM's hybrid Cloud E2E Security solution
IaaS PaaS SaaS
Manage Access: Securely connect people, applications, and devices to the cloud
§ IBM Security Identity and Access Management Suite
§ IBM Security Federated Identity Manager - Business Gateway
§ IBM Security Privileged Identity Manager
Protect Data: Identify vulnerabilities and prevent attacks targeting sensitive data
§ IBM InfoSphere Guardium
§ IBM Enterprise Key Management Foundation
§ IBM Security Key Life Cycle Manager
§ IBM Security AppScan
§ IBM Security Network IPS and Virtual IPS
Gain Visibility: Monitor the cloud for security breaches and compliance violations
§ IBM Security QRadar SIEM
§ IBM Security zSecure Manager for RACF z/VM
§ IBM Security zSecure Compliance and Auditing
§ IBM Security zSecure portfolio
49 Summary
50 Virtualization Security on z and LinuxONE
• z/VM represents 40+ years of virtualization security
• KVM on IBM z brings the open community to z virtualization
• SIE virtualization and isolation of guest operating systems
• Virtualized device access and management controls
• Virtual Switches and VLANs – separation of network traffic
• Virtualized hardware cryptography – CPACF and/or CryptoExpress
• TLS or SSH for secure connectivity to the hypervisor layer
• Security policy management:
  – Encryption of passwords and passphrases
  – Security Labels and Multi-Level Security
  – Identity management through LDAP and other interfaces
  – True multi-tenancy within the hypervisor layer
• Common Criteria and FIPS 140-2 certifications (z/VM)
• Formal Security and Integrity Statement (z/VM)
51 Linux on z provides ultimate security at scale.
• IaaS on z Systems for Linux: OpenStack for compatibility and open standards; Keystone for Identity Management and Integration
• Linux guests in Zone 1, Zone 2 and Zone 3: Linux Security (SELinux, AppArmor, cgroups); OpenSSH for secure guest connectivity with PAM and ITDS; QRadar and zSecure for Centralized Audit
• Your Virtualization Platform (RACFVM): Architecture-layer guest isolation; TLS 1.2 connectivity & VLAN-aware Virtual Switch; OSPP EAL 4+ with Labeled Security (Multitenancy)
• PR/SM: Architecture-layer isolation of workload; Ultimate partition isolation (CC EAL 5); Hipersockets for secured internal traffic
• Crypto Express5S and CPACF: Hardware acceleration of cryptographic ops; PKCS #11 and CCA support; FIPS 140-2 Level 4 HSM (Secure Key)
52 Virtualization Security Tomorrow
Do you want more z/VM Security enhancements?
Submit one!
https://www.ibm.com/developerworks/rfe/
53 Security on the IBM Mainframe Redbook
54 Security for Linux on System z Redbook
• Introduction
• Hardware, z/VM and Storage Configuration
• The z/VM security management support utilities
• Configuring and using the System z LDAP servers
  – For both z/OS and z/VM
• Authentication and access control
• Cryptographic hardware
  – Clear and secure key and CPACF
• Physical and infrastructure security on System z
  – Protecting the HMC, system configuration, disk security, z/VM minidisks, firewall
• Security implications of z/VM SSI and LGR
• Best Practices
• http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247728.html?Open
55 Getting Started with KVM for IBM z Redbook
• KVM for IBM z Systems
• Planning the environment
• Installing and configuring the environment
• Managing and monitoring the environment
• Building a cloud environment
• Appendices:
  – Installing KVM for IBM z Systems with ECKD
  – Installing IBM Cloud Manager with OpenStack
  – Basic Setup and use of zHPM
• http://www.redbooks.ibm.com/abstracts/sg248332.html?Open
56 For More Information (z/VM Security)
• z/VM Security: http://www.vm.ibm.com/security/
• z/VM Systems Management: http://www.vm.ibm.com/sysman/
• OpenStack Enablement for z/VM: http://www.vm.ibm.com/sysman/openstk.html
• OpenStack Security Guide: http://docs.openstack.org/sec/
• IBM Cloud Manager with OpenStack on SMC: http://www.ibm.com/developerworks/servicemanagement/cvm/sce/index.html
• IBM Systems for Cloud Computing Infrastructure: http://www-03.ibm.com/systems/infrastructure/us/en/cloud-servers/
Contact Information:
Brian W. Hugenbruch, CISSP IBM z Systems Virtualization Security bwhugen at us dot ibm dot com
@Bwhugen
57 For More Information (Cloud Compliance and Standards)
• NIST SP 800-144: "Guidelines on Security and Privacy in Public Cloud Computing" http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
• NIST SP 800-145: "The NIST Definition of Cloud Computing" http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
• NIST SP 800-146: "Cloud Computing Synopsis and Recommendations" http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf
• PCI DSS v2: "PCI DSS Cloud Computing Guidelines" https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf
58 Thank You: Dank u (Dutch), Merci (French), Спаcибо (Russian), Gracias (Spanish), 감사합니다 (Korean), Tack så mycket (Swedish), شكراً (Arabic), תודה רבה (Hebrew), धन्यवाद (Hindi), Obrigado (Brazilian Portuguese), Dankon (Esperanto), ありがとうございます (Japanese), Trugarez (Breton), Tak (Danish), Danke (German), Grazie (Italian), děkuji (Czech), go raibh maith agat (Gaelic), ขอบคุณ (Thai), Tamil, Chinese