The Value of z Systems Virtualization Security

David Rossi, IBM z Systems Security Architect, dzrossi@us..com
V1.02d – Last updated 09 March 2016

Trademarks

The following are trademarks of the International Business Machines Corporation in the United States, other countries, or both.

Not all common law marks used by IBM are listed on this page. Failure of a mark to appear does not mean that IBM does not use the mark nor does it mean that the product is not actively marketed or is not significant within its relevant market. Those trademarks followed by ® are registered trademarks of IBM in the United States; all others are trademarks or common law marks of IBM in the United States.

For a complete list of IBM Trademarks, see www.ibm.com/legal/copytrade.shtml:

*, IBM Systems, IBM System z10®, IBM System Storage®, IBM System Storage DS®, IBM BladeCenter®, IBM System z®, IBM System p®, IBM System i®, IBM System x®, IBM IntelliStation®, IBM Power Architecture®, IBM SureOne®, IBM Power Systems™, POWER®, POWER6®, POWER7®, POWER8®, Power®, IBM z/OS®, IBM AIX®, IBM i, IBM z/VSE®, IBM z/VM®, IBM i5/OS®, IBM zEnterprise®, ™, Storwize®, XIV®, PureSystems™, PureFlex™, PureApplication™, IBM Flex System™, Smarter Storage

The following are trademarks or registered trademarks of other companies.

Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency, which is now part of the Office of Government Commerce.

* All other products may be trademarks or registered trademarks of their respective companies.

Notes: Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here. IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply. All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions. This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area. All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.

2 Disclaimer

The information contained in this document has not been submitted to any formal IBM test and is distributed on an "AS IS" basis without any warranty either express or implied. The use of this information or the implementation of any of these techniques is a customer responsibility and depends on the customer's ability to evaluate and integrate them into the operational environment. While each item may have been reviewed by IBM for accuracy in a specific situation, there is no guarantee that the same or similar results will be obtained elsewhere. Customers attempting to adapt these techniques to their own environments do so at their own risk.

In this document, any references made to an IBM licensed program are not intended to state or imply that only IBM's licensed program may be used; any functionally equivalent program may be used instead.

Any performance data contained in this document was determined in a controlled environment and, therefore, the results which may be obtained in other operating environments may vary significantly. Users of this document should verify the applicable data for their specific environments.

It is possible that this material may contain reference to, or information about, IBM products (machines and programs), programming, or services that are not announced in your country. Such references or information must not be construed to mean that IBM intends to announce such IBM products, programming or services in your country.

3 Agenda

• Mainframe Security in the Modern World

• The Value of z and LinuxONE Security
  • Hardware
  • Virtualization security
  • Linux Guest security
  • Cloud Security

• Summary and references

4 Mainframe Security in the Modern World

5 IBM’s Commitment to Security & Integrity

• z Systems "System Integrity" is defined as the inability of any program not authorized by a mechanism under the installation's control to circumvent or disable z/OS or z/VM Security Controls
• In the event that an IBM System Integrity problem is reported, IBM will always take action to resolve it.
• IBM's commitment extends to design, development and test practices, including the creation of the z Systems Center for Secure Engineering to provide additional security-focused testing and scrutiny.

First issued in 1973 & Reaffirmed in 2007

• IBM's long-term commitment to System Integrity is unique in the industry, and forms the basis of z/OS & z/VM industry leadership in system security
• The z Systems Security Portal informs clients about the latest security and system integrity service to help keep their enterprise up to date

http://www-03.ibm.com/systems/z/os/zos/features/racf/zos_integrity_statement.html
http://www.vm.ibm.com/security/zvminteg.html

6 The attack surface for a typical business is growing at an exponential rate

[Diagram: the attack surface. People: Employees, Hackers, Outsourcers, Suppliers, Consultants, Terrorists, Customers. Data: Structured, Unstructured, At rest, In motion. Applications: Web, Systems, Web 2.0, Mobile apps. Infrastructure.]

7 Attackers break through conventional safeguards every day

[Chart: sampling of security incidents 2012, 2013, 2014: 40% increase, 800,000,000+ records, unprecedented impact. Attack types: XSS, Heartbleed, Physical Access, Brute Force, Misconfig., Watering Hole, Phishing, SQLi, DDoS, Malware, Undisclosed.]
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015

256 days: average time to detect APTs
$6.5M: average cost of a U.S. data breach
Source: 2015 Cost of Data Breach Study, Ponemon Institute

8 XSS and SQL injection exploits are continuing in high numbers

Sampling of 2015 security incidents by attack type, time and impact

$18M: average organizational cost of a data breach in the U.S.
$606: average organizational cost per compromised record in the U.S.
Source: 2015 'Cost of Data Breach Study: Global Analysis', Ponemon Institute

9 It's 10:00pm. Do you know where your data is?

• Chances are, not all the data on your systems is created equal
• Chances are, you are beholden to certain regulations concerning that data
  • PCI DSS, HIPAA, SOX, FIPS (one of the 200 of them), OECD, APEC … pick an acronym
  • Some combination thereof, or a local security policy even more stringent?
• And does your data stay in one place?
  • PCI DSS v3 actually requires diagrams of data flow for Cardholder Information

[Diagram: data flowing between a Mobile First workload, Linux1 (WAS), Linux2 and Linux3 guests on ZVMSYS01, ZVMSYS02 and ZVMSYS03, and DB2 running on z/OS, all on a LinuxONE / z13.]

10 z Virtualization is increasingly in the middle of bigger things.

[Diagram: your z/VM USERID, holding Guests and Service Virtual Machines (SVMs), runs on z/VM, on PR/SM (one z System Logical Partition), on a z13 with CPACF, OSA and Crypto Express.]

11 IBM LinuxONE™ Portfolio

Linux without Limits Linux Your Way Linux without Risk

12 Example* risks to sensitive data in virtual environments

*(PCI DSS v3.1 Supplement - Virtualization Guidance v2.1)

1. Vulnerabilities in the Physical Environment Apply in a Virtual Environment
2. Hypervisor Creates a New Attack Surface
3. Increased Complexity of Virtualized Systems and Networks
4. More than One Function per Physical System
5. Mixing VMs of Different Trust Levels
6. Lack of Separation of Duties
7. Dormant Virtual Machines
8. VM Images and Snapshots
9. Immaturity of Monitoring Solutions
10. Information Leakage between Virtual Network Segments
11. Information Leakage between Virtual Components

13 The Value of z and LinuxONE Security:

• z Systems and LinuxONE combine battle-tested hardware and partitioning with best-in-class hypervisor security to protect your Linux workloads

• The business value of virtualization security: it mitigates risk to your business by protecting the data on which your company runs and thrives.

• The technical value of virtualization security: it helps to protect your servers, your passwords, your data, and your resources from threats which would steal or destroy them.

14 The Value of z and LinuxONE Security: Explained at Every Level

15 Information Security and Standards

• Information Security and Information Assurance
  • Protecting information systems from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction.
  • Fields are interrelated. Common goals of meeting the AIC triad of infosec

• Variety of standards & evaluation schemes …
  • Common Criteria (ISO/IEC 15408)
  • FIPS 140-2 (US)
  • DK (Germany Banking), MEPS (France Banking), and many more

• The Common Criteria is an international standard for infosec certification
  • Recognized by 26 countries through the Common Criteria mutual recognition agreement (CCRA)
  • A framework in which users can specify security functional and assurance requirements
  • Vendors can implement and/or make claims about a product's security attributes
  • Testing laboratories can evaluate the products to determine if they actually meet the claims

Common Criteria provides assurances that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standardized fashion.
• May help to reduce risk & improve the product under evaluation

IBM Development & Verification processes are subject to Common Criteria Evaluations

16 z Systems Certifications

The Common Criteria program establishes an organizational and technical framework to evaluate the trustworthiness of IT Products and protection profiles.

z/VM
§ Common Criteria EAL4+: z/VM 6.3 with OSPP with -LS and -VIRT
§ FIPS 140-2 validated: z/VM 6.3 System SSL is FIPS 140-2 validated.
• System Integrity Statement

z/OS
• Common Criteria EAL4+: z/OS 1.12, z/OS 1.13, z/OS V2R1 (OSPP); z/OS 1.11 + RACF (OSPP); RACF V2R1 (OSSP); RACF V1R13 (OSPP); RACF V1R12 (OSPP)
• z/OS 1.10 IPv6 Certification by JITC
• IdenTrust™ certification for z/OS PKI Services
• FIPS 140-2: System SSL z/OS 1.10 → 1.13; z/OS ICSF PKCS#11 Services – z/OS 1.11 → z/OS 1.13
• Statement of Integrity

Linux on System z
§ Common Criteria EAL4+: SUSE SLES11 SP2 certified at EAL4+ with OSPP; EL6.2 EAL4+ with OSPP
§ OpenSSL - FIPS 140-2 Level 1 validated
§ CP Assist - SHA-1 validated for FIPS 180-1; DES & TDES validated for FIPS 46-3

Virtualization with partitions
• Common Criteria EAL5+: IBM z13 – Completed, with specific target of evaluation -- LPAR: Logical partitions
• Common Criteria EAL5+: zEnterprise 196 & zEnterprise 114; System zEC12 & BC12, with specific target of evaluation -- LPAR: Logical partitions

Cryptography
• Crypto Express5S – In evaluation: FIPS 140-2 level 4 Hardware Evaluation
• Crypto Express3 & Crypto Express4S: FIPS 140-2 level 4 Hardware Evaluation; Approved by German ZKA
• CP Assist: FIPS 197 (AES); FIPS 46-3 (TDES); FIPS 180-3 (Secure Hash)

17 Let's start with the hardware.

• EAL5 – better than an air gap
• Isolation of a logical partition at the architectural level (more on this in a moment)
• Controls on direct access to devices
• Elimination of covert channels
• Role-based access controls to a partition (or partitions) or hardware

• With a few added bonuses:
  • Controlled in-memory communication paths (HiperSockets)

18 IBM z/VM and KVM for IBM z can co-exist on z Systems

IBM z/VM
§ World class quality, security, and reliability - powerful and versatile
§ Extreme scalability creates cost savings opportunities
§ Exploitation of advanced technologies, such as:
  – Shared memory (Linux kernel, executables, communications)
§ Highly granular control over resource pool
§ Provides virtualization for all z Systems operating systems
§ Integrates with OpenStack

KVM for IBM z
§ Standardizes configuration and operation of server virtualization
§ Leverage common Linux administration skills to administer virtualization
§ Flexibility and agility leveraging the Open Source community
§ Provides an Open Source virtualization choice
§ Integrates with OpenStack

[Diagram: a z Systems Host running z/OS and Linux on z guests under z/VM alongside Linux on z guests under KVM, both on PR/SM™ over Processors, Memory and IO, with the Support Element.]

19 Virtualization security requires some basics:

• Isolation of hosted guests
• Confidentiality of data on the system
• Protection of privileged hypervisor commands and operations
• Controlled sharing of data between virtual machines
• Management of virtual devices and integrity of data
• Securing connectivity to and within the hypervisor layer
  • TCP/IP connectivity
  • Virtual networking
• Hardening of the hypervisor layer
• Multi-tenancy and "security zones"
• Auditing of security-relevant operations

20 Guest Isolation on z and LinuxONE

• All guests must be isolated from one another
  • Separation of duties and need to know
  • Control the flow of data
  • Keep workloads from interfering with one another

• Isolation on z & LinuxONE starts at hardware

• The Interpretive Execution Facility and Start Interpretive Execution (SIE) instruction are how virtual machines are executed
  • PR/SM controls LPAR creation
  • z/VM Control Program (CP) controls VM instantiation
  • KVM's Linux Kernel creates VM's as processes

• SIE instruction "runs" a virtual machine until a condition is raised
  • "What happens in a VM stays in a VM"
  • No mechanism for hyperjacking the platforms
  • Only leaves machine on interception conditions (a.k.a. "SIE break")

21 Scope of Responsibility

• Any virtual machine is constrained in its ability to impact the hypervisor

• Role-based access controls
  • Administrator vs. general-use commands
  • Communication with other machines / resources

z/VM:
§ Privilege classes (Class G or less)
§ Administrators can write their own classes
§ SVMs and Operators may have more
§ Directory statements to augment VM definitions:
  – LOGONBY statement for controlled access
  – COMMAND statements for pre-LOGON context creation
  – CRYPTO statement for z Systems CryptoExpress access
  – LINK and NICDEF for controlled access to virtual resources
§ Extra statements can be added to a VM definition for specific needs

KVM for IBM z:
§ SELinux for guest isolation
§ libvirtd to manage virtual machines
§ cgroups for connecting machines to certain resources
§ chmod for access rights
§ sudo for privileged auth (no root)

22 Virtualizing Device Access

• A virtual machine is not an island
• Will eventually require access to disk, shared data, a network device, or some other hardware device
• Such devices are maintained at the hypervisor level
  • In z/VM, CP controls access to devices
  • In KVM, qemu controls access to devices
• These devices need to adhere to local security policy as well ("know the ways your data flows")
• Hypervisor controls time slices and extent management
• Access control lists manage VM access
• Minidisk passwords, etc., for additional controls

[Diagram: one real volume (630WRK) carved into minidisks LABEL1 to LABEL4, each presented to its guest as virtual cylinders 0-99.]
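An added example, not from this presentation or from IBM: a short Python auditor for the directory-level controls the last two slides describe (privilege classes, LOGONBY, LINK modes and minidisk passwords). It parses a constructed USER DIRECT fragment (user IDs, volsers and passwords are made up, and only the handful of statements named on these slides are interpreted) and reports guests whose definitions fall outside those controls.

```python
"""Audit a z/VM USER DIRECT fragment for the directory-level controls above.

Only a subset of the directory syntax is understood. Checks implemented:
  * privilege classes beyond class G (the general-user class) on a guest
  * MDISK statements carrying read/write/multi passwords in the clear
  * LINK statements with a write mode to another user's minidisk
  * USER statements allowing password logon with no LOGONBY restriction,
    or NOPASS (logon without any password at all)
"""
from dataclasses import dataclass, field

# Constructed sample fragment: user IDs, volsers and passwords are made up.
SAMPLE_DIRECT = """\
USER LINUX01 LBYONLY 2G 4G G
 LOGONBY LXADMIN
 CRYPTO APVIRT
 NICDEF 0600 TYPE QDIO LAN SYSTEM VSWITCH1
 LINK MAINT 0190 0190 RR
 MDISK 0100 3390 0001 3338 LX0001 MR
USER LINUX02 SECRET 2G 4G BG
 NICDEF 0600 TYPE QDIO LAN SYSTEM VSWITCH1
 LINK LINUX01 0100 0200 MW
 MDISK 0100 3390 3339 3338 LX0001 MR RPASS WPASS MPASS
"""

GENERAL_USER_CLASS = "G"
# LINK modes that can give write access; R and RR are read-only.
WRITE_LINK_MODES = {"W", "WR", "M", "MR", "MW"}
# USER "passwords" that prevent an ordinary password logon.
NO_PASSWORD_LOGON = {"NOLOG", "AUTOONLY", "LBYONLY"}


@dataclass
class UserEntry:
    userid: str
    password: str
    classes: str
    logonby: list = field(default_factory=list)
    mdisk_with_password: list = field(default_factory=list)
    write_links: list = field(default_factory=list)


def parse_direct(text):
    """Parse USER statements and the statements that follow each one."""
    entries, current = [], None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("*"):
            continue  # blank line or comment
        stmt = tokens[0].upper()
        if stmt == "USER":
            # USER userid password [storage [maxstorage [privclasses]]]
            classes = tokens[5] if len(tokens) > 5 else GENERAL_USER_CLASS
            current = UserEntry(tokens[1], tokens[2].upper(), classes.upper())
            entries.append(current)
        elif current is None:
            continue  # statement before any USER statement: ignore
        elif stmt == "LOGONBY":
            current.logonby.extend(tokens[1:])
        elif stmt == "MDISK":
            # MDISK vdev devtype start count volser mode [readpw [writepw [multpw]]]
            if len(tokens) > 7:
                current.mdisk_with_password.append(tokens[1])
        elif stmt == "LINK":
            # LINK userid vdev1 vdev2 mode
            if len(tokens) >= 5 and tokens[4].upper() in WRITE_LINK_MODES:
                current.write_links.append((tokens[1], tokens[2]))
    return entries


def audit(entries):
    """Return (userid, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    for e in entries:
        extra = "".join(sorted(set(e.classes) - {GENERAL_USER_CLASS}))
        if extra:
            findings.append((e.userid, "privileged classes " + extra))
        for vdev in e.mdisk_with_password:
            findings.append((e.userid, "MDISK %s carries clear-text passwords" % vdev))
        for owner, vdev in e.write_links:
            findings.append((e.userid, "writable LINK to %s %s" % (owner, vdev)))
        if e.password == "NOPASS":
            findings.append((e.userid, "NOPASS: logon without a password"))
        elif e.password not in NO_PASSWORD_LOGON and not e.logonby:
            findings.append((e.userid, "password logon with no LOGONBY restriction"))
    return findings


def audit_text(text):
    return audit(parse_direct(text))


if __name__ == "__main__":
    for userid, finding in audit_text(SAMPLE_DIRECT):
        print("%-8s %s" % (userid, finding))
```

On the sample, LINUX01 (LBYONLY, class G, read-only LINK) produces no findings while LINUX02 is flagged four times.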

23 Virtual Switches, VLANs, and Zoning (both)

[Diagram: on z/VM, db, app and web guests attached to a VSWITCH; on KVM for IBM z, db, app and web guests attached to an Open vSwitch; each switch leads to the internet, with guests zoned by VLAN.]

24 Virtual Networking

z/VM:
• controls Layer 2 traffic through a Virtual Switch
• Separates guest traffic by VLAN
• No need for a virtual router (all CP)
• Can flow traffic to/through OSA devices
• Separation of traffic via Port Isolation and VEPA modes

KVM for IBM z:
• provides virtual Ethernet devices through Open vSwitch or MacVTap (direct connection)
• Separates guest traffic by VLAN
• Isolation of traffic based on network interfaces
• Can flow traffic to specific OSA ports based on ethernet interfaces

25 Virtualized Crypto Express under z/VM

[Diagram: LPAR 1 running z/VM with guests LINUX01 (CRYPTO DOMAIN n APDED 0, a dedicated domain), LINUX02 (CRYPTO APVIRT) and LINUX01 (CRYPTO APVIRT); z/VM maps APDED and APVIRT requests onto domains 0, 1 … n of the CEX5S (adapter 0, holding the master key MK) and CEX5A (adapter 1) cards.]

26 Encrypting Hypervisor Connections

§ Getting "under" a guest could disrupt operations … it is vital to protect access to the hypervisor layer itself

• z/VM Supports:
  • Secure Telnet and FTPS via the SSL/TLS server
  • TLS 1.2 support, SHA-256 certificates (*new* to z/VM 6.3)
  • FIPS 140-2 validated
  • NIST SP 800-131a compliant (*new* to z/VM 6.3)
  • The TLS Server can also encrypt traffic to/from local PORTs (e.g., Systems Management traffic)

• KVM Supports:
  • Openssl (TLS 1.2 and SHA-256)
  • Openssh (ephemeral keys)
  • Configurable to meet cryptographic standards
  • KVM also has native firewall support
  • Open/close ports for native TCP/IP communication
  • Note: default policy does not allow for guest migration

27 Hypervisors, by their natures, are highly flexible

• There are a lot of options to consider
  • Alternate communication paths to check
  • Virtual networking options to control
  • Shared memory spaces
  • Access to data at rest (storage, tape)

• And other considerations to factor in …
  • Password controls – are they in the clear? Are they changed?
  • Auditing – are you logging the right security-relevant events? Can you?

A security manager provides both a finer granularity of control and the ability to enact more complete isolation of guests and projects … in a consolidated interface.

28 Infrastructure Security with RACF for z/VM

• RACF Security Server is a priced feature of z/VM
  • A requirement for meeting today's enterprise security requirements
• RACF enhances z/VM by providing:
  • Extensive auditing of system events
  • Strong Encryption of passwords and password phrases
  • Control of privileged system commands
  • Extensibility in z/VM environments clustered through Single System Image
  • Controls on password policies, access rights, and security management
  • Security Labeling and Zoning for multi-tenancy within a single LPAR (or across a cluster)

• RACF for z/VM is an integral component of z/VM's Common Criteria evaluations (OSPP-LS at EAL 4+)

29 sVirt for KVM

• sVirt is an SELinux Framework for KVM
  • Labels all resources associated with hypervisor (processes, disk images …)
  • Separates guest processes, even within a single userid
  • Innate Mandatory Access Control policies (security labeling and zoning)
  • Can allow shared read/write content between virtual machines if desired
  • Booleans for qemu virtual motherboard processing

• Security policy decisions are fed to auditd
  • Security does not exist without an audit trail
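An added example, not from the presentation or from the sVirt project, of what that audit trail makes possible: a Python triage of SELinux AVC records from a KVM host that compares the MCS categories sVirt assigns to a qemu process with those of the resource it was denied, so that a cross-guest access attempt stands out from a guest hitting its own read-only image or a host file. The audit lines are constructed, not captured from a real system.

```python
"""Triage SELinux AVC records that auditd writes on a KVM host with sVirt.

sVirt labels each qemu process svirt_t with a unique MCS category pair
(e.g. s0:c12,c34) and labels that guest's disk images svirt_image_t with the
same pair. A denial whose source and target categories differ is one guest's
process reaching for another guest's resource. Records below are constructed.
"""
import re
from collections import Counter

# Constructed audit records (not from a real host): three denials for the
# same qemu process plus one SYSCALL record that the parser must skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1457000001.101:301): avc:  denied  { read } for  pid=4120 comm="qemu-kvm" name="guest02.img" dev="dm-0" ino=1001 scontext=system_u:system_r:svirt_t:s0:c12,c34 tcontext=system_u:object_r:svirt_image_t:s0:c56,c78 tclass=file permissive=0
type=AVC msg=audit(1457000002.202:302): avc:  denied  { write } for  pid=4120 comm="qemu-kvm" name="guest01.img" dev="dm-0" ino=1000 scontext=system_u:system_r:svirt_t:s0:c12,c34 tcontext=system_u:object_r:svirt_image_t:s0:c12,c34 tclass=file permissive=0
type=AVC msg=audit(1457000003.303:303): avc:  denied  { getattr } for  pid=4120 comm="qemu-kvm" path="/etc/shadow" dev="dm-0" ino=22 scontext=system_u:system_r:svirt_t:s0:c12,c34 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1457000003.303:303): arch=c000003e syscall=4 success=no exit=-13
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \}.*?pid=(?P<pid>\d+)\s+'
    r'comm="(?P<comm>[^"]+)".*?scontext=(?P<scontext>\S+)\s+'
    r'tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def se_type(context):
    """Third field of user:role:type:sensitivity[:categories]."""
    return context.split(":")[2]


def categories(context):
    """MCS categories of a context as a frozenset, empty if it has none."""
    parts = context.split(":")
    return frozenset(parts[4].split(",")) if len(parts) > 4 else frozenset()


def parse_avc(text):
    """Return one dict per AVC record; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()
            records.append(rec)
    return records


def classify(rec):
    """Say what a denial for a guest process means in sVirt terms.

    cross-guest   - svirt_t process touching a guest resource with other categories
    own-resource  - policy refused a permission on the guest's own resource
    host-resource - guest process touching something that is not a guest resource
    non-guest     - the source is not an sVirt guest process at all
    """
    if se_type(rec["scontext"]) != "svirt_t":
        return "non-guest"
    if not se_type(rec["tcontext"]).startswith("svirt_"):
        return "host-resource"
    if categories(rec["scontext"]) != categories(rec["tcontext"]):
        return "cross-guest"
    return "own-resource"


def triage(text):
    """Attach a classification to every denied AVC record in the text."""
    result = []
    for rec in parse_avc(text):
        if rec["decision"] != "denied":
            continue
        rec["kind"] = classify(rec)
        result.append(rec)
    return result


def summarize(text):
    """Count denials per classification; any cross-guest count is worth an alert."""
    return dict(Counter(rec["kind"] for rec in triage(text)))


if __name__ == "__main__":
    for rec in triage(SAMPLE_AUDIT):
        print("%s pid=%s %-13s %s -> %s" % (rec["serial"], rec["pid"], rec["kind"],
                                          " ".join(rec["perms"]), rec["tcontext"]))
    print(summarize(SAMPLE_AUDIT))
```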

• sVirt is an integral component of the RHEL+KVM Common Criteria Evaluation, and will be vital if/when KVM for IBM z is evaluated.

30 sVirt for KVM for IBM z

[Diagram: on the KVM Host, the VMM (libvirt, virt-manager) drives libvirtd, which starts one qemu process per guest (Guest01, Guest02); sVirt (SELinux) labels and confines each qemu process.]

31 This is your LinuxONE System On Lockdown.

[Diagram: a locked-down LinuxONE system. Guests: Mobile First SVM, WAS, WAS, DB2, TCP/IP SVM with TLS, Security Manager Server; encrypted network traffic; VSWITCH; Role Based Access Controls; Virtual Memory Management and architected VM separation on the z virtualization platform; PR/SM (one Logical Partition); CPACF, OSA, Crypto Express.]

32 Linux Guest Security


Of course, all of the preceding content assumes you will secure your Linux guests with the same diligence and vigilance as you do your hypervisor.

It does no good to lock the door if you leave the window open.

[Diagram: a single Linux01 guest on PR/SM (one z Systems Logical Partition) with CPACF, OSA and Crypto Express.]

33 Linux on z is Linux ... With all of z's Benefits

• Linux is Linux
  • Linux security features and tools available to all architectures
  • Differences only in
    • architecture specifics
    • device support
• Thorough open source review of key components
  • Security is and was always a focus of kernel development
  • Core Infrastructure Initiative (a.o. sponsored by IBM) focuses on supporting security relevant packages (like openSSL)
  • OpenMainframe project: community involvement

• Benefits stem from the platform
  • Strong guest isolation
  • Cryptographic hardware support

34 OPEN MAINFRAME PROJECT

35 Linux on z Systems Crypto Stack

[Diagram: the Linux on z Systems crypto stack, top to bottom.
Customer applications: openssh (ssh, scp, sftp); Apache (mod_ssl, mod_nss); IBM C/C++ SW; WAS; Java/JCE; customer C/C++ SW using CCA; customer SW using PKCS#11.
Standard crypto interfaces: openssl / libcrypto with the ibmca engine; NSS; GSKIT / ICC; JCA/JCE with IBMPKCS11Impl; openCryptoki (PKCS#11) with ica token, cca token, ep11 token and icsf token (the icsf token reaches a z/OS crypto server over the network).
System z HW crypto libraries: ICA (libica), CCA (libcsulcca), EP11 library.
Kernel: IPsec, dm-crypt, the kernel crypto framework with its System z backend, and the zcrypt device driver.
Hardware: CPU with CPACF (clear key and protected key: DES, 3DES, AES, SHA, PRNG); Crypto Adapters: CCA Co-Processor (secure key: RSA, RNG, ECC), Accelerator (RSA), EP11 Co-Processor.]

36 Using dm-crypt for Guest Data Encryption

• dm-crypt / LUKS
  • A mechanism for data encryption
  • Data only appears in the clear when in program
  • kernel component that transparently
    • encrypts data written to disk
    • decrypts data read from disk
• How it works:
  • Encryption keys stored on disk
  • Encryption keys on disk are protected by passwords
  • uses in-kernel crypto
  • can use HW crypto
  • Linux on z has HW support for
    • AES-CBC
    • XTS-AES (recommended)

[Diagram: Program → dm-crypt (in the Linux kernel) → SAN → disk.]

37 Managing Your Secure Virtualization Platform

§ Controlling your virtual infrastructure (and its security) will eventually necessitate automation and tooling.

• z/VM Supports:
  • Operations Manager for z/VM: for automation of management and alert-based actions.
  • IBM Wave for z/VM: an infrastructure-management tool with graphical interfaces. Authorized by (and interfaces with) RACFVM
  • IBM Security zSecure for RACFVM: policy management and auditing

• KVM Supports:
  • virt-manager: the VMM graphical interface
  • Native OpenStack support through libvirtd (more on this in a moment)

38 zSecure Manager for RACF z/VM

• Provides audit & administrative usability improvements for RACF/VM and auditing for z/VM and Linux virtual machines on z and LinuxONE
  • ISPF display-and-overtype administration
  • Provides highly customizable reporting and analysis of audit records
  • Full support for auditing and administering the RACF database
  • Snapshot and analysis of z/VM security relevant settings (minidisks, real devices)
  • Snapshot and analysis of RACFVM security relevant settings (e.g. SYSSEC, CDT)
  • Comparison of status (what changed)

39 "If you have built castles in the air, your work need not be lost; that is where they should be. Now put the foundations under them."

-- Henry David Thoreau, Walden (1854)

40 "Notorious Nine" Threats to Cloud Environments (Cloud Security Alliance, 2013)

1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse and Nefarious Use
8. Insufficient Due Diligence
9. Shared Technology Issues

41 What is cloud security?

• Security in the cloud means securing that infrastructure … and their services … for all combinations of public and private infrastructure … wherever they are … for whoever is managing them.

[Diagram: KVM and z/VM guests on LinuxONE, z13 and zEC12 alongside PowerVM with PowerVC.]

42 Inside Your z or LinuxONE On-Prem Cloud (z/VM)

[Diagram: the z/VM on-prem cloud. A Browser talks to the Cloud Product (Web Interface, REST APIs) on the Controller Node; the Compute Node carries the z/VM plug-ins and the xCAT Manager, which reaches the xCAT HCP; on ZVMSYS01 (a z/VM 6.3 System) the Compute Services talk to SMAPI Servers, DIRMAINT (the Directory Product), the Security Product and the Control Program; guest workloads run alongside, all on PR/SM (one z Systems Logical Partition).]

43 Inside Your z or LinuxONE On-Prem Cloud (KVM)

[Diagram: the KVM on-prem cloud. A Browser talks to the Cloud Product (Web Interface, REST APIs) on the Controller Node; each Compute Node is a Linux host with libvirt, qemu, sVirt, cgroups and SELinux, running guest Linux applications on KVM for IBM z inside a z Systems LPAR.]

44 OpenStack Projects

Compute (Nova)

Block Storage (Cinder)

Network (Neutron) Provision and manage virtual resources

Dashboard (Horizon) Self-service portal

Image (Glance) Catalog and manage server images

Identity (Keystone) Unified authentication and authorization

Object Storage (Swift) Petabytes of secure, reliable object storage

Telemetry (Ceilometer) Data collection

Orchestration (Heat) Engine to launch cloud applications based on templates

Database Service (Trove) Cloud Database-as-a-Service

Data Processing (Sahara) Data processing stack and management

45 Remember:

• There is a difference between cloud-level security (for the consumers) …
• And infrastructure-level security (for your system administrators, security administrators, and virtual machines)
• Administrator privilege does not necessarily reflect workload privilege

[Diagram: VM and OS images across z13, zEC12, LinuxONE, zBC12 and z13s.]

46 Enterprise Hybrid Cloud Requires Integrated Security Solutions

Columns: Identity | Protection | Insight

Software as a Service (SaaS)
  Identity – Enable users to connect securely to SaaS: SaaS access governance; Identity federation
  Protection – Secure connectivity and data movement to SaaS: Data tokenization; Secure proxy to SaaS; Application control
  Insight – Monitoring and risk profiling of enterprise SaaS usage: Monitor SaaS usage; Risk profiling of SaaS apps; Compliance reporting

Platform as a Service (PaaS)
  Identity – Integrate identity and access into services and applications: DevOps access management; Authentication and authorization APIs
  Protection – Build and deploy secure services and applications: Database encryption; App security scanning; Service vulnerabilities
  Insight – Log, audit at service and application level: Monitor services and platform; Fraud protection and threats; Compliance reporting

Infrastructure as a Service (IaaS)
  Identity – Manage cloud administration and workload access: Privileged user management; Access management of web workloads; Identity federation for B2B
  Protection – Protect the cloud infrastructure to securely deploy workloads: Storage encryption; Network protection ‒ firewalls, IPS; Host security, vulnerability scanning
  Insight – Security monitoring and intelligence: Monitor hybrid cloud infrastructure; Monitor workloads; Log, audit, analysis and compliance reporting

Note: Listed capabilities in the above table are examples of capabilities, and not a comprehensive list

47 IBM offers end-to-end security for the hybrid cloud

IaaS PaaS SaaS

Manage Access – Securely connect people, applications, and devices to the cloud
• Identity federation to SaaS applications: Allow employees to federation and single sign-on from enterprise to SaaS services
• Single Sign On APIs: Allows developers to add access security to apps built on the IBM Cloud (Bluemix) using IBM id and popular social identities
• Access and privileged Identity management for Cloud: Allows customers, employees and administrators to securely access Cloud resources enforcing separation of duties and privileged user monitoring
• Managed Cloud Identity Solution: Comprehensive cloud-based Identity and Access management built upon IBM's IAM software and global delivery capabilities

Protect Data – Identify vulnerabilities and prevent attacks targeting sensitive data
• Network Protection for virtualized infrastructure: A new high-speed threat protection appliance to control and defend virtualized infrastructure
• Application Security Scanning as Cloud service: Mobile and Web application scanning services for Bluemix developers to quickly find software vulnerabilities
• Data activity monitoring for Cloud: Database monitoring and control for AWS and SoftLayer, using Guardium
• Managed Security for SoftLayer: Fully incorporates IBM's managed security services into SoftLayer, with Vyatta support
• Data encryption and key management: Data encryption and standards-based encryption key lifecycle management

Gain Visibility – Monitor the cloud for security breaches and compliance violations
• Visibility across hybrid cloud environments: Security monitoring of IaaS, PaaS, and SaaS platforms, as well as cloud-based applications with automated customizable reporting and alerts
• Security intelligence: Enabling IBM Cloud customers to easily deploy Security Intelligence to detect threats and monitor regulatory compliance such as PCI, SOX, STIGs, etc.
• Next Gen Threat Protection Center: New managed security services platform to seamlessly monitor customer security from traditional to cloud environments
• Virtual Machine protection: Specific security support for virtual machine isolation providing administration, auditing and compliance that includes Linux on z Systems

48 Components of IBM's hybrid Cloud E2E Security solution

IaaS PaaS SaaS

Manage Access Protect Data Gain Visibility

Manage Access – Securely connect people, applications, and devices to the cloud
Protect Data – Identify vulnerabilities and prevent attacks targeting sensitive data
Gain Visibility – Monitor the cloud for security breaches and compliance violations

Manage Access:
§ IBM Security Identity and Access Management Suite
§ IBM Security Federated Identity Manager - Business Gateway
§ IBM Security Privileged Identity Manager

Protect Data:
§ IBM InfoSphere Guardium
§ IBM Enterprise Key Management Foundation
§ IBM Security Key Life Cycle Manager
§ IBM Security AppScan
§ IBM Security Network IPS and Virtual IPS

Gain Visibility:
§ IBM Security QRadar SIEM
§ IBM Security zSecure Manager for RACF z/VM
§ IBM Security zSecure Compliance and Auditing
§ IBM Security zSecure portfolio

49 Summary

50 Virtualization Security on z and LinuxONE

• z/VM represents 40+ years of virtualization security
• KVM on IBM z brings the open community to z virtualization

• SIE virtualization and isolation of guest operating systems
• Virtualized device access and management controls
• Virtual Switches and VLANs – separation of network traffic
• Virtualized hardware cryptography – CPACF and/or CryptoExpress
• TLS or SSH for secure connectivity to the hypervisor layer
• Security policy management:
  • Encryption of passwords and passphrases
  • Security Labels and Multi-Level Security
  • Identity management through LDAP and other interfaces
  • True multi-tenancy within the hypervisor layer
• Common Criteria and FIPS 140-2 certifications (z/VM)
• Formal Security and Integrity Statement (z/VM)

51 Linux on z provides ultimate security at scale.

IaaS on z Systems for Linux: OpenStack for compatibility and open standards; Keystone for Identity Management and Integration

Linux guests (Zone 1, Zone 2, Zone 3): Linux Security (SELinux, AppArmor, cgroups); OpenSSH for secure guest connectivity with PAM and ITDS; QRadar and zSecure for Centralized Audit (RACFVM)

Your Virtualization Platform: Architecture-layer guest isolation; TLS 1.2 connectivity & VLAN-aware Virtual Switch; OSPP EAL 4+ with Labeled Security (Multitenancy)

PR/SM: Architecture-layer isolation of workload; Ultimate partition isolation (CC EAL 5); Hipersockets for secured internal traffic

Crypto Express5S / CPACF: Hardware acceleration of cryptographic ops; PKCS #11 and CCA support; FIPS 140-2 Level 4 HSM (Secure Key)

52 Virtualization Security Tomorrow

Do you want more z/VM Security enhancements?

Submit one!

https://www.ibm.com/developerworks/rfe/

53 Security on the IBM Mainframe Redbook

54 Security for Linux on System z Redbook

• Introduction
• Hardware, z/VM and Storage Configuration
• The z/VM security management support utilities
• Configuring and using the System z LDAP servers
  • For both z/OS and z/VM
• Authentication and access control
• Cryptographic hardware
  • Clear and secure key and CPACF
• Physical and infrastructure security on System z
  • Protecting the HMC, system configuration, disk security, z/VM minidisks, firewall
• Security implications of z/VM SSI and LGR
• Best Practices

• http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247728.html?Open

55 Getting Started with KVM for IBM z Redbook

• KVM for IBM z Systems
• Planning the environment
• Installing and configuring the environment
• Managing and monitoring the environment
• Building a cloud environment
• Appendices:
  • Installing KVM for IBM z Systems with ECKD
  • Installing IBM Cloud Manager with OpenStack
  • Basic Setup and use of zHPM

• http://www.redbooks.ibm.com/abstracts/sg248332.html?Open

56 For More Information (z/VM Security)

• z/VM Security: http://www.vm.ibm.com/security/
• z/VM Systems Management: http://www.vm.ibm.com/sysman/
• OpenStack Enablement for z/VM: http://www.vm.ibm.com/sysman/openstk.html
• OpenStack Security Guide: http://docs.openstack.org/sec/
• IBM Cloud Manager with OpenStack on SMC: http://www.ibm.com/developerworks/servicemanagement/cvm/sce/index.html
• IBM Systems for Cloud Computing Infrastructure: http://www-03.ibm.com/systems/infrastructure/us/en/cloud-servers/

Contact Information:

Brian W. Hugenbruch, CISSP IBM z Systems Virtualization Security bwhugen at us dot ibm dot com

@Bwhugen

57 For More Information (Cloud Compliance and Standards)

• NIST SP 800-144: "Guidelines on Security and Privacy in Public Cloud Computing" http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
• NIST SP 800-145: "The NIST Definition of Cloud Computing" http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
• NIST SP 800-146: "Cloud Computing Synopsis and Recommendations" http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf
• PCI DSS v2: "PCI DSS Cloud Computing Guidelines" https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf

58 Thank You

Dank u (Dutch), Merci (French), Спасибо (Russian), Gracias (Spanish), 감사합니다 (Korean), Tack så mycket (Swedish), شكراً (Arabic), תודה רבה (Hebrew), धन्यवाद (Hindi), Obrigado (Brazilian Portuguese), Chinese, Dankon (Esperanto), ありがとうございます (Japanese), Trugarez (Breton), Tak (Danish), Danke (German), Grazie (Italian), Tamil, děkuji (Czech), go raibh maith agat (Gaelic), ขอบคุณ (Thai)