The Value of LinuxONE Security

Or, The Importance of Securing Your Workload on The World's Most Securable Platform

Brian W. Hugenbruch, CISSP – IBM Systems Virtualization & Cloud Security for z Systems & LinuxONE
V2.2 – Last updated 31 May 2017 – @Bwhugen

Agenda

• Platform Security in the Modern World

• The Value of LinuxONE Security
  • Hardware
  • Virtualization security
  • Linux Guest security
  • Cloud Security

• Summary and References

2 Platform Security in the Modern World

3 IBM’s Commitment to Security & Integrity

• “System Integrity” is defined as the inability of any program not authorized by a mechanism under the installation’s control to circumvent or disable z/OS or z/VM security controls.
• In the event that an IBM System Integrity problem is reported, IBM will always take action to resolve it.
• IBM’s commitment extends to design, development and test practices, including the creation of the z Systems Center for Secure Engineering to provide additional security-focused testing and scrutiny.
• The z Systems Security Portal informs clients about the latest security and system integrity service to help keep their enterprise up to date.

First issued in 1973 & reaffirmed in 2007. IBM’s long-term commitment to System Integrity is unique in the industry, and forms the basis of z/OS & z/VM industry leadership in system security.

http://www-03.ibm.com/systems/z/os/zos/features/racf/zos_integrity_statement.html
http://www.vm.ibm.com/security/zvminteg.html

4 The increasingly desirable target of non-x86 architecture

80% of all active code runs on the mainframe. 80% of enterprise data is housed on the mainframe.

Today’s technologies are eliminating “mainframe isolation”

(Figure: Business Innovation surrounded by Cloud, Internet, Mobile, Social and Big Data)

Source: 2013 IBM zEnterprise Technology Summit

5 The attack surface for a typical business is growing at an exponential rate

People: Employees, Hackers, Outsourcers, Suppliers, Consultants, Terrorists, Customers

Data: Structured, Unstructured, At rest, In motion

Applications: Systems applications, Web applications, Web 2.0, Mobile apps

Infrastructure

6 Today’s threats continue to rise in numbers and scale

2014: 1+ billion records. 2015: unprecedented impact. 2016: 4+ billion records.

Average time to identify a data breach: 201 days. Average cost of a U.S. data breach: $7M.

Source: IBM X-Force Threat Intelligence Index - 2017

7 It's 10:00pm. Do you know where your data is?

• Chances are, not all the data on your systems is created equal
• Chances are, you are beholden to certain regulations concerning that data
  • PCI DSS, HIPAA, SOX, FIPS (one of the 200 of them), OECD, APEC … pick an acronym
  • Some combination thereof, or a local security policy even more stringent?
• And does your data stay in one place?
  • PCI DSS v3 actually requires diagrams of data flow for Cardholder Information

(Figure: Mobile First, WAS and DB2 workloads spread across Linux guests on ZVMSYS01, ZVMSYS02 and ZVMSYS03 and on z/OS, all on one LinuxONE / z13)

8 And utilizing IaaS and cloud deployments only increases complexity.

(Figure: guests and service virtual machines (SVMs) above the hypervisor, above PR/SM (one LinuxONE System Logical Partition), above the CPACF, OSA and Crypto Express hardware of a LinuxONE Emperor)

9 Example* risks to sensitive data in virtual environments *(PCI DSS v3.1 Supplement - Virtualization Guidance v2.1)

1. Vulnerabilities in the Physical Environment Apply in a Virtual Environment
2. Creates a New Attack Surface
3. Increased Complexity of Virtualized Systems and Networks
4. More than One Function per Physical System
5. Mixing VMs of Different Trust Levels
6. Lack of Separation of Duties
7. Dormant Virtual Machines
8. VM Images and Snapshots
9. Immaturity of Monitoring Solutions
10. Information Leakage between Virtual Network Segments
11. Information Leakage between Virtual Components

10 Linux without Risks: our platform is designed to ensure the lowest downtime

Designed to Prevent Errors
• Hardware and firmware designed to protect from errors that could lead to outages
• Built-in redundancy for all critical system components eliminates single points of failure
• Extensive testing and failure analysis at every level prevents problems from reaching clients

Designed to Detect & Correct Errors
• Exhaustive error detection and correction capabilities isolate problems
• Non-disruptive installation, upgrades, and maintenance of hardware and firmware avoid outages

Designed to Recover without Loss
• Automated failover capabilities speed recovery and minimize system impact
• Leading business continuity and disaster recovery solutions ensure automated, reliable, and rapid recovery and enable planned site switches

Designed to provide 100% uptime for decades. 45% faster problem determination & resolution.

Core sparing: 2 cores reserved. IT Analytics: avoid future outages.

11 The Value of LinuxONE Security: Explained at Every Level

12 Thesis Statement: the Value of LinuxONE Security

• LinuxONE combines battle-tested hardware and partitioning with best-in-class hypervisor security to protect your Linux workloads

• The business value of virtualization security: it mitigates risk to your business by protecting the data on which your company runs and thrives.

• The technical value of virtualization security: it helps to protect your servers, your passwords, your data, and your resources from threats which would steal or destroy them.

13 Information Security and Standards

• Information Security and Information Assurance
  • Protecting information systems from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction.
  • Fields are interrelated. Common goal: meeting the AIC triad of infosec (availability, integrity, confidentiality).

• Variety of standards & evaluation schemes …
  • Common Criteria (ISO/IEC 15408)
  • FIPS 140-2 (US)
  • DK (Germany Banking), MEPS (France Banking), and many more

• The Common Criteria is an international standard for infosec certification
  • Recognized by 26 countries through the Common Criteria mutual recognition agreement (CCRA)
  • A framework in which users can specify security functional and assurance requirements
  • Vendors can implement and/or make claims about a product's security attributes
  • Testing laboratories can evaluate the products to determine if they actually meet the claims

Common Criteria provides assurances that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standardized fashion.
• May help to reduce risk & improve the product under evaluation

IBM Development & Verification processes are subject to Common Criteria Evaluations.

14 z Systems Security Certifications

z/OS
• Common Criteria EAL4+
  - z/OS 1.12, z/OS 1.13, z/OS V2R1 (OSPP)
  - z/OS 1.11 + RACF (OSPP)
• Common Criteria EAL5+
  - RACF V2R1 (OSSP)
  - RACF V1R13 (OSPP)
  - RACF V1R12 (OSPP)
• z/OS 1.10 IPv6 Certification by JITC
• FIPS 140-2
  - System SSL z/OS 1.10 to 1.13
  - z/OS ICSF PKCS#11 Services – z/OS 1.11 to z/OS 1.13
• Statement of Integrity

z/VM
• Common Criteria EAL4+
  - z/VM 6.3 with OSPP with -LS and -VIRT
• FIPS 140-2 validated
  - z/VM 6.3 System SSL (with CPACF) is FIPS 140-2 validated
• System Integrity Statement

Linux on System z
• Common Criteria EAL4+
  - SUSE SLES11 SP2 certified at EAL4+ with OSPP
  - Red Hat EL6.2 EAL4+ with OSPP
• OpenSSL - FIPS 140-2 Level 1 validated
• CP Assist
  - SHA-1 validated for FIPS 180-1
  - DES and TDES validated for FIPS 46-3

Virtualization with partitions
• z Systems z13
  - Common Criteria EAL5+ with specific target of evaluation -- LPAR: Logical partitions
• zEnterprise 196 and zEnterprise 114; System zEC12 and BC12
  - Common Criteria EAL5+ with specific target of evaluation -- LPAR: Logical partitions

Cryptographic hardware
• Crypto Express3 and Crypto Express4S
  - FIPS 140-2 level 4 Hardware Evaluation
  - Approved by German ZKA
• Crypto Express5S – In evaluation
  - FIPS 140-2 level 4 Hardware Evaluation
• CP Assist
  - FIPS 197 (AES)
  - FIPS 46-3 (TDES)
  - FIPS 180-3 (Secure Hash)

15 Let's start with the hardware.

• Built-in redundancy protects data against attacks on hardware
  • ECC
  • RAIM
  • Defense against rowhammer etc.

• Cache separation and virtualization tech prevents side-channel attacks

16 If a core fails, a spare is “turned on” without system or program interruption

• Each LinuxONE server has two cores designated as spare
• Core failover (called sparing) is transparent to applications
• Spares need not be local to the same node or drawer
• Any core (general processing core or I/O core) can failover to spare

(Figure: eight cores, Core0 to Core7, around a shared L3 cache)

17 Why Use LinuxONE Hardware Cryptography?

• Trust & reliability
  • Proven implementation in HW
• Cost
  • Security does not come for free: minimize cost
• Save money
  • Off-load expensive CPU workload
• Save time
  • Faster crypto algorithms
• Ultra high security needed
  • Banks: secure key/CCA
• Functionality
  • Special built-in security functions for banking and financial applications: secure key
• Regulations
  • FIPS 140-2 certified cryptography adapters

18 CP-Assisted Cryptographic Facility (CPACF)

CPACF Support (LIC Feature 3863)
• Available on all LinuxONE hardware but it must be explicitly enabled
• Provides on-CPU cryptographic processing at a higher throughput
• Supports the following algorithms:
  • DES
  • TDES
  • AES-128
  • AES-256 (z10 onward)
  • SHA-1
  • SHA-224 and SHA-256
  • SHA-384 and SHA-512 (z10 onward)
  • Single-length key MAC
  • Double-length key MAC
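Because CPACF must be explicitly enabled, a guest with the feature missing silently does all of the above in software. The following Python script is an added example (not from the presentation): it parses /proc/crypto, where the in-kernel CPACF drivers register implementations whose driver names end in "-s390", and reports which algorithms the kernel will actually serve from hardware. The /proc/crypto text below is a constructed sample; the algorithm name list is an assumption mapping the slide's algorithms onto kernel names.

```python
"""Verify that CPACF-backed kernel crypto is actually in use on a Linux guest.

For a given algorithm name the kernel picks the registered implementation
with the highest priority. If CPACF is not enabled, the s390 modules never
register and requests fall back to generic software code with no error, so
/proc/crypto is where to look to see which implementation really serves.
"""
import os

# Constructed sample of /proc/crypto; the real file has the same blank-line
# separated "key : value" records, with more fields per record.
SAMPLE_PROC_CRYPTO = """\
name         : cbc(aes)
driver       : cbc-aes-s390
module       : aes_s390
priority     : 402
selftest     : passed

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
selftest     : passed

name         : sha256
driver       : sha256-s390
module       : sha256_s390
priority     : 300
selftest     : passed

name         : sha512
driver       : sha512-generic
module       : sha512_generic
priority     : 100
selftest     : passed
"""

# Assumed kernel names for the algorithms the slide lists as CPACF-capable.
CPACF_ALGORITHMS = ["cbc(aes)", "cbc(des3_ede)", "sha1", "sha256", "sha512"]


def parse_proc_crypto(text):
    """Return one dict per registered implementation in /proc/crypto text."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def is_cpacf_driver(driver):
    """True for implementations provided by the in-kernel CPACF drivers."""
    return driver.endswith("-s390")


def effective_drivers(entries):
    """Map algorithm name -> the driver the kernel will choose: highest
    priority among the implementations whose self-test passed."""
    best = {}
    for e in entries:
        if e.get("selftest") != "passed":
            continue
        prio = int(e.get("priority", "0"))
        if e["name"] not in best or prio > best[e["name"]][1]:
            best[e["name"]] = (e["driver"], prio)
    return {name: driver for name, (driver, _) in best.items()}


def software_fallbacks(entries, wanted=CPACF_ALGORITHMS):
    """Algorithms in `wanted` that are missing or served by software only."""
    chosen = effective_drivers(entries)
    return sorted(n for n in wanted if not is_cpacf_driver(chosen.get(n, "")))


if __name__ == "__main__":
    # Read the live file on a Linux guest, fall back to the sample elsewhere.
    path = "/proc/crypto"
    text = open(path).read() if os.path.exists(path) else SAMPLE_PROC_CRYPTO
    entries = parse_proc_crypto(text)
    for name, driver in sorted(effective_drivers(entries).items()):
        tag = "CPACF" if is_cpacf_driver(driver) else "software"
        print("%-16s %-22s %s" % (name, driver, tag))
    print("not hardware-backed:", software_fallbacks(entries))
```

On the sample, cbc(aes) and sha256 are hardware-backed while sha512 falls back to sha512-generic and sha1 and TDES are not registered at all, which is the pattern you see when a module failed to load or the feature is disabled.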

19 Crypto Express5S

• One PCIe adapter per feature
  - Initial order – two features
• Designed to be FIPS 140-2 Level 4
• Installed in the PCIe I/O drawer
• Up to 16 features per server
• Prerequisite: CPACF (#3863)
• Designed for 2X performance increase over Crypto Express4S

Three configuration options for the PCIe adapter
• Only one configuration option can be chosen at any given time
• Switching between configuration modes will erase all card secrets
  • Exception: Switching from CCA to accelerator or vice versa

Accelerator: TKE N/A; CPACF NO; UDX N/A; CDU N/A. Clear Key RSA operations and SSL acceleration.
CCA Coprocessor: TKE OPTIONAL; CPACF REQUIRED; UDX YES; CDU YES (SEG3). Secure Key crypto operations.
EP11 Coprocessor: TKE REQUIRED; CPACF REQUIRED; UDX NO; CDU NO. Secure Key crypto operations.

Business Value
§ High speed advanced cryptography; intelligent encryption of sensitive data that executes off processor, saving costs
§ PIN transactions, EMV transactions for integrated circuit based credit cards (chip and pin), and general-purpose cryptographic applications using symmetric key, hashing, and public key algorithms, VISA format preserving encryption (VFPE), and simplification of cryptographic key management.
§ Designed for FIPS 140-2 Level 4 certification to meet regulations and compliance for PCI standards

20 Let's start with the hardware.

• EAL5 – better than an air gap
  • Isolation of a logical partition at the architectural level (more on this in a moment)
  • Controls on direct access to devices
  • Elimination of covert channels
  • Role-based access controls to a partition (or partitions) or hardware

• With a few added bonuses:
  • Controlled in-memory communication paths (HiperSockets)

21 IBM LinuxONE Appliance Container Infrastructure (zACI) and the Secure Services Container

• A new Systems partition mode
  • z13, z13s, LinuxONE Emperor, and LinuxONE Rockhopper
• Not for general-purpose usage
• Fast deployment of virtual appliances, e.g.:
  • IBM zAware
  • z/VSE Network Appliance
  • Blockchain
• Tamper-resistant
  • Validates integrity of downloaded appliance
  • Build and deploy through installer only

22 Secure Service Container Base Infrastructure to Host and Build Software Appliances

• Provides simplified mechanism for fast deployment and management of packaged solutions
• Provides tamper protection during installation and runtime
• Ensures confidentiality of data and code running within the Appliance – both in flight and at rest
• Management provided via Remote APIs (RESTful) and web interfaces
• Enables Appliances to be delivered via distribution channels

(Figure: appliance stack of Applications, Appliance Services and Management)

23 Secure Service Container Protection

Appliance Content (i.e. Blockchain)
• No system admin access
• Once the appliance image is built, OS access (ssh) is not possible
• Only Remote APIs available

Container Software / SSC Runtime Environment
• Memory access disabled
• Encrypted disk
• Debug data (dumps) encrypted

Secure Execution Context (one partition), EAL5+
• Strong isolation between container instances
• Based on LinuxONE EAL5+ protection profile

Your LinuxONE machine
• Requires dedicated HW

24 IBM z/VM and KVM can co-exist on LinuxONE

IBM z/VM
§ World class quality, security, and reliability - powerful and versatile
§ Extreme scalability creates cost savings opportunities
§ Exploitation of advanced z technologies, such as:
  – Shared memory (Linux kernel, executables, communications)
§ Highly granular control over resource pool
§ Provides virtualization for all LinuxONE operating systems
§ Integrates with OpenStack

KVM for LinuxONE
§ Standardizes configuration and operation of server virtualization
§ Leverage common Linux administration skills to administer virtualization
§ Flexibility and agility leveraging the Open Source community
§ Provides an Open Source virtualization choice
§ Integrates with OpenStack

(Figure: a LinuxONE Systems host running z/VM and KVM side by side over PR/SM, each hosting Linux on z guests and SSC Appliances; Processors, Memory and IO and the Support Element beneath)

25 Virtualization security requires some basics:

• Isolation of hosted guests
• Confidentiality of data on the system
• Protection of privileged hypervisor commands and operations
• Controlled sharing of data between virtual machines
• Management of virtual devices and integrity of data
• Securing connectivity to and within the hypervisor layer
  • TCP/IP connectivity
  • Virtual networking
• Hardening of the hypervisor layer
• Multi-tenancy and “security zones”
• Auditing of security-relevant operations

26 Guest Isolation on LinuxONE

• All guests must be isolated from one another
  • Separation of duties and need to know
  • Control the flow of data
  • Keep workloads from interfering with one another

• Isolation on LinuxONE starts at hardware
  • The Interpretive Execution Facility and Start Interpretive Execution (SIE) instruction are how virtual machines are executed
  • PR/SM controls LPAR creation
  • z/VM Control Program (CP) controls VM instantiation
  • KVM's Linux Kernel creates VMs as processes

• SIE instruction “runs” a virtual machine until a condition is raised
  • "What happens in a VM stays in a VM"
  • No mechanism for hyperjacking the platforms
  • Only leaves machine on interception conditions (a.k.a. "SIE break")

(Figure: Linux2 and Linux4 guests isolated on ZVMSYS01 on LinuxONE)

27 Scope of Responsibility

• Any virtual machine is constrained in its ability to impact the hypervisor
  • Role-based access controls
  • Administrator vs. general-use commands
  • Communication with other machines / resources

z/VM
§ Privilege classes (Class G or less)
§ Administrators can write their own classes
§ SVMs and Operators may have more
§ Directory statements to augment VM definitions:
  – LOGONBY statement for controlled access
  – COMMAND statements for pre-LOGON context
  – CRYPTO statement for CryptoExpress access
  – LINK and NICDEF for controlled access to virtual resources
§ Extra statements can be added to a VM definition for specific needs

KVM
§ SELinux for guest isolation
§ libvirtd to manage virtual machines
  – for connecting machines to certain resources
  – for access rights creation
§ sudo for privileged auth (no root)

28 Virtualizing Device Access

• A virtual machine is not an island
  • Will eventually require access to disk, shared data, a network device, or some other hardware device
• Such devices are maintained at the hypervisor level
  • In z/VM, CP controls access to devices
  • In KVM, qemu controls access to devices
• These devices need to adhere to local security policy as well ("know the ways your data flows")
• Hypervisor controls time slices and management
  • Access control lists manage VM access
  • Minidisk passwords, etc., for additional controls

(Figure: volume 630WRK carved into minidisks LABEL1 to LABEL4, each spanning virtual cylinders 0-99)

29 Virtual Switches, VLANs, and Zoning (both)

(Figure: on z/VM, db, app and web guests are zoned through a VSWITCH; on KVM, through Open vSwitch; both uplink to the internet)

30 Virtual Networking

z/VM
• z/VM controls Layer 2 traffic through a Virtual Switch
• Separates guest traffic by VLAN
• No need for a virtual router (all CP)
• Can flow traffic to/through OSA devices
• Separation of traffic via Port Isolation and VEPA modes

KVM
• KVM provides virtual Ethernet devices through Open vSwitch or MacVTap (direct connection)
• Separates guest traffic by VLAN
• Isolation of traffic based on network interfaces
• Can flow traffic to specific OSA ports based on ethernet interfaces

31 Virtualized Crypto Express under z/VM

(Figure: within LPAR 1, z/VM gives LINUX04 a dedicated Crypto Express domain (CRYPTO DOMAIN n APDED 0) while LINUX02 and LINUX03 use shared virtualized domains (CRYPTO APVIRT); the APDED and APVIRT domains 0, 1 … n map onto adapters CEX5S 0 and CEX5A 1; MK = master key)

32 Encrypting Hypervisor Connections

§ Getting "under" a guest could disrupt operations … it is vital to protect access to the hypervisor layer itself

• z/VM Supports:
  • Secure Telnet and FTPS via the SSL/TLS server
  • TLS 1.2 support, SHA-256 certificates (*new* to z/VM 6.3)
  • FIPS 140-2 validated
  • NIST SP 800-131a compliant (*new* to z/VM 6.3)
  • The TLS Server can also encrypt traffic to/from local PORTs (e.g., Systems Management traffic)

• KVM Supports:
  • OpenSSL (TLS 1.2 and SHA-256)
  • OpenSSH (ephemeral keys)
  • Configurable to meet cryptographic standards
  • KVM also has native firewall support
  • Open ports for native TCP/IP communication
  • Note: default policy does not allow for guest migration

33 , by their natures, are highly flexible

• There are a lot of options to consider
  • Alternate communication paths to check
  • Virtual networking options to control
  • Shared memory spaces
  • Access to data at rest (storage, tape)

• And other considerations to factor in …
  • Password controls – are they in the clear? Are they changed?
  • Auditing – are you logging the right security-relevant events? Can you?

A security manager provides both a finer granularity of control and the ability to enact more complete isolation of guests and projects … in a consolidated interface.

34 Infrastructure Security with RACF for z/VM

• RACF Security Server is a priced feature of z/VM
  • A requirement for meeting today's enterprise security requirements
• RACF enhances z/VM by providing:
  • Extensive auditing of system events
  • Strong encryption of passwords and password phrases
  • Control of privileged system commands
  • Extensibility in z/VM environments clustered through Single System Image
  • Controls on password policies, access rights, and security management
  • Security Labeling and Zoning for multi-tenancy within a single LPAR (or across a cluster)

• RACF for z/VM is an integral component of z/VM's Common Criteria evaluations (OSPP-LS at EAL 4+)

35 sVirt for KVM

• sVirt is an SELinux Framework for KVM
  • Labels all resources associated with hypervisor (processes, disk images …)
  • Separates guest processes, even within a single userid
  • Innate Mandatory Access Control policies (security labeling and zoning)
  • Can allow shared /write content between virtual machines if desired
  • Booleans for qemu virtual motherboard processing

• Security policy decisions are fed to auditd
  • Security does not exist without an audit trail

• sVirt is an integral component of KVM's security certifications, including the Common Criteria Evaluations
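Two of the claims above can be checked from the KVM host: that each guest's qemu process carries its own MCS category pair, and that the AVC records sVirt feeds to auditd show any guest reaching for another guest's resources. The following Python is an added example (not from the presentation or from the sVirt project); the `ps -eZ` and audit.log samples are constructed, and the PIDs, categories and file names are illustrative.

```python
"""Audit sVirt isolation on a KVM host from two sources: the SELinux label on
every qemu process (ps -eZ) and the AVC records that sVirt feeds to auditd.

sVirt keeps guests apart with MCS categories: each qemu process is labelled
svirt_t:s0:cA,cB and its disk images svirt_image_t:s0:cA,cB with the same
pair, so a guest can touch only resources carrying its own categories.
"""
import re
from collections import defaultdict

# Constructed sample of `ps -eZ` output; labels and PIDs are illustrative.
# PIDs 4321 and 4323 share a category pair, which sVirt should never produce.
SAMPLE_PS = """\
LABEL                                  PID TTY      TIME CMD
system_u:system_r:svirt_t:s0:c10,c20  4321 ?    00:01:02 qemu-kvm
system_u:system_r:svirt_t:s0:c30,c40  4322 ?    00:00:58 qemu-kvm
system_u:system_r:svirt_t:s0:c10,c20  4323 ?    00:00:11 qemu-kvm
system_u:system_r:virtd_t:s0           987 ?    00:00:03 libvirtd
"""

# Constructed auditd AVC records in the real field layout; values are
# illustrative. Only the first is a cross-guest access (c10,c20 -> c30,c40).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1496246400.101:101): avc:  denied  { read write } for  pid=4321 comm="qemu-kvm" name="linux02.qcow2" dev="dm-0" ino=130 scontext=system_u:system_r:svirt_t:s0:c10,c20 tcontext=system_u:object_r:svirt_image_t:s0:c30,c40 tclass=file permissive=0
type=AVC msg=audit(1496246400.202:102): avc:  denied  { write } for  pid=4322 comm="qemu-kvm" name="linux03.qcow2" dev="dm-0" ino=131 scontext=system_u:system_r:svirt_t:s0:c30,c40 tcontext=system_u:object_r:svirt_image_t:s0:c30,c40 tclass=file permissive=0
type=AVC msg=audit(1496246400.303:103): avc:  denied  { read } for  pid=4321 comm="qemu-kvm" name="console.log" dev="dm-0" ino=77 scontext=system_u:system_r:svirt_t:s0:c10,c20 tcontext=system_u:object_r:virt_log_t:s0 tclass=file permissive=1
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """'system_u:system_r:svirt_t:s0:c10,c20' -> ('svirt_t', {'c10', 'c20'})."""
    parts = ctx.split(":", 3)            # user, role, type, optional level
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    level = parts[3] if len(parts) == 4 else ""
    cats = level.split(":", 1)[1].split(",") if ":" in level else []
    return parts[2], frozenset(cats)


def shared_categories(ps_text):
    """{categories: [pids]} for svirt_t qemu processes whose MCS category
    pair is not unique; such guests are not isolated from each other."""
    by_cats = defaultdict(list)
    for line in ps_text.splitlines()[1:]:           # skip the ps header
        cols = line.split()
        if len(cols) < 5 or "qemu" not in cols[4]:
            continue
        stype, cats = split_context(cols[0])
        if stype == "svirt_t":
            by_cats[",".join(sorted(cats))].append(int(cols[1]))
    return {c: pids for c, pids in by_cats.items() if len(pids) > 1}


def cross_guest_denials(audit_text):
    """AVC records where a guest (svirt_t) reached for a resource of another
    guest (svirt_* type, different categories). permissive=1 means the access
    was only logged, not blocked: escalate those first."""
    findings = []
    for line in audit_text.splitlines():
        if "avc:" not in line:
            continue
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if "scontext" not in f or "tcontext" not in f:
            continue
        stype, scats = split_context(f["scontext"])
        ttype, tcats = split_context(f["tcontext"])
        if stype == "svirt_t" and ttype.startswith("svirt_") and tcats and scats != tcats:
            findings.append({"pid": f.get("pid"), "name": f.get("name"),
                             "source": f["scontext"], "target": f["tcontext"],
                             "permissive": f.get("permissive") == "1"})
    return findings


if __name__ == "__main__":
    print("guests sharing MCS categories:", shared_categories(SAMPLE_PS))
    for hit in cross_guest_denials(SAMPLE_AUDIT):
        print("pid %(pid)s touched %(name)s of another guest "
              "(allowed=%(permissive)s)" % hit)
```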

36 This is your LinuxONE System On Lockdown.

(Figure: one LinuxONE Logical Partition on lockdown: Mobile First, WAS and DB2 guests plus the TCP/IP and Security Manager service virtual machines, connected through a VSWITCH carrying encrypted network traffic with TLS; Role Based Access Controls, Virtual Memory Management and Architected VM Separation in your virtualization platform; PR/SM, CPACF, OSA and Crypto Express beneath)

37 Linux Guest Security


Of course, all of the preceding content assumes you will secure your Linux guests with the same diligence and vigilance as you do your hypervisor.

It does no good to lock the door if you leave the window open.

(Figure: a Linux04 guest above PR/SM (one LinuxONE Logical Partition) with CPACF, OSA and Crypto Express)

38 Linux is more secure on LinuxONE

• Linux is Linux
  • Linux security features and tools available to all architectures
  • Differences only in
    • architecture specifics
    • device support
• Thorough open source review of key components
  • Security is and was always a focus of kernel development
  • Core Infrastructure Initiative (sponsored by IBM, among others) focuses on supporting security-relevant packages (like OpenSSL)
  • IBM involvement with open-source communities (platform, distros, products)

• Benefits stem from the platform
  • Strong guest isolation
  • Cryptographic hardware support

39 LinuxONE and Open Source Security (the starter list)

• SELinux for access control (see also: AppArmor)
  • A foundational component of Linux security (that's why KVM has sVirt)
  • Used to define policies for security within a Linux guest

• sudo and cgroups for resource control << you didn't give out root, right?

• openLDAP for open identity management << or find a SAML solution

• openSSL and openSSH for secure communication << don't forget httpd.conf

• IPtables / for firewalls << if you run them inside these boxes …

• dm-crypt / LUKS, eCryptFS for file-system encryption << we'll cover this soon …

• Lynis, Tiger, or openSCAP for system hardening << measure your guest vs baselines

40 OPEN MAINFRAME PROJECT

41 Leveraging the platform to Centralize Security Function

• Take advantage of the proximity of LinuxONE systems to other LinuxONE or z Systems machines to streamline certain functionality, such as …

• Centralized Identity, Authentication, and Audit
  • ITDS (LDAP Server) for z/VM or z/OS, using DB2, BFS, or RACF as a back-end
  • PAM plug-ins for Linux machines (regardless of architecture)
  • Additional plug-ins to auditd for centralized audit – pushes events out to SMF records
• Password Synchronization
  • Using ITDI (IBM Tivoli Directory Integrator), LDAP, and RACFVM
• PKI Services (z/OS PKI Services, connected to Linux guests)

42 Managing Your Secure Virtualization Platform

§ Controlling your virtual infrastructure (and its security) will eventually necessitate automation and tooling.

• z/VM Supports:
  • Operations Manager for z/VM: for automation of management and alert-based actions.
  • IBM Wave for z/VM: an infrastructure-management tool with graphical interfaces. Authorized by (and interfaces with) RACFVM.
  • IBM Security zSecure for RACFVM: policy management and auditing (see next slide)

• KVM Supports:
  • virt-manager: the VMM graphical interface
  • Native OpenStack support through libvirtd (more on this in a moment)

43 "If you have built castles in the air, your work need not be lost; that is where they should be. Now put the foundations under them."

-- Henry David Thoreau, Walden (1854)

44 What is cloud security?

• Security in the cloud means securing that infrastructure … and their services … for all combinations of public and private infrastructure … wherever they are … for whoever is managing them.

(Figure: VMs on KVM and other hypervisors across LinuxONE, z13, zEC12 and PowerVM with PowerVC)

45 "Notorious Nine" Threats to Cloud Environments (Cloud Security Alliance, 2013)

1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse and Nefarious Use
8. Insufficient Due Diligence
9. Shared Technology Issues

46 Inside Your LinuxONE On-Prem Cloud (z/VM)

(Figure: on-prem cloud on ZVMSYS01, a z/VM 6.4 system: a browser reaches the cloud product's web interface; the controller node with its z/VM plug-ins talks over REST APIs to a compute node running the xCAT manager (xCAT HCP); xCAT drives the SMAPI servers, which use DIRMAINT as the directory product and a security product under the Control Program to manage the guest workloads; PR/SM (one LinuxONE Logical Partition) beneath)

47 OpenStack Projects

Compute (Nova)

Block Storage (Cinder)

Network (Neutron) Provision and manage virtual resources

Dashboard (Horizon) Self-service portal

Image (Glance) Catalog and manage server images

Identity (Keystone) Unified authentication and authorization

Object Storage (Swift) Petabytes of secure, reliable

Telemetry (Ceilometer) Data collection

Orchestration (Heat) Engine to launch cloud applications based on templates

Database Service (Trove) Cloud Database-as-a-Service

Data Processing (Sahara) Data processing stack and management

48 OpenStack Security

• OpenStack community has a Security Group
  • Security Advisories, Code Scanning tools
• OpenStack Security Guide
  • Recommendations
  • Examples
  • Covers common cloud threats

• http://docs.openstack.org/sec/

• Note: Doc is KVM for x86 oriented. Does not replace LinuxONE security planning, but it helps a lot!

49 Multi-Tenant Clouds for LinuxONE

• The Cloud provides …
  • Nova security groups
  • Nova availability zones
  • Neutron VLANs
  • Keystone domains
  • Keystone RBAC

• The Cloud exploits …
  • Physical or virtual separation
  • Security labels for domains
  • Endpoint protection
  • Cryptographic acceleration
  • Guest image security

(Figure: VMs on KVM and z/OS across z13, LinuxONE and zEC12)

50 Remember:

• There is a difference between cloud-level security (for the consumers) …
• And infrastructure-level security (for your system administrators, security administrators, and virtual machines)
• Administrator privilege does not necessarily reflect workload privilege

(Figure: VMs across LinuxONE Emperor, LinuxONE Rockhopper, z13, z13s, zEC12 and zBC12)

51 Enterprise Hybrid Cloud Requires Integrated Security Solutions

Identity / Protection / Insight

Software as a Service (SaaS)
• Identity – Enable users to connect securely to SaaS: SaaS access governance; Identity federation; Application control
• Protection – Secure connectivity and data movement to SaaS: Data tokenization; Secure proxy to SaaS
• Insight – Monitoring and risk profiling of enterprise SaaS usage: Monitor SaaS usage; Risk profiling of SaaS apps; Compliance reporting

Platform as a Service (PaaS)
• Identity – Integrate identity and access into services and applications: DevOps access management; Authentication and authorization APIs
• Protection – Build and deploy secure services and applications: Database encryption; App security scanning; Service vulnerabilities and threats
• Insight – Log, audit at service and application level: Monitor services and platform; Fraud protection; Compliance reporting

Infrastructure as a Service (IaaS)
• Identity – Manage cloud administration and workload access: Privileged user management; Access management of web workloads; Identity federation for B2B
• Protection – Protect the cloud infrastructure to securely deploy workloads: Storage encryption; Network protection - firewalls, IPS; Host security, vulnerability scanning
• Insight – Security monitoring and intelligence: Monitor hybrid cloud infrastructure; Monitor workloads; Log, audit, analysis and compliance reporting

Note: Listed capabilities in the above table are examples of capabilities, and not a comprehensive list

52 Summary

53 LinuxONE provides ultimate security at scale.

Infrastructure-as-a-Service for LinuxONE: OpenStack for compatibility and open standards; Keystone for Identity Management and Integration

Linux guests in Zones 2, 3 and 4, with QRadar and Security Manager service machines: Linux Security (SELinux, AppArmor, cgroups); OpenSSH for secure guest connectivity; Centralized Audit with PAM and ITDS

Your Virtualization Platform: Architecture-layer guest isolation; TLS 1.2 connectivity & VLAN-aware Virtual Switch; OSPP EAL 4+ with Labeled Security (Multitenancy)

PR/SM: Architecture-layer isolation of workload; Ultimate partition isolation (CC EAL 5); Secure Service Containers for tamper-proof workloads

Crypto Express5S and CPACF: Hardware acceleration of cryptographic ops; PKCS #11 and CCA support; FIPS 140-2 Level 4 HSM (Secure Key)

54 For More Information …

• IBM z14 Technical Guide: http://www.redbooks.ibm.com/redpieces/abstracts/sg248451.html?Open

• IBM Z Hardware Crypto Synopsis: https://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP100810

• IBM Z Crypto Education Community: https://www.ibm.com/developerworks/community/groups/community/crypto

• z/VM Security: http://www.vm.ibm.com/security

• Linux on z Security: https://www.ibm.com/support/knowledgecenter/linuxonibm/liaaf/security.html

Contact Information:

Brian W. Hugenbruch, CISSP
IBM Z Security for Virtualization & Cloud
bwhugen at us dot ibm dot com
@Bwhugen

Thank You