2020 Linux on IBM Z and Linuxone Client Workshop November 9-13

2020 Linux on IBM Z and LinuxONE Client Workshop November 9-13

Securing Workloads with Red Hat OpenShift Container Platform on IBM Z / LinuxONE

— Pradeep Parameshwaran Security & Compliance Lead, Linux on IBM Z & LinuxONE pradeep@de.ibm.com

• Why OpenShift on IBM Z ? • The cloud with the Privacy and Security • Deployment architecture: OpenShift on IBM Z • Security blueprint: OpenShift on IBM Z • Summary of native and augmented security capabilities IDC estimates that 71% of organizations are in the process of implementing containers and orchestration or are already using them regularly.

Containers are the next generation of software-defined compute that enterprises will leverage to accelerate their digital transformation initiatives,” says Gary Chen, Research Director at IDC. “IDC estimates that 71% of organizations are in the process of implementing containers and orchestration or are already using them regularly, and IDC forecasts that the worldwide container infrastructure software opportunity is growing at a 63.9 % 5-year CAGR and is predicted to reach over $1.5B by 2022.

3 Why Red Hat OpenShift on IBM Z? OpenShift a smart Kubernetes platform

5 Build once

• Fully integrated and automated architecture • Seamless Kubernetes deployment on any cloud or on-premises environment • Fully automated installation, from cloud infrastructure to OS to application services • One click platform and application updates • Auto-scaling of cloud resources • Enterprise-grade security • Ability to run enterprise workloads, “with enterprise build/manage services”, across all/multiple deployment options (private, public, hybrid/Multicloud)

6 Deploy anywhere

By combining the agility and portability of Red Hat • Vertical scalability: OpenShift with the security features, scalability and enables existing large monolithic applications to be reliability of IBM Z, businesses will have the tools to build containerized, and horizontal scalability enables support for new cloud-native applications while also modernizing large numbers of containers in a single IBM Z current applications. Deploying Red Hat OpenShift on IBM Z à reinforces key strengths and offers additional benefits • Security: Designed to protect data from external attacks and insider threats, with pervasive encryption

• Reliability: Designed for 99.999% and more availability to meet service levels and customer expectations

• Speed: Integration and co-location of cloud-native applications on the same system as the data enables faster response times than depending on network access speeds

7 Enterprise hybrid cloud with IBM Z

Why IBM Z Adoption patterns

• Low latency and large-volume data serving • Enterprise-scale private cloud in a box and transaction processing • Digital transformation and modernization for IBM • Enterprise-class infrastructure: elastic, z/OS® scalable, available and resilient • Built-in secure enclaves for zero-trust cloud • Highest levels of security and compliance native • Extreme consolidation and scalable data serving

Scale out to 2.4 million Reduce data center Process over 19 billion containers on a single footprint by 50%# encrypted transactions system* per day^

* Performance result is extrapolated from IBM internal tests running in a z15 LPAR with 1 dedicated IFL and 16 GB memory 980 NGINX Docker containers. Results may vary. Operating system was SLES12 SP4 (SMT mode). Docker 18.09.6 and NGINX 1.15.9 was used. ^ This transaction rate is based on internal measurements of a z15 configuration consisting of 2 8-way LPARs and a 4-way ICF running with dataset encryption and CF encryption enabled. Using these results, full size z15 transaction rates were projected using standard LSPR MIPS. The performance that any user will experience may vary. # On average, 70% of IBM z13 and z14 clients installing an IBM z15 can reduce raised floor space up to 50% or more depending on the configuration

8 The cloud with the privacy and security OpenShift and IBM Z with native security capabilities transforms into secure modern hybrid cloud

• OpenShift on IBM Z takes advantage of the underlying enterprise capabilities of the IBM Z server platforms, including advanced security, vertical and horizontal scalability, and 99.999% availability.

• A private cloud is a reliable and scalable cloud platform that runs on enterprise’s infrastructure. IBM Z infrastructure platform serve as the core of enterprise private cloud. • IBM Z manage and integrate with the private cloud leveraging open standards and tech like Kubernetes, containers and microservices. • Red Hat OpenShift and IBM Cloud Paks are designed to fully integrate IBM Z into a hybrid multicloud environment and manage everything from behind the firewall to help keep data protected from external attacks and insider threats.

Refer slides 14-18 for security capabilities overview of OpenShift and IBM Z

10 RedHat OpenShift Secures Kubernetes at each layer of the stack

ü Jenkins as a Service: Supports CI/CD deployments, can utilise OCP OAuth authentication. ü Quay - Private Registry: Enterprise-quality container registry with image scanning (via Clair). Application Lifecycle Management ü Integrated private registry: Stores container images, retrieval permissions can be set. Service Catalog ü S2I Build process: Builds reproducible container images. Restricts the operations performed as a root (Language, Runtimes, Middleware, Databases) user and can run the scripts as a non-root user.

Build Automation Deployment Automation ü TLS: Ensures secure control plane and API communication. ü OpenShift CI / CD Pipeline RBAC: Authorizes user actions to occur within the cluster. ü Admission Control: Govern and enforce cluster resource configuration. ü PSP & Security Contexts: Admission control for pod security and privilege. ü Secret Encryption: Since 1.13, secrets in etcd can be encrypted at rest. ü Audit: API server auditing of each stage of every execution. Container Orchestration & Cluster Management ü Resource Limitation: Protect services from resource starvation. ü Taints & Tolerations: Enable service & node segregation and zoning via labels. Container Orchestration and Cluster Management ü Namespace isolation: Boundaries to segregate projects, tenants etc. ü Network Policies: Enable restriction of network communication within cluster and for cluster Networking Storage Registry Log & Metrics Security ingress/egress.

Infrastructure automation + CRI-O: Container engine that interfaces with the container runtime that runs containers + SCCs: Opinionated control over security contexts permitted to pods (see K8s PSP). + SDN (Project Isolation): overlay network can isolate project pods & services. + Integrated OAuth: Provides token authentication for user interactions with API. Enterprise Container Host + OpenShift Service Mesh: Provide secure comms for containers without changing application. Container Runtimes and Packaging Additional security authorization policies for extra granularity. + Registry and Image Control: Control which registries can be used and can label images to control Red Hat Core OS Red Hat Enterprise Linux OS their use. + Scoped Tokens: Cluster-admins can delegate permissions to other users.

ü SELinux: enforces mandatory access control policies that confine user programs and system services, as well as access to files and network resources. ü Cgroups: enables fine grained control over allocating, managing etc. resource to containers. ü Seccomp: Allows a userspace program to set up syscall (user space requests into Linux kernel) filters. ü Read-only file system: Used by Atomic Host to prohibit unwanted file system change. ü Kernel namespaces: Partitioned kernel resources that provide isolated workspace (containers) .

Cloud Engagement Hub OpenShift enables secure hybrid cloud with defense in depth • Linux Host Security - SELinux+ - FIPS mode • Authentication & Authorization - Embedded OAuth Server - Supports 9 Identity Providers including AD/LDAP - Multi-Level Access Control (Users and Groups) - Secrets and certificate management • Image Security - ImageStreams - Scanning - Deployment policies • Integrated Audit, Logging, Monitoring • Security Policies - SCC (Security Context Controls) - Non-Root Containers - Controlled Access to Resources • Networking Isolation - Ingress / Egress control - Network microsegmentation

- Encrypted East / West traffic 12 Overview of native security capabilities on OpenShift

MZLB

Authentication & Authorization

Calico

Kubernetes Cluster Kubernetes API Image vulnerability Server etcd scanning Open VPN Server

Z Signed Image Worker Node Encrypted Worker POD node disk partition

Image Security Trust Agent enforcement Container Registry ALB/Lapp Load Container Balancer

Vulnerability Logstore Advisor Fluentd

Certificate management Secret management

13 Deployment security architecture: OpenShift on IBM Z

14 OpenShift on IBM Z leveraging Z native security (z/VM), augmented by security services

Enterprise Key Management Foundation Keys & Certificate Management MZLB Authentication Guardium & Authorization Data Activity Monitoring Calico

Qradar, zSecure Kubernetes Image vulnerability Kubernetes Cluster Security Intelligence, Audit & Reporting API Server etcd scanning Open VPN Server Z IBM Identity Governance & Intelligence Signed Image Worker Node Identity Governance on RACF , platform support services POD Image Security Trust Agent enforcement Container DevSecOps Registry ALB/Lapp Load Container Secure container build, deploy and manage Balancer Vulnerability Fluentd Logstore Advisor Container security management Encrypted Worker Certificate Secret node disk partition management management

Hyper Protect Virtual DASD* RCOS Servers Security capabilities Pervasive Encryption Security capabilities z/VM (LPAR 1) z/OS (LPAR2) Secure Service augmented by IBM native in IBM Z Container (LPAR3) security services RACF IBM Z Security capabilities native in OpensSift platform

* IBM DS8900F supports Red Hat OpenShift (through OpenShift flex volume driver support) 15 OpenShift on IBM Z leveraging Z native security (z/OS Cloud Broker), augmented by security services

Enterprise Key Management Foundation Keys & Certificate Management MZLB Authentication Guardium & Authorization Data Activity Monitoring Calico

Hyper Protect Virtual DASD Servers * z/OS Cloud Broker Security capabilities Pervasive Encryption Security capabilities z/VM (LPAR 1) z/OS (LPAR2) Secure Service augmented by IBM native in IBM Z Container (LPAR3) security services RACF IBM Z Security capabilities native in OpensSift platform

* IBM DS8900F supports Red Hat OpenShift (through OpenShift flex volume driver support) 16 Container environment introduces new threat vectors

Image Registry Orchestration Container Host OS

• Large attack surface • Image vulnerabilities • Insecure connections to • Unrestricted admin • Runtime software registries access vulnerabilities • Host OS component • Configuration defects • Stale images in • Unauthorized • Unbounded network vulnerabilities • Embedded malware registries orchestrator access access • Improper user access • Embedded clear text • Insufficient • Poorly isolated inter- • Insecure runtime rights secrets authentication container network configurations • Host OS file system traffic • Untrusted images • Insufficient • App vulnerabilities tampering • Mixing of workload authorization • Rogue containers • Poor host OS restrictions sensitivity levels configuration

Source: NIST SP 800-190 Security architecture blueprint

18 Security blueprint – OpenShift on IBM Z

Governance, Risk, and Security Policy Compliance Security awareness Audit & regulatory Strategy & Planning Compliance (CSD; Tech Specs) Management training support

Appl Threat Application Container Container Registry Secure container Appl Security AppSec Training Container Security Modeling & Security Security images (DevSecOps) Requirements & Awareness (Application) Architecture Remediation

Data Discovery & Data Loss Data Activity Encryption at Rest Encryption in Transit Encryption in Use Data Classification Prevention Monitoring

Certificate & Key Identity Privileged ID Multi factor Identity Access Management Admission Control Life Cycle Identity & Access Management Management Authentication Governance Management

Web Application Firewall Personnel Security Network Firewall DDoS Protection Physical Security Physical

Secure Service z/VM z/OS Server Container

zOS Cloud Broker Worker Node RHCOS Security

Cluster OCS Security

Security Security Heath Vulnerability Check Scanning / Penetration Testing Operations (Configuration) Management

Security Security Information Security Intelligence Monitoring & Log Management & Event Intelligence Management

The Blueprint provides security capabilities required. The color of cell suggests capabilities leveraged from. Security Services can help select the right offering specific to the requirements. OCP: OpenShift Container Platform IBM Security IBM Security IBM Security OpenShift IBM Z Service service on z service on OCP Container (Application) Security Domain – Components

Security Domains Security Controls Security Components

Container Container Security Container security Security (TwistLock) (Aquasec) Vulnerability Secure Image Build SAST, DAST scanning Image (AppScan) (OpenSCAP) Vulnerability Container DevSecOps Scanning (JfFog Image signing (Application) XRAY)

Container Registry Container Registry Container Registry Security (Quay, Clair) JFrog Artifactory

References- 10 layers of container security OCP DevSecOPs SANS reference

Legend: IBM Z native Image validation with detached signatures Security Components IBM Security OCP native Services 20 Data Security Domain - Components

Security Domain Security Controls Security Components

Data discovery & classification Guardium

Data Privacy Data encryption at Dm-crypt Passport rest

Data encryption in Data Privacy zERT transit Passport Data Security Data Privacy Libssl, libcrypto, Encryption in use Passport ibmca, libica

DLP Guardium

Data activity Guardium monitoring

Key management ICSF EKMF

ICSF: Integrated cryptographic service facility EKMF: Enterprise key management foundation Legend: IBM Z native DLP: Data leak prevention Security Components IBM Security OCP native Services

21 Identity & Access (IAM) Security Domain - Components

Security Domain Security Controls Security Components

Identity Identity Governance Governance & zSecure Admin Administration

Identity Management RACF LDAP IBM IAM

Access Management Identity & Access Privileged ID Management/Acces RACF LDAP PAM s Control

Multi factor IBM Z MFA authentication

Admission control Admission control plugin System authorization facility

PAM: Privileged Access Management Legend: IBM Z native LDAP: Lightweight Directory Access Protocol Security Components RACF: Resource Access Control Facility IBM Security OCP native Services 22 Network Security Domain - Components

Security Domain Security Controls Security Components

Ingress Container Firewall NeuVector Cluster Traffic Calico controller Network Web Application Security NGINX Firewall

DDoS Protection NGINX

Legend: Security Components OCP native IBM Security OpenShift multitenancy- fine grained control with network policy Services 23 Cluster Security Domain - Components

Security Domain Security Controls Security Components

Cluster Security Security Security with Twistlock Hashicorp vault context Sysdig Cluster constraints (SCCs)

Overview of OpenShift cluster. Each layer shall be secured to secure the cluster i.e from RHCOS till application lifecycle management and orchestration.

Legend: Security Components IBM Security OCP native Services 24 Security Monitoring & Intelligence - Components

Security Domain Security Controls Security Components

zSecure Logging & Log EFK Prometheus adapter for Management SIEM Security Monitoring & Security Information QRadar Intelligence & Event Management

Security Intelligence XFTM

OpenShift Container Platform ships with a pre-configured and self-updating monitoring stack that is based on the Prometheus open source project

Legend:

Security Components IBM Security OCP native Services 25 Summary

This session focused on, • Secure Hybrid cloud deployment on IBM Z with OpenShift Cloud Platform • Security Blueprint for OpenShift on IBM Z

26 DevSecOps with OpenShift Cloud Platform on IBM Z – Reference Architecture

27 Auto CI/CD Evidence Compliance CI/CD Locker remediation reference material output of CICD generating common scripts for checks on gitpull PR -requests Tekton/Jenkins change DevOps Outside Inside Pipeline PR Insights ServiceNow - quality create CR boundary boundary - unit test + Deep Visibility (shared across (one per) +policies Dependency + approval check - build Docker Analysis all boundaries) image Vulnerability Restricted - code scans Image Advisor Registry Region Fed Eclipse WebIDE - vulnerability Fed JFrog CD - develop in the advisor CI Fed XRay Pod-1 project/app:1.1CD Pod-2 cloud - set PR status Pod-3 - live edit, refactor project/app:1.0 JFrog Artifactory Public - debug project/app:canary-0.9 certified packages, Fed Region Fed docker images FedCI CD Pipeline CI CD Pod-1 Enforce img merge Pod-2 - “master” branch Pipeline CD Pod-3 signed Fed CD (protected branches) - unit test - change mgmt. - dependency analysis Dev Env Staging Env automation (G1) - static/dynamic Fed Enforce img Private analysis CI - signing image as Pod-1 Pod-1 prod ready (CISO) signed Fed CD Pipeline Microservice repo on git push - secret detection Pod-2 Pod-2 - kube deploy Worker incl. Docker file, - vulnerability scan Pod-3 Pod-3 master - OSSC license audit - health check deploy manifest branch - CIS benchmark - functional test Polling for work - additional image Docker engine Enforce img checks signed Fed CI - build Docker image (docker in Artifact Repository - dev/staging docker, kaniko…) certified packages, promotion docker images - functional test Pipeline CS Develop locally - quality gate check on timer - timer trigger - evidence into auditree Credential Vault - vulnerability scan Credential - signing key - sign image as CI - if fail trigger CI Vault compliant(CISO) - pipeline secure properties pipeline and/or generate - signing key / pipeline PR secure properties Linux on IBM Z and LinuxONE Client WS 2020 / © 2020 IBM Corporation 29