Cloud Security Guidelines for IBM Power Systems

Front cover

Authors: Turgut Aslan, Peter G. Croes, Liviu Rosca, Max Stern

Redbooks

International Technical Support Organization
Cloud Security Guidelines for IBM Power Systems
February 2016
SG24-8242-01

Note: Before using this information and the product it supports, read the information in “Notices” on page ix.

Second Edition (February 2016)

This edition applies to IBM PowerVC 1.3.0 (5765-VCS), IBM PowerVM 2.2.4 (5765-PVS Standard Edition, 5765-PVE Enterprise Edition, 5765-PVL Linux Edition), IBM PowerKVM 3.1 (5765-KVM), IBM Cloud Manager with OpenStack 4.3 (5765-OSP), and the IBM Hardware Management Console 8.3.2 (7042-CR8).

© Copyright International Business Machines Corporation 2015, 2016. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Notices
    Trademarks
IBM Redbooks promotions
Preface
    Authors
    Now you can become a published author, too!
    Comments welcome
    Stay connected to IBM Redbooks

Part 1. Business context and architecture considerations

Chapter 1. Business context
    1.1 Overview
        1.1.1 Cloud deployment models
        1.1.2 Cloud service models
    1.2 Business drivers for cloud computing
    1.3 IBM Power Systems and the cloud
        1.3.1 Hypervisors
        1.3.2 Platform management
        1.3.3 Advanced virtualization management
        1.3.4 Cloud management
    1.4 Conclusion

Chapter 2. Cloud security reference architecture
    2.1 IBM Cloud Computing Reference Architecture
        2.1.1 Adoption patterns
        2.1.2 Cloud Enabled Data Centers (or IaaS)
    2.2 Security and the CCRA
        2.2.1 Business drivers for a secure reference architecture
        2.2.2 Security requirements
    2.3 Cloud computing and regulatory compliance
        2.3.1 Government regulations and agencies
        2.3.2 Standards organizations
        2.3.3 Industry bodies
        2.3.4 Summary
    2.4 Security guidance
        2.4.1 Manage identities and access
        2.4.2 Secure virtual machines
        2.4.3 Patch default images
        2.4.4 Manage logs and audit data
        2.4.5 Network isolation
    2.5 Usage scenarios
        2.5.1 Generic use case with cloud-enabled data center
        2.5.2 Typical PowerKVM use case
        2.5.3 Typical PowerVM use case
    2.6 Integration with IBM software
        2.6.1 Security Information and Event Management (SIEM)
        2.6.2 Identity and access management
        2.6.3 Endpoint management
        2.6.4 Threat and intrusion prevention
    2.7 Conclusion

Part 2. Power cloud components

Chapter 3. IBM Hardware Management Console (HMC) security
    3.1 Introduction to the HMC
    3.2 User interfaces
    3.3 Network interfaces
    3.4 User and role management
        3.4.1 Users
        3.4.2 Roles
        3.4.3 Practical scenario of using users and customized roles
    3.5 Monitoring and auditing HMC access
        3.5.1 Access monitoring
        3.5.2 Access auditing
    3.6 Security enhancements and compliance
        3.6.1 Security compliance
        3.6.2 HMC security enhancements
        3.6.3 Data replication
        3.6.4 Customizing HMC encryption
    3.7 HMC and security zones
        3.7.1 Virtual switches
        3.7.2 Enforcement of ACLs on virtual switches
        3.7.3 ACL support for LPM
    3.8 Conclusion
...

Details: file type PDF; content language English; 244 pages.
