POWER > Systems Management > Security

Secure Boot and Cloud Automation Protect IBM Power Systems

IBM Power Systems Security


Security is consistently top-of-mind for IBM Power Systems* clients. In fact, according to an IBM Systems Magazine survey on AIX* security, 56 percent of respondents were very concerned about the platform’s security, and an additional 35 percent of respondents were somewhat concerned. In response to clients’ concerns, IBM is developing tools and services that improve and simplify security and compliance. Here’s a look at the components that contribute to the impeccable Power Systems security record.

Secure Boot

The IBM Power Systems platform offers industry-leading security embedded in the firmware and the PowerVM* hypervisor. Beyond that, Power Systems servers running PowerVM also use cryptographic measures to protect guest OS boot images leveraging the virtualized Trusted Platform Module (vTPM).

The vTPM attests that the guest OS (for instance, AIX), boots from a trusted, unaltered boot image and thus attests that the AIX kernel and OS components are all known and trusted. The Linux* kernel also includes support for the PowerVM vTPM.

IBM OpenPOWER servers also provide a firmware-level security facility known as Secure Boot to verify your server is running only authorized firmware components from IBM or another trusted vendor. This allows users to detect and take corrective action in case of a boot code cyberattack (i.e., any attempt to replace your trusted firmware with malicious code). If an attacker manages to inject malicious code at the firmware level, no amount of protection within the OS, such as with IBM PowerSC*, could prevent the attacker from gaining control of your server.

The Power* management framework extends the concept of trusted code to applications as well, allowing only signed and uncompromised application code to run. Features such as AIX Trusted Execution (TE) and Linux Integrity Measurement Architecture (IMA) support build off of the Secure Boot work and extend the concept of trust to applications and critical system files (ibm.co/2fLkMBU).

The physical Trusted Platform Module (pTPM), which is an international standard for a secure crypto processor, was first provided on OpenPOWER servers and later extended to enterprise servers. It’s a dedicated security processor designed to hold integrity measurements anchored in platform hardware and enables Secure Boot in contrast to the vTPM available so far. Secure Boot validates critical firmware components and will stop the boot if a validation fails.

New instruction set additions enable improved performance of cryptography on Power Systems. Additionally, a new device driver and Common Cryptographic Architecture (CCA) support leverage the IBM PCle Cryptographic Coprocessor (bit.ly/2wzhVCQ) with its industry-leading key protection to OpenPOWER.

Open-Source Cloud Automation

The IBM Power Systems platform delivers powerful, enterprise-level tools to simplify security and compliance for your virtual and cloud environments. PowerSC security and compliance gives clients built-in profiles, predefined reports, automated patching and strong File Integrity Monitoring capabilities—all backed and supported by IBM. Read “Demystifying Compliance” on page 18 for more information on PowerSC.

IBM is listening to clients and tailoring security and compliance offerings to fit their needs. One option is to enhance these types of offerings with open-source cloud automation tools. Or, if clients prefer to just use open-source tools instead of purchasing a product like PowerSC, they can do so with tools like Chef or Ansible. IBM regularly publishes playbooks for both options on the Chef Supermarket and on github.com/aixoss.

These playbooks automate system configuration and tasks in the data center. For instance, there are plays for tasks such as automating the download of technology levels and service packs from a fix server, updating targets from a NIM server, checking target systems for vulnerabilities against available fixes (FLRTVC), applying fixes to targets and updating the VIOS to the latest maintenance level. Tools like these make it easy to update large-scale AIX infrastructure.

Infrastructure Monitoring at Your Fingertips

Earlier this year, IBM announced a whole new model of how to monitor your data center: the Cloud Management Console (CMC). The Software as a Service (SaaS), which was previously referred to as HMC-Apps or HMC-services, provides a holistic, aggregated view on your infrastructure. The CMC isn’t a single product, but rather a platform through which IBM can deliver apps or micro services in a DevOps model.

It’s a true SaaS, so nothing is installed or maintained on premises, and it can be accessed from anywhere, at any time for your complete enterprise. It can even span all of the data centers and silos that exist for traditional products. As a result, the CMC reduces the time to market significantly from the twice-yearly release cycle for traditional products. Best yet, minimal setup is required—clients can simply log in and customize the CMC to suit their needs.

The Patch Planning app was recently made available. This app provides a holistic view of your environment (connected servers) and does aggregation for AIX, HMC, firmware, etc. The service looks at the complete Power Systems stack and indicates if clients are missing any updates. In addition, it supports creating patch plans in order to make everyone aware of upcoming patches, get required approvals and identify possible downtime windows.

Security must be an integral part of IT infrastructure—particularly for public cloud environments. CMC fully supports multitenancy (i.e., each client’s data is isolated and the database is completely secure). Moreover, all of the data is encrypted at rest before it leaves the HMC using TLS. And the HMC, which serves as the data provider, can, of course, only access data at a server level and has absolutely no access to any client records stored in databases.

Holistic Security Solutions

Security is paramount to the health and success of your organization. Together, cloud-based offerings such as CMC, open-source software, Secure Boot and more work in concert to keep your Power Systems infrastructure secure.


comments powered by Disqus

Advertisement

Advertisement

2017 Solutions Edition

A Comprehensive Online Buyer's Guide to Solutions, Services and Education.

Securely in Control

The right managed file transfer solution saves sleep and expense

A Study in Security

IBM-sponsored research reveals how C-level executives view security

At Your Fingertips

An introduction to biometrics

IBM Systems Magazine Subscribe Box Read Now Link Subscribe Now Link iPad App Google Play Store