Power Systems Security in the Cloud
Power Systems security features help clients stay ahead of new threats.
Image by Tatiana Plakhova
By Angela Fresne, 08/01/2019
Today, IT infrastructure spans on-premises systems, off-premises clouds—often run as a hybrid cloud environment—and in most cases, multiple third-party cloud services. In this hybrid, multicloud world, with data moving across systems and public clouds, securing workloads and data is more complex than ever.
Exposure is increased due to multitenancy in public clouds. Sharing resources within the enterprise is quite different from sharing resources with unknown tenants. And while Denial of Service (DoS) attacks have been around for a long time, the proliferation of devices and end points with Internet of Things (IoT) devices has given these attacks new life. New threats are also emerging, attacking new vulnerabilities such as those found in containers.
Power Systems in the Cloud
With IBM Power Systems* servers, security is baked into the infrastructure at all levels—whether you are using your data center on-premises, accessing that infrastructure through the IBM Cloud* or even via third-party clouds, such as Google (leveraging the IBM Power Systems platform for Google Cloud) or Skytap (leveraging IBM Cloud for Skytap Solutions). Infrastructure matters, in particular when transforming mission-critical enterprise applications and when pursuing a hybrid multicloud strategy. You need a rock-solid foundation, and this is where Power Systems infrastructure comes into play.
With Power Systems servers, and in particular POWER9*, security features were added throughout the stack. Improvements were also made to better facilitate and enable simplified cloud environments and management.
Trusted and Secure Boot is just one example. It was added at the firmware level more than a year ago with the introduction of POWER9 servers, and was extended to the OS level with the release of AIX* 7.2 TL3. These enhancements allow clients to verify firmware and OS images via digital signatures and hashes during boot, to make sure the images were provided by IBM and have not been tampered with. “This is, in particular, essential in cloud environments where resources are shared and clients might want to have a mechanism to check on the trust level of such a shared resource,” says Petra Bührer, Power Systems security offering manager. These enhancements also enable trusted install scenarios, such as applying a fix or update to AIX.
The Complete Cloud Package
IBM introduced a new software bundle focused around cloud, high availability, security and management simplicity: The IBM Power Systems Enterprise Cloud Edition. It brings together key elements for a robust cloud with industry-leading reliability, availability and serviceability (RAS) capabilities (see Figure).
Within that solution, IBM PowerSC standard edition provides centralized security management for VMs running on the Power Systems platform and adds virtualization and cloud-aware security extensions. PowerSC also features real-time file integrity monitoring, reporting to support security audits, compliance automation to help with the various industry standards, patch management, trusted logging, etc. Due to the integration with PowerVC* Cloud Manager (also part of the enterprise cloud bundle), PowerSC can secure your clouds from the start, when new VMs are created with PowerVC. The PowerVC software also enables workload movement between on-premises environments and public clouds, while PowerSC can secure VMs across these environments.
Because it’s vital to control who has access to sensitive systems and data, PowerSC Multi-Factor Authentication (MFA) is an integral part of the Enterprise Cloud Edition. To log in, PowerSC MFA requires more than one identification method (e.g., a certificate on a smart card, a code generated by a hardware or software token, a one-time password on your mobile phone, a biometric identifier, a YubiKey, etc.).
Even Power Systems software offerings that aren’t explicitly security products, like PowerVC or the Recovery Manager for HA, provide security features such as role-based access control (RBAC), limiting authority to specific roles. To better manage the proliferation of endpoints, IBM BigFix* Lifecycle provides capabilities around an endpoint’s lifecycle such as patching, OS migration and compliance. It enables the identification of, and response to, advanced persistent threats, regardless of endpoint type or location.
Cloud Strategies Bring Risks
One of the broadest security risks created by multicloud environments is the increased exposure of data both at rest and as it moves between systems and services. Power Systems servers for mission-critical workloads come with PowerVM* Enterprise Edition, which provides live partition mobility (LPM). LPM allows workload movement between servers for workload balancing, utilization and optimization purposes, and more. A new GZIP engine was also introduced on the POWER9 chip for compression/decompression. PowerVM leverages this engine to compress and encrypt LPM data, so that VMs and the workloads running inside them are protected in transit. Chip-based compression improves performance compared with the previous software-based approach.
In addition, emerging cloud-native technology is creating new security concerns. Containers provide many advantages such as platform independence, portability, fewer resources, agility and more. Containers, in most cases, are deployed on a KVM-based system, which is an open-source hypervisor without the same security measures built into IBM’s PowerVM hypervisor. To achieve a similar level of security, IBM is planning to introduce the Protected Execution Facility (sometimes referred to as Secure Memory Facility) later this year, enabling VMs to run in a secure mode that protects the sensitive workloads running inside them. “The key is that this concept can be applied in a very flexible way, such as with no application programming changes required, and no limitations in the amount of memory being protected. It even can be applied by our OpenPower partners leveraging this concept when bringing in their own firmware,” Bührer says.
IBM continues to focus on building on the Protected Execution Facility approach to protect containers even further and with more granularity. But even today, several container security measures are in place with IBM Cloud Private (ICP). ICP enables the creation of cloud-native applications and microservices running not only on POWER*, but also across IBM Z* or x86. It ships with popular open-source management, configuration and automation tools, providing multicloud management and integration capabilities—across traditional environments running VMs and emerging cloud-native apps.
The Kubernetes development environment provides access to popular languages, frameworks and runtimes to create and enrich these cloud-native services while leveraging the qualities of service and benefits of the Power Systems platform. In this context, IBM provides Cloud Paks, which are enterprise-ready, containerized, pre-integrated software solutions that give you an open, faster and more secure way to run core business applications in any cloud compared with assembling the stack manually. The Cloud Paks are certified and provide full software stack support, along with ongoing security, compliance and version compatibility. In addition, all Docker images are scanned for vulnerabilities.
Evolving Cloud Security
Cloud deployments—private, public, hybrid and multi—are here to stay. Security measures need to reflect evolving security threats: multitenancy, increasing movement of data, new technologies and the fact that everything is interconnected. These new types of attacks should be taken into consideration when choosing a solution. Regardless of which type of cloud approach organizations are taking, the Power Systems platform provides a robust and secure environment throughout the stack.
Find out more about the Power Systems Enterprise Cloud Edition in this brief overview video.
Angela is responsible for IBM TechU business development and curriculum management.