A new security paradigm for the cloud, PowerSC defines your known "good" system rather than trying to defend against a known "bad" threat.
With the proliferation of virtual systems and internal cloud environments, all aspects of system administration have become more complex and challenging. As expected, this includes managing IBM Power Systems security on each of the virtual servers you create, any one of which can present new threat vulnerabilities.
Not only are there new challenges in managing security in a virtualized environment, but being able to prove to an auditor that your systems are in compliance with a variety of government and industry standards—from PCI, to Sarbanes-Oxley, to DOD—presents its own set of challenges.
IBM has recently released a new security offering for Power Systems called PowerSC that is part of a larger security framework the company has assembled to protect large and small enterprises alike.
PowerSC is a security and compliance solution that works in conjunction with the IBM Power Systems hypervisor, PowerVM. Initially offered on AIX, PowerSC undoubtedly will be rolled out to integrate with IBM i and Linux in the near future. It is a collection of four modules—for now—that takes an approach to security designed to stay one step ahead of existing, as well as yet-to-be-created, external and internal threats. Some of the security features are currently available for IBM i from independent software providers, such as SkyView Partners and Raz-Lee Security, while others appear to be quite avant-garde and more closely integrated with PowerVM. Nevertheless, they are designed to work together seamlessly to protect high-value systems, particularly cloud environments.
The fear of a security breach to data residing in the cloud has kept many IBM i shops from moving to a cloud environment and has raised serious concerns among everyone else, even if they have started the migration. IBM simply had to do something to allay these fears. It really needed to design a system security approach that would work. The company is hoping that PowerSC is the answer.
PowerSC consists of four main modules:
- Security Compliance Automation is a set of pre-built compliance profiles for the three main industry and government standards that is activated and reported on centrally using AIX Profile Manager.
- Trusted Boot guarantees that the operating system hasn't been hacked by comparing cryptographically signed boot and OS images.
- Trusted Network Connect and Patch Management, as its name implies, gives you a heads up if a system doesn't have all available security patches applied. It uses a sophisticated integration with Service Update Manager Assistant (SUMA) and Network Installation Manager (NIM).
- Trusted Logging captures all audit and system log information in real time and whisks it away to a secure centralized location within the virtual I/O server. In larger shops, it allows for the sharing of responsibilities by both the AIX system manager and individuals overseeing the virtualized infrastructure.
PowerSC comes in two editions: PowerSC Express, which is basic security and compliance automation, and PowerSC Standard, which supports Trusted Logging, Trusted Boot, and Trusted Network Connect and Patch Management. Trusted Boot works only on Power7 hardware with firmware update 7.4.
In conjunction with the announcement about PowerSC, IBM also released new features of PowerVM that, in many cases, integrate with PowerSC. Let's focus on the latter for the moment, however, and drill down into these four new PowerSC modules for a closer look.
Knowing, as well as showing, that your system is in compliance with the industry or government standards that affect your business can be a very expensive undertaking indeed. Security Compliance Automation is intended to help reduce the burdensome costs of getting and staying in compliance as well as being able to prove that you are on top of things. With IBM's pre-built profiles, Security Compliance Automation covers about 70 percent of the regulatory security requirements to which you might be subject. Others, such as physical security, which really go beyond "system security," are outside the scope of the product. Nevertheless, 70 percent is more than a good start.
The included profiles are Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Act of 2002 (SOX), Control Objectives for Information and Related Technology (COBIT), and the Department of Defense (DOD). If you need to meet some other standard not listed here, then this product may not be for you.
One of the nice features of this module is that it allows you to set security profiles for numerous systems and then look at reports to see if they are in compliance, all without the use of extensive logs or having to resort to guessing. You use a Systems Director plug-in called AIX Profile Manager with a clear and simple interface that tells you if the designated system is in compliance. If it flags one, you can use the same tool to investigate why it's not in compliance and what needs to be addressed.
Trusted Boot, which needs the latest Power7 hardware and 7.4 firmware update to work—and no, it does not work on Power6 or Power5 hardware—is, quite naturally, a very cool module. It changes the security paradigm from responding to a known "bad" threat to documenting your "good" system and not allowing anything unknown to run on it. Every virtual machine has its own Virtual Trusted Platform Module (VTPM), which is configured when you configure a new virtual machine. During boot-up, there is a sophisticated metric created, with the boot image and the operating system being cryptographically signed and validated against the VTPM. PowerSC and PowerVM work together to take the "snapshot" and do the image comparisons.
The beauty of Trusted Boot is that you can show the system is safe by reporting on its status with a GUI called OpenPTS Monitor that offers an easy-to-read view of flagged untrustworthy systems. It notes any changes in kernel extensions, user commands, or applications and pinpoints any changed files.
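The known-"good" comparison described above can be modeled in a few lines. This is an added conceptual example, not code from PowerSC, PowerVM, or OpenPTS; the SHA-256 digest, the single measurement register, and the component names and contents are assumptions constructed for illustration.

```python
import hashlib

def measure(content: bytes) -> bytes:
    """Digest of one boot component (SHA-256 is an assumption)."""
    return hashlib.sha256(content).digest()

def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: the register can only be folded forward, never set."""
    return hashlib.sha256(register + measurement).digest()

def measured_boot(components):
    """Measure each (name, content) in boot order; return register and event log."""
    register, log = bytes(32), []
    for name, content in components:
        m = measure(content)
        register = extend(register, m)
        log.append((name, m))
    return register, log

def verify(reference, register, log):
    """Verifier side: replay the log against the register, then compare each
    measurement with the known-good reference and name what changed."""
    replayed = bytes(32)
    for _, m in log:
        replayed = extend(replayed, m)
    if replayed != register:
        return False, ["<event log inconsistent with register>"]
    seen = dict(log)
    flagged = [n for n, m in log if reference.get(n) != m]
    flagged += [n for n in reference if n not in seen]
    return not flagged, flagged

# Constructed sample data: a known-good system and one with a changed kernel extension.
GOOD = [("boot_image", b"boot-v1"), ("kernel", b"kernel-v1"),
        ("kernel_extension", b"kext-v1"), ("user_command", b"ls-v1")]
REFERENCE = {name: measure(content) for name, content in GOOD}
TAMPERED = [(n, b"kext-v1-modified" if n == "kernel_extension" else c) for n, c in GOOD]

def demo():
    good_reg, good_log = measured_boot(GOOD)
    bad_reg, bad_log = measured_boot(TAMPERED)
    # A log rewritten to list the known-good digests no longer replays to the register.
    forged_log = [(n, REFERENCE[n]) for n, _ in bad_log]
    return (verify(REFERENCE, good_reg, good_log),
            verify(REFERENCE, bad_reg, bad_log),
            verify(REFERENCE, bad_reg, forged_log))

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third case shows why the register matters: an edited event log cannot hide a change, because the register value it must reproduce was already extended with the real measurement.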
Trusted Network Connect and Patch Management integrates with SUMA and NIM so that, during boot-up, the part of the module residing in an LPAR communicates with the TNC server in the Virtual I/O Server (VIOS). Every system is assigned a specific patch level, and the administrator is notified automatically of the conformance, or nonconformance, to the assigned patch level. It's a simple matter to determine whether all security patches have been applied to the system.
Trusted Logging employs a special virtual SCSI device that is managed by the VIOS and sends system log and audit log data to a central location within the VIOS that is tamper-proof and outside even the touch of the system administrator. No AIX administrator—or anyone else—can modify the logs, which provide a gold standard of what's happened on the system. You might be able to change the system, or even the system log, but you can't change the logs stored in the VIOS…or so IBM says. Having two copies of the logs also allows two groups to oversee operations: the system administrator and the virtual infrastructure folks. Nice.
PowerSC does not a complete framework make, and IBM offers appliances to protect against network threats. But at the system level, PowerSC takes security to the next level. It's likely that IBM will not stop with just four modules in the PowerSC offering, and there are more interfaces and more integrations to be made with, say, Systems Director. While AIX is the launch pad for this particular offering, a version for IBM i can't be far behind. If it convinces users that there is security in the cloud, then it's a job well done.