Stay Ahead of Clients' Changing Security Needs With IBM Z
Continuous IBM Z innovations offer a roadmap designed to stay ahead of clients' changing security needs.
Image by Kotryna Zukauskaite
By Karen E. Lewis, 03/02/2020
The IBM Z* legacy has always included scale, performance and security. These capabilities are critical in regulated and compliance-driven industries, and for IBM’s largest enterprise clients. In line with the direction clients are moving, that legacy will continue with further “cloudification” of the IBM Z platform. As cloud becomes more prevalent, the IBM Z platform offers a security roadmap designed to stay ahead of the changing needs of its clients. Its hardware-rooted protection capabilities have made it a reference point for data security in the cloud.
The Continued Cloudification of IBM Z
IBM Z capabilities lend themselves exceptionally well to a cloud environment. The combination of IBM Z security capabilities such as encryption and virtualization is well suited for cloud services. IBM’s two-pronged, data-centric approach encrypts the data itself and then protects the encryption keys in hardware, so that a cleartext key is never exposed to the operating system or to an administrator. Encryption is central to protecting data and privacy in the cloud, and it is only as strong as the protection of its keys.
Easy and Impenetrable Security
With encryption becoming ubiquitous, delivering Crypto-as-a-Service capability is significant. When IBM’s Hyper Protect Virtual Servers are combined with IBM Z cryptographic horsepower, it is easy to see why organizations handling cryptocurrency and other digital assets are eager to tap into these capabilities. For example, IBM’s cryptographic hardware, which meets the highest commercial certification level for hardware security modules (FIPS 140-2 Level 4 for the Crypto Express adapters), can be virtualized: each server can host up to 16 cryptographic cards with 85 isolated virtual domains per card, or 1,360 domains per server. Each domain has its own master keys, so one tenant’s keys are never visible to another. That arithmetic is what makes the hardware fit cloud scale.
IBM Z as a Service in Action
IBM Blockchain is an excellent example of IBM Z as a Service in action. IBM Blockchain has been running in the IBM Cloud* on IBM Z for two years, with more than 500 customers using it as a secure platform shared among financial institutions. With that kind of isolation and auditability built into the design, it is hard to make a business case for moving mission-critical workloads from the IBM Z platform onto a commodity cloud where enterprise data and applications carry more risk.
IBM Hyper Protect Virtual Servers combine several capabilities, built in end-to-end across the hardware, firmware and OS, according to Michael Jordan, Distinguished Engineer, IBM Z Security. By default, all of the code and data associated with Hyper Protect Virtual Servers are encrypted. When you deploy an application in one of these containers, everything in flight and at rest is encrypted automatically, without additional configuration or setup. The Hyper Protect Virtual Servers solution is a locked-down container: there is no login, and the file system is unreadable to anyone who does not hold the appropriate key. Blocking and restricting access in this way prevents administrators with elevated privileges, including the infrastructure operator, from having uncontrolled access to the workload’s file system.
Addressing the Linux Conundrum
Protected execution removes the ability of someone with infrastructure-level access to use that access against the workloads running on it: the administrator can operate the platform but cannot read or modify what runs inside the protected boundary. Secure Service Containers, available for over a year and now called Hyper Protect Virtual Servers, solve this problem for workloads that are packaged as containers.
However, organizations that are not using containers need a different approach to the same problem, and a second solution from IBM is on the near horizon. It is the next ace in a strong hand, intended to ensure that customer data and applications can be protected no matter what OS is used, because IBM Z and LinuxONE* systems will gain a more hardened, secure execution environment for Linux* guests.
From DevOps to DevSecOps
No organization wants its name plastered across the headlines for a data breach that compromises either its data or its clients’ privacy. Different threat vectors can compromise an application at each stage of its lifecycle. For instance, now that containers are used pervasively across small and large organizations, from start-ups to well-established businesses, development staff and contractors who hold elevated credentials have the potential to do real damage.
Misuse by authorized users is gaining ground as a breach pattern. According to the 2019 Verizon Data Breach Investigations Report (vz.to/2PFsIrc), “privilege misuse and error by insiders” account for up to 30% of breaches, and the picture is worse in healthcare, where internal actors are involved in more breaches than external ones: 60% (internal) versus 42% (external). (The figures exceed 100% because a single breach can involve more than one kind of actor.)
Insider-initiated incidents are problematic for several reasons. Insider breaches can be hard to detect, because an internal actor already has legitimate access to the system to do their job, so the activity does not look anomalous. With no spotlight on the incident, the post-breach response is slow. Finally, organizations often hesitate to report breaches of this kind, regarding them as taboo. Without the usual signposts that flag an external attack, the infrastructure itself is not treated as the critical asset it is, especially when a team is focused on getting applications built, out the door and deployed quickly.
Protect Against Misuse From Authorized Users
“Organizations need to consider who has access to the infrastructure—and what the individual could do with an elevated level of access,” says Diana Henderson, offering manager for IBM Z as a Service.
Trusted execution environments enable you to securely build, deploy and manage container run time environments in a virtualized environment on either IBM Z or LinuxONE platforms. “When an application is due to be deployed, there’s potential for bad actors with elevated authority to access the application or data. The individual could modify either the app or the profiles of the configuration associated with the app—causing serious damage,” explains Henderson.
This capability is well suited to protecting mission-critical workloads in financial services, healthcare and government, as well as for managed service providers delivering infrastructure services to clients from their own data centers. Using trusted execution environments lets these organizations validate the content of their applications before they are deployed, rather than trusting whatever happens to be in the registry at deploy time.
“Organizations need to know they’re deploying the application they want and not one infected with malware. The capabilities IBM introduced revolve around encryption and the signing of the application. Potentially, they could even involve an auditor responsible for checking the deployment of a digital asset or application,” explains Henderson. The auditor use case is highly relevant to the burgeoning fintech industry, where digital assets often underpin the business model.
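The deploy-time gate Henderson describes, as an added example that is not code from the original article or from IBM’s Hyper Protect tooling: the developer signs a manifest that pins the application image by its SHA-256 digest, an auditor countersigns the same manifest, and the deployer refuses to launch anything whose digest or signatures do not check out. Everything here is constructed for illustration (the manifest layout, the `ledger-api` application name, the stand-in image bytes and the Ed25519 key pairs); a real deployer would hash the OCI image manifest and hold the keys in an HSM rather than generating them in-process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest pins exactly what is about to be deployed. The image is bound by
// its SHA-256 digest, so any change after signing is detected at deploy time.
type Manifest struct {
	App         string `json:"app"`
	Version     string `json:"version"`
	ImageDigest string `json:"image_digest"` // hex SHA-256 of the image bytes
}

// SignedManifest carries the manifest, the developer's signature and the
// auditor's countersignature; both parties sign the same canonical bytes.
type SignedManifest struct {
	Manifest     Manifest
	DeveloperSig []byte
	AuditorSig   []byte
}

// canonical is the byte string every party signs. json.Marshal on a struct
// emits fields in declaration order, so the encoding is deterministic.
func canonical(m Manifest) ([]byte, error) {
	return json.Marshal(m)
}

// imageDigest returns the hex SHA-256 of an image blob.
func imageDigest(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// signManifest produces one party's Ed25519 signature over the manifest.
func signManifest(m Manifest, key ed25519.PrivateKey) ([]byte, error) {
	data, err := canonical(m)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(key, data), nil
}

// VerifyDeployment is the gate run immediately before the image is launched.
// It refuses to proceed unless the developer signed, the auditor countersigned,
// and the image on disk is byte-for-byte what the manifest pinned.
func VerifyDeployment(sm SignedManifest, image []byte, devPub, auditPub ed25519.PublicKey) error {
	data, err := canonical(sm.Manifest)
	if err != nil {
		return err
	}
	// ed25519.Verify returns false for a nil or wrong-length signature, so a
	// missing countersignature is rejected the same way as a forged one.
	if !ed25519.Verify(devPub, data, sm.DeveloperSig) {
		return errors.New("developer signature missing or invalid")
	}
	if !ed25519.Verify(auditPub, data, sm.AuditorSig) {
		return errors.New("auditor countersignature missing or invalid")
	}
	if imageDigest(image) != sm.Manifest.ImageDigest {
		return errors.New("image digest does not match the signed manifest")
	}
	return nil
}

// Scenario exercises the gate three ways: a clean deployment, an image swapped
// after signing, and a deployment that skipped the auditor. It returns the
// three verification results so they can be checked programmatically.
func Scenario() (clean, tampered, unaudited error) {
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	auditPub, auditPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed stand-in for a container image.
	image := []byte("constructed sample image: ledger-api 1.4.2")
	m := Manifest{App: "ledger-api", Version: "1.4.2", ImageDigest: imageDigest(image)}

	devSig, _ := signManifest(m, devPriv)
	auditSig, _ := signManifest(m, auditPriv)
	signed := SignedManifest{Manifest: m, DeveloperSig: devSig, AuditorSig: auditSig}

	clean = VerifyDeployment(signed, image, devPub, auditPub)

	// An insider with registry access replaces the image after it was signed.
	swapped := []byte("constructed sample image: ledger-api 1.4.2 + backdoor")
	tampered = VerifyDeployment(signed, swapped, devPub, auditPub)

	// The auditor step was bypassed: same image, no countersignature.
	unaudited = VerifyDeployment(SignedManifest{Manifest: m, DeveloperSig: devSig}, image, devPub, auditPub)
	return clean, tampered, unaudited
}

func main() {
	clean, tampered, unaudited := Scenario()
	fmt.Println("clean deployment:", clean)
	fmt.Println("tampered image:  ", tampered)
	fmt.Println("no auditor sig:  ", unaudited)
}
```

The point of the two-signature check is that neither the developer nor the auditor alone can authorize a deployment, and the digest binding means a privileged user who can write to the registry still cannot get a modified image past the gate; in a trusted execution environment the gate itself runs where that same user cannot tamper with it.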
The array of services and solutions IBM is delivering was not created in a vacuum. IBM is client-driven, and IBM Z as a Service has evolved quickly through engagement with the IBM Z community. “How and what we develop next is determined by our clients’ needs. Co-creating and co-developing the solutions they want allows everyone to emerge as a winner,” adds Henderson.
To remain essential to its clients, IBM listens intently, capturing requirements and continually reviewing and revising potential solutions in light of client feedback. Validating and refining solutions with user input before they reach the market has produced a roadmap that meets and often exceeds user expectations.
Embracing Common Development Tools
Clients want to work with the IBM Z platform in a way that abstracts away the specialized skills it once required while still moving through the DevOps cycle at an accelerated rate. That need for speed is what drives clients to the cloud, and it is why IBM is standardizing on the same Platform-as-a-Service tooling for cloud and on-premises deployments. According to Henderson, developers are emerging as kings and queens, responsible for driving innovation within their organizations. “With good DevOps practices in place, there’s no need to support different skill sets to deploy across different environments,” she adds.
Moving forward, IBM will continue embracing industry standards, open source and the same tools the development community uses already—which are pervasive across the industry regardless of the underlying platform. This approach is reflected in IBM’s development efforts as well as how IBM clients are using the tools. “Our goal is to deliver the infrastructure and capability needed so these innovation kings and queens can excel,” says Henderson.
Data Protection Is the IBM Z Wheelhouse
The IBM Z platform has a long, field-proven tradition of security leadership and innovation. The continuous advances IBM is making with Hyper Protect Services, key management, pervasive encryption, Data Privacy Passports and trusted execution environments are additional examples of how IBM Z remains a formidable line of defense for organizations moving mission critical workloads, applications and data to the cloud.
For organizations moving data to the cloud, whether temporarily or long term and wherever they are in the enterprise-out journey, the IBM Z platform provides strong, differentiated value. It lets clients move applications, pieces of applications and data to the cloud with protection and privacy maintained. As a result, IBM Z users can rely on the same robust capabilities, skills and processes, confident that their data will not be compromised, whichever OS they choose.
Karen E. Lewis is a global market segment manager with the IBM Systems and Technology Group. She has more than 20 years’ experience.