Sensitive Data Control
How IBM Z and IBM LinuxONE servers help keep data safe on-premise, in the cloud or both
By Jim Utsler, 09/01/2020
It’s an unfortunate fact of business life that bad actors are out there trolling for sensitive data. For them, the risk-reward is relatively low. For those whose data is breached, though, the costs can be exorbitant, whether from loss of intellectual property (IP), being socked with massive fines or losing customer goodwill.
The news isn’t all bad, however. With the assistance of several IBM security tools, organizations can place all of their data, including the most sensitive bits, in locked-down operating environments to avoid much of this. Once that’s done, IBM Z® and IBM LinuxONE™ users, whether in the IBM Cloud® or on-premise, can trust that their most prized asset is safe from prying internal or external eyes.
“Our approach to security is allowing clients to deploy workloads in those IBM Z and LinuxONE environments with the level of security controls we’ve been building into our systems over the past five-plus decades,” says Michael Jordan, Distinguished Engineer, IBM Z Security.
Operational Assurances Versus Technical Assurances
No two businesses are exactly alike, but many share similar security concerns, especially as they adopt hybrid multicloud environments.
As Stefan Liesche, Distinguished Engineer, IBM Z Hybrid Cloud, explains, “There are many reasons why clients are interested in higher levels of security and data privacy, but three of them come up again and again. One, there are regulations, policies and rules that organizations have to adhere to. Two, they’re protecting trade secrets, IP or some other types of digital assets. Three, there are organizations that have been burned before that want to adopt new measures rather than re-experiencing the pain they went through.”
But the how and why of this can become muddled as businesses move from Chapter 1 to Chapter 2 of the cloud story. For a variety of reasons, many of them are now considering placing sensitive data and workloads in the cloud rather than confining them to locally controlled data centers. As a result, they’re choosing a hybrid model where a portion of workload is in the cloud, and a portion on-prem, where these two environments need to interact and exchange data in a secure way.
“People are driven toward innovation and want to apply the speed of cloud to their projects that deal with sensitive data to stay ahead of the competition,” Liesche says. “At the same time, they want to avoid disruptions caused by quickly moving threats that could put their data in jeopardy. In the past, they may have secured their data exclusively behind a firewall, but the innovation speed of a connected hybrid cloud alters that paradigm.”
Companies are now dealing with both private and public clouds from multiple vendors. In some cases, they have to trust the cloud vendor when they ask about security. These operational assurances may not live up to expectations, however. For example, a cloud vendor may still be able to access customer data.
“What most cloud vendors offer today is operational assurance, like a commitment that they will not access data,” remarks Rohit Badlaney, vice president, IBM Z Hybrid Cloud. “From our engagement with large enterprise customers, however, we see that this isn’t sufficient to meet the stringent security controls that enterprises look for when considering a move to public cloud. This is where one of our security solutions, IBM Cloud Hyper Protect Services, shines. We provide technical assurance, such as we technically cannot access customer data. This applies even to our own cloud administrators/site reliability engineers.”
IBM Cloud Hyper Protect Services provides built-in data at rest and data in use protection to help developers easily build secure cloud applications using a portfolio of cloud services that allow clients to have complete authority over their sensitive data in the cloud:
- IBM Cloud Hyper Protect Crypto Services (built on the industry’s only FIPS 140-2 Level 4 HSM), which provide a “Keep Your Own Key” capability for data at rest encryption across multiple IBM Cloud services and data in use protection for private keys used for digital signing and protecting server identity (SSL Offloading)
- IBM Cloud Hyper Protect DBaaS, which provides complete data confidentiality for sensitive data and currently supports PostgreSQL and MongoDB EE databases
- IBM Cloud Hyper Protect Virtual Servers, which provide complete authority over LinuxONE workloads with sensitive data or business IP
Together, they give businesses complete authority over sensitive data and workloads to help them meet regulatory compliance requirements.
As Jordan explains, “We’re building the Hyper Protect infrastructure in IBM Cloud and these services so IBM Cloud admins can manage their environments without being able to see or get ahold of your data. The Hyper Protect infrastructure, in turn, is based on a secure enclave technology known as IBM Secure Services Container.”
Scalable Isolation of Individual Workloads
The IBM Cloud Hyper Protect Virtual Server offering for private clouds is a software-based solution that hosts container-based applications for hybrid and private cloud workloads on LinuxONE and IBM Z systems. This secure computing environment for microservices-based applications can be deployed without needing code changes to exploit the container’s security capabilities, even during the end-to-end DevSecOps cycle.
Additionally, Secure Execution for Linux is a hardware-based security technology built into the IBM z15™ and LinuxONE III systems. It provides scalable isolation for individual workloads to help protect them from both external and insider threats. This works for on-premise workloads as well as LinuxONE and IBM Z hybrid cloud environments.
“It’s designed to provide scalable isolation of individual workloads,” Badlaney says. “The Secure Services Container was at the LPAR boundary, and this goes down now to the VM boundary. The beauty of this is that it’s available for an on-prem architecture, and we’ve now expanded this capability and integrated it into the heart of the IBM Cloud. This helps reinforce our technical assurance philosophy.”
Badlaney cites the example of Daimler, which wants to implement an intelligent cloud solution for its global after sales portal. The data associated with this portal is very sensitive, which is why the company decided to migrate it to the IBM Cloud. The level of control that Daimler was looking for in the public cloud could only be met by IBM Cloud Hyper Protect Services.
As he notes, “Daimler has an aggressive public cloud push, and they wanted to make sure that no one in IBM Cloud can access their data. That was their requirement. The only way to assure this is with our LinuxONE technology.”
Securing every bit of company data isn’t monetarily feasible for many businesses, especially if it involves selecting their most sensitive data and deciding where to host it. IBM’s perspective regarding data protection (i.e., encryption) isn’t selective, which drives down the cost to allow organizations to encrypt data on a massive scale.
Some companies will keep everything on-premise based on strict lockdown protocols. This gives them peace of mind, knowing they have complete control over data access. Others may move some of it to the LinuxONE technology-backed IBM Cloud. In either case, IBM has deployed several additional security tools, including pervasive encryption and IBM Data Privacy Passports, to support the security needs for either scenario. IBM is also announcing a new fully homomorphic encryption toolkit for Linux, providing even more data security. Learn more in "Homomorphic Encryption Comes to Linux on IBM Z," below.
“Pervasive encryption is very focused on data at rest and in transit by keeping it encrypted. And users aren’t required to differentiate between sensitive and non-sensitive data. You protect everything so nothing can be stolen,” Liesche says. “Data Privacy Passports employs data protection even when the data needs to be shared with other platforms. To ensure the data cannot be compromised in end-process attacks, data is protected across the entire flow. This is used for any sensitive data, all the way up to your crown jewels. It offers everywhere encryption throughout your hybrid multicloud environments.”
Staying in Charge
Just as no two companies are alike, neither are any two computing environments. They might be on-premise, in a private or public cloud, or in hybrid multiclouds. The important issue here, though, is making sure the sensitive data and workloads in these environments are secure, whether that’s for regulatory, IP or customer confidence purposes. Hyper Protect Services, Secure Services Container, pervasive encryption, Data Privacy Passports and other IBM security solutions all help clients meet this goal.
“As they move from Chapter 1 to Chapter 2 of the cloud, they’re looking at hosting more sensitive data and workloads there than they previously had,” Jordan says. “So, our approach to security is allowing clients to deploy workloads in those environments with a level of control that puts them in charge, while also assuring them on a technical level that no one is going to covertly access or steal their data. That encapsulates at the highest level what we’re trying to do.”
Homomorphic Encryption Comes to Linux on IBM Z
For decades, modern cryptography methods have helped protect sensitive data during transmission and at rest. IBM Z® clients benefit from data encryption at rest and in-flight with pervasive encryption, along with Data Privacy Passports on IBM Z, a consolidated data-centric audit and protection technology (DCAP) for eligible data that has the capability to protect data along its journey through your enterprise by setting appropriate data protection controls.
The common method of storing sensitive data and sharing it with colleagues and partners has a weak link. Today, files are often encrypted in transit and at rest, but decrypted while in use. This regimen provides hackers repeated opportunities to steal unencrypted files. Fully homomorphic encryption (FHE) plugs those holes. It allows the manipulation of data by permissioned parties while it’s still encrypted, minimizing the time it exists in its most vulnerable state. In conjunction with other tools, FHE also makes it possible to selectively restrict decryption capabilities, so people can see only the portions of a file that are necessary for them to do their work.
FHE holds significant promise for industries like finance and healthcare, making it possible to share financial information or patient health records broadly while restricting access to all but the necessary data. FHE allows collaboration over the cloud and should facilitate cross-industry collaboration, even among competitors looking to perform advanced analytics on encrypted data of common interest. For example, rival pharmaceutical companies can pool and analyze encrypted medical research data to speed drug discovery, without revealing sensitive company or patient information.
IBM is announcing a new FHE toolkit for Linux®, bringing FHE to multiple Linux distributions for IBM Z and x86 architectures. The toolkit is available in Ubuntu, Fedora and CentOS editions for x86 platforms. Experienced Docker developers can easily port this toolkit to their preferred distribution. The journey to pervasive FHE starts with these reference implementations, but will evolve with community involvement. This announcement takes IBM’s commitment to Linux and security a step further by adding data-in-use security capabilities, the missing link of end-to-end encryption.
For more information on the encryption status quo versus the FHE model, see Figure 1 (above) along with the related IBM Research blog.
Jim Utsler, senior writer, has been writing for IBM since the mid-1990s.