Bringing Security to the Cloud
The existing security of cloud on IBM Z is even more robust now, with the addition of IBM Cloud Private and IBM Secure Service Containers.
By Jim Utsler, 01/01/2019
Security, security, security. It’s been drummed into our heads a thousand times over.
Not that it shouldn’t be. One breach can put a company out of business, whether it’s due to regulatory fines or the loss of customer confidence. This is especially true with the increasing adoption of cloud computing. And internal and external security threats will keep poking around for unsecured holes—even in a private or hybrid cloud.
This is largely why the IBM Z* platform is widely seen as one of the most secure systems for cloud computing. It offers pervasive encryption, for example, that ensures data is encrypted at all times, at rest and on the move. And the existing security of cloud on IBM Z is even more robust now, with the addition of IBM Cloud* Private and IBM Secure Service Containers.
Thanks to these tools, it’s time to put the security into the agile DevOps development and operations environment—as in DevSecOps. And although the “security, security, security” chant isn’t likely to end anytime soon, the philosophy of baked-in DevSecOps on IBM Z will help significantly lessen the volume. For a summary of how IBM Cloud Private, Secure Service Containers and DevSecOps heighten security, see "IBM Cloud Private, Secure Service Containers and DevSecOps."
A Security Philosophy
For years, software development was siloed. Development, operations, QA and security teams were walled off from one another, leading to a lengthy, inefficient process that left an impatient public frustrated. This waning patience, along with increasing pressure for continuous software delivery, led to the emergence of the DevOps movement, which ultimately morphed into DevSecOps.
DevSecOps is a software philosophy based on collaboration among all of the primary stakeholders within an organization. It brings them together to create a cross-disciplinary environment for efficiently developing secure, quality software. DevSecOps is creating a cultural shift in technology where teamwork, brainstorming and collaboration are top of mind.
More and more enterprises are adopting a DevSecOps approach to remain competitive, but DevSecOps is particularly crucial for mainframe shops. Mainframes are perceived as already featuring security by design, but with more emerging multicloud models, the need for increased security is growing. DevSecOps not only heightens security in a DevOps environment; it can also help mainframe customers comply with standards surrounding data privacy, banking regulations and healthcare confidentiality. For more details on DevSecOps, see "What Is DevSecOps."
And these are hardly trivial matters, especially as organizations begin turning toward cloud computing. As Rohit Badlaney, director, IBM Z as a Service, IBM Systems, puts it, “As clients head off on their cloud journey, we want to be there to help them. Many of them are struggling with some of these issues, and most of the concerns involving moving to the cloud have to do with data and compliance. That’s why we’re talking so much about security. And if security can be baked into the DevOps cycle, that much the better.”
On Lock Down
Companies have on-premises clouds for a variety of reasons, including quicker access to data, greater control over their cloud instances and, of course, improved data security so they can meet or even exceed security-compliance regulations. But if businesses do want to clamp down on cloud access, few better options are available to do so than on IBM Z and LinuxONE*. They’re inherently secure on many levels, with end-to-end encryption and logical partitioning for workload segregation, which IBM calls “vertical isolation.”
IBM delivers additional security support in the form of Secure Service Container technology, available on IBM Z and IBM LinuxONE servers. It provides full encryption of data at rest and in flight. The integrity of a Secure Service Container is verifiable and reliable, and isolation of workloads running within a Secure Service Container on IBM Z or LinuxONE is better than if those workloads were on separate servers. The Secure Service Container appliance model reduces much of a solution’s governance to a single check box.
It should be noted that these containers shouldn’t be confused with other types of containers, such as Docker containers. Rather, a Secure Service Container is a specialized type of LPAR that can support thousands of VMs, each running hundreds of Docker containers.
For organizations interested in deploying cloud applications and data to an on-premises private cloud platform, IBM Cloud Private—a Platform as a Service for hybrid and private cloud deployments—provides an LPAR booster shot. This is made possible by Secure Service Container for IBM Cloud Private, which, when managed by IBM Cloud Private, enables organizations to securely deploy Docker and Kubernetes workloads on IBM Z and LinuxONE.
“We’re working to prevent insider access threats, and the method by which we’re doing that is with Secure Service Container technology. It’s a locked-down, on-prem technology wherein only a client can access their own data,” says Badlaney.
Protection and Security
The outermost level of the Secure Service Container is the LPAR, which is essentially a VM hosted by the bare-metal, firmware-based hypervisor PR/SM. An LPAR defines the resources available to the OS running within it, such as memory and CPUs, which can be dedicated, shared or even over-committed.
The benefits to this include performance, with PR/SM managing resources to maximize utilization while still meeting service levels for high-priority workloads, even if lower-priority workloads in another LPAR experience a spike in demand.
Another benefit is security. PR/SM is certified to Common Criteria Evaluation Assurance Level (EAL) 5+, an international standard (ISO/IEC 15408), which means PR/SM isolates LPARs better than any other hypervisor isolates its VMs. When multiple LPARs need to communicate, the workloads can be more secure than on two separate servers because no vulnerable networking gear is needed to connect them.
Secure Service Container technology integrates the OS, middleware and software components into a software client-type environment. That software client is then packaged together as a single entity, and when deployed to the cloud, contains critical security capabilities in the underlying infrastructure—in a controlled-access environment.
“This appliance is a completely secure region on your system where you can host and drive workloads and applications that cannot be accessed or compromised by those who don’t have access privileges,” says Nathan Dotson, IBM Z offering manager, Cloud. “It’s really about being able to meet all of your cloud-computing and data requirements and completely protecting them, even from internal users. This gives IBM Z and LinuxONE levels of protection and security that don’t exist anywhere else.”
Although all of this sounds well and good from a cloud security perspective, some may be concerned about how it will impact development times. Not to worry, though: IBM Cloud Private in tandem with Secure Service Container technology actually encourages cloud-application development, with support for microservices and agile DevOps. Organizations can go about their normal development routines and then allow Secure Service Container technology to become the deployment environment to which users can drive their critical applications, complete with OS virtualization layers, management interfaces, REST APIs and security.
“Some people think there’s an ‘easy button’ when they look at third-party cloud hosting because somebody else is going to give them speed they need,” Dotson says. “But other platforms can’t provide the security that’s necessary to deliver what users require. I think that’s where IBM Cloud Private can come into play. It can kind of merge those worlds, providing development agility while ensuring in-system security.”
Useful and Secure
DevSecOps, IBM Cloud Private and Secure Service Container technology have made cloud computing increasingly secure, but more than that, they’re also encouraging developers to bake security into their DevOps environments—and not as an afterthought. This can have ripples throughout an organization, as developers consider how they can integrate security into every application, from concept to completion to ongoing support—with agility.
“At the end of the day,” Badlaney says, “most of our clients’ concerns about moving to the cloud have to do with data and compliance. But if they’re on IBM Z or LinuxONE and using IBM Cloud Private and Secure Service Containers, many of those concerns can be pushed to the side. After all, our goal is to make the cloud useful, easy to manage and very secure.”
Jim Utsler, freelance writer and former senior writer, has been writing about technology since the mid-1990s.