The Special Attributes of Computer Security Hardware
Many of us think about security with primarily a software focus. You might be surprised to know about the special security hardware and its role in safeguarding data.
This week, I continue the computer security topic with a focus on computer security hardware. Many of us think about security with primarily a software focus. It seems to us that protecting and hacking is mainly about understanding and using software. You might be surprised to know about the special security hardware and its role in safeguarding data and other resources.
A Security Hardware Example
A prime example of computer security hardware is a hardware security module or HSM. The HSM is a physical computing device, sometimes also called CryptoCards that protect and manage digital keys for strong authentication and cryptoprocessing. HSMs can come in the form of a plug-in card or an external device that attaches directly to a computer or network server.
The main advantage of HSMs is their cryptography processing, which is an essential tool in secure processing. When an application must communicate with other distributed elements, or declare or determine the validity of data that it is processing, programmers find cryptography to be an essential tool.
Another advantage of these devices is that they typically perform faster than software alternatives and can make a big difference in application performance depending on how the application was written to make use of security features. Also, these devices are unique and specialized, which makes them more difficult for hackers to understand and crack.
Available in Multiple Environments
The HSMs from IBM are available in different environments. The IBM PCIe Cryptographic Coprocessor Version 2 (PCIeCC2) is the latest generation of IBM’s HSMs. The PCIeCC2 cryptographic processes are performed within an enclosure on the HSM that is designed to meet the requirements of FIPS PUB 140-2, Security Requirements for Cryptographic Modules, Overall Security Level 4. Level 4 is the highest level of certification attainable for commercial cryptographic devices. The PCIeCC2 is available on IBM Z mainframes (z14, z13s, and z13 only), on select IBM-approved x86 servers and IBM Power Systems.
On IBM Z mainframe computers
The PCIeCC2 is available as feature code 0890, called Crypto Express5S or CEX5S, on IBM z14, z13s, and z13 mainframes. Support is for either z/OS or Linux on IBM Z. On z/OS, IBM offers the Integrated Cryptographic Service Facility (ICSF) component that ships with the base product. ICSF is the software on z/OS that provides access to the IBM Z CEX5S cryptographic hardware feature through the use of callable services that comply with IBM’s Common Cryptographic Architecture (CCA). ICSF together with the IBM Resource Access Control Facility (RACF) licensed program provide cryptographic services using the CCA security API.
On Linux on Z, IBM offers a CCA API for the CEX5S and a PKCS #11 (EP11) API to the user.
On Select IBM-approved x86 architecture servers
The PCIeCC2 is available as a machine type-model 4767-002 on select IBM-approved x86 architecture servers on Microsoft Windows Server, SUSE Linux Enterprise Server (SLES), or Red Hat Enterprise Linux (RHEL) 64-bit operating systems. IBM offers a CCA support program for the IBM 4767 PCIe Cryptographic Coprocessor, at no charge, to the user.
On IBM Power Systems
The PCIeCC2 is available under a couple different feature codes (depending on the hardware configuration) on IBM POWER8 servers, either on IBM AIX, IBM i, or PowerLinux (RHEL, SLES, or Ubuntu) operating systems.
The HSM is important and IBM makes it available on these different hardware platforms under a variety of operating systems. Clearly this CryptoCard is an important component of a comprehensive security program.
What’s Next?
Next week, I’ll continue the computer security topic with a focus on software. A good place to start will be the software used to support the PCIeCC2 HSM. This is just a beginning of the security software journey.