Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · •...
Dr Chris Poole
IBM Master Inventor
Hyper Protect Containers
@chrispoole
Ensuring Your Customers' Data Privacy with Applications Secured on IBM Z
Please note
• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice and at IBM’s sole discretion.
• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
• The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
• Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
“Within one Kubernetes pod, access credentials were exposed to Tesla's AWS environment which contained an Amazon S3 bucket that had sensitive data such as telemetry.”
https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/
https://www.engadget.com/2018/09/18/us-government-payment-site-leaks-14-million-customer-records-GovPayNow/?platform=hootsuite&guccounter=1
• 73%: Allow root access
• 2%: Corporate data encrypted
• 58%: Threats from insiders
https://www-01.ibm.com/marketing/iwm/dre/signup?source=urx-17425&S_PKG=ov59678&
https://www.techrepublic.com/article/tesla-public-cloud-environment-hacked-attackers-accessed-non-public-company-data/
https://healthitsecurity.com/news/58-of-healthcare-phi-data-breaches-caused-by-insiders
“Move to the cloud”?
Apps with SPI?
• Rewrite yourselves
  – Encrypt the data… all of it? Metadata?
• Security consultancy
• IBM Cloud Hyper Protect Services
• ibm.com/cloud/hyper-protect-services
• Tooling (e.g., Docker): To build
• Config: Need to configure as it’s going out
• Discovery: Other services need to be able to find each other
• Routing: Message sending requires routing
• Observability: Understand what’s happening
• Databases: Store here only
• Operational: Container scheduling
• Development: Language: PL/I, COBOL, Java, etc.
• Policy: Architectural & security compliance
All stateless ideally
[Diagram: two SPI microservices and one further microservice, each with a frontend and a backend, over a data layer]
Cloud computing
• Abstract away the infrastructure
• Who do you trust?
Attack vectors
• Insider threat: sysprogs
• Remote access
• Privilege escalation
Existing cloud
[Diagram: a (virtual) server running Linux and Docker, hosting Worker 1 and Worker 2]
Hyper Protect cloud
[Diagram: PR/SM (EAL5+) hosting two SSC LPARs; inside the Secure Service Container, Worker 1 and Worker 2 each run in a VM, with isolation between them]
Integrated HSM
On-chip cryptography
On-chip cryptographic accelerator
Crypto Express HSM
– Tamper resistant Secure Key
– FIPS 140-2 Level 4
– Keys never leave the HSM
Secure Service Containers
• No system admin access
• Data at rest, transport protection
• Once the appliance image is built, OS access (ssh) is not possible
• Memory access disabled
• Encrypted disk
• Debug data (dumps) encrypted
• Signed docker images
• Secure boot
IBM Cloud Hyper Protect Services
Think 2018 / 8249.PPTX / March 2018 / © 2018 IBM Corporation
IBM-hosted services:
IBM Cloud Hyper Protect Crypto Services
IBM Cloud Hyper Protect DBaaS
IBM Cloud Hyper Protect Containers
IBM Cloud Hyper Protect Crypto Services
Provides state of the art security and cryptographic capabilities in IBM Cloud.
• 4X faster than other cloud encryption appliances
• PKCS#11 API interfaces
• Generate symmetric key and asymmetric key pairs
• Digitally sign and verify documents
• Provide digital fingerprints (digest/hash)
• Random number generation
• Seamless integration with IBM Key Protect for securely storing root and data encryption keys in a dedicated key store protected with FIPS 140-2 Level 4 compliant hardware
Secure:
• Tamper protection during installation and run time
• Customer data and keys are shielded from sysadmins
Secure Service Container
Providing Hyper Protect Crypto Services
Isolated Container Runtime Environment on the IBM Z/LinuxONE platform
[Diagram: three tenants (Acme Soda with Soda App, Acme Pop with Pop App, Acme Cola with Cola App), each with its own Hyper Protect Crypto Services instance and Dedicated KeyStore, backed by an HSM Card (Crypto Express) with Domain 00, Domain 84]
• Applications connect with PKCS11 via OpenSSL
• Dedicated KeyStore per Customer
• Secure enclaves ensure keys are never leaked
• FIPS 140-2 Level 4 compliant HSM for highest physical protection of secrets
Simplify Protecting Data-in-Transit for Cloud Native Apps
Secure sensitive transactions ensuring security of data while in-transit
Secure handling of SSL/TLS keys and certificates
• Customers can terminate secure connection (TLS) for their apps, at container front door
• Secure all communications between micro services inside a container cluster that could be enabled through policies
• SSL keys are offloaded to Hyper Protect Crypto Services to ensure security and protection of those sensitive keys
• Certificate lifecycle management: a common approach to managing certs, and visibility into cert expiration
[Diagram: SSL offloading between A, A', B and B’, with Hyper Secure Crypto Services and Certificate Management]
IBM Cloud Hyper Protect DBaaS
Hyper Protect Database as a Service implements structured and unstructured data stores that are secure and private.
MongoDB EE:
• Up to 8TB on IBM z13; up to 16TB with IBM z14
• 2–4x more throughput compared to AWS–EC2
PostgreSQL
Secure:
• Tamper protection during installation and run time
• Customer data shielded from sysadmins
• Encryption, access control, audit
Demo
Starter Kits?
print("hello world")
Starter Kits
[Diagram: Backend Starter Kit and MBaaS Starter Kit, split into Client and Cloud: Swift iOS app, Kitura, Hyper Protect DBaaS, Hyper Protect Crypto Services, mobile analytics, push notifications]
Improving application development
• Recognition that an app isn’t just the source code: libraries etc.
• DevOps encourages ownership by the dev team
• Test, lift, drop, deploy
• Containers as lightweight alternative to VMs
Orchestrate your containers
• Kubernetes
• HA
• Load balancing
• Master, worker nodes
[Diagram: one master node and two worker nodes]
Demo
ibm.com/cloud/hyper-protect-services
Summary
Creating an app, want encryption to tick the compliance boxes?
• Security without code change
• Cloud-hosted Kubernetes, DBaaS, and crypto services
• Starter kits
• Trial offerings
[email protected]
@chrispoole