1

Dr Chris PooleIBM Master InventorHyper Protect Containers

@chrispoole

Ensuring Your Customers' Data Privacy with Applications Secured on IBM Z

Pleasenote

• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice and at IBM’s sole discretion.

• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.

• The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

• Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

3

“Within one Kubernetes pod, access credentials were exposed to Tesla's AWS environment which contained an Amazon S3 bucket that had sensitive data such as telemetry.

https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/

4https://www.engadget.com/2018/09/18/us-government-payment-site-leaks-14-million-customer-records-GovPayNow/?platform=hootsuite&guccounter=1

5

73%Allow root access

2%Corporate data encrypted

58%Threats from insiders

https://www-01.ibm.com/marketing/iwm/dre/signup?source=urx-17425&S_PKG=ov59678&https://www.techrepublic.com/article/tesla-public-cloud-environment-hacked-attackers-accessed-non-public-company-data/

https://healthitsecurity.com/news/58-of-healthcare-phi-data-breaches-caused-by-insiders

6

“Move to the cloud”?

7

“Move to the cloud”?

7

Apps with SPI?

• Rewrite yourselves– Encrypt the data… all of it? Metadata?

• Security consultancy• IBM Cloud Hyper Protect Services• ibm.com/cloud/hyper-protect-services

Toolinge.g., Docker Config Discovery Routing Observability

Databases

Operational

Development

Policy

{All stateless ideally

Understand what’s happening

Other services need to be able to

find each other

To build

Need to configure as it’s going out

Message sending requires routing

Store here only

Container scheduling

Language: PL/I, COBOL, Java, etc.

Architectural & security compliance

10

SPI MicroserviceSPI Microservice

Data layer

Frontend Frontend

Backend Backend

Microservice

Frontend

Backend

Cloud computing

• Abstract away the infrastructure• Who do you trust?

Attack vectors

• Insider threat: sysprogs• Remote access• Privilege escalation

Existing cloud

LinuxDocker

Worker 1 Worker 2

(Virtual) server

Existing cloud

LinuxDocker

Worker 1 Worker 2

(Virtual) server

EAL5+

PR/SM

SSC LPAR SSC LPAR

Secure Service Container

Worker 1

VM

Worker 2

Isol

atio

n

VM

Hyper Protect cloud

Integrated HSM

On-chip cryptography

On-chip cryptographic accelerator

Crypto Express HSM –Tamper resistant Secure Key –FIPS 140-2 Level 4–Keys never leave the HSM

Secure Service ContainersEAL5+

PR/SM

SSC LPAR SSC LPAR

Secure Service Container

Worker 1

VM

Worker 2

Isol

atio

n

VM

• No system admin access• Data at rest, transport protection• Once the appliance image is built,

OS access (ssh) is not possible• Memory access disabled• Encrypted disk• Debug data (dumps) encrypted• Signed docker images• Secure boot

IBM Cloud Hyper Protect Services

Think 2018 / 8249.PPTX / March 2018 / © 2018 IBM Corporation 17

IBM-hosted services:

IBM Cloud Hyper Protect Crypto Services

IBM Cloud Hyper Protect DBaaS

IBM Cloud Hyper Protect Containers

IBM Cloud Hyper Protect Crypto Services

Think 2018 / 8249.PPTX / March 2018 / © 2018 IBM Corporation 18

Provides state of the art security and cryptographic capabilities in IBM Cloud.

• 4X faster than other cloud encryption appliances• PKCS#11 API interfaces

• Generate symmetric key and asymmetric key pairs• Digitally sign and verify documents• Provide digital fingerprints (digest/hash)• Random number generation

• Seamless integration with IBM Key Protect for securely storing root and data encryption keys in a dedicated key store protected with FIPS 140-2 Level 4 compliant hardware

Secure:• Tamper protection during installation and run time• Customer data and keys are shielded from sysadmins

Secure Service Container

Providing Hyper Protect Crypto Services

19

Isolated Container Runtime Environment

IBM Z/LinuxONE platform

HSM Card (Crypto Express)Domain 00 Domain 84

Acme Soda

Hyper Protect Crypto Services

Dedicated KeyStore

Soda App

Acme Pop

Hyper Protect Crypto Services

Dedicated KeyStore

Pop App

Acme Cola

Hyper ProtectCrypto Services

Dedicated KeyStore

Cola AppApplications connect with PKCS11 via OpenSSL

Dedicated KeyStore per Customer

Secure enclaves ensure keys are never leaked

FIPS 140-2 Level 4 compliant HSM for highest physical protection of secrets

HSM Card (Crypto Express)Domain 00 Domain 84

Simplify Protecting Data-in-Transit for Cloud Native Apps

20

Secure sensitive transactions ensuring security of data while in-transit

Secure handling of SSL/TLS keys and certificates

• Customers can terminate secure connection (TLS) for their apps, at container front door

• Secure all communications between micro services inside a container cluster that could be enabled through policies

• SSL keys are offloaded to Hyper Protect Crypto Services to ensure security and protection of those sensitive keys

• Certificate lifecycle management getting common approach to managing certs, and visibility to cert expiration

A'

B

B’

SSL offloading A

Hyper Secure Crypto Services

Certificate Management

IBM Cloud Hyper Protect DBaaS

Think 2018 / 8249.PPTX / March 2018 / © 2018 IBM Corporation 21

Hyper Protect Database as a Service implements structured and unstructured data stores that are secure and private.

MongoDB EE:• Up to 8TB on IBM z13; up to 16TB with IBM z14• 2–4x more throughput compared to AWS–EC2

PostgreSQL

Secure:• Tamper protection during installation and run time• Customer data shielded from sysadmins• Encryption, access control, audit

Demo

Starter Kits?

Starter Kits?print(”hello world”)

Starter Kits?

Starter Kits

BackendStarter Kit

MBaaSStarter Kit

Hyper Protect DBaaS

Kitura

Swift iOS app

Hyper Protect Crypto

Services

Mobile analytics

Push notifications

Client Cloud

Improving application development• Recognition that an app isn’t just the source code:

libraries etc.• DevOps encourages ownership by the dev team• Test, lift, drop, deploy• Containers as lightweight alternative to VMs

Orchestrate your containers• Kubernetes• HA• Load balancing• Master, worker nodes

Master

Worker

Worker

Demo

40

ibm.com/cloud/hyper-protect-services

41

Summary

Creating an app, want encryption to tick the compliance boxes?

• Security without code change• Cloud-hosted Kubernetes, DBaaS, and crypto services

• Starter kits• Trial offerings

chrispoole@uk.ibm.com@chrispoole