Introduction to security on IBM LinuxONE
This chapter provides an introduction to security on IBM LinuxONE. Also described are the specifics of IBM z/Architecture® Virtual Machine (IBM z/VM) security, and the benefits of the use of an external security manager (ESM); for example, IBM Resource Access Control Facility (RACF®) for z/VM.
z/VM virtual machines are also referred to as guests, user IDs, or service machines.
With IBM LinuxONE Architecture, you have many security features that you can use to secure your applications. However, you do not only set up the features; you also must customize them correctly.
Because operating systems alone cannot provide the necessary security, this chapter also provides a brief overview of hardware security features.
 
Note: If you must comply with the requirements of the Common Criteria Operating System Protection Profile (OSPP), you must install RACF and the Single System Image (SSI) feature because evaluation for z/VM was done only with these features enabled. For more information, see z/VM Secure Configuration Guide, SC24-6323.
This chapter includes the following topics:
2.1 Why security matters
Security is essential in many ways. This axiom is true for physical security, but because electronic services are more prevalent, it is evident that companies must secure and protect these services, too.
Every company that handles customer information or offers services through internet platforms must make sure that processed data is secured against all threats.
All precautions to prevent data leakage and to assure system and data integrity must be taken. It is no longer sufficient to state that data processing is secure today. You also must offer proof to auditors and comply with regulations to establish trust in your services.
Most important, you must prevent a loss of revenue and reputation because of security exposures.
Therefore, it is a preferred practice to establish the strongest security mechanisms at all levels of data processing, including the physical security of the machine rooms at your data center (controlling access to the facilities) and implementing appropriate access levels to applications, programs, data, archives, and so on. The principle of least privilege should be met at all levels.
This chapter provides guidelines about how to meet security demands in a cloud environment that is provided by z/VM and Linux on IBM LinuxONE.
2.2 Hardware security features overview
The hardware security features provide a fundamental part of the security definitions of software techniques and solutions. The available operating systems for IBM LinuxONE, z/VM, and Linux on IBM LinuxONE each use these hardware features to some degree.
Understanding IBM LinuxONE hardware and architecture is key to understanding how operating systems and applications maintain data, process, and application integrity.
Security features on the mainframe are integrated into the hardware. The following hardware security features are available:
With pervasive encryption, it is possible to encrypt all the data that is associated with an application or a database at once. The LinuxONE platform includes dedicated hardware: the on-chip encryption co-processor that sits on every compute chip next to the main processor and can encrypt up to 13 GB of data per second per core.
With the Hardware Management Console (HMC), logical partitions (LPARs) can be defined and isolated from each other. Also, all of the resources that are needed to run the operating systems are defined through LPAR profiles by the HMC. These resources are storage and processors and Direct Access Storage Device (DASD) and tape units.
Crypto-Express Cards can encrypt session traffic and physical data on DASDs and tape. Cryptographic coprocessors are used for better performance. For more information, see 3.5.2, “z/VM Cryptographic definitions” on page 44.
Signed microcode is applied to the hardware to ensure microcode authenticity.
z/VM provides a host of features that isolate virtual machines (VMs) (also called guests) from one another. This isolation is implemented in the z/VM Control Program (CP), which can be considered the kernel of the hypervisor.
Separation of guest workloads is a vital component of system integrity. It provides the foundation of the security context on which the IBM LinuxONE Integrity Statement is based. For more information about the z/VM CP, see z/VM CP Planning and Administration, SC24-6271.
2.3 Pervasive encryption
Data protection and security are business imperatives, and regulatory compliance is increasing in complexity. Extensive use of encryption is one of the best ways to reduce the risks and financial losses of a data breach and meet complex compliance mandates. However, implementing encryption can be a complex process for organizations. They must determine the following factors:
What data should be encrypted?
Where should encryption occur?
Who is responsible for encryption?
Because the data is the new perimeter, encryption policies must cover both data in-flight and data at-rest. However, they should not require costly application changes to achieve this goal. Organizations need a transparent and consumable approach to enable extensive encryption of data in-flight and at-rest to substantially simplify and reduce the costs that are associated with protecting the data at the core of their enterprise and achieving compliance mandates.
With solutions around privileged identity management, sensitive data protection, and integrated security intelligence, IBM LinuxONE security offers the next generation of secure, trusted transactions.
Pervasive encryption is a data-centric approach to information security that entails protecting data that is entering and exiting the IBM LinuxONE platform. It involves encrypting data in-flight and at-rest to meet complex compliance mandates and reduce the risks and financial losses of a data breach. It is a paradigm shift from selective encryption (where only the data that is required to achieve compliance is encrypted) to pervasive encryption.
Pervasive encryption with IBM LinuxONE is enabled through tight platform integration that includes the following features:
Integrated cryptographic hardware: CPACF is a co-processor on every processor unit that accelerates encryption. Crypto-Express features can be used as hardware security modules (HSMs).
Data set and file encryption: You can protect Linux file systems by using policy-controlled encryption that is transparent to applications and databases.
Network encryption: You can protect network data traffic by using standards-based encryption from endpoint to endpoint.
Full disk encryption: You can use disk drive encryption that protects data at rest when disk drives are retired, sent for repair, or repurposed.
Secure Service Container: Secure deployment of software appliances, including tamper protection during installation and run time, restricted administrator access, and encryption of data and code in-flight and at-rest.
Pervasive encryption has the following advantages:
The ability to encrypt data by policy without application change.
A simplified way to protect data at a much coarser scale with industry best performance.
Greatly simplified audit, enabling clients to pass compliance audits more easily.
IBM LinuxONE excels with security features that are built into the hardware, firmware, and operating systems. The built-in features range from storage protection keys and workload isolation to granular audit capabilities, and more. The CPACF, standard on every core, supports pervasive encryption and provides hardware acceleration for encryption operations. In addition, the new Crypto-Express6S gets a performance boost on IBM LinuxONE.
Security in individual layers might be enough to keep the data integrity, confidentiality, and availability at the destination. However, it is important to secure the data while it is in transit during communication.
Some solutions can be implemented at the client side, but the organization cannot rely on client-side only security. Users might forget to update their security software, security operating system updates might unknowingly install malware on their devices that prevents the execution of the security software, or the users might not install the security software.
What the organization can do is make sure the communication between the client and the server is encrypted with a secure cryptographic protocol. New vulnerabilities are often discovered in cryptographic protocols, cipher algorithms, and protocol implementations, so the security team must stay up to date about which protocols and ciphers are safe to use, and about new vulnerabilities that must be mitigated as soon as they are reported.
The encryption of data is expensive and can heavily affect performance, throughput, or CPU load of a system. IBM LinuxONE provides hardware encryption support that can be used to reduce the effect of expensive encryption operations. Because the encryption operations are offloaded to the IBM LinuxONE CPACF processor or to the Crypto-Express6S card, the performance and throughput of your workload is less affected.
2.4 IBM LinuxONE cryptographic hardware features
Servers of the IBM LinuxONE family provide two different types of hardware support for cryptographic operations: CPACF and Crypto-Express (CEX) features.
2.4.1 CP Assist for Cryptographic Function
CP Assist for Cryptographic Function (CPACF) offers a set of symmetric cryptographic functions for high-performance encryption and decryption with clear key operations for SSL/TLS, VPN, and data-storing applications that do not require FIPS 140-2 level 4 security.
CPACF is an optional feature that is integrated with the compression unit in the coprocessor in the IBM LinuxONE microprocessor core. CPACF is available on every Processor Unit that is defined as a CP or IFL.
The CPACF protected key is a function that facilitates the continued privacy of cryptographic key material while keeping the desired high performance. CPACF ensures that key material is not visible to applications or operating systems during encryption operations. A CPACF protected key provides substantial throughput improvements for large-volume data encryption and low latency for encryption of small blocks of data.
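As an added illustration (not code from this Redbook), the following Python snippet shows the check an administrator can run on a Linux guest to confirm that AES is actually being handled by CPACF rather than by the generic software implementation: the msa (message-security assist) facility must appear in the features line of /proc/cpuinfo, and the kernel must prefer the aes-s390 driver in /proc/crypto. The facility and driver names are what the s390 kernel exposes, as assumed here; the file contents embedded in the block are constructed samples, and on a real guest you would read the two /proc files instead.

```python
"""Check whether a Linux guest on IBM LinuxONE is using CPACF for AES.

Added example, not from the Redbook.  Assumptions: the s390 kernel lists
the CPACF facility as 'msa' in /proc/cpuinfo and registers the hardware
AES cipher under the driver name 'aes-s390' in /proc/crypto.
"""
import re

# Constructed sample of /proc/cpuinfo on an s390x guest with CPACF enabled
SAMPLE_CPUINFO = """vendor_id       : IBM/S390
# processors    : 2
features        : esan3 zarch stfle msa ldisp eimm dfp edat etf3eh highgprs te vx vxd vxe gs sie
"""

# Constructed sample of /proc/crypto: the CPACF driver (priority 300) is
# registered ahead of the generic software implementation (priority 100)
SAMPLE_CRYPTO = """name         : aes
driver       : aes-s390
module       : aes_s390
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : cipher

name         : aes
driver       : aes-generic
module       : aes_generic
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : cipher
"""


def cpacf_enabled(cpuinfo_text):
    """True if the 'msa' facility is listed in the features line."""
    m = re.search(r"^features\s*:\s*(.*)$", cpuinfo_text, re.MULTILINE)
    if not m:
        return False
    return "msa" in m.group(1).split()


def parse_proc_crypto(text):
    """Split /proc/crypto into a list of dicts, one per algorithm entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def preferred_driver(text, algorithm):
    """Driver the kernel picks for `algorithm`: the entry with the highest priority."""
    candidates = [e for e in parse_proc_crypto(text) if e.get("name") == algorithm]
    if not candidates:
        return None
    return max(candidates, key=lambda e: int(e.get("priority", "0")))["driver"]


def uses_hardware_aes(cpuinfo_text, crypto_text):
    """Facility present and the hardware driver outranks the generic one."""
    return cpacf_enabled(cpuinfo_text) and preferred_driver(crypto_text, "aes") == "aes-s390"


if __name__ == "__main__":
    # On a real guest, replace the samples with open('/proc/cpuinfo').read()
    # and open('/proc/crypto').read().
    print("CPACF facility present:", cpacf_enabled(SAMPLE_CPUINFO))
    print("Kernel AES driver:", preferred_driver(SAMPLE_CRYPTO, "aes"))
    print("AES offloaded to CPACF:", uses_hardware_aes(SAMPLE_CPUINFO, SAMPLE_CRYPTO))
```

If the facility is missing, CPACF has not been enabled for the LPAR or the guest; if the facility is present but the generic driver wins, the aes_s390 module is not loaded and encryption is still being done in software.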
2.4.2 Crypto-Express6S
The Crypto-Express6S represents the newest generation of the Peripheral Component Interconnect® Express (PCIe) cryptographic coprocessors, an optional feature exclusive to IBM LinuxONE. HSMs provide the high-security cryptographic processing that is required by banking and other industries. This feature provides a secure programming and hardware environment wherein crypto-processes are performed.
Each cryptographic coprocessor includes general-purpose processors, non-volatile storage, and specialized cryptographic electronics, all contained within a tamper-sensing and tamper-responsive enclosure that destroys all keys and sensitive data on any attempt to tamper with the device. The security features of the HSM are designed to meet the requirements of FIPS 140-2, Level 4, the highest security level defined.
The Crypto-Express6S has one PCIe adapter per feature. For availability reasons, a minimum of two features is required. Up to 16 Crypto-Express6S features are supported. The Crypto-Express6S feature occupies one I/O slot in a PCIe I/O drawer.
Each adapter can be configured as a Secure IBM CCA coprocessor, a Secure IBM Enterprise PKCS #11 (EP11) coprocessor, or as an accelerator.
A cryptographic coprocessor is divided into multiple domains, also called AP queues. Each AP queue acts as an independent cryptographic device (HSM) with its own state, including its own master key. Crypto-Express6S provides domain support for up to 85 logical partitions.
Adapter management is done with the Support Element (SE) or the HMC by performing the following actions:
Selection of adapter type (firmware load)
Assignment of adapters and domains to LPARs
 
Note: The Trusted Key Entry (TKE) Workstation feature is required for supporting the administration of the Crypto-Express6S when configured as an Enterprise PKCS #11 coprocessor or managing the new CCA mode PCI-HSM.
For more information about pervasive encryption, see Getting Started with Linux on Z Encryption for Data At-Rest, SG24-8436.
2.5 Benefits of hardware crypto
For the first time, IBM LinuxONE makes it possible for organizations to pervasively encrypt data that is associated with an entire application, cloud service, or database in flight or at rest with one click. The standard practice today is to encrypt small chunks of data at a time, and invest significant labor to select and manage individual fields.
This bulk encryption at cloud scale is made possible by a massive 7x increase in cryptographic performance over the previous IBM LinuxONE generation. This increase is driven by a 4x increase in silicon that is dedicated to cryptographic algorithms. This rate is 18x faster compared to x86 systems (that today focus on only limited slices of data) and at just five percent of the cost of comparable x86-based solutions.
A top concern for organizations is protection of encryption keys. In large organizations, hackers often target encryption keys, which are routinely exposed in memory as they are used. IBM LinuxONE can protect millions of keys (and the process of accessing, generating, and recycling them) in “tamper responding” hardware that causes keys to be invalidated at any sign of intrusion. The keys can then be restored in safety.
The IBM LinuxONE key management system is designed to meet Federal Information Processing Standards (FIPS) Level 4 standards, whereas the norm for high security in the industry is Level 2. This IBM LinuxONE capability can be extended beyond the CEC to other devices, such as storage systems and servers in the cloud. In addition, IBM Secure Service Container protects against insider threats from contractors and privileged users, provides automatic encryption of data and code in-flight and at-rest, and tamper-resistance during installation and run time.
2.6 Using RACF to secure your cloud infrastructure
If you are running applications that must meet mandatory regulations, such as the rules of the Payment Card Industry Data Security Standard (PCI DSS), you must satisfy several controls and provide evidence for them to pass auditor checks. You can meet this requirement by setting the auditing controls according to your installation’s needs, as described in 5.4, “Auditing” on page 130.
In addition to the operating system built-in security mechanisms, such as isolation of virtual storage by the z/VM CP, Resource Access Control Facility (RACF) provides ways to better control access to resources in your system. However, meeting the regulatory needs is not done by setting up only the RACF databases and defining profiles to protect resources. Your entire organization should implement a security policy and set up the RACF definitions according to a defined policy.
Implementing security processes is an ongoing effort in your company and needs the full support of all managers of your organization. It requires much organizational work, with documentation processes and reviews that are deeply integrated in your company’s structure, and therefore a reasonable amount of work for the security administration staff and many departments of the organization.
With RACF installed, you can perform the following tasks:
Track who uses privileged accounts, such as MAINT and MAINT710.
Prevent technical support user IDs and VM guests from being revoked by the password revocation policy. To do so, define these IDs as protected user IDs. Combined with a logon-by policy that is enforced through the RACF SURROGAT class, you still get full information about who used the VM.
Provide logging mechanisms (SMF records) to show the following information:
 – Who accessed what resources.
 – Which access violations occurred.
Meet Segregation of Duties needs by separating defined Security Administrators from System Programmer staff.
Principles of RACF operations
RACF provides the tools to manage user access to critical resources. RACF is an add-on software product that provides basic security for a mainframe system (examples of other security software packages include ACF2 and Top Secret, both from Computer Associates).
RACF protects resources by granting access only to authorized users of the protected resources. RACF retains information about users, resources, and access authorities in special structures that are called profiles in its database, and it refers to these profiles when deciding which users should be permitted access to protected system resources.
Modern z/VM security requires an ESM, such as the RACF for z/VM feature. This security server functions as a Policy Decision Point and Policy Enforcement Point for all security-relevant events in your virtual infrastructure (and by extension, your cloud). RACF for z/VM can be configured to handle resource authorization, privileged command access, and logon controls.
RACF provides services for authentication and authorization to resources.
To have the services of z/VM RACF available, a RACF database must be set up, and a user ID in which the RACF binary files are available must be started. In z/VM RACF, this VM is RACFVM.
 
Note: If RACF is installed, users’ passwords are never stored in clear text in the system; instead, they are stored in encrypted form in the RACF database. For more information about encryption algorithms, see “Password encryption algorithm” on page 74.
Also, the passwords in the USER directory are no longer in effect.
With z/VM 7.1, password encryption support for KDFAES is available. Using this algorithm provides better protection against brute-force attacks if an offline copy of the RACF database becomes exposed.
The RACF database is used to store all information about users, groups, and resources. Access to resources is controlled through entries in the following lists:
Standard access control lists of the resource profiles
Conditional access control lists of resource profiles (resource access is allowed only through a certain program)
 
Note: The preferred practice of RACF administrators is to give access rights to groups rather than users.
For more information about how to get started with RACF and how to adapt RACF definitions to your business demands for a security structure, see Chapter 4, “IBM Resource Access Control Facility Security Server for IBM z/VM”, and z/VM RACF Security Server Security Administrator’s Guide, SC24-6311.
2.6.1 Principle of best matching profile
RACF uses the principle of best matching profiles to decide whether access is granted, based on the access rights that are stored in the RACF database.
The most specific profile whose name covers the resource name is the one that is used for the access check. The access level that is stored in that profile’s access list must be at least as high as the requested access (the access intent). For more information about this principle, see z/VM RACF Security Server Security Administrator’s Guide, SC24-6311.
If you run z/VM in an SSI cluster environment, RACFVM is an identity service machine, which means it runs on every z/VM image in the cluster. To provide this service, a RACF database is needed and shared among the SSI members. The RACF database and its backup are on two distinct DASD volumes, each of which is shared in an SSI cluster. For more information about RACF databases, see 2.7, “RACF DB organization and structure” on page 22.
2.7 RACF DB organization and structure
This section describes the RACF database, how it is defined to the system, and its internal organization.
2.7.1 Database definition to the system
The RACF database is referenced by the database name table (ICHRDSNT) in the system. You can set up the RACF database by running the RACDSF, RACALLOC, and RACINITD RACF commands. For more information about these commands, see Chapter 4, “Operating Considerations unique to z/VM”, in RACF Security Server System Programmer’s Guide SC24-6312.
 
Note: Allocation and DASD sharing options depend on the type of z/VM installation you use. Set up RACF database sharing correctly according to your system’s installation, or RACF database corruption might occur. In an SSI environment, the RACF database must be shared among all members of the cluster.
More changes to the definition of RACF database devices apply if you run an IBM Geographically Dispersed Parallel Sysplex™ (IBM GDPS®) controlled system.
The number of physical extents of the RACF database is 1 by default. It is controlled through the RACF database range table (ICHRRNG), which is a load module. This table is in RACFLPA LOADLIB on the RACFVM 305 minidisk.
For more information about the RACF database range table, see Chapter 3, “RACF Customization”, in RACF Security Server System Programmer’s Guide, SC24-6312.
2.7.2 Internal organization of RACF database specifying class options
RACF can protect the following types of resources:
Users
Groups
General resources
Classes of general resources are defined in the class descriptor table (CDT). Each general resource class is defined by a unique entry in the CDT.
The CDT describes the structure of profiles for the general resource classes. If you do not comply with the settings in the CDT for the general resource class, one of the following conditions might apply:
You cannot define the profile.
RACF cannot determine the matching profile for the access check, which leaves resources unprotected by RACF in the system.
For example, we define a VMLAN profile for a VSWITCH by using the command that is shown in Example 2-1.
Example 2-1 RACF VMLAN definition
RAC RDEF VMLAN SYSTEM.VSWITCH1.010 UACC(NONE) OW(SYS1)
Because the CDT entry for VMLAN defines the last qualifier as a four-digit value, RACF issues the message that is shown in Example 2-2.
Example 2-2 RACF error message
IKJ56702I INVALID ENTITY, SYSTEM.VSWITCH.010
To correct this error, ensure that you define the profile as SYSTEM.VSWITCH1.0010.
Also, the CDT is used to determine whether a RACF class can be RACLISTed or GENLISTed by running the SETROPTS command. RACLIST is a performance option: the profiles of the class are kept in storage, so no I/O operation occurs on the RACF database when these profiles are checked. However, changes to the profiles require an in-storage refresh of the RACLISTed profiles, which is done by running the SETROPTS REFRESH command.
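To make the best-matching-profile decision of 2.6.1 concrete, and to show the four-digit VLAN qualifier that Example 2-1 tripped over, here is an added Python model. It is not RACF code and is not from this Redbook: the profile names, user IDs and group names are constructed, the ranking rule (a discrete profile first, then the generic profile with the most literal characters) is a simplification of RACF’s left-to-right rules, `**` generics are not modeled, and the 8-character limit on the switch name is this example’s assumption.

```python
"""RACF-style best-matching-profile access check.

Added illustration, not RACF code: a small model of the decision that
2.6.1 describes and of the VMLAN profile naming rule from 2.7.2.
Assumptions of this example: the ranking (discrete profile first, then
the generic profile with the most literal characters) simplifies RACF's
left-to-right rules, and '**' generics are not modeled.
"""
import fnmatch
import re

# RACF access levels in ascending order; a permitted level satisfies any lower request.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


def level(name):
    return LEVELS.index(name)


class Profile:
    """One resource profile: name (may contain * or %), UACC, and access list."""

    def __init__(self, name, uacc="NONE", acl=None):
        self.name = name
        self.uacc = uacc
        self.acl = acl or {}  # {user or group: access level}

    def is_generic(self):
        return "*" in self.name or "%" in self.name

    def matches(self, resource):
        # Match qualifier by qualifier so '*' stays inside one qualifier;
        # RACF '%' matches a single character, which is '?' for fnmatch.
        pq, rq = self.name.split("."), resource.split(".")
        if len(pq) != len(rq):
            return False
        return all(fnmatch.fnmatchcase(r, p.replace("%", "?")) for p, r in zip(pq, rq))

    def specificity(self):
        # More literal characters means a more specific generic (simplified ranking).
        return sum(ch not in "*%" for ch in self.name)


def best_matching_profile(profiles, resource):
    """A discrete profile covering the resource wins; otherwise the most specific generic."""
    matching = [p for p in profiles if p.matches(resource)]
    if not matching:
        return None
    discrete = [p for p in matching if not p.is_generic()]
    if discrete:
        return discrete[0]
    return max(matching, key=Profile.specificity)


def permitted_level(profile, user, groups):
    """Explicit user entry first, then the highest of the user's group entries, then UACC."""
    if user in profile.acl:
        return profile.acl[user]
    group_levels = [profile.acl[g] for g in groups if g in profile.acl]
    if group_levels:
        return max(group_levels, key=level)
    return profile.uacc


def check_access(profiles, resource, user, groups, intent):
    """True only if the best matching profile grants at least `intent`."""
    profile = best_matching_profile(profiles, resource)
    if profile is None:
        return False  # no covering profile: the resource is not protected by RACF
    return level(permitted_level(profile, user, groups)) >= level(intent)


# VMLAN profile names are SYSTEM.switchname.vvvv with a four-digit VLAN qualifier
# (the 8-character switch name limit is this example's assumption).
VMLAN_NAME = re.compile(r"^SYSTEM\.[A-Z0-9]{1,8}\.\d{4}$")


def vmlan_profile_name(switch, vlan_id):
    """Build the profile name, zero-padding the VLAN ID to the four digits the CDT expects."""
    name = "SYSTEM.%s.%04d" % (switch.upper(), vlan_id)
    if not VMLAN_NAME.match(name):
        raise ValueError("INVALID ENTITY, " + name)
    return name


# Constructed sample profiles; access is given to groups, as the Note recommends.
PROFILES = [
    Profile("SYSTEM.VSWITCH1.0010", acl={"LNXADM": "UPDATE", "LNXUSER": "READ"}),
    Profile("SYSTEM.VSWITCH1.*", acl={"LNXADM": "READ"}),
    Profile("SYSTEM.*.*"),
]

if __name__ == "__main__":
    print(vmlan_profile_name("vswitch1", 10))
    print(best_matching_profile(PROFILES, "SYSTEM.VSWITCH1.0010").name)
    print(check_access(PROFILES, "SYSTEM.VSWITCH1.0010", "LNX01", ["LNXUSER"], "READ"))
```

The important behaviour to notice is the last branch of check_access: when no profile covers the resource at all, the model returns False only for illustration; in a real system the CDT mismatch described above means RACF finds no profile, and whether the resource is then accessible depends on the class and SETROPTS settings, which is exactly why a mis-named profile can leave a resource unprotected.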
In addition, the following CDT entry types are available:
ICHRRCDX is the name for the IBM-supplied class entries.
ICHRRCDE is the name for installation-defined class entries.
 
Note: Do not delete or modify any of the class entries in the IBM-supplied load module ICHRRCDX.
For more information about IBM-supplied class entries, see Appendix B, “Description of the RACF classes”, in RACF Security Server System Programmer’s Guide, SC24-6312.
 