Secure Hybrid Cloud on Z Dave Hay [email protected] IBM Cloud Hyper Protect Services 6 November 2019 Session PH

Secure Hybrid Cloud on Z - conferences.gse.org.uk · Before we begin … Docker ™ From VMs …. To containers … Virtual appliance platform Based upon hypervisor Hardware abstraction


Page 1

Secure Hybrid Cloud on Z

Dave Hay, [email protected], IBM Cloud Hyper Protect Services

6 November 2019

Session PH

Page 2

Agenda

• The Challenge

• Hyper Protect – Base Technology

• Hyper Protect Services Overview

• Hyper Protect in a Private Cloud

Page 3

IBM Cloud Hyper Protect Services | © 2019 IBM Corporation

trust (transitive verb) \ ˈtrəst \
1a: to rely on the truthfulness or accuracy of
 b: to place confidence in
 c: to hope or expect confidently
2a: to commit or place in one's care or keeping
 b: to permit to stay or go or to do something without fear or misgiving

https://www.merriam-webster.com/dictionary/trust

In whom or what do you trust? What is most important to you?

Page 4

Diagram: actors inside Your Enterprise and at a Third Party: Mr. Malicious, IBM Cloud SRE, Application Admin, Government Agent, Network Admin, Application User, Database Admin, Developer, Hardware Vendor, Software Vendor, Storage Admin.


Page 5

(Same actor diagram as Page 4.)

Page 6

73% … of organizations allow the root user account to be used to perform activities, which goes against security best practices. -- RedLock, 2018

83% of vulnerable hosts in the cloud are receiving suspicious traffic.

58% … of Healthcare PHI Data Breaches Caused by Insiders

Verizon found that healthcare PHI data breaches are most likely due to insider threats, with healthcare the only industry where internal actors are the greatest threat.

16% … of organizations have user accounts that have potentially been compromised, the report stated.

8% of organizations have been impacted by cryptocurrency mining

https://www.techrepublic.com/article/tesla-public-cloud-environment-hacked-attackers-accessed-non-public-company-data/
https://healthitsecurity.com/news/58-of-healthcare-phi-data-breaches-caused-by-insiders

Page 7

Secure Service Containers

Diagram: PR/SM (EAL5+) hosting SSC LPARs; each Secure Service Container runs its workloads (Container 1, Container 2, VMs) with isolation between them.

• No system admin access
• Data at rest, transport protection
• Once the appliance image is built, OS access (ssh) is not possible
• Memory access disabled
• Encrypted disk
• Debug data (dumps) encrypted
• Signed Docker images
• Secure boot

Page 8

https://www.threatstack.com/blog/73-of-companies-have-critical-aws-security-misconfigurations

Inside datacenter physical attack

IBM Cloud Hyper Protect services are based on LinuxONE secure enclave technology.

• Firmware sets no memory (dump) access

• Encryption keys stored only in a FIPS 140-2 Level 4 compliant HSM, the only such HSM in the public cloud.

Remote attack (shell access)

73% of AWS users analyzed leave SSH wide open to the internet, allowing potential compromise. Console access is also common.

Secure enclave technology has:

• No SSH, console or shell access of any kind to the host layer.

Privilege escalation

Kubernetes workers and containers on shared hosts allow potential exploits between tenants (B2B) or, when the hosts are wholly owned by one organisation, between departments.

IBM Cloud Hyper Protect:

• Uses runq, not runc, to isolate each worker in an SSC secure enclave

• SSC LPARs have EAL5+ isolation.

Page 9

IBM Cloud Hyper Protect Services
Industry-leading security for Cloud data, digital assets and workloads

• Hyper Protect Crypto Services (GA): Keep your own keys for cloud data encryption protected by a dedicated cloud HSM*

• Hyper Protect DBaaS (GA): Complete data confidentiality for your sensitive data (PostgreSQL, MongoDB EE)

• IBM Cloud Hyper Protect Virtual Servers (Beta): Instantiate Linux VMs with own public ssh key to maintain exclusive access to code and data (Ubuntu)

• IBM Hyper Protect Virtual Servers (Tech Preview): Build and instantiate your own Linux VM based applications with integrity and established provenance on your own LinuxONE (Ubuntu)

* Industry's only FIPS 140-2 level 4 certified HSM

Built on LinuxONE secure enclaves

Page 10

IBM Hyper Protect Regions 2019 (1H2019): Dallas MZR, Frankfurt MZR, Sydney MZR

https://www.ibm.com/cloud/hyper-protect-services

Page 11

• IBM Hyper Protect Crypto Services

• Dedicated key management and cloud HSM service

• Keep your own keys for cloud data encryption in a dedicated cloud HSM

  – IBM Cloud admins do not ever have access to customer keys
  – Key Lifecycle Management and support for Keep Your Own Key (KYOK) for cloud data encryption, with keys protected by customer controlled, dedicated cloud HSMs
  – Integrates using Key Protect APIs to secure IBM Cloud data and storage services
  – Provides industry's first and only FIPS 140-2 Level 4 certified HSMs in the public cloud market today
  – First cloud provider to provide dedicated (cloud) CLI for HSM Key Ceremony, supporting multiple personnel with crypto key responsibilities
  – Supports industry standards – PKCS #11

• Customer Benefits:

  – Full control of the entire key hierarchy including the HSM Master Key
  – Industry-leading security for Cloud data and digital assets
  – Reduced data compromise risk due to in-built protection against privileged access threats
  – Regulatory compliance through data encryption and controls on privileged access

BYOK: Bring Your Own Key
KYOK: Keep Your Own Key
HSM: Hardware Security Module
PKCS: Public Key Cryptography Standards

Page 12

• IBM Hyper Protect DBaaS

• Provision and manage highly secure, high volume databases* for your sensitive data

• * PostgreSQL and MongoDB EE

  – IBM cloud admins cannot ever access customer data
  – Industry-leading data confidentiality through built-in workload isolation, restricted administrator access, tamper protection against internal threats
  – High availability and reliability for mission critical applications
  – Supports industry compliance and certifications - GDPR *
  – Provides standard APIs to provision, manage, maintain and monitor multiple database types
  – Integrates with IBM Cloud services for access management, logging and monitoring

• Customer Benefits:

  – Data owner maintains complete control over data
  – Application developers can easily provision secure data stores for sensitive data without specialized skills

Page 13

• IBM Cloud Hyper Protect Virtual Servers - Beta

• Instantiate Linux VMs with own public SSH key to maintain exclusive access to code and data

• Ubuntu based VM

  – IBM Cloud admins cannot ever access customer VMs
  – Select and deploy a dedicated Linux VM in a Secure Service Container
  – Secure customized data and code vaults that can only be accessed via APIs
  – Access to all software available in Docker hub for S390X, and run it as a dedicated VM
  – https://www.ibm.com/cloud/blog/announcements/announcing-ibm-cloud-hyper-protect-virtual-servers-beta

• Customer Benefits:

  – An easy-to-use UI to spin up new virtual server instances and to maintain and monitor the instances
  – No changes to application code
  – Support for industry certifications and client regulatory compliance activities

Page 14

IBM Hyper Protect Virtual Servers – Tech Preview

Page 15

Before we begin … Docker ™

From VMs ….

• Virtual appliance platform
• Based upon hypervisor
• Hardware abstraction
• VM includes full OS
• Windows on macOS, Linux on Windows, macOS on macOS
• Images start big
• Images grow like Topsy

To containers …

• Share host OS kernel
• Process isolation
• Each container is its own process
• Typically Unix-based
• Images typically much smaller than VMs
• Vastly enables app portability
• Linux on Linux, Linux on macOS
• Windows (on Windows) containers now available

Docker Docs - Get Started, Part 1: Orientation and setup

Page 16

As-Is: Run a Virtual Server as a Container

Diagram: roles Application Developer, Application Builder, Application Manager and Infrastructure Manager (Manage Virtualisation and Data Storage) across the pipeline Code → Build/Test → Package (App) → Registry (App) → Deploy → Store / App Servers, with Application Secrets, Data and Virtualisation as shared concerns. Controls shown: Static Code Scanning, Image Vulnerability Scanning.

Page 17

As-Is: Run a Virtual Server as a Container

Diagram: the same pipeline as Page 16 (Application Developer, Application Builder, Application Manager, Infrastructure Manager; Code → Build/Test → Package → Registry → Deploy → Store / App Servers; Application Secrets, Data, Virtualisation; Static Code Scanning, Image Vulnerability Scanning), annotated with the questions each role raises:

• Direct memory access?
• Data access?
• Where did this come from?
• Need to see all secrets?
• Is this code safe?
• Did they build what they were supposed to?

Page 18

IBM Hyper Protect Virtual Servers - Personas

Application Developer
• Role: Develops the application source code and tests it out
• Key Threat: Could deliberately or accidentally introduce vulnerabilities into the source

Application Builder
• Role: Builds the application source written by the application developer, probably using a CI/CD pipeline.
• Key Threat: Could build alternative source code to what they are supposed to, introducing vulnerabilities

Application Manager
• Role: A trusted role that deploys applications into the production environment
• Key Threat: Deployments require vendor and user secrets to access images and data; with those secrets they are in a position to misuse them.

Infrastructure Manager
• Role: A trusted role that manages the infrastructure that the client's application runs on
• Key Threat: Could misuse infrastructure access to gain access to secrets and data

Page 19

Use Case: Restrict infrastructure manager's access to application data

Diagram: Public and Private Cloud Services; Hosting Appliance; Infrastructure Manager (Manage Servers and Data Storage); Application Developer, Application Builder, Application Manager across Code → Build/Test → Package → Registry → Deploy → Store / App Servers with Application Secrets; Local Data and Remote Data/Service reached over REST. Keys used to encrypt and decrypt local data are held by the application, not the infrastructure manager. Controls shown: Static Code Scanning, Image Vulnerability Scanning.

Page 20

Use Case: Restrict Application Manager's access to builder/vendor secrets

Diagram: the Page 19 pipeline (Public and Private Cloud Services; Hosting Appliance; Infrastructure Manager; Application Developer, Application Builder, Application Manager; Code → Build/Test → Package → Registry → Deploy → Store / App Servers; Local Data and Remote Data/Service over REST; Static Code Scanning, Image Vulnerability Scanning) with a Registration File added:

• The Application Builder produces a Registration File containing the Builder Application Secrets and the Image location, then Signs and Encrypts it using the Registration File signing private key and the Hosting Appliance Registration File Public Key.
• The Application Manager deploys the Registration File together with the User's Application Secrets.
• The Hosting Appliance holds the Hosting Appliance Registration File Private Key and the Registration File signing public key.

Page 21

Use Case: Ensure Integrity of Images

Diagram: the Page 20 pipeline (Public and Private Cloud Services; Hosting Appliance; Infrastructure Manager; Application Developer, Application Builder, Application Manager; Code Repository → Build/Test → Registry → Deploy → Store / App Servers; Registration File with Builder Application Secrets and Image location; User's Application Secrets; Local Data and Remote Data/Service over REST; Static Code Scanning, Image Vulnerability Scanning) with a Secure Build added:

• The Application Builder drives a Secure Build from the Code Repository over REST.
• The Secure Build signs the image with the DCT private key; the DCT public key is used to validate image integrity.

Page 22

Use Case: Determine the provenance of Images

Diagram: the Page 21 pipeline (Public and Private Cloud Services; Hosting Appliance; Infrastructure Manager; Application Developer, Application Builder, Application Manager; Code Repository → Build/Test (Secure Build) → Registry → Deploy → Store / App Servers; Registration File with Builder Application Secrets and Image location; User's Application Secrets; Local Data and Remote Data/Service over REST; Static Code Scanning, Image Vulnerability Scanning) with a Manifest added:

• The Secure Build produces a Manifest recording the Code and the Image location, signed with the Manifest signing private key.
• The Manifest signing public key is used to Audit the Image before Approval to use by the Application Manager.

Page 23

Key Summary

Key: Generic keys
Usage: Represent keys that are used to access locally stored data encrypted at rest
Actors with access: None
Where key is located: Application runtime infrastructure

Key: Hosting Appliance Registration File Public Key
Usage: Encrypting JSON format registration files
Actors with access: All
Where key is located: In IBM HPVS CLI tool

Key: Hosting Appliance Registration File Private Key
Usage: Decrypting JSON format registration files
Actors with access: None
Where key is located: Internally within the Hosting Appliance

Key: Registration File signing public key
Usage: Validation of updates to a JSON format registration file by the Hosting Appliance
Actors with access: Application Builder
Where key is located: JSON format registration file

Key: Registration File signing private key
Usage: Signing a JSON format registration file before encryption
Actors with access: Application Builder at a minimum
Where key is located: Location managed by application builder or application builder's org

Key: Manifest signing public key
Usage: Validating the signature of a build manifest file
Actors with access: Application Builder
Where key is located: In the secure build and where needed to validate manifest signature

Key: Manifest signing private key
Usage: Signing a build manifest file
Actors with access: None
Where key is located: Internally

Key: Docker Content Trust (DCT) public key
Usage: Validating image integrity
Actors with access: Anyone with access to the Docker notary
Where key is located: Secure build and Docker notary

Key: DCT private key
Usage: Signing an image
Actors with access: None
Where key is located: Secure build only
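The registration-file flow of Page 20 and the key summary above, carried through as an added Go example (not IBM's code and not the HPVS CLI's real file format): the Application Builder signs the registration file with its registration-file signing private key and encrypts it to the Hosting Appliance's registration-file public key, so the Application Manager can deploy it without reading the builder's secrets; the appliance decrypts with its own private key, pins the signing public key carried in the first registration file, and rejects any later update not signed with that pinned key. The JSON field names, the Ed25519 / RSA-OAEP / AES-GCM choices and the sample values are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// RegFile carries what the slides put in a registration file; the JSON field names are assumptions.
type RegFile struct {
	ImageLocation  string            `json:"image_location"`
	BuilderSecrets map[string]string `json:"builder_secrets"`
	SigningPubKey  []byte            `json:"signing_public_key"` // builder's registration-file signing public key
}
type signedReg struct {
	Reg RegFile `json:"regfile"`
	Sig []byte  `json:"signature"` // Ed25519 over the canonical JSON of Reg
}
// Envelope is what the Application Manager deploys; without the appliance private key it is opaque.
type Envelope struct {
	WrappedKey        []byte // AES-256 key, RSA-OAEP wrapped to the hosting appliance registration-file public key
	Nonce, Ciphertext []byte // AES-GCM over JSON(signedReg)
}

// SignAndEncrypt is the builder's "Sign and Encrypt" step: sign with the registration-file signing private key, then encrypt to the appliance.
func SignAndEncrypt(reg RegFile, builderPriv ed25519.PrivateKey, appliancePub *rsa.PublicKey) (Envelope, error) {
	body, _ := json.Marshal(reg) // json.Marshal sorts map keys, so the signed bytes are canonical
	plain, _ := json.Marshal(signedReg{Reg: reg, Sig: ed25519.Sign(builderPriv, body)})
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key)
	rand.Read(nonce)
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, appliancePub, key, nil)
	if err != nil { return Envelope{}, err }
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}, nil
}

// Appliance keeps the registration-file private key internally and pins the builder signing key from the first accepted file; updates must use that key.
type Appliance struct {
	Priv   *rsa.PrivateKey
	pinned ed25519.PublicKey
}
// Accept unwraps, decrypts, checks the signer against the pinned key and verifies the signature.
func (a *Appliance) Accept(env Envelope) (RegFile, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, a.Priv, env.WrappedKey, nil)
	if err != nil { return RegFile{}, errors.New("key unwrap failed: not encrypted to this appliance") }
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil { return RegFile{}, errors.New("registration file tampered or wrong appliance key") }
	var sr signedReg
	if err := json.Unmarshal(plain, &sr); err != nil { return RegFile{}, err }
	pub := ed25519.PublicKey(sr.Reg.SigningPubKey)
	if a.pinned != nil && !a.pinned.Equal(pub) { return RegFile{}, errors.New("update not signed by the registered builder key") }
	body, _ := json.Marshal(sr.Reg)
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, body, sr.Sig) { return RegFile{}, errors.New("bad signature") }
	a.pinned = pub
	return sr.Reg, nil
}
```

The first registration file establishes which builder key the appliance trusts, so its delivery path is where the trust decision is actually made.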

Page 24

Tech Preview - Support to build your own image

• Which Docker FROM?
  – Choose from 2 images based upon the IBM Cloud Hyper Protect Virtual Servers image
    1. With SSH access
    2. With NO SSH access
• The supplied images use quotagroups within the SSC for data
• CLI
  – Build image using a secure build
  – Create registration file to describe the application image
  – Deploy your virtual server image(s)
  – Managing your virtual servers

Page 25

From GitHub to Docker Hub

The CLI tool runs here:
• securebuild create
• securebuild update
• securebuild log
• regfile create
• repository create
• hpvs start
etc.
For the record, the CLI tool is also a Docker container :-)

A. Developer builds a Dockerfile in a GitHub repository
B. SBS clones and builds from GitHub repository
C. SBS tags, signs and pushes image to Docker Hub repository
D. CLI directs SSC to pull and run trusted image from Docker Hub
E. SBS optionally pushes Docker manifest to Cloud Object Store

https://github.com/logos

https://www.docker.com/company/newsroom/media-resources

Page 26

(Repeat of the IBM Cloud Hyper Protect Services overview from Page 9.)

Page 27

Any Questions?

Page 28

And finally …..

https://www.meetup.com/MainframerZ-London/

Page 29

Please submit your session feedback!

• Do it online at http://conferences.gse.org.uk/2019/feedback/PH
• This session is PH