IBM PowerSC. Security and compliance solution designed to protect virtualised data centres. Highlights. IBM Systems and Technology Data Sheet

Transcription

1 IBM PowerSC Security and compliance solution designed to protect virtualised data centres Highlights Simplify security management and compliance measurement Reduce administration costs of meeting compliance regulations Ensure virtualised environments meet same security levels as physical servers Improve the audit capabilities for virtualised systems Reduce time and skills required for preparation of security audits Improve detection of security exposures in virtualised environments. Security and compliance are vital to many businesses, especially now that they must adhere to regulatory requirements designed to safeguard personal data and company information from security attacks. Ensuring that IT systems are compliant with common industry security standards and maintaining system security can be a challenging, labour-intensive activity especially with today s virtualised IT infrastructures. IBM Power Security and Compliance (PowerSC) provides a security and compliance solution optimised for virtualised environments on Power Systems servers, running PowerVM. PowerSC enables security compliance automation and includes reporting for compliance measurement and audit. Its compliance automation features also help businesses reduce the cost of security compliance. Automation capabilities include supplying prebuilt system profiles that enforce compliance to various industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, the US Department of Defence Security Technical Implementation Guide and Control Objectives for Information and Related Technology (COBIT) best practices. PowerSC also helps improve detection and visibility of security exposures by deploying trusted security extensions to highlight altered boot volumes and systems that are not at the site-specified patch levels. Trusted audit logs are used to centralise and protect logging integrity in virtualised environments.

2 Automate systems settings for optimal security and compliance Ensuring system compliance with third-party security standards is often a labour intensive and time consuming process. Compliance standards are typically long, complex documents that are difficult to translate into the appropriate AIX or Linux operating system (OS) settings. Often standards encompass many different areas of OS and virtualisation software, they may have required using several different administrative interfaces to configure a system appropriately. With its simple administration interface and preconfigured compliance profiles, PowerSC is designed to simplify the administrative effort associated with complying with some of the most common external standards for security and compliance. PowerSC security and compliance automation provides profiles for the PCI DSS, the HIPAA Privacy and Security Rules and US Department of Defence Security Technical Implementation Guide for UNIX (DoD STIG) standards, as well as supporting the implementation of best practices specified by the COBIT standard. Public companies that are subject to the U.S. Sarbanes-Oxley Act of 2002 often adopt the COBIT best practices. PowerSC also provides a security automation profile to automate configuration of optimal security for database servers. With PowerSC the configuration of all relevant system parameters are automated as required by these security standards. This automation is best deployed using the AIX Profile Manager for AIX systems, which is an advanced plug-in to IBM Systems Director. This profile manager provides for both the centralised application of security profiles and the centralised reporting for compliance to standards. Linux system compliance automation and reporting is available only through a command line interface and is available for the payment card industry standard and the HIPAA standard. The profiles include recommended settings for several areas of AIX and Linux configuration, including aspects such as minimum password length, password reuse, number of unsuccessful log in attempts before lockout and other system security configuration settings. Easy-to-run reports are available with PowerSC that confirm whether the system is configured to be compliant. These reports provide alerts for unauthorised parameter changes and to provide a consistent foundation for compliance audits. 2

3 Since all external security standards include aspects outside the realm of system configuration settings, the use of the security and compliance automation will not, by itself, ensure standards compliance. Nonetheless, PowerSC security and compliance automation does significantly simplify systems configuration settings management, allowing security administrators the time to focus on the other aspects of standards compliance. Improve visibility and hardening of the virtual infrastructure IT managers continually strive to guarantee trustworthy and secure systems that prevent unauthorised accesses to business systems and data. In today s virtualised data centre s (DC), they are now particularly concerned with ensuring their virtual machines (VM) meet the same trusted levels as their physical servers. PowerSC provides a range of capabilities to ensure a root of trust for VM, including Trusted Boot, a virtual implementation of the Trusted Platform Module (TPM) from the Trusted Computing Group. The PowerSC Trusted Boot feature provides virtual TPM functionality for AIX VM running with the PowerVM hypervisor on Power Systems. The TPM functionality measures the system boot process in each VM and with cooperation from the AIX Trusted Execution technology, provides security, trust and assurance of the boot image on disk, the entire OS and the application layers. Each VM has its own separate virtual TPM that holds its measurement data used to validate the root of trust. This functionality is available on IBM POWER7 systems running efw7.4 firmware or higher. A trust monitor, OpenPTS, is also provided with PowerSC that enables administrators to monitor and attest to the trust of their AIX VM. The monitor makes clear the trust and security level of Power Systems running PowerVM virtualisation. Comply with site security policies for virtual machines Maintaining VM across multiple systems presents different administrative challenges to traditional physical systems deployment. For example, VM may be suspended or powered off or even moved to other servers during a patch application process. Moving a VM, for example, may open a window of vulnerability by potentially having a different patch level than is required on a target physical system. Trusted Network Connect (TNC) and Patch Management in PowerSC can detect AIX VMs that do not meet the corporate patch policies that have been established for a virtualised DC. Alerts are triggered if a noncompliant VM is detected. TNC and Patch Management analyses data from both the Service Update Manager Assistant (SUMA) and the Network Installation Manager (NIM) to check each VM during activation. Activation events that are monitored include: Normal boot Resumption after suspension Activation as a result of a live partition mobility event. TNC and Patch Management also monitor the IBM Electronic Customer Care system and provide alerts for new security patches or updates that affect AIX systems. Alerts can also be configured simply to send short message service (SMS) messages to mobile devices. Harden audit trails in virtual environments One of the foundations of compliance is the ability to audit an environment and to guarantee that audit trails, such as audit logs and system logs cannot be altered. These logs help provide transparency and prevent covering of security breaches. Trusted Logging in PowerSC centralises the AIX system logs across all 3

4 VM on a server, enabling the logs to be kept on a single instance of the PowerVM Virtual I/O Server (VIOS). This secure VIOS VM protects the entire log data received from each AIX VM. No administrator of any AIX VM can remove or alter the system logs held on the secure VIOS Server. With the introduction of centralised logging and administration provided by Trusted Logging, backup, archive and audit of system logs is significantly simplified for the security administrator. Control and enforce compliance for virtual networks Network security within the virtual DC is a key component for controlling and maintaining security and compliance. Network firewalls are an integral part of the network security operating environment which control and enforce network access control policies. Traditional firewalls operate at the physical network and can be used to control virtual infrastructures. However, virtual firewalls provide an additional capability to provide the filtering and control within the virtualisation framework. The Trusted Firewall feature in PowerSC provides a virtual firewall that allows network filtering and control within the local server virtualisation. This virtual firewall is a policy controlled firewall which can monitor and control network layers 2, 3 and 4 in the Open System Interconnection (OSI) model. The virtual firewall improves performance and reduces resource consumption of network resources by allowing direct and secure local VM to VM network traffic. The Trusted Firewall has the ability to monitor traffic and provide advice as to which traffic should be added to the firewall. This advisor can generate the appropriate commands to add the VM network segments to the Trusted Firewall. Monitor compliance to network segregation policies Virtualisation network change is accelerating as new deployment models like cloud computing are being introduced. This new rate of change introduces the possibility of configuration drift which can cause network security segregation policies to be violated. PowerSC Trusted Surveyor provides the capability to monitor network configuration drift and to report on network compliance adherence to defined policies. This provides an independent audit and governance of virtualised network infrastructure which ensures consistent and controlled configuration change. The information that Trusted Surveyor provides lowers administration costs by automating the network compliance monitoring. The Trusted Surveyor compliance monitoring solution works for all Power VM types which include AIX, IBM i and Linux. Choose the right PowerSC editions PowerSC editions offer a choice of security and compliance functionality. PowerSC Express Edition is available for both Linux and AIX systems running on Power Systems and is designed for basic automation of compliance to external standards. Express Edition is best deployed used in conjunction with the AIX Profile Manager (a plug-in to IBM Systems Director), for AIX systems which automates and centralises compliance, control and reporting. The Express Edition also offers command line administration which is the only option for Linux systems. Real-time compliance monitoring is only available for AIX systems. 4

5 PowerSC Standard Edition includes the features of the PowerSC Express Edition and adds security and compliance capability for virtual machines running with PowerVM. Standard Edition features the following major trusted security features for AIX virtual machines: Trusted Boot (requires POWER7 and efw7.4 or higher firmware) Trusted Logging Trusted Network Connect and Patch Management Trusted Firewall. PowerSC Trusted Surveyor is offered separately and is not included in the PowerSC edition structure. The following functionality is available for AIX, IBM i and Linux VM: Trusted Firewall Trusted Surveyor. Feature Security and compliance automation Real-time Compliance Monitoring Compliance reports Preconfigured profiles for PCI,DOD STIG,HIPAA, COBIT security standards and database servers Trusted Boot Trusted Monitoring Trusted Logging Trusted Network Connect And Patch Management Trusted Firewall Trusted Surveyor Benefits Reduces administration costs for complying with industry security standards Continuous monitoring and alerting if changes occur that cause systems to be non-compliant to security policies. Reduces time and cost to provide security and compliance reports to auditors Saves time, cost and risk associated with deploying industry security standards Reduces risk of compromised security by guaranteeing that an AIX operating system image has not been inadvertently or maliciously altered Ensures high levels of trust by displaying the status of all AIX systems participating in a trusted system configuration Prevents tampering or covering security issues by storing AIX VM system logs securely on a central PowerVM VIOS Reduces backup and archive time via storing audit logs in a central location Ensures that site patch levels policies are adhered to in virtual workloads Provides notification of noncompliance when back-level systems are activated Improves performance and reduces network resource consumption by providing firewall services locally with the virtualisation layer Provides visibility to ensure segregation of virtual networks to maintain security compliance 5

6 Why IBM? IBM is the trusted security advisor to thousands of the world s leading businesses and governments. IBM offers a complete range of server, storage, application and services offerings that have been architected with security at the core of their design. IBM s depth and breadth of expertise in security and compliance with IBM Power Systems is virtually unmatched. IBM has worldwide Global Services technical consultants that not only have long-time familiarity with security and compliance, but they also maintain intimate knowledge of emerging technologies, security trends, software releases and hardware enhancements that maximise security and compliance. When you work with IBM to implement PowerSC you can benefit from the extensive intellectual capital that the entire IBM Global Services team has accumulated, tested and proven. For more information To learn more about IBM PowerSC, please contact your IBM marketing representative or IBM Business Partner (BP), or visit the following website: ibm.com/systems/power/software/security/index.html Additionally, IBM Global Financing (IGF) can help you acquire the IT solutions that your business needs in the most cost-effective and strategic way possible. We will partner with credit-qualified clients to customise an IT financing solution to suit your business goals, enable effective cash management and improve your total cost of ownership (TCO). IGF is your smartest choice to fund critical IT investments and propel your business forward. For more information, visit: ibm.com/financing/uk IBM United Kingdom Limited PO Box 41 North Harbour Portsmouth Hampshire PO6 3AU United Kingdom IBM Ireland Limited Oldbrook House Pembroke Road Dublin 4 IBM Ireland Limited registered in Ireland under company number The IBM home page can be found at ibm.com IBM, the IBM logo, ibm.com, AIX, IBM Systems Director, POWER 7, PowerSC and PowerVM are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol ( or ), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at Copyright and trademark information at ibm.com/legal/copytrade.shtml Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries Other company, product and service names may be trademarks, or service marks of others. References in this publication to IBM products, programs or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program or service is not intended to imply that only IBM products, programs or services may be used. Any functionally equivalent product, program or service may be used instead. IBM hardware products are manufactured from new parts, or new and used parts. In some cases, the hardware product may not be new and may have been previously installed. Regardless, IBM warranty terms apply. This publication is for general guidance only. Information is subject to change without notice. Please contact your local IBM sales office or reseller for latest information on IBM products and services. This publication contains non-ibm Internet addresses. IBM is not responsible for information found at these Web sites. IBM does not provide legal, accounting or audit advice or represent or warrant that its products or services ensure compliance with laws. Clients are responsible for compliance with applicable securities laws and regulations, including national laws and regulations. Photographs may show design models. Copyright IBM Corporation 2013 Please Recycle POD03063-GBEN-05