IBM PowerSC. Security and compliance solution designed to protect virtualized datacenters. Highlights. IBM Systems and Technology Data Sheet




IBM PowerSC
Security and compliance solution designed to protect virtualized datacenters

Highlights

- Simplify security management and compliance measurement
- Reduce administration costs of meeting compliance regulations
- Ensure virtualized environments meet same security levels as physical servers
- Improve the audit capabilities for virtualized systems
- Reduce time and skills required for preparation of security audits
- Improve detection of security exposures in virtualized environments

Security and compliance are vital to many businesses, especially now that they must adhere to regulatory requirements designed to safeguard personal data and company information from security attacks. Ensuring that IT systems are compliant with common industry security standards and maintaining system security can be a challenging, labor-intensive activity, especially with today's virtualized IT infrastructures.

IBM Power Security and Compliance (PowerSC) provides a security and compliance solution optimized for virtualized environments on Power Systems servers, running PowerVM. PowerSC enables security compliance automation and includes reporting for compliance measurement and audit. Its compliance automation features also help businesses reduce the cost of security compliance. Automation capabilities include supplying prebuilt system profiles that enforce compliance to various industry standards, such as the Payment Card Industry Data Security Standard, the Health Insurance Portability and Accountability Act Privacy and Security Rules, the US Department of Defense Security Technical Implementation Guide and COBIT best practices.

PowerSC also helps improve detection and visibility of security exposures by deploying trusted security extensions to highlight altered boot volumes and systems that are not at the site-specified patch levels. Trusted audit logs are used to centralize and protect logging integrity in virtualized environments.

Automate systems settings for optimal security and compliance

Ensuring system compliance with third-party security standards is often a labor-intensive and time-consuming process. Compliance standards are typically long, complex documents that are difficult to translate into the appropriate AIX or Linux operating system settings. And, because standards often encompass many different areas of operating system and virtualization software, they may have required using several different administrative interfaces to configure a system appropriately. With its simple administration interface and preconfigured compliance profiles, PowerSC is designed to simplify the administrative effort associated with complying with some of the most common external standards for security and compliance.

PowerSC security and compliance automation provides profiles for the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act Privacy and Security Rules (HIPAA) and US Department of Defense Security Technical Implementation Guide for UNIX (DoD STIG) standards, as well as supporting the implementation of best practices specified by the Control Objectives for Information and related Technology (COBIT) standard. Public companies that are subject to the U.S. Sarbanes-Oxley Act of 2002 often adopt the COBIT best practices. PowerSC also provides a security automation profile to automate configuration of optimal security for database servers.

With PowerSC, the configuration of all relevant system parameters is automated as required by these security standards. This automation is best deployed using the AIX Profile Manager for AIX systems, which is an advanced plug-in to IBM Systems Director. This profile manager provides for both the centralized application of security profiles and the centralized reporting for compliance to standards. Linux system compliance automation and reporting is available only through a command line interface and is available for the payment card industry standard and the HIPAA standard.

The profiles include recommended settings for several areas of AIX and Linux configuration, including aspects such as minimum password length, password reuse, number of unsuccessful login attempts before lockout and other system security configuration settings. Easy-to-run reports are available with PowerSC that confirm whether the system is configured to be compliant. These reports provide alerts for unauthorized parameter changes and provide a consistent foundation for compliance audits.

Since all external security standards include aspects outside the realm of system configuration settings, the use of the security and compliance automation will not, by itself, ensure standards compliance. Nonetheless, PowerSC security and compliance automation does significantly simplify systems configuration settings management, allowing security administrators the time to focus on the other aspects of standards compliance.

Improve visibility and hardening of the virtual infrastructure

IT managers continually strive to guarantee trustworthy and secure systems that prevent unauthorized accesses to business systems and data. In today's virtualized datacenters, they are now particularly concerned with ensuring their virtual machines meet the same trusted levels as their physical servers. PowerSC provides a range of capabilities to ensure a root of trust for virtual machines, including Trusted Boot, a virtual implementation of the Trusted Platform Module (TPM) from the Trusted Computing Group.

The PowerSC Trusted Boot feature provides virtual TPM functionality for AIX virtual machines running with the PowerVM hypervisor on Power Systems. The TPM functionality measures the system boot process in each virtual machine, and with cooperation from the AIX Trusted Execution technology, provides security, trust and assurance of the boot image on disk, the entire operating system and the application layers. Each virtual machine has its own separate virtual TPM that holds its unique measurement data used to validate the root of trust. This functionality is available on IBM POWER7 systems running efw7.4 firmware or higher.

A trust monitor, OpenPTS, is also provided with PowerSC that enables administrators to monitor and attest to the trust of their AIX virtual machines. The monitor makes clear the trust and security level of Power Systems running PowerVM virtualization.
Comply with site security policies for virtual machines

Maintaining virtual machines across multiple systems presents different administrative challenges to traditional physical systems deployment. For example, virtual machines may be suspended or powered off or even moved to other servers during a patch application process. Moving a virtual machine, for example, may open a window of vulnerability by potentially having a different patch level than is required on a target physical system.

Trusted Network Connect (TNC) and Patch Management in PowerSC can detect AIX virtual machines that do not meet the corporate patch policies that have been established for a virtualized data center. Alerts are triggered if a noncompliant virtual machine is detected. TNC and Patch Management analyzes data from both the Service Update Manager Assistant (SUMA) and the Network Installation Manager (NIM) to check each virtual machine during activation. Activation events that are monitored include:

- Normal boot
- Resumption after suspension
- Activation as a result of a live partition mobility event

TNC and Patch Management also monitors the IBM Electronic Customer Care system and provides alerts for new security patches or updates that affect AIX systems. Alerts can also be configured simply to send SMS messages to mobile devices.

Harden audit trails in virtual environments

One of the foundations of compliance is the ability to audit an environment and to guarantee that audit trails, such as audit logs and system logs, cannot be altered. These logs help provide transparency and prevent covering of security breaches.

Trusted Logging in PowerSC centralizes the AIX system logs across all virtual machines on a server, enabling the logs to be kept on a single instance of the PowerVM Virtual I/O Server (VIOS). This secure VIOS virtual machine protects the entire log data received from each AIX virtual machine. No administrator of any AIX virtual machine can remove or alter the system logs held on the secure VIOS Server. With the introduction of centralized logging and administration provided by Trusted Logging, backup, archive and audit of system logs is significantly simplified for the security administrator.

Control and enforce compliance for virtual networks

Network security within the virtual data center is a key component for controlling and maintaining security and compliance. Network firewalls, which control and enforce network access control policies, are an integral part of the network security operating environment. Traditional firewalls operate at the physical network and can be used to control virtual infrastructures. However, virtual firewalls provide an additional capability to provide the filtering and control within the virtualization framework.

The Trusted Firewall feature in PowerSC provides a virtual firewall that allows network filtering and control within the local server virtualization. This virtual firewall is a policy-controlled firewall which can monitor and control network layers 2, 3 and 4 in the OSI model. The virtual firewall improves performance and reduces consumption of network resources by allowing direct and secure local VM to VM network traffic. The Trusted Firewall has the ability to monitor traffic and provide advice as to which traffic should be added to the firewall. This advisor can generate the appropriate commands to add the VM network segments to the Trusted Firewall.
Monitor compliance to network segregation policies

Virtualization network change is accelerating as new deployment models like cloud computing are being introduced. This new rate of change introduces the possibility of configuration drift which can cause network security segregation policies to be violated. PowerSC Trusted Surveyor provides the capability to monitor network configuration drift and to report on network compliance adherence to defined policies. This provides an independent audit and governance of virtualized network infrastructure which ensures consistent and controlled configuration change. The information that Trusted Surveyor provides lowers administration costs by automating the network compliance monitoring. The Trusted Surveyor compliance monitoring solution works for all Power VM types which include AIX, IBM i and Linux.

Choose the right PowerSC editions

PowerSC editions offer a choice of security and compliance functionality. PowerSC Express Edition is available for both Linux and AIX systems running on Power Systems and is designed for basic automation of compliance to external standards. For AIX systems, Express Edition is best deployed in conjunction with the AIX Profile Manager (a plug-in to IBM Systems Director), which automates and centralizes compliance, control and reporting. The Express Edition also offers command line administration, which is the only option for Linux systems. Real-time compliance monitoring is only available for AIX systems.

PowerSC Standard Edition includes the features of the PowerSC Express Edition and adds security and compliance capability for virtual machines running with PowerVM. Standard Edition features the following major trusted security features for AIX virtual machines:

- Trusted Boot (requires POWER7 and efw7.4 or higher firmware)
- Trusted Logging
- Trusted Network Connect and Patch Management
- Trusted Firewall

PowerSC Trusted Surveyor is offered separately and is not included in the PowerSC edition structure. The following functionality is available for AIX, IBM i and Linux virtual machines:

- Trusted Firewall
- Trusted Surveyor

Features and benefits

Feature: Security and compliance automation
Benefits: Reduces administration costs for complying with industry security standards

Feature: Real-time Compliance Monitoring
Benefits: Continuous monitoring and alerting if changes occur that cause systems to be non-compliant to security policies

Feature: Compliance reports
Benefits: Reduces time and cost to provide security and compliance reports to auditors

Feature: Preconfigured profiles for PCI, DOD STIG, HIPAA, COBIT security standards and database servers
Benefits: Saves time, cost and risk associated with deploying industry security standards

Feature: Trusted Boot
Benefits: Reduces risk of compromised security by guaranteeing that an AIX operating system image has not been inadvertently or maliciously altered

Feature: Trusted Monitoring
Benefits: Ensures high levels of trust by displaying the status of all AIX systems participating in a trusted system configuration

Feature: Trusted Logging
Benefits: Prevents tampering or covering security issues by storing AIX virtual machine system logs securely on a central PowerVM Virtual I/O Server. Reduces backup and archive time via storing audit logs in a central location

Feature: Trusted Network Connect And Patch Management
Benefits: Ensures that site patch levels policies are adhered to in virtual workloads. Provides notification of noncompliance when back-level systems are activated

Feature: Trusted Firewall
Benefits: Improves performance and reduces network resource consumption by providing firewall services locally with the virtualization layer

Feature: Trusted Surveyor
Benefits: Provides visibility to ensure segregation of virtual networks to maintain security compliance

Why IBM?

IBM is the trusted security advisor to thousands of the world's leading businesses and governments. IBM offers a complete range of server, storage, application and services offerings that have been architected with security at the core of their design. IBM's depth and breadth of expertise in security and compliance with IBM Power Systems is virtually unmatched. IBM has worldwide Global Services technical consultants that not only have long-time familiarity with security and compliance, but they also maintain intimate knowledge of emerging technologies, security trends, software releases and hardware enhancements that maximize security and compliance. When you work with IBM to implement PowerSC you can benefit from the extensive intellectual capital that the entire IBM Global Services team has accumulated, tested and proven.

For more information

To learn more about IBM PowerSC, please contact your IBM marketing representative or IBM Business Partner, or visit the following website: ibm.com/systems/power/software/security/index.html

Additionally, IBM Global Financing can help you acquire the IT solutions that your business needs in the most cost-effective and strategic way possible. We'll partner with credit-qualified clients to customize an IT financing solution to suit your business goals, enable effective cash management, and improve your total cost of ownership. IBM Global Financing is your smartest choice to fund critical IT investments and propel your business forward. For more information, visit: ibm.com/financing

Copyright IBM Corporation 2013

IBM Corporation
Systems and Technology Group
Route 100
Somers, NY 10589

Produced in the United States of America
October 2013

IBM, the IBM logo, ibm.com, AIX, Power Systems, PowerVM, PowerSC, and POWER7 are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml

Other company, product or service names may be trademarks or service marks of others.

POD03063-USEN-05