20
Thu, Jun
3 New Articles

PowerSC Promises to Lock Down Virtualized Systems

Compliance / Privacy
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

A new security paradigm for the cloud, PowerSC defines your known "good" system rather than  try to defend against a known "bad" threat.

 

With the proliferation of virtual systems and internal cloud environments, all aspects of system administration have become more complex and challenging. As expected, this includes managing IBM Power Systems security on each of the virtual servers you create, any one of which can present new threat vulnerabilities.

 

Not only are there new challenges in managing security in a virtualized environment, but being able to prove to an auditor that your systems are in compliance with a variety of government and industry standards—from PCI, to Sarbanes-Oxley, to DOD—presents its own set of challenges.

 

IBM has recently released a new security offering for Power Systems called PowerSC that is part of a larger security framework the company has assembled to protect large and small enterprises alike.

 

PowerSC is a security and compliance solution that works in conjunction with the IBM Power Systems hypervisor, PowerVM. Initially offered on AIX, PowerSC undoubtedly will be rolled out to integrate with IBM i and Linux in the near future. It is a collection of four modules—for now—that takes an approach to security designed to stay one step ahead of existing, as well as yet-to-be created, external and internal threats. Some of the security features are currently available for IBM i from independent software providers, such as SkyView Partners and Raz-Lee Security, while others appear to be quite avant-garde and more closely integrated with PowerVM. Nevertheless, they are designed to work together seamlessly to protect high-value systems, particularly cloud environments.

 

The fear of a security breach to data residing in the cloud has kept many IBM i shops from moving to a cloud environment and has raised serious concerns by everyone else, even if they have started the migration. IBM simply had to do something to allay these fears. It really needed to design a system security approach that would work. They're hoping that PowerSC is the answer.

 

PowerSC consists of four main modules:

  • Security Compliance Automation is a set of pre-built compliance profiles for the three main industry and government standards that is activated and reported on centrally using AIX Profile Manager.
  • Trusted Boot guarantees that the operating system hasn't been hacked by comparing cryptographically signed boot and OS images.
  • Trusted Network Connect and Patch Management, as its name implies, gives you a heads up if a system doesn't have all available security patches applied. It uses a sophisticated integration with Service Update Manager Assistant (SUMA) and Network Installation Manager (NIM).
  • Trusted Logging captures all audit and system log information in real time and whisks it away to a secure centralized location within the virtual I/O server. In larger shops, it allows for the sharing of responsibilities by both the AIX system manager and individuals overseeing the virtualized infrastructure.

 

PowerSC comes in two editions, PowerSC Express, which is basic security and compliance automation, and PowerSC Standard, which supports Trusted Logging, Trusted Boot, and Trusted Network Connect and Patch Management. Trusted Boot works only on Power7 hardware with firmware update 7.4.

 

In conjunction with the announcement about PowerSC, IBM also released new features of PowerVM that, in many cases, integrate with PowerSC. Let's focus on the latter for the moment, however, and drill down into these four new PowerSC modules for a closer look.

 

Knowing, as well as showing, that your system is in compliance with the industry or government standards that affect your business can be a very expensive undertaking indeed. Security Compliance Automation is intended to help reduce the burdensome costs of getting and staying in compliance as well as being able to prove that you are on top of things. With IBM's pre-built profiles, Security Compliance Automation covers about 70 percent of the regulatory security requirements to which you might be subject. Others, such as physical security, which really go beyond "system security," are outside the scope of the product. Nevertheless, 70 percent is more than a good start.

 

The included profiles are Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Act of 2002 (SOX), Control Objectives for Information and Related Technology (COBIT), and the Department of Defense (DOD). If you need to meet some other standard not listed here, then this product may not be for you.

 

One of the nice features about this module is that it allows you to set security profiles for numerous systems and then looks at reports to see if they are in compliance, all without the use of extensive logs or having to resort to guessing. You use a Systems Director plug-in called AIX Profile Manager with a clear and simple interface that tells you if the designated system is in compliance. If it flags one, you can use the same tool to investigate why it's not in compliance and what needs to be addressed.

 

Trusted Boot, which needs the latest Power7 hardware and 7.4 firmware update to work—and no, it does not work on Power6 or Power5 hardware—is, quite naturally, a very cool module. It changes the security paradigm from responding to a known "bad" threat to documenting your "good" system and not allowing anything unknown to run on it. Every virtual machine has its own Virtual Trusted Platform Module (VTPM), which is configured when you configure a new virtual machine. During boot-up, there is a sophisticated metric created, with the boot image and the operating system being cryptographically signed and validated against the VTPM. PowerSC and PowerVM work together to take the "snapshot" and do the image comparisons.

 

The beauty of Trusted Boot is that you can show the system is safe by reporting on its status with a GUI interface called OpenPTS Monitor that offers an easy-to-read view of flagged untrustworthy systems. It notes any changes in kernel extension, user commands, or applications and pinpoints any changed files.

 

Trusted Network Connect and Patch Management integrates with SUMA and NIM so that, during boot-up, the part of the module residing in an LPAR communicates with the TNC server in the Virtual I/O Server (VIOS). Every system is assigned a specific patch level, and the administrator is notified automatically of the conformance, or nonconformance, to the assigned patch level. It's a simple matter to determine whether all security patches have been applied to the system.

 

Trusted Logging employs a special virtual SCSI device that is managed by the VIOS and sends system log and audit log data to a central location within the VIOS that is tamper-proof and outside even the touch of the system administrator. No AIX administrator—or anyone else—can modify the logs, which provide a gold standard of what's happened on the system. You might be able to change the system, or even the system log, but you can't change the logs stored in the VIOS…or so IBM says. Having two copies of the logs also allows two groups to oversee operations: the system administrator and the virtual infrastructure folks. Nice.

 

PowerSC does not a complete framework make, and IBM offers appliances to protect against network threats. But at the system level, PowerSC takes security to the next level. It's likely that IBM will not stop with just four modules in the PowerSC offering, and there are more interfaces and more integrations to be made with, say, Systems Director. While AIX is the launch pad for this particular offering, a version for IBM i can't be far behind. If it convinces users that there is security in the cloud, then it's a job well done.

Chris Smith

Chris Smith was the Senior News Editor at MC Press Online from 2007 to 2012 and was responsible for the news content on the company's Web site. Chris has been writing about the IBM midrange industry since 1992 when he signed on with Duke Communications as West Coast Editor of News 3X/400. With a bachelor's from the University of California at Berkeley, where he majored in English and minored in Journalism, and a master's in Journalism from the University of Colorado, Boulder, Chris later studied computer programming and AS/400 operations at Long Beach City College. An award-winning writer with two Maggie Awards, four business books, and a collection of poetry to his credit, Chris began his newspaper career as a reporter in northern California, later worked as night city editor for the Rocky Mountain News in Denver, and went on to edit a national cable television trade magazine. He was Communications Manager for McDonnell Douglas Corp. in Long Beach, Calif., before it merged with Boeing, and oversaw implementation of the company's first IBM desktop publishing system there. An editor for MC Press Online since 2007, Chris has authored some 300 articles on a broad range of topics surrounding the IBM midrange platform that have appeared in the company's eight industry-leading newsletters. He can be reached at This email address is being protected from spambots. You need JavaScript enabled to view it..

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$0.00 Raised:
$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: