Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · •...
Transcript of Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · •...
![Page 1: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/1.jpg)
1
Dr Chris PooleIBM Master InventorHyper Protect Containers
@chrispoole
Ensuring Your Customers' Data Privacy with Applications Secured on IBM Z
![Page 2: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/2.jpg)
Pleasenote
• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice and at IBM’s sole discretion.
• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
• The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
• Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
![Page 3: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/3.jpg)
3
“Within one Kubernetes pod, access credentials were exposed to Tesla's AWS environment which contained an Amazon S3 bucket that had sensitive data such as telemetry.
https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/
![Page 4: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/4.jpg)
4https://www.engadget.com/2018/09/18/us-government-payment-site-leaks-14-million-customer-records-GovPayNow/?platform=hootsuite&guccounter=1
![Page 5: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/5.jpg)
5
73%Allow root access
2%Corporate data encrypted
58%Threats from insiders
https://www-01.ibm.com/marketing/iwm/dre/signup?source=urx-17425&S_PKG=ov59678&https://www.techrepublic.com/article/tesla-public-cloud-environment-hacked-attackers-accessed-non-public-company-data/
https://healthitsecurity.com/news/58-of-healthcare-phi-data-breaches-caused-by-insiders
![Page 6: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/6.jpg)
6
“Move to the cloud”?
![Page 7: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/7.jpg)
7
“Move to the cloud”?
7
![Page 8: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/8.jpg)
Apps with SPI?
• Rewrite yourselves– Encrypt the data… all of it? Metadata?
• Security consultancy• IBM Cloud Hyper Protect Services• ibm.com/cloud/hyper-protect-services
![Page 9: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/9.jpg)
Toolinge.g., Docker Config Discovery Routing Observability
Databases
Operational
Development
Policy
{All stateless ideally
Understand what’s happening
Other services need to be able to
find each other
To build
Need to configure as it’s going out
Message sending requires routing
Store here only
Container scheduling
Language: PL/I, COBOL, Java, etc.
Architectural & security compliance
![Page 10: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/10.jpg)
10
SPI MicroserviceSPI Microservice
Data layer
Frontend Frontend
Backend Backend
Microservice
Frontend
Backend
![Page 11: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/11.jpg)
Cloud computing
• Abstract away the infrastructure• Who do you trust?
![Page 12: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/12.jpg)
Attack vectors
• Insider threat: sysprogs• Remote access• Privilege escalation
![Page 13: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/13.jpg)
Existing cloud
LinuxDocker
Worker 1 Worker 2
(Virtual) server
![Page 14: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/14.jpg)
Existing cloud
LinuxDocker
Worker 1 Worker 2
(Virtual) server
EAL5+
PR/SM
SSC LPAR SSC LPAR
Secure Service Container
Worker 1
VM
Worker 2
Isol
atio
n
VM
Hyper Protect cloud
![Page 15: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/15.jpg)
Integrated HSM
On-chip cryptography
On-chip cryptographic accelerator
Crypto Express HSM –Tamper resistant Secure Key –FIPS 140-2 Level 4–Keys never leave the HSM
![Page 16: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/16.jpg)
Secure Service ContainersEAL5+
PR/SM
SSC LPAR SSC LPAR
Secure Service Container
Worker 1
VM
Worker 2
Isol
atio
n
VM
• No system admin access• Data at rest, transport protection• Once the appliance image is built,
OS access (ssh) is not possible• Memory access disabled• Encrypted disk• Debug data (dumps) encrypted• Signed docker images• Secure boot
![Page 17: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/17.jpg)
IBM Cloud Hyper Protect Services
Think 2018 / 8249.PPTX / March 2018 / © 2018 IBM Corporation 17
IBM-hosted services:
IBM Cloud Hyper Protect Crypto Services
IBM Cloud Hyper Protect DBaaS
IBM Cloud Hyper Protect Containers
![Page 18: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/18.jpg)
IBM Cloud Hyper Protect Crypto Services
Think 2018 / 8249.PPTX / March 2018 / © 2018 IBM Corporation 18
Provides state of the art security and cryptographic capabilities in IBM Cloud.
• 4X faster than other cloud encryption appliances• PKCS#11 API interfaces
• Generate symmetric key and asymmetric key pairs• Digitally sign and verify documents• Provide digital fingerprints (digest/hash)• Random number generation
• Seamless integration with IBM Key Protect for securely storing root and data encryption keys in a dedicated key store protected with FIPS 140-2 Level 4 compliant hardware
Secure:• Tamper protection during installation and run time• Customer data and keys are shielded from sysadmins
![Page 19: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/19.jpg)
Secure Service Container
Providing Hyper Protect Crypto Services
19
Isolated Container Runtime Environment
IBM Z/LinuxONE platform
HSM Card (Crypto Express)Domain 00 Domain 84
Acme Soda
Hyper Protect Crypto Services
Dedicated KeyStore
Soda App
Acme Pop
Hyper Protect Crypto Services
Dedicated KeyStore
Pop App
Acme Cola
Hyper ProtectCrypto Services
Dedicated KeyStore
Cola AppApplications connect with PKCS11 via OpenSSL
Dedicated KeyStore per Customer
Secure enclaves ensure keys are never leaked
FIPS 140-2 Level 4 compliant HSM for highest physical protection of secrets
HSM Card (Crypto Express)Domain 00 Domain 84
![Page 20: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/20.jpg)
Simplify Protecting Data-in-Transit for Cloud Native Apps
20
Secure sensitive transactions ensuring security of data while in-transit
Secure handling of SSL/TLS keys and certificates
• Customers can terminate secure connection (TLS) for their apps, at container front door
• Secure all communications between micro services inside a container cluster that could be enabled through policies
• SSL keys are offloaded to Hyper Protect Crypto Services to ensure security and protection of those sensitive keys
• Certificate lifecycle management getting common approach to managing certs, and visibility to cert expiration
A'
B
B’
SSL offloading A
Hyper Secure Crypto Services
Certificate Management
![Page 21: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/21.jpg)
IBM Cloud Hyper Protect DBaaS
Think 2018 / 8249.PPTX / March 2018 / © 2018 IBM Corporation 21
Hyper Protect Database as a Service implements structured and unstructured data stores that are secure and private.
MongoDB EE:• Up to 8TB on IBM z13; up to 16TB with IBM z14• 2–4x more throughput compared to AWS–EC2
PostgreSQL
Secure:• Tamper protection during installation and run time• Customer data shielded from sysadmins• Encryption, access control, audit
![Page 22: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/22.jpg)
Demo
![Page 23: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/23.jpg)
Starter Kits?
![Page 24: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/24.jpg)
Starter Kits?print(”hello world”)
![Page 25: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/25.jpg)
Starter Kits?
![Page 26: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/26.jpg)
Starter Kits
BackendStarter Kit
MBaaSStarter Kit
Hyper Protect DBaaS
Kitura
Swift iOS app
Hyper Protect Crypto
Services
Mobile analytics
Push notifications
Client Cloud
![Page 27: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/27.jpg)
Improving application development• Recognition that an app isn’t just the source code:
libraries etc.• DevOps encourages ownership by the dev team• Test, lift, drop, deploy• Containers as lightweight alternative to VMs
![Page 28: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/28.jpg)
Orchestrate your containers• Kubernetes• HA• Load balancing• Master, worker nodes
Master
Worker
Worker
![Page 29: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/29.jpg)
Demo
![Page 30: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/30.jpg)
40
ibm.com/cloud/hyper-protect-services
![Page 31: Ensuring Your Customers' Data Privacy with Applications Secured … · 2020-05-17 · • IBM’sstatements regarding its plans, directions, and intent are subject tochange ... Kitura](https://reader034.fdocuments.us/reader034/viewer/2022042307/5ed2d88b51a89a533c3d3b4c/html5/thumbnails/31.jpg)
41
Summary
Creating an app, want encryption to tick the compliance boxes?
• Security without code change• Cloud-hosted Kubernetes, DBaaS, and crypto services
• Starter kits• Trial offerings
[email protected]@chrispoole