System z building blocks
From Web transactions to customer data privacy, IBM System z offers solutions designed to address your business security challenges. Here is an overview of the key building blocks in the System z security solutions:

Encryption Facility for z/OS
Announcing the Encryption Facility for z/OS V1.1, a new host-based software solution designed to help businesses protect data from loss and from inadvertent or deliberate compromise.

Encryption, a powerful and widely used technology, is now being leveraged by z/OS to help businesses more safely share sensitive data with trusted partners. By storing encrypted data on tape for storage and archival purposes, the Encryption Facility for z/OS also extends protection to data at rest. Additionally, the Encryption Facility for z/OS is designed to leverage the existing centralized key management and access authentication capabilities provided by ICSF.

With this latest product announcement, mainframe customers can also benefit from existing hardware capabilities such as compression and the exceptional performance provided by cryptographic coprocessors and accelerators that can be individually configured to address various encryption needs.

Learn about, architect, and implement the IBM Encryption Facility in your enterprise.

Unlocking the answers to Encryption Facility for z/OS (739KB)

IBM Cryptography Holds Industry's Top Hardware Rating: FIPS 140-2 Level 4

Since 1991, System z integrated hardware encryption has consistently been an industry leader, both in the level of security provided and in performance. Hardware encryption devices are designed to provide a tamper-proof security boundary, which can be a requirement for financial applications.

CPACF, which delivers high symmetric encryption performance for clear key encryption, is a standard feature shipped with every IBM System z9 EC and BC, z990 and z890 central processor and Integrated Facility for Linux (IFL) engine ordered. With the introduction of the z9 System, CPACF has been enhanced to support the Advanced Encryption Standard (AES) for 128-bit keys, Secure Hash Algorithm-256 (SHA-256), and Pseudo Random Number Generation (PRNG). Because these cryptographic functions are implemented in each IBM System z9 EC central processor (CP) or IFL engine, the potential throughput is anticipated to scale with the number of processor units (PUs) installed.

For customers who require support for Secure Key encryption, the optional Crypto Express2 feature is available on the z890, z990 and System z9 EC and BC. To provide flexibility, the Crypto Express2 feature now provides two PCI-X adapters which can be configured as Coprocessors, Accelerators or a combination of one Coprocessor and one Accelerator. When defined as a Coprocessor, the Crypto Express2 feature supports highly secure cryptographic functions, use of secure encrypted key values and User-Defined Extensions (UDX). When configured as an Accelerator, the Crypto Express2 feature can significantly improve the performance of complex RSA cryptographic operations used with Secure Sockets Layer (SSL) and potentially with Transport Layer Security (TLS) protocols that typically support on demand business capabilities. In a recent test using a System z9 EC with four CPs and both PCI-X adapters configured as accelerators, the Crypto Express2 feature supported up to 6000 SSL handshakes per second. This represents about a 3X¹ performance improvement on a per-card basis when compared to the z990 using either a PCI Cryptographic Accelerator (PCICA) feature with two PCI accelerators per feature or the current Crypto Express2 feature with two PCI-X adapters per feature.

Cryptography is a core technology that supports several elements of security on System z processors. One of these elements is user identification and authentication.
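The difference between CPACF clear key operation and Crypto Express2 Coprocessor secure key operation is where the raw key is allowed to exist. The Go program below is an added illustration, not IBM or ICSF code: it assumes a toy HSM model in which a data key is wrapped with AES-GCM under a master key (the real CCA key-token format is not modelled) and shows that the host only ever holds the wrapped key and that a different coprocessor, holding a different master key, cannot use it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// RandomBytes draws n bytes from the OS CSPRNG (a stand-in for the hardware PRNG function).
func RandomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}
// newGCM builds an AES-GCM AEAD; 16-byte keys give AES-128, the key size CPACF supports.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// AESSeal encrypts plaintext under key and returns nonce||ciphertext||tag.
func AESSeal(key, plaintext []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := RandomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil), nil
}
// AESOpen reverses AESSeal; it fails if the key is wrong or the blob was altered.
func AESOpen(key, blob []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil { return nil, err }
	n := g.NonceSize()
	if len(blob) < n { return nil, errors.New("blob too short") }
	return g.Open(nil, blob[:n], blob[n:], nil)
}
// EncryptClearKey is the CPACF-style path: the host itself holds the raw key.
func EncryptClearKey(key, plaintext []byte) ([]byte, error) { return AESSeal(key, plaintext) }
// HSM is a toy model of the coprocessor boundary (an assumption, not IBM's CCA key-token format); masterKey never leaves it.
type HSM struct{ masterKey []byte }
func NewHSM() *HSM { return &HSM{masterKey: RandomBytes(32)} }
// NewSecureKey generates a data key inside the HSM and returns it only wrapped under the master key.
func (h *HSM) NewSecureKey() ([]byte, error) { return AESSeal(h.masterKey, RandomBytes(16)) }
// SecureKeyOp unwraps the data key inside the HSM, uses it, and discards it; the raw key is never returned.
func (h *HSM) SecureKeyOp(wrapped, data []byte, decrypt bool) ([]byte, error) {
	dk, err := AESOpen(h.masterKey, wrapped)
	if err != nil { return nil, errors.New("wrapped key is not valid under this master key") }
	if decrypt { return AESOpen(dk, data) }
	return AESSeal(dk, data)
}
```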

TKE 4.2 workstation with Smart Card Reader support
The Trusted Key Entry (TKE) workstation with the 4.2 level of Licensed Internal Code is an optional feature of the System z that provides a security-rich key management system. The key management system provides authorized persons with a method of key identification, exchange, separation, update, and management.

Support for an optional smart card reader attached to the TKE 4.2 workstation allows the use of smart cards, which resemble credit cards in size and shape, but contain an embedded microprocessor and associated memory for data storage. Access to and the use of confidential data on the smart cards is protected by a user-defined personal identification number (PIN).

User identification and authentication
Developed by IBM over 25 years ago, Resource Access Control Facility (RACF) remains a key element, instrumental in controlling internal and external access to resources. RACF provides centralized security functions such as user identification and authentication, resource access control and auditing for both the operating system and the applications running on the system. Identification and authentication technology, in one form or another, is implemented within several components of System z operating systems, using multiple security technologies.

A digital certificate can also be used to identify and authenticate one user, resource, or server to another and as the basis for generation of cryptographic keys for secure communication between trusted third parties. The use of X.509 version 3 digital certificates with an associated Public Key Infrastructure (PKI) and Kerberos are two examples of modern trusted third-party identification and authentication techniques that are in common use.

Secure Sockets Layer (SSL) has several characteristics that can be used by an on demand application to communicate with large numbers of users via common Internet browser software. SSL currently represents the single most important user of cryptography in the spectrum of secure e-business applications and continues to be a key technology in support of secure e-commerce. SSL is the public key cryptography based extension to the TCP/IP socket interface. With the introduction of System z9, when properly configured, the optional Crypto Express2 feature can significantly improve SSL acceleration when both PCI-X adapters are configured as Accelerators.

RACF and IBM Health Checker join forces to help ensure the proper configuration (179KB)
Improve the look and feel of RACF administration (268KB)

Auditing and logging
RACF provides auditors with several utilities that handle data analysis and reduction to help ensure that users are adhering to the company's security policy. With RACF there are multiple ways to specify what security-relevant events are recorded in the audit stream and how that information is reduced and analyzed. Following through on our long-standing intention to deliver advanced security solutions for the mainframe, we are now working with Vanguard Integrity Professionals Inc. to provide our customers with a comprehensive toolset for security administration, reporting, auditing and intrusion detection for RACF.

Digital Certificate Hosting
PKI Services, now IdenTrust certified, allows you to establish a Public Key Infrastructure and serve as a Certificate Authority for your internal and external users, issuing and administering digital certificates that can comply with your business-defined security policy. Find out more about how your users can use PKI Services to request and obtain certificates through their Web browsers, while your authorized PKI administrators approve, modify, or reject these requests through their Web browsers. PKI Services can represent a significant savings to businesses that are using third-party Certificate Authorities to issue and manage their digital certificates.

Directory services
The LDAP protocol provides an industry-standard access mechanism, and the LDAP server extends the native security services provided by RACF to the distributed security capabilities provided by cross-platform applications and services. The RACF registry is a directory for RACF users and groups. The z/OS implementation of LDAP is designed to complement RACF and interoperate with it, in support of the integration of the centralized computing model, traditionally supported by RACF, into the emerging distributed computing models, such as those provided by the Enterprise JavaBeans™ (EJB) environment via WebSphere.

LDAP authentication in a WAS environment is a simpler, more secure way of sharing access to a WAS cell (221KB)

Networking and communications security
The z/OS Communications Server provides networking and communications security on System z, such as services for accessing applications over both SNA and IP networks. The Communications Server is designed to protect:
  • data in the network using secure protocols based on cryptography, such as IP Security, SSL, and SNA session level encryption
  • system resources and data from unauthorized access using standard RACF services
  • the system from the network (e.g. denial-of-service attacks)
The Communication Server for Linux on System z opens the door to independent protocol networking by connecting diverse networks and consolidating communications workloads.

NSCA; new GUI that makes AT-TLS and CS-IPSec configuration a snap (1.58MB)

Certifications
Common Criteria Security Certification is widely recognized among IT professionals, government agencies and customers as a seal of approval for mission-critical hardware and software. Common Criteria (CC) is an internationally recognized ISO standard (ISO/IEC 15408) used by the Federal government and other organizations to assess the security and assurance of technology products. Now the z9 EC and the z9 BC have joined this elite group by achieving EAL5 certification for the security of their logical partition (LPAR) technology. The IBM PCI-X Cryptographic Coprocessor (PCIXCC) has also received the highest level of Federal Information Processing Standard (FIPS) 140-2 certification. For more information about our current certifications, visit Certifications.

On June 9, 2005 IBM announced that the PCIX Cryptographic Coprocessor Security Module earned the highest certification for commercial security awarded by the U.S. and Canadian governments—Federal Information Processing Standard (FIPS) 140-2 Level 4. Cryptography, essential to Internet transaction security, is a core technology that supports several security elements such as user identification and authentication on System z processors.

IdenTrust Compliant
PKI Services for z/OS V1 R5 has been certified IdenTrust compliant for CA software at the Identrus 3.1 specification level. The IdenTrust Compliant program certifies that PKI Services meets IdenTrust specifications and interoperability requirements, providing a solid foundation for trust between financial institutions and their customers. The IdenTrust system is a global trust network designed to provide the technical criteria and standards necessary to enable trust and payment-related services that help to mitigate e-commerce risks across a range of industries.


¹ The SSL rate was achieved with a System z9 with four processors and two Crypto Express2 cards (one feature, both adapters configured as accelerators), z/OS V1R7 with the Cryptographic Support for z/OS V1R6/V1R7 Web deliverable and ICSF FMID HCR7730. These measurements are examples of the maximum transactions per second achieved in a laboratory environment with no other processing occurring and do not represent actual field measurements. Details available upon request.

Note: the previously reported SSL performance of 4995 handshakes per second was obtained on a 4-way z990 with four Crypto Express2 Coprocessor (CEX2C) features, whereas in this case the performance was measured on a 4-way System z9 with one Crypto Express2 feature with both adapters configured as accelerators. It would be expected that the SSL performance on a 16-way System z9 with six Crypto Express2 features would be greater than that obtained on a z990; however, actual measurements have not been taken.
