IBM PowerSC™ provides a security and compliance solution that is optimized for virtualized environments on IBM Power Systems™ servers, running IBM PowerVM™ and IBM AIX®. Security control and compliance are some of the key components that are needed to defend the virtualized data center and cloud infrastructure against ever evolving new threats. Trusted Surveyor is one of the separately available components of PowerSC that can provide an independent audit and governance of the virtualized network infrastructure.
Security control and compliance are also becoming more vital to many organizations that must adhere to regulatory requirements that safeguard personal data and enterprise information from security attacks.
In addition, security guidelines are implemented to address the security exposures of virtual machines (VMs) in the data center, for example, whether the VMs directly face an Internet connection or run a back-office database. Based on these different levels of exposure, regulatory compliance requirements group the virtual machines into separate entities, called security zones.
But today, where IT technologies like cloud computing allow dynamic live relocation of virtual machines between physical machines, the physical security zone boundaries tend to blur. Many organizations struggle to ensure that their security zones are always isolated and that their security policies are enforced. Because security zones are implemented by network segregation, as shown in Figure 1, IBM® PowerSC™ Trusted Surveyor can monitor network configuration drift and report on the network compliance posture for all the virtual machines in the data center.
IBM PowerSC Trusted Surveyor can provide an independent audit and governance of the virtualized network infrastructure, which helps ensure consistent and controlled configuration change management. The information that Trusted Surveyor provides can lower administration costs by automating the network compliance monitoring for the virtualized data center.
Figure 1. Security zone segregation in a virtual environment
Did you know?
The Center for the Protection of National Infrastructure (CPNI) recommends Network Boundary Defense Control and Secure Network Engineering Control within its top critical controls for effective cyber defense.
The Payment Card Industry requires that Cardholder Data Environment (CDE) virtual machines be separated from non-CDE virtual machines. PCI DSS requirement 2.4 allows shared hosting providers to host multiple customer environments on a single server while requiring that "... shared hosting providers must protect each entity's hosted environment and cardholder data" (Source: https://www.pcisecuritystandards.org/security_standards/). However, PCI DSS requires that appropriate controls be in place to prevent one virtual system from increasing the risk to cardholder data on another virtual system, to mitigate the specific risks that come with shared hosting. The CDE and its inherent network segregation must be maintained and monitored at all times in order to be enforced in the data center.
The National Institute of Standards and Technology (NIST) defines, in its document NISTIR 7628 Guidelines for Smart Grid Cyber Security v1.0 – Aug 2010, inadequate network segregation as one of the six biggest vulnerabilities. NIST states that "Network architectures often do a poor job of defining security zones and controlling traffic between security zones, thus providing what is considered a flat network wherein traffic from any portion of the network is allowed to communicate with any other portion of the network" and gives the following two examples: failure to define security zones, and failure to control traffic between security zones (Source: http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol3.pdf). It is highly recommended to employ a “zoning model” that differentiates and segregates business servers from operational servers according to system and data content and the associated risk.
Business value and solution overview
IBM PowerSC Trusted Surveyor is a stand-alone offering in the PowerSC family that provides a consolidated view of the virtual data center's virtual machine network isolation landscape. It extracts configuration data from multiple virtualized environments, and transforms the data into a normalized graph representation for subsequent analysis of its security properties.
A report is created by securely probing all of the Hardware Management Consoles (HMCs) in the virtual data center. The results are displayed in a web browser, but can also be saved externally so that the data can be used by other tools, such as Microsoft Excel. Trusted Surveyor takes snapshots of a virtual data center either on demand or at predetermined intervals. Snapshots are used to validate LPAR isolation by VLAN IDs and physical systems, so that you can verify and monitor configuration changes in the virtual data center.
Trusted Surveyor is implemented as a stand-alone web server-based product that is installed on a single server. The information is gathered through interrogating the HMC. Trusted Surveyor normalizes the configuration data of each virtual system and presents an overall view of the data center’s security isolation and interconnects. The report Trusted Surveyor generates displays VM groups and highlights group interconnects that violate security policy. Policy enforcement is based on a static (built-in) set of rules that are provided with the tool. Parameterized data that is provided by the user completes the static rule set.
Business and compliance security requirements are described by the IT security department in the form of written security policy and guidelines. The administrators read these policies and manually configure their OS, virtual system, or network accordingly. For example, the Payment Card Industry (PCI) Data Security Standard mandates that all IT systems that process credit card Primary Account Numbers (PANs) are isolated and protected. These IT systems must be on a separate network or VLAN. This requirement must be described in the IT security department’s written policy. If there are three PCI LPARs that are dedicated to credit card processing, they must be on their own VLAN. It is difficult to know whether another LPAR on a separate physical system, under a different HMC and administered by a different virtual administrator, is configured incorrectly to be on the same VLAN as the PCI LPARs.
Trusted Surveyor brings the entire Power based virtual data center configuration into a single automated view with a Microsoft Excel report that shows every LPAR and VLAN. It can take a snapshot of the virtual data center VLAN interconnect, establish a baseline policy, and highlight any change or incorrect configuration that violates the policy and poses a security risk.
Solution architecture
Trusted Surveyor is installed and configured on a server that runs the IBM AIX® operating system. A report is generated when a probe connects to an HMC to query and identify the systems, and their virtual configurations, that are managed by that HMC. All defined and enabled probes for the current domain are run when a snapshot acquisition is triggered for that domain. All of the available report options are based on the snapshots that are available for an identified domain. The resulting report identifies all of the LPARs, their associated physical systems, the VLANs to which they are connected, and the isolation zones that are created by these VLANs. An isolation zone is the set of resources that is separated from the rest of the environment in order to control access to those resources.
These reports are used to ensure that the current configuration meets the requirements for the isolation and protection of LPAR groups. When the initial compliance requirements are established, the reports and the snapshot can be used to provide an approved version or gold master compliance policy. By setting up regularly scheduled probes, snapshots can be created for additional reports. The approved snapshot can be compared to the current snapshot to identify changes that might cause noncompliant situations by highlighting the differences between the snapshots. The dynamic nature of cloud and virtual environments makes this type of change control and monitoring necessary.
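The two checks described above, VLAN isolation of an LPAR group and comparison of a current snapshot against an approved baseline, are illustrated below with a small Python model. This is an added example, not IBM's code and not Trusted Surveyor's data format: the snapshot layout (LPAR name, managed system, set of VLAN IDs), the LPAR and system names, and the PCI zone membership are all constructed sample data standing in for what a probe would collect from an HMC. The example goes slightly beyond the three-LPAR case in the text by checking every VLAN in the snapshot, across all systems, and by reporting added, removed and changed LPARs between two snapshots.

```python
"""Added example (not IBM's code): a toy model of the VLAN isolation check and
snapshot comparison that a Trusted Surveyor-style report performs.
All LPAR names, system names, VLAN IDs and the PCI zone below are constructed."""
from collections import defaultdict

# Approved ("gold master") snapshot: one entry per LPAR with the managed system
# it runs on and the VLAN IDs its virtual Ethernet adapters carry. (Constructed.)
APPROVED_SNAPSHOT = {
    "pci-lpar1": {"system": "sys-A", "vlans": {100}},
    "pci-lpar2": {"system": "sys-A", "vlans": {100}},
    "pci-lpar3": {"system": "sys-B", "vlans": {100}},
    "web-lpar1": {"system": "sys-B", "vlans": {200}},
    "db-lpar1":  {"system": "sys-C", "vlans": {300}},
}

# User-supplied policy parameter: the LPARs that form the protected (PCI) zone.
PCI_ZONE = {"pci-lpar1", "pci-lpar2", "pci-lpar3"}


def vlan_graph(snapshot):
    """Normalize a snapshot into a VLAN ID -> set of attached LPARs mapping.
    Two LPARs are reachable over layer 2 when they share a VLAN ID, whatever
    physical system or HMC each of them belongs to."""
    graph = defaultdict(set)
    for lpar, cfg in snapshot.items():
        for vlan in cfg["vlans"]:
            graph[vlan].add(lpar)
    return dict(graph)


def isolation_violations(snapshot, zone):
    """Return (vlan, zone_lpar, outside_lpar) triples for every VLAN on which
    an LPAR outside the protected zone sits next to a zone member."""
    violations = []
    for vlan, members in sorted(vlan_graph(snapshot).items()):
        inside, outside = members & zone, members - zone
        if inside and outside:
            for z in sorted(inside):
                for o in sorted(outside):
                    violations.append((vlan, z, o))
    return violations


def snapshot_diff(approved, current):
    """Compare the current snapshot against the approved baseline and report
    LPARs that were added, removed, or changed system/VLAN assignment."""
    diff = {"added": [], "removed": [], "changed": []}
    for lpar in sorted(set(approved) | set(current)):
        if lpar not in approved:
            diff["added"].append(lpar)
        elif lpar not in current:
            diff["removed"].append(lpar)
        elif approved[lpar] != current[lpar]:
            diff["changed"].append((lpar, approved[lpar], current[lpar]))
    return diff


def drift_report(approved, current, zone):
    """Run both checks together, as a scheduled compliance run would."""
    return {
        "diff": snapshot_diff(approved, current),
        "violations": isolation_violations(current, zone),
    }


def later_snapshot():
    """Constructed follow-up snapshot: an administrator on another system
    tagged a new batch LPAR with VLAN 100, the PCI VLAN."""
    current = {k: {"system": v["system"], "vlans": set(v["vlans"])}
               for k, v in APPROVED_SNAPSHOT.items()}
    current["batch-lpar9"] = {"system": "sys-D", "vlans": {100, 400}}
    return current


if __name__ == "__main__":
    report = drift_report(APPROVED_SNAPSHOT, later_snapshot(), PCI_ZONE)
    print("added LPARs:", report["diff"]["added"])
    for vlan, z, o in report["violations"]:
        print(f"VLAN {vlan}: zone LPAR {z} shares a segment with {o}")
```

The approved snapshot passes the isolation check; the later snapshot fails it three times, once per PCI LPAR, because `batch-lpar9` on an unrelated system was attached to VLAN 100. That is the cross-system, cross-HMC misconfiguration the text describes as hard to spot by hand, and the diff shows the LPAR as newly added so the change can be traced back to a specific acquisition interval.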
Most resources that are used in Trusted Surveyor are given a name for identification when you use the command line. In some cases, you can use the commands to provide your own name for the resources.
Before we explain these concepts in more detail, see Figure 2 for an overview.
Figure 2. Trusted Surveyor conceptual flow
Domains
Domains represent the main environment in which you work when you use Trusted Surveyor. Some configurations are simple enough to require only a single domain, which is created when you install Trusted Surveyor. It is not necessary to create additional domains.
More complex configurations might benefit from the creation of additional domains. Data center resources can be grouped into domains. Because you can access only one domain at a time, it is helpful to group similar resources together.
Probes
Trusted Surveyor uses probes to query information from a virtual management console, such as an HMC. Probes gather information about the configuration of the data center or the cloud. Then, this information is filtered and consolidated into a snapshot that represents the configuration.
Snapshots
Snapshots are representations of the environment that are created by consolidating the information that is captured by the probe acquisitions. Snapshots can be used to provide a detailed representation of a data center. Two snapshots can also be used to see how the environment changed in the time between the creation of the two snapshots.
When you work with snapshots, a snapID variable is used to identify a specific snapshot. The snapID can be either the name that is assigned to the snapshot with the command-line interface (CLI) or the graphical interface, or the unique integer name that is provided by Trusted Surveyor in the format of snapshot-ID.
Basic components
The following basic components are required for Trusted Surveyor:
| Program name | PID number | Charge unit description |
| --- | --- | --- |
| IBM PowerSC Trusted Surveyor | 5765-PTS | Per HMC |
| SW Maintenance Registration/Renewal 1 Year | 5660-PTS | Per HMC |
| SW Maintenance After License 1 Year | 5661-PTS | Per HMC |
| SW Maintenance Registration 3 Year | 5662-PTS | Per HMC |
| SW Maintenance After License 3 Year | 5664-PTS | Per HMC |
| IBM PowerSC Trusted Surveyor DVD | 5692-A6P | Feature 3345-1100 or 3345-1101 |
The material included in this document is in DRAFT form and is provided 'as is' without warranty of any kind. IBM is not responsible for the accuracy or completeness of the material, and may update the document at any time. The final, published document may not include any, or all, of the material included herein. Client assumes all risks associated with Client's use of this document.