You are previewing Cloud Security Guidelines for IBM Power Systems.
O'Reilly logo
Cloud Security Guidelines for IBM Power Systems

Book Description

This IBM® Redbooks® publication is a comprehensive guide that covers cloud security considerations for IBM Power Systems™. The first objectives of this book are to examine how Power Systems can fit into the current and developing cloud computing landscape and to outline the proven Cloud Computing Reference Architecture (CCRA) that IBM employs in building private and hybrid cloud environments.

We then look more closely at the underlying technology and hone in on the security aspects for the following subsystems:

  • IBM Hardware Management Console

  • IBM PowerVM®

  • IBM PowerKVM

  • IBM PowerVC

  • IBM Cloud Manager with OpenStack


  • This publication is geared toward professionals who are involved in security design and implementation regarding planning and deploying cloud infrastructures using IBM Power Systems.

    Table of Contents

    1. Front cover
    2. Notices
      1. Trademarks
    3. IBM Redbooks promotions
    4. Preface
      1. Authors
      2. Now you can become a published author, too!
      3. Comments welcome
      4. Stay connected to IBM Redbooks
    5. Part 1 Business context and architecture considerations
    6. Chapter 1. Business context
      1. 1.1 Overview
        1. 1.1.1 Definitions
      2. 1.2 Business drivers for cloud computing
      3. 1.3 IBM Power Systems and the cloud
        1. 1.3.1 Hypervisors
        2. 1.3.2 Platform management
        3. 1.3.3 Advanced virtualization management
        4. 1.3.4 Cloud management
      4. 1.4 Conclusion
    7. Chapter 2. Cloud security reference architecture
      1. 2.1 IBM Cloud Computing Reference Architecture
        1. 2.1.1 Adoption patterns
        2. 2.1.2 Cloud Enabled Data Centers (or IaaS)
      2. 2.2 Security and the CCRA
        1. 2.2.1 Business drivers for a secure reference architecture
        2. 2.2.2 Security requirements
      3. 2.3 Cloud computing and regulatory compliance
        1. 2.3.1 Government regulations and agencies
        2. 2.3.2 Standards organizations
        3. 2.3.3 Industry bodies
        4. 2.3.4 Summary
      4. 2.4 Security guidance
        1. 2.4.1 Manage identities and access
        2. 2.4.2 Secure virtual machines
        3. 2.4.3 Patch default images
        4. 2.4.4 Manage logs and audit data
        5. 2.4.5 Network isolation
      5. 2.5 Usage scenarios
        1. 2.5.1 Generic use case with Cloud Enabled Data Center
        2. 2.5.2 Typical PowerKVM use case
        3. 2.5.3 Typical PowerVM use case
      6. 2.6 Integration with IBM Software
        1. 2.6.1 Security Information and Event Management (SIEM)
        2. 2.6.2 Identity and access management
        3. 2.6.3 Endpoint management
        4. 2.6.4 Threat and intrusion prevention
      7. 2.7 Conclusion
    8. Part 2 Power cloud components
    9. Chapter 3. IBM Hardware Management Console security
      1. 3.1 Introduction
      2. 3.2 User interfaces
        1. 3.2.1 User interface security
      3. 3.3 Network interfaces
        1. 3.3.1 Connectivity to the Flexible Service Processor
      4. 3.4 User and role management
        1. 3.4.1 Users
        2. 3.4.2 Roles
        3. 3.4.3 Practical scenario of using users and customized roles
      5. 3.5 Monitoring and auditing HMC access
        1. 3.5.1 Access monitoring
        2. 3.5.2 Access auditing
      6. 3.6 Security enhancements and compliance
        1. 3.6.1 Security compliance
        2. 3.6.2 HMC security enhancements
        3. 3.6.3 Data replication
        4. 3.6.4 Customizing HMC encryption
      7. 3.7 Conclusion
    10. Chapter 4. IBM PowerVM security
      1. 4.1 IBM PowerVM overview
      2. 4.2 Isolation requirements for logical partitions
        1. 4.2.1 Processor isolation
        2. 4.2.2 Memory isolation
        3. 4.2.3 I/O isolation
      3. 4.3 IBM Power processors
        1. 4.3.1 Hypervisor mode
        2. 4.3.2 Privileged mode
        3. 4.3.3 User mode
      4. 4.4 POWER Hypervisor
        1. 4.4.1 POWER Hypervisor integrity
        2. 4.4.2 POWER Hypervisor and CPU sharing
        3. 4.4.3 POWER Hypervisor and memory sharing
        4. 4.4.4 POWER Hypervisor and I/O sharing
      5. 4.5 Memory isolation
        1. 4.5.1 Effective memory
        2. 4.5.2 Virtual memory
        3. 4.5.3 Physical memory
        4. 4.5.4 Real memory
        5. 4.5.5 Logical memory
        6. 4.5.6 Page tables
      6. 4.6 I/O isolation
      7. 4.7 Logical partitions (LPARs)
        1. 4.7.1 LPAR management
        2. 4.7.2 LPAR operating systems
      8. 4.8 Virtualization of I/O devices
        1. 4.8.1 Disk access for logical partitions
        2. 4.8.2 Network access for logical partitions
      9. 4.9 IBM PowerVM security management with PowerSC
        1. 4.9.1 Security and Compliance Automation
        2. 4.9.2 Trusted Boot
        3. 4.9.3 Trusted Firewall
        4. 4.9.4 Trusted Logging
        5. 4.9.5 Real-Time Compliance
        6. 4.9.6 Trusted Network Connect and Patch management
        7. 4.9.7 Trusted Surveyor
      10. 4.10 Secure Logical Partition Mobility
        1. 4.10.1 Live Partition Mobility
        2. 4.10.2 Practical scenario for secure LPM
        3. 4.10.3 Conclusion
    11. Chapter 5. IBM PowerKVM security
      1. 5.1 PowerKVM architecture overview
        1. 5.1.1 PowerKVM host
        2. 5.1.2 PowerKVM guest
        3. 5.1.3 Quick EMUlator (QEMU)
        4. 5.1.4 The libvirt library
        5. 5.1.5 The virsh virtualization shell tool
        6. 5.1.6 Kimchi
      2. 5.2 PowerKVM security considerations
        1. 5.2.1 Authentication
        2. 5.2.2 Networking
        3. 5.2.3 Firewall functionality with firewalld and iptables
        4. 5.2.4 Network filter driver
        5. 5.2.5 The sVirt service
        6. 5.2.6 Audit
        7. 5.2.7 PowerKVM guest image encryption
        8. 5.2.8 Guest live migration
      3. 5.3 Conclusion
    12. Chapter 6. IBM PowerVC security
      1. 6.1 Introduction to PowerVC and security topics
        1. 6.1.1 PowerVC architecture overview
        2. 6.1.2 Security enhancement features
        3. 6.1.3 Secure communications
      2. 6.2 Identity management
        1. 6.2.1 Remove root account from PowerVC admin group
        2. 6.2.2 PowerVC users, groups, roles, and policies
        3. 6.2.3 Service and Qpid users and passwords
        4. 6.2.4 Using LDAP for PowerVC identity management
      3. 6.3 API security
        1. 6.3.1 Authentication
        2. 6.3.2 Secure communication for PowerVC APIs
        3. 6.3.3 Strict network access control
      4. 6.4 Audit
        1. 6.4.1 Enabling and disabling PowerVC audit
        2. 6.4.2 Retrieving audit log information
        3. 6.4.3 Important log files
      5. 6.5 Patch management
        1. 6.5.1 Where to get PowerVC security patch information
        2. 6.5.2 Consideration on OpenStack vulnerability
        3. 6.5.3 Managing Apache HTTP server, Apache Qpid, and IBM DB2
      6. 6.6 Conclusion
    13. Chapter 7. IBM Cloud Manager with OpenStack security
      1. 7.1 Introducing IBM Cloud Manager with OpenStack
        1. 7.1.1 OpenStack and Chef
        2. 7.1.2 Enhancements to OpenStack
        3. 7.1.3 Power Systems Hypervisor support
        4. 7.1.4 Deployment models
      2. 7.2 Identity
        1. 7.2.1 Local database, Keystone and LDAP identities
        2. 7.2.2 Configuring Keystone authentication
        3. 7.2.3 Configuring LDAP
        4. 7.2.4 Projects, roles and users
        5. 7.2.5 Changing default passwords
        6. 7.2.6 Changing the default administrator user account
      3. 7.3 Access
        1. 7.3.1 Access to provisioned virtual machines
        2. 7.3.2 Updating the default security policy
        3. 7.3.3 Generating and uploading SSH keys
        4. 7.3.4 Configuring SSL communication with self-service portal
        5. 7.3.5 Configuring SSL for OpenStack Dashboard
        6. 7.3.6 Network Time Protocol
        7. 7.3.7 Session timeout and lockout
        8. 7.3.8 TCP/IP ports used by IBM Cloud Manager with OpenStack
      4. 7.4 Patch management
      5. 7.5 Audit and logging
      6. 7.6 Image management
        1. 7.6.1 SSH host key entropy
        2. 7.6.2 Image staging project
      7. 7.7 REST API security
      8. 7.8 Conclusion
    14. Part 3 Appendixes
    15. Appendix A. Troubleshooting SSL and TLS handshake
      1. Collecting network data by using tcpdump
      2. Examining packet captures with Wireshark
      3. Other tools
    16. Related publications
      1. IBM Redbooks
      2. Online resources
      3. Help from IBM
    17. Back cover
    18. IBM System x Reference Architecture for Hadoop: IBM InfoSphere BigInsights Reference Architecture
      1. Introduction
      2. Business problem and business value
      3. Reference architecture use
      4. Requirements
      5. InfoSphere BigInsights predefined configuration
      6. InfoSphere BigInsights HBase predefined configuration
      7. Deployment considerations
      8. Customizing the predefined configurations
      9. Predefined configuration bill of materials
      10. References
      11. The team who wrote this paper
      12. Now you can become a published author, too!
      13. Stay connected to IBM Redbooks
    19. Notices
      1. Trademarks