You are previewing Cloud Security Guidelines for IBM Power Systems.
O'Reilly logo
Cloud Security Guidelines for IBM Power Systems

Book Description

This IBM® Redbooks® publication is a comprehensive guide that covers cloud security considerations for IBM Power Systems™. The first objectives of this book are to examine how Power Systems can fit into the current and developing cloud computing landscape and to outline the proven Cloud Computing Reference Architecture (CCRA) that IBM employs in building private and hybrid cloud environments.

The book then looks more closely at the underlying technology and hones in on the security aspects for the following subsystems:

  • IBM Hardware Management Console

  • IBM PowerVM

  • IBM PowerKVM

  • IBM PowerVC

  • IBM Cloud Manager with OpenStack

  • IBM Bluemix


  • This publication is for professionals who are involved in security design with regard to planning and deploying cloud infrastructures using IBM Power Systems.

    Table of Contents

    1. Front cover
    2. Notices
      1. Trademarks
    3. IBM Redbooks promotions
    4. Preface
      1. Authors
      2. Now you can become a published author, too!
      3. Comments welcome
      4. Stay connected to IBM Redbooks
    5. Part 1 Business context and architecture considerations
    6. Chapter 1. Business context
      1. 1.1 Overview
        1. 1.1.1 Cloud deployment models
        2. 1.1.2 Cloud service models
      2. 1.2 Business drivers for cloud computing
      3. 1.3 IBM Power Systems and the cloud
        1. 1.3.1 Hypervisors
        2. 1.3.2 Platform management
        3. 1.3.3 Advanced virtualization management
        4. 1.3.4 Cloud management
      4. 1.4 Conclusion
    7. Chapter 2. Cloud security reference architecture
      1. 2.1 IBM Cloud Computing Reference Architecture
        1. 2.1.1 Adoption patterns
        2. 2.1.2 Cloud Enabled Data Centers (or IaaS)
      2. 2.2 Security and the CCRA
        1. 2.2.1 Business drivers for a secure reference architecture
        2. 2.2.2 Security requirements
      3. 2.3 Cloud computing and regulatory compliance
        1. 2.3.1 Government regulations and agencies
        2. 2.3.2 Standards organizations
        3. 2.3.3 Industry bodies
        4. 2.3.4 Summary
      4. 2.4 Security guidance
        1. 2.4.1 Manage identities and access
        2. 2.4.2 Secure virtual machines
        3. 2.4.3 Patch default images
        4. 2.4.4 Manage logs and audit data
        5. 2.4.5 Network isolation
      5. 2.5 Usage scenarios
        1. 2.5.1 Generic use case with cloud-enabled data center
        2. 2.5.2 Typical PowerKVM use case
        3. 2.5.3 Typical PowerVM use case
      6. 2.6 Integration with IBM software
        1. 2.6.1 Security Information and Event Management (SIEM)
        2. 2.6.2 Identity and access management
        3. 2.6.3 Endpoint management
        4. 2.6.4 Threat and intrusion prevention
      7. 2.7 Conclusion
    8. Part 2 Power cloud components
    9. Chapter 3. IBM Hardware Management Console (HMC) security
      1. 3.1 Introduction to the HMC
      2. 3.2 User interfaces
      3. 3.3 Network interfaces
      4. 3.4 User and role management
        1. 3.4.1 Users
        2. 3.4.2 Roles
        3. 3.4.3 Practical scenario of using users and customized roles
      5. 3.5 Monitoring and auditing HMC access
        1. 3.5.1 Access monitoring
        2. 3.5.2 Access auditing
      6. 3.6 Security enhancements and compliance
        1. 3.6.1 Security compliance
        2. 3.6.2 HMC security enhancements
        3. 3.6.3 Data replication
        4. 3.6.4 Customizing HMC encryption
      7. 3.7 HMC and security zones
        1. 3.7.1 Virtual switches
        2. 3.7.2 Enforcement of ACLs on virtual switches
        3. 3.7.3 ACL support for LPM
      8. 3.8 Conclusion
    10. Chapter 4. IBM PowerVM security
      1. 4.1 IBM PowerVM overview
      2. 4.2 Isolation requirements for logical partitions
        1. 4.2.1 Workload isolation
        2. 4.2.2 Processor core isolation
        3. 4.2.3 Memory isolation
        4. 4.2.4 I/O isolation
      3. 4.3 Domains of IBM Power processor cores
        1. 4.3.1 Application domain
        2. 4.3.2 Kernel domain
        3. 4.3.3 Hypervisor domain
      4. 4.4 Processor core access modes
      5. 4.5 POWER Hypervisor
        1. 4.5.1 POWER Hypervisor integrity
        2. 4.5.2 POWER Hypervisor and processor core sharing
        3. 4.5.3 POWER Hypervisor and memory sharing
        4. 4.5.4 POWER Hypervisor and I/O sharing
      6. 4.6 Memory isolation
        1. 4.6.1 Effective memory
        2. 4.6.2 Virtual memory
        3. 4.6.3 Physical memory
        4. 4.6.4 Real memory
        5. 4.6.5 Logical memory
        6. 4.6.6 Partition page tables
      7. 4.7 I/O isolation
      8. 4.8 Logical partitions (LPARs)
        1. 4.8.1 LPAR management
        2. 4.8.2 LPAR operating systems
      9. 4.9 Virtualization of I/O devices
        1. 4.9.1 Disk access for logical partitions
        2. 4.9.2 Network access for logical partitions
      10. 4.10 Security of DLPAR operations
      11. 4.11 IBM PowerVM security management with PowerSC
      12. 4.12 Secure Logical Partition Mobility
        1. 4.12.1 Live Partition Mobility
        2. 4.12.2 Practical scenario for secure LPM
      13. 4.13 PowerVM NovaLink
      14. 4.14 Conclusion
    11. Chapter 5. IBM PowerKVM security
      1. 5.1 PowerKVM architecture overview
        1. 5.1.1 PowerKVM host
        2. 5.1.2 PowerKVM guest
        3. 5.1.3 Quick Emulator (QEMU)
        4. 5.1.4 The libvirt library
        5. 5.1.5 The virsh virtualization shell tool
        6. 5.1.6 Kimchi
      2. 5.2 PowerKVM security considerations
        1. 5.2.1 Authentication
        2. 5.2.2 Networking
        3. 5.2.3 Firewall functionality with firewalld and iptables
        4. 5.2.4 Network filter driver
        5. 5.2.5 The sVirt service
        6. 5.2.6 Audit
        7. 5.2.7 PowerKVM guest image encryption
        8. 5.2.8 Guest live migration
      3. 5.3 Conclusion
    12. Chapter 6. IBM PowerVC security
      1. 6.1 Introduction to PowerVC and security topics
        1. 6.1.1 PowerVC architecture overview
        2. 6.1.2 Security enhancement features
        3. 6.1.3 Secure communications
      2. 6.2 Identity management
        1. 6.2.1 Removing the root account from the PowerVC admin group
        2. 6.2.2 PowerVC users, groups, roles, and policies
        3. 6.2.3 Using LDAP for PowerVC identity management
      3. 6.3 API security
        1. 6.3.1 Authentication
        2. 6.3.2 Secure communication for PowerVC APIs
        3. 6.3.3 Strict network access control
      4. 6.4 Audit
        1. 6.4.1 Enabling and disabling PowerVC audit
        2. 6.4.2 Retrieving audit log information
        3. 6.4.3 Important log files
      5. 6.5 Security options using powervc-config command
        1. 6.5.1 Setting the maximum image size
        2. 6.5.2 Setting the maximum amount of per-user image storage
      6. 6.6 Patch management
        1. 6.6.1 Where to get PowerVC security patch information
        2. 6.6.2 Consideration on OpenStack vulnerability
        3. 6.6.3 Managing Open Source components like Apache HTTP server, OpenSSL, and OpenSSH
      7. 6.7 Conclusion
    13. Chapter 7. IBM Cloud Manager with OpenStack security
      1. 7.1 Introducing IBM Cloud Manager with OpenStack
        1. 7.1.1 OpenStack and Chef
        2. 7.1.2 Enhancements to OpenStack
        3. 7.1.3 Power Systems hypervisor support
        4. 7.1.4 Deployment models
      2. 7.2 Identity
        1. 7.2.1 Keystone and LDAP identities
        2. 7.2.2 Configuring LDAP
        3. 7.2.3 Projects, roles, and users
        4. 7.2.4 Changing default passwords
        5. 7.2.5 Changing the default administrator user account
      3. 7.3 Access
        1. 7.3.1 Access to provisioned virtual machines
        2. 7.3.2 Updating the default security policy
        3. 7.3.3 Generating and uploading SSH keys
        4. 7.3.4 Configuring SSL communication with self-service portal
        5. 7.3.5 Configuring SSL for OpenStack Dashboard
        6. 7.3.6 Network Time Protocol (NTP)
        7. 7.3.7 Session timeout and lockout
        8. 7.3.8 TCP/IP ports used by IBM Cloud Manager with OpenStack
      4. 7.4 Patch management
      5. 7.5 Audit and logging
      6. 7.6 Image management
        1. 7.6.1 SSH host key entropy
        2. 7.6.2 Image staging project
      7. 7.7 REST API security
      8. 7.8 Conclusion
    14. Chapter 8. IBM Bluemix secure gateway
      1. 8.1 IBM Bluemix overview
        1. 8.1.1 How IBM Bluemix works
        2. 8.1.2 IBM Bluemix management
      2. 8.2 IBM Bluemix Secure Gateway
        1. 8.2.1 IBM Bluemix Secure Gateway configuration
        2. 8.2.2 IBM Bluemix Secure Gateway service status
      3. 8.3 Other security options of IBM Bluemix
    15. Part 3 Appendixes
    16. Appendix A. Troubleshooting SSL and TLS handshake
      1. Collecting network data by using tcpdump
      2. Examining packet captures with Wireshark
      3. Other tools
    17. Appendix B. VMware vRealize Automation for Power Systems
    18. Related publications
      1. IBM Redbooks
      2. Online resources
      3. Help from IBM
    19. Back cover