IBM Secure Service Container explained

IBM Secure Service Container is the trusted execution environment available for IBM Z and IBM LinuxONE servers.

History

In 2016 IBM introduced the z Appliance Container Infrastructure ("zACI") feature for the IBM z13, z13s, LinuxONE Rockhopper, and LinuxONE Emperor servers, delivered via a driver (firmware) update (driver level 27). IBM originally conceived its trusted execution environment as best suited for software "appliances," such as its own z/VSE Network Appliance, zAware, and GDPS Virtual Appliance offerings.[1] As IBM improved zACI and broadened its applicability, the company quickly changed its name to IBM Secure Service Container (SSC) when the IBM z14 and LinuxONE Emperor II models launched in 2017.[2]

Details

IBM Secure Service Container consists of a combination of hardware, firmware, and software technologies that are commercially available in recent IBM Z and IBM LinuxONE servers. The hardware and firmware elements are primarily extensions to IBM's PR/SM logical partitioning technologies which are Common Criteria Enterprise Assurance Level (EAL) 5+ certified for separation and isolation.[3] A logical partition (LPAR) type of "SSC" is available, and up to 16 TiB of usable main system memory can be allocated per LPAR (the limit as of the IBM z14 and IBM Emperor II server models introduced in 2017).

IBM also supplies a generalized, open source-based software framework for SSCs in the form of IBM Secure Service Container for IBM Cloud Private and a paired, firmware-based enabling feature. This generalized software framework facilitates running conventional virtual machines (VMs) and Docker containers on Linux within the SSC, without requiring special programming to adapt to SSC architecture.[4] In other words, the IBM Secure Service Container (SSC) is the outer "envelope" within which VMs and software containers (such as Docker containers) run in a highly secure, trusted execution environment.

IBM uses SSCs to host many of its own public cloud services, including IBM Cloud Hyper Protect Services. First adopters of IBM SSC technologies include organizations with extremely demanding security requirements, including digital asset and cryptocurrency firms such as Digital Asset Custody Services (DACS).[5] Most organizations using IBM Secure Service Container also rely heavily on the services that IBM's FIPS 140-2 Level 4 certified Crypto Express hardware security modules and Trusted Key Entry (TKE) equipment provide, although these IBM Z and IBM LinuxONE system features can also be used separately, on their own.

See also

External links

Notes and References

  1. Web site: Expanding the IBM Systems' portfolio with additions to IBM z Systems and IBM LinuxONE. ibm.com. 2016-02-16. 2019-07-12.
  2. Web site: Secure Service Containers are a Virtual Appliance Framework for Sensitive Workloads. IBM Systems Magazine . 2017-07-01. 2019-07-12.
  3. Web site: Security Considerations for Critical Environments. ibm.com. 2018-10-22. 2019-07-12.
  4. Web site: IBM Secure Service Container. ibm.com. 2019-07-12.
  5. Web site: Digital Asset Custody Services (DACS). ibm.com. 2019-07-12.