Reducing cybersecurity risk is a central concern for businesses today. As hackers become more sophisticated, and as more business is done on mobile devices, risks have increased, and that means organizations may benefit from a “defense in depth,” or multilayered, approach to their security strategy. IBM Power Systems and the POWER9 processor facilitate the “defense in depth” security approach by providing key security features for hardware, operating systems, firmware, hypervisor and security tool suites like IBM PowerSC.
IBM Power Systems’ security capabilities also support a wide range of operating systems, and in this post we’ll focus on key IBM AIX security features you should consider adopting as you move to IBM POWER9.
1. AIX Secure Boot and AIX Trusted Execution
The Center for Internet Security (CIS) provides universal cybersecurity recommendations that are applicable to all types of organizations. CIS ranks “Inventory and Control of Software Assets” as the second prioritized control out of 20, where each control is essentially a category of cyber defense. The IBM AIX Secure Boot and Trusted Execution features fall into this category. Using the CIS 7.1 standard as a basis, I believe these tools are two of the most important cybersecurity defenses for your AIX enterprise environment.
PowerVM’s Secure Boot feature uses digital signatures to verify the integrity of PowerVM firmware, including HostBoot, Power hypervisor (PHYP) and partition firmware (PFW). AIX Secure Boot extends the firmware verification done by the PowerVM Secure Boot feature by cryptographically verifying the authenticity of the OS bootloader, the kernel and the runtime environment, including device drivers, kernel extensions, applications and shared libraries.
After AIX Secure Boot has verified the integrity of the boot process, you can then use AIX Trusted Execution to safeguard the integrity of the AIX runtime execution environment by cryptographically verifying the integrity of scripts, executables, kernel extensions and libraries that are loaded by the AIX kernel after the system has completed the secure boot process. When correctly utilized, AIX Secure Boot and AIX Trusted Execution are designed to provide a powerful measure for preventing or detecting malicious code executing on your POWER9 AIX systems.
Why are these two features so important? In numerous security breaches, attackers commonly use malware. In some breaches, attackers have used multiple types of malware to facilitate their successful breach. Attackers can also use hacking tools to enable them to further penetrate a victim’s environment. Additionally, these two features are part of the prioritized cybersecurity controls recommended by the Center for Internet Security’s CIS 7.1 standard mentioned above. This second control states: “Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that all unauthorized and unmanaged software is found and prevented from installation or execution.”
The following are prerequisites for AIX Secure Boot:
- Hardware: POWER9 systems (Power E950 and above)
- Firmware: 920
- HMC: Release 9 Version 920
- AIX: AIX 7.2 TL3 SP1 (72M)
NOTE: The IBM PowerSC Graphical User Interface provides centralized management functionality to simplify management of Trusted Execution to multiple AIX partitions.
2. New cybersecurity compliance profiles available with PowerSC Graphical User Interface
IBM PowerSC is an integrated technology designed to assist Power Systems clients with general cybersecurity and cybersecurity compliance in cloud and virtual environments. It can help you save time and reduce risk by increasing visibility across your IBM Power Systems stack. PowerSC 1.3.0.0, which was released on December 13, 2019, has provided two new security hardening profiles. The PowerSC Graphical User Interface provides the ability to apply a set of recommended settings to multiple systems.
One of the new security hardening profiles is based on the CIS Security Benchmark settings for AIX 7.1. This new CIS profile provides universal security hardening settings that can be utilized by all AIX enterprise environments using AIX 6.1, 7.1 or 7.2.
The other new security hardening profile is for Department of Defense (DoD) organizations. This is the new DISA STIG profile.
3. Fileset changes
One of the goals in reducing the attack surface of any operating system is to not install software that’s not needed on the operating system. Eliminating unnecessary software can not only provide fewer elements for a hacker to exploit but can also reduce the superset of software that must be managed for security patches.
To provide you with more control over the software that’s installed on your system, the bos.net.tcp.client and bos.net.tcp.server filesets in IBM AIX are split into 33 new filesets. This new fileset design allows you to design more granular build images that only include the filesets needed by your system.
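
One way to check a build against that goal, as an added example that is not from the original post or from IBM: the script reads `lslpp -Lc` output and reports any installed `bos.net.tcp.*` fileset that is not on a site allowlist. The allowlist, the function names and the sample listing (fileset names, levels, descriptions) are assumptions constructed for illustration; substitute what `lslpp` reports on your system.

```shell
#!/bin/sh
# Flag installed bos.net.tcp.* filesets that are not on a site allowlist.
# stdin: `lslpp -Lc` colon-separated output
# (field 2 = fileset, field 3 = level, field 6 = fix state).

# Hypothetical allowlist for a minimal build (space-separated names).
ALLOWED_FILESETS="bos.net.tcp.client_core bos.net.tcp.syslogd bos.net.tcp.ntp"

# Constructed sample of `lslpp -Lc` output; names and levels are illustrative.
sample_lslpp() {
cat <<'EOF'
#Package Name:Fileset:Level:State:PTF Id:Fix State:Type:Description:Destination Dir.:Uninstaller:Message Catalog:Message Set:Message Number:Parent:Automatic:EFIX Locked:Install Path:Build Date
bos.net:bos.net.tcp.client_core:7.2.3.0: : :C: :TCP/IP Client Core Support: : : : : : :0:0:/:1837
bos.net:bos.net.tcp.ntp:7.2.3.0: : :C: :Network Time Protocol: : : : : : :0:0:/:1837
bos.net:bos.net.tcp.syslogd:7.2.3.0: : :C: :System Logging Daemon: : : : : : :0:0:/:1837
bos.net:bos.net.tcp.telnetd:7.2.3.0: : :C: :Telnet Server: : : : : : :0:0:/:1837
bos.net:bos.net.tcp.ftpd:7.2.3.0: : :A: :FTP Server: : : : : : :0:0:/:1837
bos.net:bos.net.nfs.client:7.2.3.0: : :C: :Network File System Client: : : : : : :0:0:/:1837
EOF
}

# $1: space-separated allowlist. Prints one line per unexpected fileset
# and returns 1 if any were found, 0 otherwise.
audit_tcp_filesets() {
    awk -F: -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^#/ || NF < 6 { next }              # skip the header and malformed lines
        $2 !~ /^bos\.net\.tcp\./ { next }    # only the split TCP/IP filesets
        !($2 in ok) { printf "UNNEEDED %s %s %s\n", $2, $3, $6; bad++ }
        END { exit (bad > 0) }
    '
}

# On AIX: lslpp -Lc | audit_tcp_filesets "$ALLOWED_FILESETS"
sample_lslpp | audit_tcp_filesets "$ALLOWED_FILESETS" \
    || echo "Filesets listed above are not on the build allowlist"
```
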
4. In-core cryptographic functionality
The OpenSSL version 1.0.2.1100 fileset and AIX 7 with 7200-03 can use the in-core cryptographic function that’s available starting with POWER8 systems. This new support is engineered for better performance when cryptographic operations are involved with the following ciphers:
- AES-128-CBC
- AES-192-CBC
- AES-256-CBC
- AES-128-ECB
- AES-192-ECB
- AES-256-ECB
- AES-128-GCM
- AES-192-GCM
- AES-256-GCM
- AES-128-XTS
- AES-192-XTS
- AES-256-XTS
- SHA1
- SHA224
- SHA256
- SHA384
- SHA512
Although this feature is more directly related to performance, it’s also related to cybersecurity, since we have seen that the use of more computationally intensive cryptographic ciphers is sometimes hindered by the hit to performance. So, removing any possible hindrance to using computationally intensive ciphers can result in improved security in certain instances.
Defend yourself against cyberattack
Cybercriminals are making significant strides in improving their ability to attack organizations. This cyber war is a constantly moving target, as hackers never stop creating new methods for attacking organizations. A defense in depth cybersecurity approach is fundamental to reducing your security risk. The features mentioned in this post are four positive steps towards realizing a robust defense in depth security implementation that may be the difference in preventing or reducing the effects of a data breach for your organization.
Learn more about a multilayered approach to security with IBM POWER9.
IBM Systems Lab Services provides an AIX Security Assessment for CIS 7.1. This consulting service is the first step in realizing what it takes to implement a defense in depth cybersecurity implementation for AIX systems. For more information on this service or anything related to AIX security, please contact us today.