January 21, 2020 By Stephen Dominguez 4 min read

Reducing cybersecurity risk is a central concern for businesses today. As hackers become more sophisticated, and as more business is done on mobile devices, risks have increased, and that means organizations may benefit from a “defense in depth,” or multilayered, approach to their security strategy. IBM Power Systems and the POWER9 processor facilitate the “defense in depth” security approach by providing key security features for hardware, operating systems, firmware, hypervisor and security tool suites like IBM PowerSC.

IBM Power Systems’ security capabilities also support a wide range of operating systems, and in this post we’ll focus on key IBM AIX security features you should consider adopting as you move to IBM POWER9.

1. AIX Secure Boot and AIX Trusted Execution

The Center for Internet Security (CIS) provides universal cybersecurity recommendations that are applicable to all types of organizations. CIS ranks “Inventory and Control of Software Assets” as the second prioritized control out of 20, where each control is essentially a category of cyber defense. The IBM AIX Secure Boot and Trusted Execution features fall into this category. Using the CIS 7.1 standard as a basis, I believe these tools are two of the most important cybersecurity defenses for your AIX enterprise environment.PowerVM’s Secure Boot feature uses digital signatures to verify the integrity of PowerVM firmware, including HostBoot, Power hypervisor (PHYP) and partition firmware (PFW). The AIX Secure Boot extends the firmware verification done by the PowerVM Secure Boot feature by cryptographically verifying the authenticity of the OS bootloader, the kernel and the runtime environment, including device drivers, kernel extension, applications and shared libraries.

After AIX Secure Boot has verified the integrity of the boot process, you can then use AIX Trusted Execution to safeguard the integrity of the AIX runtime execution environment by cryptographically verifying the integrity of scripts, executables, kernel extensions and libraries that are loaded by the AIX kernel after the system has completed the secure boot process. When correctly utilized, AIX Secure Boot and AIX Trusted Execution are designed to provide a powerful measure for preventing or detecting malicious code executing on your POWER9 AIX systems.

Why are these two features so important? In numerous security breaches, attackers commonly use malware. In some breaches, attackers have used multiple types of malware to facilitate their successful breach. Attackers can also use hacking tools to enable them to further penetrate a victim’s environment. Additionally, these two features are part of the prioritized cybersecurity controls recommended by the Center for Internet Security’s CIS 7.1 standard mentioned above. This second control states: “Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that all unauthorized and unmanaged software is found and prevented from installation or execution.”

The following are prerequisites for AIX Secure Boot:

  • Hardware: POWER9 systems (Power E950 and above)
  • Firmware: 920
  • HMC: Release 9 Version 920
  • AIX: AIX 7.2 TL3 SP1 (72M)

NOTE: The IBM PowerSC Graphical User Interface provides centralized management functionality to simplify management of Trusted Execution to multiple AIX partitions.

2. New cybersecurity compliance profiles available with PowerSC Graphical User Interface

IBM PowerSC is an integrated technology designed to assist Power Systems clients with general cybersecurity and cybersecurity compliance in cloud and virtual environments. It can help you save time and reduce risk by increasing visibility across your IBM Power Systems stack. PowerSC, which was released on December 13, 2019, has provided two new security hardening profiles. The PowerSC Graphical User Interface provides the ability to apply a set of recommended settings to multiple systems.One of the new security hardening profiles is based on the CIS Security Benchmark settings for AIX 7.1. This new CIS profile provides universal security hardening settings that can be utilized by all AIX enterprise environments using AIX 6.1, 7.1 or 7.2.

The other new security hardening profile is for Department of Defense (DoD) organizations. This is the new DISA STIG profile.

3. Fileset changes

One of the goals in reducing the attack surface of any operating system is to not install software that’s not needed on the operating system. Eliminating unnecessary software can not only provide fewer elements for a hacker to exploit but can also reduce the superset of software that must be managed for security patches.To provide you with more control over the software that’s installed on your system, the bos.net.tcp.client and bos.net.tcp.server filesets in IBM AIX are split into 33 new filesets. This new fileset design allows you to design more granular build images that only include the filesets needed by your system.

4. In-core cryptographic functionality

The OpenSSL version fileset and AIX 7 with 7200-03 can use the in-core cryptographic function that’s available starting with POWER8 systems. This new support is engineered for better performance when cryptographic operations are involved with the following ciphers:

  • AES-128-CBC
  • AES-192-CBC
  • AES-256-CBC
  • AES-128-ECB
  • AES-192-ECB
  • AES-256-ECB
  • AES-128-GCM
  • AES-192-GCM
  • AES-256-GCM
  • AES-128-XTS
  • AES-192-XTS
  • AES-256-XTS
  • SHA1
  • SHA224
  • SHA256
  • SHA384
  • SHA512

Although this feature is more directly related to performance, it’s also related to cybersecurity since we have seen that the utilization of more computationally intensive cryptographic ciphers is sometimes hindered because of the hit to performance. So, removing any possible hinderance to utilizing computationally intensive ciphers can result in improving security in certain instances.

Defend yourself against cyberattack

Cybercriminals are making significant strides in improving their ability to attack organizations.  This cyber war is a constantly moving target, as hackers never stop creating new methods for attacking organizations. A defense in depth cybersecurity approach is fundamental to reducing your security risk. The features mentioned in this post are four positive steps towards realizing a robust defense in depth security implementation that may be the difference in preventing or reducing the effects of a data breach for your organization.

Learn more about a multilayered approach to security with IBM POWER9.

IBM Systems Lab Services provides an AIX Security Assessment for CIS 7.1. This consulting service is the first step in realizing what it takes to implement a defense in depth cybersecurity implementation for AIX systems. For more information on this service or anything related to AIX security, please contact us today.

Was this article helpful?

More from Cloud

IBM Tech Now: April 8, 2024

< 1 min read - ​Welcome IBM Tech Now, our video web series featuring the latest and greatest news and announcements in the world of technology. Make sure you subscribe to our YouTube channel to be notified every time a new IBM Tech Now video is published. IBM Tech Now: Episode 96 On this episode, we're covering the following topics: IBM Cloud Logs A collaboration with IBM watsonx.ai and Anaconda IBM offerings in the G2 Spring Reports Stay plugged in You can check out the…

The advantages and disadvantages of private cloud 

6 min read - The popularity of private cloud is growing, primarily driven by the need for greater data security. Across industries like education, retail and government, organizations are choosing private cloud settings to conduct business use cases involving workloads with sensitive information and to comply with data privacy and compliance needs. In a report from Technavio (link resides outside ibm.com), the private cloud services market size is estimated to grow at a CAGR of 26.71% between 2023 and 2028, and it is forecast to increase by…

Optimize observability with IBM Cloud Logs to help improve infrastructure and app performance

5 min read - There is a dilemma facing infrastructure and app performance—as workloads generate an expanding amount of observability data, it puts increased pressure on collection tool abilities to process it all. The resulting data stress becomes expensive to manage and makes it harder to obtain actionable insights from the data itself, making it harder to have fast, effective, and cost-efficient performance management. A recent IDC study found that 57% of large enterprises are either collecting too much or too little observability data.…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters