What is IBM Secure Execution?

IBM® Secure Execution for Linux® is a z/Architecture® security technology that is introduced with IBM z15® and LinuxONE III. It protects data of workloads that run in a KVM guest from being inspected or modified by the server environment.

In particular, no hardware administrator, no KVM code, and no KVM administrator can access the data in a guest that was started as an IBM Secure Execution guest.

Thus, IBM Secure Execution for Linux is a continuation and expansion of well-known security features of IBM Z® and LinuxONE. It supplements pervasive encryption, which protects data at rest and data in flight, by also protecting data in use. With IBM Secure Execution for Linux, it is possible to securely deploy workloads in the cloud. The data of the workload can be protected everywhere:
  • In flight with secure network protocols like TLS, SSH or IPsec
  • At rest with volume encryption like dm-crypt or file system encryption like that of IBM Spectrum® Scale
  • In use in the memory of a running guest with IBM Secure Execution protection
When a KVM guest runs in a cloud, be it in-house or third-party, security risks to the workload include:
  • Intruders who might gain root privileges of the hypervisor due to some error in the security administration.
  • Malicious hypervisor code that might be introduced by exploits, including zero-day exploits, or intruders.
  • Malicious virtual machines that, hypothetically, can escape the control of the hypervisor, and gain hypervisor privileges.
  • A malicious hardware operator who inspects the memory of an LPAR.
Intruders, malicious hypervisors, or malicious virtual machines are risks for both the cloud provider and the cloud customer (see Figure 1).

To provide a secure hosting environment, a cloud provider might log every keystroke and conduct expensive audits to log any management action and deter any malicious actor.

With the introduction of pervasive encryption, all your data at rest could be encrypted with no application changes and at reasonable CPU cost.

With IBM Secure Execution, data is protected during processing. As a workload owner, your data in a KVM guest that is deployed in a cloud running on IBM Z servers with IBM Secure Execution is as safe as if you ran the guest in your own data center. In fact, it is safer: it is also protected from insider attacks. Only the workload owner can access the data.