Security of Secure Service Container for IBM Cloud Private
The Secure Service Container for IBM Cloud Private offering provides various security advantages by using the IBM Secure Service Container as the hosting environment.
IBM Secure Service Container is designed to support the deployment of software container technology without requiring application changes to leverage the security capabilities. This is especially useful considering the regulatory focus on protecting critical data from internal and external threats. For example:
- The infrastructure and data are protected against access and abuse by root users, system administrator credentials and other privileged user access.
- Infrastructure management organizations can manage the physical IT infrastructure without having visibility to the end-user's applications and customer data.
As a system or appliance administrator who manages the underlying infrastructure, you can simply download the appliance, deploy it, and then make it available on your system for your developers.
As a developer, you can focus on creating your dockerized solution and deploy it into this environment, and still know that your docker solution is not visible to the system or appliance administrator.
Security mechanisms
Various security mechanisms are also applied to protect the data in the Secure Service Container for IBM Cloud Private solution.
- Persistence data is encrypted by using the automatic file system encryption technology Linux Unified Key Setup (LUKS). The encryption keys are stored within appliances and not accessible to administrators, and keys are managed based on the appliance lifecyle. The Docker container data mounted to disk is also encrypted.
- In-flight data is encrypted by using the automatic network encryption technology Transport Layer Security (TLS). Data is transferred through encrypted management REST API interfaces among Secure Service Container partitions.
- Diagnostic data is encrypted, which includes first-failure data capture (FFDC) data required to fix problems, Dump data including log message buffers, and so on. Such data is only accessible to the service team.
- Operating system access to the underlying Secure Service Container appliance is prohibited, and back doors to this host level are eliminated because SSH is disabled on the Secure Service Container partitions by default. Access to the cluster nodes are via SSH keys that are protected by the cloud administrator. Users traditionally with OS access are not allowed to access application data and customer data.
Encryption algorithms
Encryption algorithms used for storage and data transport are provided by the IBM Secure Service Container in the offering.
The web server of IBM Secure Service Container is nginx. The following table contains the utilized subset (default) of cryptographic capabilities of the Secure Service Container web server.
Table 1. Cryptographic capabilities of the Secure Service Container web server
| openSSL ciphers | Protocol | Key Exchange | Authentication | Encryption | MAC |
|---|---|---|---|---|---|
| ECDHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | Kx=ECDH | Au=RSA | Enc=AESGCM(256) | Mac=AEAD |
| ECDHE-ECDSA-AES256-GCM-SHA384 | TLSv1.2 | Kx=ECDH | Au=ECDSA | Enc=AESGCM(256) | Mac=AEAD |
| ECDHE-RSA-AES256-SHA384 | TLSv1.2 | Kx=ECDH | Au=RSA | Enc=AES(256) | Mac=SHA384 |
| ECDHE-ECDSA-AES256-SHA384 | TLSv1.2 | Kx=ECDH | Au=ECDSA | Enc=AES(256) | Mac=SHA384 |
| DHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | Kx=DH | Au=RSA | Enc=AESGCM(256) | Mac=AEAD |
| DHE-RSA-AES256-SHA256 | TLSv1.2 | Kx=DH | Au=RSA | Enc=AES(256) | Mac=SHA256 |
| ECDH-RSA-AES256-GCM-SHA384 | TLSv1.2 | Kx=ECDH/RSA | Au=ECDH | Enc=AESGCM(256) | Mac=AEAD |
| ECDH-ECDSA-AES256-GCM-SHA384 | TLSv1.2 | Kx=ECDH/ECDSA | Au=ECDH | Enc=AESGCM(256) | Mac=AEAD |
| ECDH-RSA-AES256-SHA384 | TLSv1.2 | Kx=ECDH/RSA | Au=ECDH | Enc=AES(256) | Mac=SHA384 |
| ECDH-ECDSA-AES256-SHA384 | TLSv1.2 | Kx=ECDH/ECDSA | Au=ECDH | Enc=AES(256) | Mac=SHA384 |
| AES256-GCM-SHA384 | TLSv1.2 | Kx=RSA | Au=RSA | Enc=AESGCM(256) | Mac=AEAD |
| AES256-SHA256 | TLSv1.2 | Kx=RSA | Au=RSA | Enc=AES(256) | Mac=SHA256 |
| ECDHE-RSA-AES128-GCM-SHA256 | TLSv1.2 | Kx=ECDH | Au=RSA | Enc=AESGCM(128) | Mac=AEAD |
| ECDHE-ECDSA-AES128-GCM-SHA256 | TLSv1.2 | Kx=ECDH | Au=ECDSA | Enc=AESGCM(128) | Mac=AEAD |
| ECDHE-RSA-AES128-SHA256 | TLSv1.2 | Kx=ECDH | Au=RSA | Enc=AES(128) | Mac=SHA256 |
| ECDHE-ECDSA-AES128-SHA256 | TLSv1.2 | Kx=ECDH | Au=ECDSA | Enc=AES(128) | Mac=SHA256 |
| DHE-RSA-AES128-GCM-SHA256 | TLSv1.2 | Kx=DH | Au=RSA | Enc=AESGCM(128) | Mac=AEAD |
| DHE-RSA-AES128-SHA256 | TLSv1.2 | Kx=DH | Au=RSA | Enc=AES(128) | Mac=SHA256 |
| ECDH-RSA-AES128-GCM-SHA256 | TLSv1.2 | Kx=ECDH/RSA | Au=ECDH | Enc=AESGCM(128) | Mac=AEAD |
| ECDH-ECDSA-AES128-GCM-SHA256 | TLSv1.2 | Kx=ECDH/ECDSA | Au=ECDH | Enc=AESGCM(128) | Mac=AEAD |
| ECDH-RSA-AES128-SHA256 | TLSv1.2 | Kx=ECDH/RSA | Au=ECDH | Enc=AES(128) | Mac=SHA256 |
| ECDH-ECDSA-AES128-SHA256 | TLSv1.2 | Kx=ECDH/ECDSA | Au=ECDH | Enc=AES(128) | Mac=SHA256 |
| AES128-GCM-SHA256 | TLSv1.2 | Kx=RSA | Au=RSA | Enc=AESGCM(128) | Mac=AEAD |
| AES128-SHA256 | TLSv1.2 | Kx=RSA | Au=RSA | Enc=AES(128) | Mac=SHA256 |
Note:
Authenticated Encryption with Associated Data (AEAD) is not a hash function. AEAD is an implicit integrity check in AEAD ciphers (for example, AESGCM). Therefore you can declare AESGCM ciphers as:
- Algorithm Application: Data Encryption, Integrity Check
- Type: Encryption Algorithm
Table 2. AEAD algorithm application and type
| Purpose | Protocol | Algorithm Application | Type | Name | Value |
|---|---|---|---|---|---|
| SSL (secure data transmission) | TLS V1.2 | Data Encryption, Integrity Check | Encryption Algorithm | AES-GCM | 256 |
Appliance Component Communication
This table only lists the utilized subset of cryptographic capabilities supported by GnuPG. See The GNU Privacy Guard for more information about GnuPG.
Table 3. Subset of cryptographic capabilities supported by GnuPG
| Purpose | Protocol | Algorithm Application | Type | Name | Value |
|---|---|---|---|---|---|
| Data Encryption (GnuPG) | OpenPGP | Data Encryption | Encryption Algorithm | AES | 256 |
| Data Encryption (GnuPG) | OpenPGP | Key Exchange | Encryption Algorithm | RSA | 4096 |
| Data Encryption (GnuPG) | OpenPGP | Authenticity | Encryption Algorithm | RSA | 4096 |
| Data Encryption (GnuPG) | OpenPGP | Integrity Check | Hash Function | MD5 | 128 |
| Data Encryption (GnuPG) | OpenPGP | Integrity Check | Hash Function | SHA-1 | 160 |
| Data Encryption (GnuPG) | OpenPGP | Integrity Check | Hash Function | SHA-2 | 512 |
Additional Information: The currently used cipher for AES under GnuPG is CFB.
Filesystem Encryption
This table only lists the utilized subset of cryptographic capabilities supported by cryptsetup or dm-crypt system.
Table 4. Subset of cryptographic capabilities supported by cryptsetup or dm-crypt
| Purpose | Protocol | Algorithm Application | Type | Name | Value |
|---|---|---|---|---|---|
| Filesystem Encryption | LUKS | Data Encryption | Encryption Algorithm | AES | 256 |
| Filesystem Encryption | OpenPGP | Passphrase Exchange | Encryption Algorithm | RSA | 4096 |