Ever since the creation of the Power Systems brand, you’ve been introduced to products that span the IBM Power Systems family, at least at some level. For example, the hypervisor that sits below IBM i, AIX and Linux is PowerVM. The PowerHA product set addresses the same kinds of high availability requirements no matter which operating system sits beneath it. And then there’s IBM Systems Director, which can manage all of the operating systems, and more.
Recently, another product has been announced, called PowerSC. The “SC” refers to security and compliance. The product is focused primarily on AIX workloads, but some functions work on any type of VM. I thought I’d spend today’s blog talking about that, because this product demonstrates one of the differentiating attributes between the Power operating systems.
As long time users of this operating system are well aware, “i” stands for integration. As they are also aware, the IBM i operating system has an underlying security and integrity architecture that provides an exceptional level of protection, control and auditability. When the PowerSC product was conceived for AIX, we took a look at the planned functions for PowerSC and noticed that several of the key features are already integrated into the IBM i architecture.
As a recognition of that fact, we are applying the PowerSC name to a couple of key security and integrity functions within IBM i.
PowerSC Trusted Audit Data Repository in IBM i: One of PowerSC’s added functions is called “Trusted Logging.” This feature helps AIX clients implement a logging scheme that will satisfy security auditors. What it accomplishes on AIX is very similar to the auditing features which are very familiar to our IBM i clients. The audit data repository itself, the QAUDJRN journal and associated journal receivers, are read-only objects. This means that once the OS deposits an entry in the audit journal, the data itself cannot be modified by any user on the system, including security officers. And, of course, these features are built into the IBM i OS, without having to buy or install anything else.
PowerSC Trusted Digital Signature Verification in IBM i: Another key feature of PowerSC for AIX is called “Trusted Boot.” This allows a customer to be assured that, when AIX is booted, it is booted from an unaltered version of the booted code. Security auditors are concerned about ensuring that data integrity cannot be compromised by loading a version of the operating system, which has been altered. What about IBM i?
The IBM i OS provides the ability to digitally sign and verify any executable on the server. This includes user and business partner applications. The CHKOBJITG command allows signature verification for everything, including verifying OS executables.
When you buy the IBM i OS and program products, everything (IBM program products, the OS, the licensed internal code, the firmware and any subsequent PTF delivered by IBM) are digitally signed by IBM. This means you can verify the executables (at any time) to ensure no patches/alterations have been made to the IBM delivered executables. This allows you to look for instruction streams that have been patched after the executable has been created. And most of this capability has been in the operating system for a long time: most of it was introduced in V5R1 of OS/400 in 2001, with the latest enhancements delivered in 2008 with version 6.1.
PowerSC also has other specific functions for security, compliance and real-time compliance. IBM i has built in functions that can be used to setup, monitor and enforce things like password security, authorization to files, programs, manage users, manage system wide security configuration settings, etc. In addition, more than 30 IBM business partners provide security and compliance solutions based on the IBM i integrated functions, and these security partners provide advanced capabilities.
However, I want to point out that PowerSC does have two features that can help all users of Power Systems though, and which might be important in some customer environments: Trusted Firewall and Trusted Surveyor.
The Trusted Firewall, which is shipped as part of the PowerSC product, is really a performance assist function that creates a fast path between VLAN when the VMs are on the same server. This includes support for AIX, IBM i and Linux partitions. Customers still use traditional firewalls to protect VMs externally.
Trusted Surveyor discovers virtual networks and monitors compliance to network segregation. It also monitors configuration drift by allowing the network configuration to be captured at a point in time and allows comparison of the current configuration to the previous configuration.
The members of the Power Systems family of operating systems are clearly different from one another. They have different architectures, different histories and different value propositions. Nevertheless, business customers have similar needs, no matter what platform they happen to use. Like other UNIX implementations, AIX provides answers to some of those needs via products that require additional purchase and additional installation and management. However, as the “Power Systems Integrated Operating System,” IBM i has key integrated features that are delivered as part of the OS.
So, when you hear about PowerSC, or other products in the future, you might want to take a look at whether these new products provide something for you, as an IBM i client, or whether your integrated operating system was ahead of its time, giving you those capabilities along with the rest of this secure, reliable platform.