
IBM Secure Service Container is the trusted execution environment available for IBM Z and IBM LinuxONE servers.


History

In 2016 IBM introduced the z Appliance Container Infrastructure ("zACI") feature for the IBM z13, z13s, LinuxONE Rockhopper, and LinuxONE Emperor servers, delivered via a driver (firmware) update (driver level 27). IBM originally conceived its trusted execution environment as best suited for software "appliances," such as its own z/VSE Network Appliance, zAware, and GDPS Virtual Appliance offerings. As IBM improved zACI and broadened its applicability, the company quickly changed its name to IBM Secure Service Container (SSC) when the IBM z14 and LinuxONE Emperor II models launched in 2017.


Details

IBM Secure Service Container consists of a combination of hardware, firmware, and software technologies that are commercially available in recent IBM Z and IBM LinuxONE servers. The hardware and firmware elements are primarily extensions to IBM's PR/SM logical partitioning technologies which are Common Criteria Enterprise Assurance Level (EAL) 5+ certified for separation and isolation. A logical partition (LPAR) type of "SSC" is available, and up to 16 TiB of usable main system memory can be allocated per LPAR (the limit as of the IBM z14 and IBM Emperor II server models introduced in 2017). IBM also supplies a generalized, open source-based software framework for SSCs in the form of IBM Secure Service Container for IBM Cloud Private and a paired, firmware-based enabling feature. This generalized software framework facilitates running conventional virtual machines (VMs) and Docker containers on Linux within the SSC, without requiring special programming to adapt to SSC architecture. In other words, the IBM Secure Service Container (SSC) is the outer "envelope" within which VMs and software containers (such as Docker containers) run in a highly secure, trusted execution environment. IBM uses SSCs to host many of its own public cloud services, including IBM Cloud Hyper Protect Services. First adopters of IBM SSC technologies include organizations with extremely demanding security requirements, including digital asset and cryptocurrency firms such as Digital Asset Custody Services (DACS). Most organizations using IBM Secure Service Container also rely heavily on the services that IBM's FIPS 140-2 Level 4 certified Crypto Express hardware security modules and Trusted Key Entry (TKE) equipment provide, although these IBM Z and IBM LinuxONE system features can also be used separately, on their own.


See also

* IBM mainframe
* Linux on IBM Z
* IBM Cloud Hyper Protect

