1. 2020 z Security Webinars Series
Luigi Perrone
IBM Security Thought Leader
Security & Audit for zSystem & enterprise
Security Intelligence solution
luigi_perrone@it.ibm.com
https://www.linkedin.com/in/luigiperrone/
2. A quick view of the security evolution
(Slide diagram; recoverable text only.)
Evolution: bolt-on security for IT projects -> security intelligence across the enterprise -> connected security for all, at the "speed of cloud" -> AI, quantum, blockchain and IoT security
Security intelligence domains shown: Apps, Mobile, Endpoint, Threat Intel, Network, Advanced Fraud, Identity & Access, Data
5. Why Should All Data at Rest be Encrypted?
• Keeps sensitive information confidential
- Insider threat
- Lost/stolen tape or disk
- Disk being repaired (Solid-state disks fail in a read-only state)
• Addresses Regulations and Standards
- Privacy breach disclosure laws
- Protection of financial and healthcare data
• Simplifies end-of-life-of-media/data scenarios
- Destroy the key and the data is unusable
- Cryptographic Erasure (NIST SP 800-88)
- Reducing media disposal costs
8. SKLM - IBM Security Key Lifecycle Manager
(Slide diagram; recoverable text only.)
IBM's centralized key management solution for all data-at-rest encryption solutions: data at rest, VMware, apps, and IoT
• Align with PCI & NIST guidance
• Manage encryption keys
• Transparent encryption and key management
• Automatic key rotation
• Manage IBM and non-IBM products via KMIP
• Enforce separation of duties
Broadening footprint (IPP, KMIP, & REST-compatible): tape storage, disk storage, cloud and elastic storage, Lenovo servers, IoT, network storage, flash storage, multi-cloud, apps, DB, VMware vSAN & vCenter
9. The importance of KMIP support
• Key Management Interoperability Protocol (KMIP)
• Protocol between the key management server and the encryption client
• Enables key lifecycle management (generation, submission, retrieval, and deletion)
This standardization makes it easier for servers to support the growing number of encryption clients that support KMIP.
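The two points above, cryptographic erasure (destroy the key and the data is unusable) and the key lifecycle that a KMIP server exposes (generate, retrieve, rotate, destroy), can be shown end to end in a few lines. The following is an added illustration, not SKLM code or the KMIP protocol: a toy key manager holds key-encrypting keys (KEKs), each storage volume has its own data-encrypting key (DEK) that is kept on the media only in wrapped form, and the cipher is an HMAC-SHA256 counter-mode construction so the example runs with the Python standard library alone (the real products use AES). The key identifiers and the sample record are constructed.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


class KeyDestroyed(Exception):
    """Raised when a caller asks for a key that has been cryptographically erased."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # CTR-style keystream from HMAC-SHA256 used as a PRF: a standard-library-only
    # stand-in for AES, chosen so the example runs anywhere (illustrative only).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyManager:
    """Toy central key server: it owns the KEKs and never sees the bulk data."""

    def __init__(self) -> None:
        self._keks: dict[str, bytearray] = {}
        self._state: dict[str, str] = {}  # lifecycle state per key: Active / Destroyed

    def create(self, kek_id: str) -> None:  # generation
        self._keks[kek_id] = bytearray(secrets.token_bytes(32))
        self._state[kek_id] = "Active"

    def wrap(self, kek_id: str, dek: bytes) -> bytes:  # protect a DEK under a KEK
        return encrypt(bytes(self._active(kek_id)), dek)

    def unwrap(self, kek_id: str, wrapped: bytes) -> bytes:  # retrieval
        return decrypt(bytes(self._active(kek_id)), wrapped)

    def rotate(self, old_id: str, new_id: str, wrapped: bytes) -> bytes:
        # Re-wrap the DEK under a fresh KEK; the encrypted data itself is untouched.
        dek = self.unwrap(old_id, wrapped)
        self.create(new_id)
        return self.wrap(new_id, dek)

    def destroy(self, kek_id: str) -> None:  # deletion = cryptographic erasure
        kek = self._keks.pop(kek_id)
        for i in range(len(kek)):
            kek[i] = 0  # best-effort zeroisation before the reference is dropped
        self._state[kek_id] = "Destroyed"

    def state(self, kek_id: str) -> str:
        return self._state.get(kek_id, "Unknown")

    def _active(self, kek_id: str) -> bytearray:
        if self._state.get(kek_id) != "Active":
            raise KeyDestroyed(kek_id)
        return self._keks[kek_id]


def crypto_erase_demo() -> dict:
    """Walks the lifecycle end to end and reports what a reader of the media sees."""
    km = KeyManager()
    km.create("kek-2020")  # constructed key id
    dek = secrets.token_bytes(32)  # per-volume data key
    wrapped = km.wrap("kek-2020", dek)  # stored on the media next to the data
    record = b"constructed sample record: account 0000-0000-0000-0000"
    stored = encrypt(dek, record)

    readable_before = decrypt(km.unwrap("kek-2020", wrapped), stored) == record

    # Key rotation: only the small wrapped DEK is rewritten, not the volume.
    wrapped = km.rotate("kek-2020", "kek-2021", wrapped)
    km.destroy("kek-2020")
    readable_after_rotate = decrypt(km.unwrap("kek-2021", wrapped), stored) == record

    # End of life: destroying the last KEK makes the media unreadable without
    # touching it, which is the NIST SP 800-88 cryptographic-erase idea.
    km.destroy("kek-2021")
    try:
        km.unwrap("kek-2021", wrapped)
        readable_after_erase = True
    except KeyDestroyed:
        readable_after_erase = False

    return {
        "readable_before": readable_before,
        "readable_after_rotate": readable_after_rotate,
        "readable_after_erase": readable_after_erase,
        "final_state": km.state("kek-2021"),
    }


if __name__ == "__main__":
    print(crypto_erase_demo())
```

Two design points carry over to a real deployment: the storage administrator who holds the disk (wrapped DEK plus ciphertext) cannot read it without the key server, which is the separation of duties the deck lists, and rotation never rewrites the bulk data, which is why it can be automated without an outage.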
44. SKLM Container Edition: what is it?
• SKLM Container Edition will be formally GA'd in 2H2020 (v4.1 Beta1)
• Beta use of SKLM C.E. requires an active entitlement to SKLM Basic Edition
45. SKLM C.E. components
• DB2 Version 11.5
• WAS Liberty Base
• PostgreSQL Version 12.2
You can also deploy SKLM containers on a Kubernetes cluster using Helm charts (v2.0):
https://kubernetes.io/docs/setup/
https://helm.sh/docs/intro/install/
46. SKLM C.E. - High Level View
(Slide diagram; recoverable text only.)
• Docker Engine hosting two containers: SKLM Container and DB2 Container
• Base images: Ubuntu, IBM DB2
• Docker Volumes: SKLM data and artifacts; SKLM app and user DB
• Other inputs shown: files, environment variables
• SKLM Container interfaces: Admin REST Interface, Admin GUI Interface, REST-based key serving, IPP Server, KMIP Server
• DB2 Container: DB2 Database
*CLI is not supported in container
47. SKLM C.E.: restrictions
• CLI commands (alternatively, use REST APIs)
• Multi-Master cluster
• Replication
• LDAP
• HSM
• Password change from the user interface
• Server restart is not supported (you must restart the application container)
• After user management changes, you must restart the application container
48. SKLM C.E.: conclusions
More information for deploying SKLM Container Edition can be found here:
• DockerHub link to SKLM Container Edition:
https://hub.docker.com/r/ibmcom/sklm
• System Requirements:
https://www.ibm.com/support/pages/deploying-ibm-security-key-lifecycle-manager-containerized-environment-beta-release
• A License Activation File is required. It can be obtained from PPA or from the Software Sellers link. More information can be found at:
https://www.ibm.com/support/pages/deploying-ibm-security-key-lifecycle-manager-containerized-environment-beta-release
This is a BETA release of SKLM C.E., not designed or hardened for production use.