IBM HYPER PROTECT DIGITAL ASSETS PLATFORM:
Protect Digital Assets with Hyper Protect Services on LinuxONE
Blockchain/Distributed Ledgers, smart contract and related digital asset technology show promise to revolutionize value transfer across many industries. We have seen that institutional investors, crypto funds, exchanges, token projects, banks, corporations, high net-worth individuals and wealth managers have started using digital assets for lending, depository, escrow and payments services, and crypto-specific applications such as token redemption are emerging.
Digital Assets represent a growing industry. Our expectation is that the types of assets being digitally represented will continue to expand rapidly. We think that by representing physical assets as a digital token on a distributed ledger or blockchain it is possible to unlock the value of physical assets and make them highly liquid.
To unlock the full transformative potential of these new technologies, corporations and individuals need to be able to store and transfer assets securely.
Protecting Keys for DLT/Blockchain
Protecting the digital representation of assets relies on secured key management when working with digital ledgers. Digital assets are held and secured by public-private key pairs. The public key represents an “address” in a given distributed ledger ecosystem. The private key, used to sign transactions, is the most valuable component of a digital asset solution. Protecting that key should encompass all reasonable measures since the breach or loss of those keys can represent catastrophic or even existential loss.There are a variety of options for key management. Keys can be stored online in “hot wallets” to facilitate liquidity and access but with a greater exposure to malicious actors and other vulnerabilities. Alternatively, keys can be stored offline in a “cold wallet” at the expense of liquidity and potentially resilience should the cold “wallet” be destroyed or rendered defective. The IBM Hyper Protect Digital Assets Platform is designed to address common attack vectors for hot wallets, such as dumping memory to discover the seeds of a wallet. This robust platform provides exchanges and custodians with a place in which hot wallets, in conjunction with a properly secured exchange or custody application, can be deployed with increased protection while decreasing the time it takes in accessing those assets.
What’s in the IBM Hyper Protect Digital Assets Platform?
Whether on-premises with IBM Hyper Protect Virtual Server and IBM LinuxONE/Linux on IBM Z or in the IBM public cloud with IBM Cloud Hyper Protect Services, the IBM Hyper Protect Digital Assets Platform provides clients with a robust environment for digital asset management. At its core are:
IBM LinuxONE:
- Can deliver 100% encryption of application, cloud service, and database data1
- Is designed for 99.999% availability
- Is designed to isolate workloads for multi-tenant cloud protection
- Has an assessed risk rating that is 1/20 compared to other platforms2 ,based on IBM sponsored study
- When an IBM study running mixed workloads consisting of both open source and IBM proprietary software was completed, IBM z15 requires 23 times fewer cores than the compared x86 servers and delivers a 20% lower overall TCO over 5 years3
- Includes a FIPS 140-2 Level 4 Certified Hardware Security Module4
IBM Hyper Protect Virtual Servers are designed to extend the security of IBM LinuxONE and enable:
- Developers to build their applications in an environment with integrity with robust security
- IT infrastructure providers to manage the servers and virtualized environment where the applications are deployed without having access to those applications or their sensitive data
- Application users to validate that applications originate from a known source by integrating this validation into their own auditing processes
- Chief Information Security Officers (CISOs) to be confident that their data is protected from internal and external threats
IBM Hyper Protect Virtual Servers are engineered to enforce encryption by default for all data in transit and at rest. You do not have to decide whether or not you want your data encrypted and subsequently pay for and add on additional services to do so.
How does it work?
The IBM Hyper Protect Digital Assets Platform is built upon IBM Hyper Protect Virtual Servers. The IBM Hyper Protect Virtual Servers are specialized technology for installing and executing specific firmware or software appliances. These appliances also host cloud workloads on IBM LinuxONE™ in the IBM Cloud™.
Hyper Protect Virtual Servers are designed to deliver:
- Tamper protection during installation time
- Restricted administrator access to help prevent the misuse of privileged user credentials
- Automatic encryption of data both in flight and at rest
Figure 1. Sample asset management solution in the IBM Hyper Protect Digital Assets Platform
In addition, Hyper Protect Virtual Servers are engineered to radically reduce the likelihood of internal breach :
- There is no system administrator access. This removes the potential for all sorts of administrator related intentional or unintentional data leakage
- Memory access from outside the Hyper Protect Virtual Server is disabled
- Storage volumes are encrypted
- Debug data (dumps) are encrypted
And, building on top of those, the external attack surface is also designed to be radically reduced by:
- preventing OS-level access to the services (IBM or external). There is no shell access to the services
- only permitting user and administrator access through secured remote APIs which helps prevent attackers from “fishing” around for vulnerabilities in the underlying infrastructure
The platform, in conjunction with strong operational security practices, is designed to help you secure your most valuable assets and is built upon a foundation of security and over 50 years of experience in enterprise computing. The IBM Hyper Protect Digital Assets Platform is designed to provide a secured framework robust basis for banks, exchanges and custodians to deploy their commercial or custom solutions for managing digital assets.
To learn more about the IBM Hyper Protect Digital Assets Platform register here
References
[1] See “Enabling pervasive encryption through IBM Z stack innovations” in IBM Journal of Research & Development, Vol. 62, No. 3, March-May 2018
[2] See Solitaire white paper,sponsored by IBM. “Scaling the Digital Mountain: Enabling a secure, agile and efficient organization” ”SIL risk profiling sets the LinuxONE platform risk rating at less than 1/20 of any of the alternative solutions.”
[3] When running mixed workloads consisting of both open source and IBM proprietary software, IBM z15 requires 23 times fewer cores than the compared x86 servers and delivers a 20% lower overall TCO over 5 years.
This is an IBM internal study designed to replicate a typical IBM customer workload usage in the marketplace. Results may vary.
Disclaimer: The workloads consisted of an airline flight reservation system (running MongoDB and node.js) and a transactional core banking application (running WAS and Db2). Four instances of the airline system were run, one instance simulating a Dev/QA environment, and three instances simulating a Production environment. Seven instances of the core banking application were run, one instance simulating a Dev/QA environment and six instances simulating a Production environment. Dev/Test and Production environments were differentiated by their CPU utilization levels. Intel servers are generally run at an average of 10-30% utilization per IT Economics data.
On z15, the airline system ran on Ubuntu 16.04 in an LPAR with z/VM 7.1, 4GB-8GB memory and 4 virtual CPs. The banking application ran on RHEL 7.6 in an LPAR with z/VM 7.1, with 4GB-16 GB memory and 4 virtual CPs. The total number of IBM Z cores needed to deliver the workloads was 28.For the x86 environment, the applications ran on a range of standard model, 2-processor x86 system, with speeds ranging from 2.4-3.2 GHz. The total number of cores needed to deliver the workloads on the x86 servers was 648.
Both the x86 and z15 environments had access to the same storage array.
Total Cost of Ownership is defined here to include hardware, software, labor, networking, floor space and energy costs over a period of 5 years. IBM internal hardware list prices were used. x86 server prices were acquired from IDC. IBM software pricing was standard list prices with 20% discount applied.
[4] See https://www.ibm.com/security/cryptocards