Name: Phạm Minh Quân, Student ID: 052206006301
III Security Features:
The IBM z15 T02 is one of the most advanced enterprise server systems available today,
distinguished by its comprehensive security capabilities that meet the stringent requirements
of modern IT environments. The system’s security features focus on data protection, privacy
assurance, and compliance with international legal regulations.
1 Data Privacy Passports:
1.1 Concept:
- Data Privacy Passports (DPP) is an advanced data protection mechanism that enables organizations to
maintain control over their data not only while it resides within the IBM z15 system but also after it has
been shared externally.
1.2 Operating Principle:
- Each data file is tagged with a "passport," which includes a set of access rules and permissions.
- When data leaves the z15 system and is transferred elsewhere, the Data Privacy Passport remains effe
- Users are required to authenticate to access the data and are only allowed to view content if they meet
the conditions defined in the passport.
1.3 Flexible Access Policy Configuration:
- System administrators can customize data access conditions, including:
+ User Role: Only allow users with appropriate roles and permissions to access the data.
+ Geographic Location: Restrict access by region, country, or IP address.
+ Time: Set access limits based on time windows, specific days of the week, or specific periods.
1.4 Remote Access Revocation:
- Administrators can revoke access at any time, even if the data has already been downloaded or copied
to another system.
- This is especially useful in cases of security breaches, personnel changes, or abnormal access behaviors.
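As an added illustration (not code from this page or from IBM's product), the following Python models the passport evaluation described in 1.2 to 1.4: a deny-by-default check of the role, region, weekday and time-window conditions, plus a revocation registry consulted at every access so that revocation reaches data that has already been copied. The field names, the sample passport and the registry mechanism are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time

# Constructed stand-in for the administrator's revocation registry (section 1.4):
# a passport listed here is refused wherever the data now resides.
REVOKED_PASSPORTS: set[str] = set()

@dataclass
class Passport:
    """Access rules that travel with the data (sections 1.2 and 1.3); fields are hypothetical."""
    passport_id: str
    allowed_roles: set[str]
    allowed_regions: set[str]
    allowed_weekdays: set[int]   # 0 = Monday ... 6 = Sunday
    window_start: time
    window_end: time

@dataclass
class AccessRequest:
    user: str
    role: str
    region: str
    authenticated: bool
    at: datetime

def revoke(passport_id: str) -> None:
    """Remote revocation: takes effect at the next access check, even on copied data."""
    REVOKED_PASSPORTS.add(passport_id)

def evaluate(passport: Passport, req: AccessRequest) -> tuple[bool, str]:
    """Deny by default: every condition in the passport must hold for access to be granted."""
    if passport.passport_id in REVOKED_PASSPORTS:
        return False, "passport revoked by administrator"
    if not req.authenticated:
        return False, "user not authenticated"
    if req.role not in passport.allowed_roles:
        return False, f"role {req.role!r} not permitted"
    if req.region not in passport.allowed_regions:
        return False, f"region {req.region!r} not permitted"
    if req.at.weekday() not in passport.allowed_weekdays:
        return False, "outside permitted days of the week"
    if not passport.window_start <= req.at.time() <= passport.window_end:
        return False, "outside permitted time window"
    return True, "access granted"

# Constructed sample passport: finance analysts, from DE or FR, weekdays 08:00-18:00.
SAMPLE_PASSPORT = Passport("pp-0001", {"finance_analyst"}, {"DE", "FR"},
                           {0, 1, 2, 3, 4}, time(8, 0), time(18, 0))
```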
2 Pervasive Encryption:
2.1 Concept:
- Pervasive Encryption is IBM's comprehensive security strategy, allowing encryption of all data across
the entire IBM system, including: data at rest, data in transit, and data in use.
2.2 Encryption Levels:
2.2.1 Data at Rest Encryption:
- Automatically encrypts data stored on disks or within databases.
- No application changes required.
- Integrated with storage systems such as IBM DS8900F.
2.2.2 Data in Transit Encryption:
- Encrypts communications between the z15 system and endpoints or external systems.
- Supports secure protocols such as TLS, SSL, and IPsec.
- Protects data while moving between data centers and within hybrid clouds.
2.2.3 Data in Use Encryption:
- Uses Secure Execution and secure partitions (LPAR, z/VM) to protect data even while in memory or
CPU.
- Ensures isolated and secure environments between different workloads or tenants.
2.3 Hardware Support: CPACF and Crypto Express:
- CPACF (Central Processor Assist for Cryptographic Function)
+ An integrated encryption accelerator within the z15 processor.
+ Supports strong encryption algorithms such as AES, DES, RSA…
+ Performs high-speed encryption with minimal impact on overall system performance.
- Crypto Express Adapters
+ Dedicated hardware encryption processors.
+ Ideal for applications requiring very high security like key management, digital signatures, and HSM
authentication.
3 Trusted Execution Environment:
3.1 Concept:
- TEE is a securely isolated processing environment within the IBM z15 T02, where applications and data
can execute and reside securely, preventing unauthorized access or tampering from inside or outside the
system.
3.2 Operating Mechanism:
- When an application is deployed in a TEE, it is loaded into a separate memory region, inaccessible to
the OS, hypervisor, or even system administrators.
- Data and code are encrypted in memory and only decrypted temporarily during execution.
- After execution, no data remnants remain and memory analysis tools cannot recover any information.
3.3 Security Layers:
3.3.1 Isolation:
- Applications and data running in the TEE cannot be accessed by any other partition or software.
- Ensures total workload isolation, preventing data leaks between tenants or processes.
3.3.2 Integrity Protection:
- The system verifies that application code has not been modified before loading into the TEE.
- Execution is immediately halted if any tampering is detected.
3.3.3 Confidentiality:
- Data remains encrypted in RAM, on disk, and even during processing.
- Each TEE has a unique encryption key, making data extraction impossible even with physical hardware
access.
3.4 Real-World Applications:
- Processing sensitive data: personal info, financial data, confidential client information.
- Running cryptographic or authentication modules requiring maximum security.
- Secure cloud environments: Enables enterprises to run workloads in a hybrid cloud while maintaining
data control and security.
4 Secure Boot and Integrity Verification:
4.1 Concept:
- Secure Boot and Integrity Verification are critical components of IBM z15's security architecture. Only
verified, untampered software is allowed to start and run on the system.
4.2 Secure Boot:
- Upon system startup, firmware and bootloader are validated via digital signatures.
- If system software (like BIOS, HMC firmware, z/OS loader...) does not match IBM’s authenticated keys,
the boot process halts.
4.3 Integrity Verification:
- After Secure Boot, the system continues to scan and verify the integrity of software components, OS,
libraries, and configurations.
- Each component is compared against securely stored hash values to detect any tampering.
- This feature remains active during system operation, detecting unauthorized changes in real-time.
4.4 Authentication Layers:
4.4.1 Firmware Validation:
- IBM-issued firmware is digitally signed and only runs if successfully authenticated.
4.4.2 Hardware Root of Trust:
- IBM z15 uses a hardware-based root of trust storing encryption keys and validation algorithms,
preventing tampering or forgery.
4.4.3 Dynamic Integrity Checking:
- LPARs and virtual machines (z/VM) undergo regular runtime checks to ensure no malware or
misconfiguration interferes with operations.
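Added example, not IBM's implementation: a Python model of the chain described in 4.2 to 4.4, in which a manifest of component hashes is signed under a root-of-trust key, each stage is checked in boot order with the boot halting at the first mismatch, and the same stored hashes are reused for the runtime integrity check. HMAC-SHA256 stands in for the vendor's asymmetric firmware signature, and the component names and images are constructed.

```python
from __future__ import annotations
import hashlib
import hmac

# Constructed stand-in for the key held in the hardware root of trust (section 4.4.2).
# HMAC-SHA256 replaces IBM's asymmetric firmware signature so the example runs with
# only the standard library; the verify-then-load control flow is the same.
ROOT_OF_TRUST_KEY = b"constructed-root-of-trust-key"
BOOT_ORDER = ["firmware", "bootloader", "os_loader"]   # hypothetical component names

def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def sign_manifest(manifest: dict[str, str], key: bytes) -> str:
    """Signs the list of stored hashes (the 'securely stored hash values' of section 4.3)."""
    canonical = "\n".join(f"{name}:{h}" for name, h in sorted(manifest.items())).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def secure_boot(images: dict[str, bytes], manifest: dict[str, str],
                signature: str, key: bytes) -> tuple[bool, list[str]]:
    """Section 4.2: verify the manifest signature, then each stage in boot order;
    the first failure halts the boot and nothing after it is loaded."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, ["manifest signature invalid: boot halted"]
    log = ["manifest signature verified against root of trust"]
    for name in BOOT_ORDER:
        if name not in images or name not in manifest:
            return False, log + [f"{name}: missing, boot halted"]
        if digest(images[name]) != manifest[name]:
            return False, log + [f"{name}: hash mismatch, boot halted"]
        log.append(f"{name}: verified")
    return True, log

def runtime_integrity_check(images: dict[str, bytes], manifest: dict[str, str]) -> list[str]:
    """Sections 4.3 and 4.4.3: re-check running components against the stored hashes
    and report every component that no longer matches."""
    return sorted(n for n, blob in images.items() if manifest.get(n) != digest(blob))

# Constructed sample images and the manifest an administrator would have signed.
GOOD_IMAGES = {"firmware": b"fw v1.0", "bootloader": b"bl v2.3", "os_loader": b"zos loader"}
MANIFEST = {name: digest(blob) for name, blob in GOOD_IMAGES.items()}
SIGNATURE = sign_manifest(MANIFEST, ROOT_OF_TRUST_KEY)
```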
5 Key Management:
5.1 Concept:
- Key Management is a core element of any encryption system, because without good key protection,
data encryption becomes meaningless.
5.2 IBM Enterprise Key Management Foundation (EKMF):
EKMF is IBM's key management platform for the enterprise environment, with the following key
features:
- Centralized creation and storage of encryption keys, ensuring standardization, easy control and
protection throughout the key lifecycle.
- Automated distribution and rotation of keys, on a schedule or in response to security events.
- Management of fine-grained key access policies; for example, only certain partitions or applications are
allowed to access specific keys.
- Support for key management of both on-premises and cloud data.
5.3 Crypto Express Adapters:
IBM z15 integrates Crypto Express Adapters, which are enterprise-grade Hardware Security Modules
with the following features:
- Key generation and encryption processing entirely in hardware, ensuring high speed and security.
- Keys are stored in a physically secure area and cannot be copied or extracted, even with system
administrator rights.
- Supports strong encryption algorithms such as:
+ AES (Advanced Encryption Standard)
+ RSA, ECC (Elliptic Curve Cryptography)
+ SHA (Secure Hash Algorithms)
- Can be configured in 2 modes:
+ CCA (Common Cryptographic Architecture) for z/OS environment
+ EP11 - PKCS#11 compatible, serving open environments such as Linux, Java, cloud
5.4 Logical Key Separation:
A key strength of the IBM z15 is its ability to separate keys logically:
- Even though workloads (applications) run on the same physical server, each workload can be assigned a
separate set of encryption keys.
- The key of workload A cannot be accessed or used by workload B, even with high system privileges.
6 Resilient and Isolated LPARs:
6.1 Concept:
- LPAR is a key feature of the IBM Z server line, allowing a single physical system (such as the
IBM z15 T02) to be divided into multiple independent logical partitions that operate as separate servers.
6.2 Technical specifications of LPARs on the IBM z15:
- Up to 85 LPARs on a physical system.
- Each LPAR can be configured to run: z/OS, z/VM, Linux on Z or hypervisors such as KVM.
6.3 High security and isolation features:
6.3.1 Logical Data Separation:
- Data in LPAR A cannot be accessed by LPAR B, even if the two LPARs belong to the same enterprise or
organization.
- This is a mandatory requirement in a multi-tenant environment.
6.3.2 Hardware Enforcement:
- Isolation is enforced by PR/SM, IBM's low-level system software, which operates directly on the
hardware and cannot be overridden or controlled by the user.
6.3.3 Secure Boot and Integrity Check for each LPAR:
- Each LPAR has its own integrity and authentication check process when booting.
6.4 High resilience:
- When an LPAR fails, is overloaded, or is attacked, the other LPARs are not affected.
- Workloads can be moved from one LPAR to another without interrupting the entire system.
- Dynamic Partitioning and Capacity on Demand features allow for flexible resource reallocation when
needed.
7 Compliance and Audit Readiness:
7.1 Concept:
- "Compliance & Audit Readiness" refers to the system's ability to automatically monitor, store logs,
detect abnormal behavior, and support the testing and evaluation of compliance with legal, security and
industry standards.
7.2 Main functions:
7.2.1 Comprehensive logging and monitoring:
- IBM z15 can record and store all security events, such as:
+ Data access
+ Configuration changes
+ Application startup
+ Interaction with other partitions
7.2.2 Real-time monitoring support:
- IBM z15 supports real-time monitoring tools that track abnormal behavior as soon as it occurs.
- It can raise automatic alerts on detecting unauthorized access, abnormal transactions, permission
overrides, or changes in security policies.
7.3 Integration with SIEM:
IBM z15 integrates easily with SIEM (Security Information and Event Management) platforms, the most
prominent of which is:
- IBM QRadar:
+ Automatically collects logs from IBM z15.
+ Analyzes behavior, assesses risks and identifies potential threats.
+ Visualizes log data via dashboards.
+ Creates automatic reports for auditing or post-incident investigation.
In addition to QRadar, IBM z15 also supports integration with other popular SIEM solutions such as:
Splunk, ArcSight, LogRhythm, Elastic SIEM.
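Added example (not an IBM tool or an IBM log format) showing detection logic for the alert conditions in 7.2.2 run over constructed events in the categories of 7.2.1, with the resulting alerts serialized as JSON lines for forwarding to a SIEM as in 7.3. The event fields, the admin set, the approved-peer map and the denial threshold are assumptions.

```python
import json
from collections import Counter

# Constructed security events in the categories listed in 7.2.1 (data access,
# policy/configuration changes, application startup, interaction with other
# partitions). Field names are hypothetical, not an IBM log format.
SAMPLE_EVENTS = [
    {"ts": "2024-05-14T09:01:00Z", "type": "data_access", "user": "alice", "lpar": "LPAR1", "outcome": "success"},
    {"ts": "2024-05-14T09:02:10Z", "type": "data_access", "user": "mallory", "lpar": "LPAR1", "outcome": "denied"},
    {"ts": "2024-05-14T09:02:15Z", "type": "data_access", "user": "mallory", "lpar": "LPAR1", "outcome": "denied"},
    {"ts": "2024-05-14T09:02:20Z", "type": "data_access", "user": "mallory", "lpar": "LPAR1", "outcome": "denied"},
    {"ts": "2024-05-14T09:10:00Z", "type": "policy_change", "user": "bob", "lpar": "LPAR2", "outcome": "success"},
    {"ts": "2024-05-14T09:12:00Z", "type": "app_start", "user": "svc", "lpar": "LPAR2", "outcome": "success"},
    {"ts": "2024-05-14T09:15:00Z", "type": "partition_interaction", "user": "svc", "lpar": "LPAR2", "target": "LPAR3", "outcome": "success"},
    {"ts": "2024-05-14T09:16:00Z", "type": "partition_interaction", "user": "svc", "lpar": "LPAR2", "target": "LPAR1", "outcome": "success"},
]
SECURITY_ADMINS = {"secadmin"}        # users allowed to change security policy or configuration
ALLOWED_PEERS = {"LPAR2": {"LPAR3"}}  # approved cross-partition interactions (source -> targets)
DENIED_THRESHOLD = 3                  # repeated denials by one user in one LPAR before alerting

def detect(events, admins=SECURITY_ADMINS, peers=ALLOWED_PEERS, threshold=DENIED_THRESHOLD):
    """Evaluate the alert conditions of 7.2.2 over an event stream in arrival order."""
    alerts, denied = [], Counter()
    for e in events:
        if e["type"] == "data_access" and e["outcome"] == "denied":
            key = (e["user"], e["lpar"])
            denied[key] += 1
            if denied[key] == threshold:   # alert once, when the threshold is reached
                alerts.append({"rule": "repeated_unauthorized_access", "user": e["user"],
                               "lpar": e["lpar"], "ts": e["ts"]})
        elif e["type"] in ("policy_change", "config_change") and e["user"] not in admins:
            alerts.append({"rule": "security_policy_changed_by_non_admin", "user": e["user"],
                           "lpar": e["lpar"], "ts": e["ts"]})
        elif e["type"] == "partition_interaction" and e["target"] not in peers.get(e["lpar"], set()):
            alerts.append({"rule": "unapproved_partition_interaction", "user": e["user"],
                           "lpar": e["lpar"], "target": e["target"], "ts": e["ts"]})
    return alerts

def to_siem_lines(alerts) -> list:
    """Serialize alerts as one JSON object per line for forwarding to a SIEM such as QRadar."""
    return [json.dumps(a, sort_keys=True) for a in alerts]
```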