IBM Secure Service Container


IBM Secure Service Container is the trusted execution environment available for IBM Z and IBM LinuxONE servers.

History

In 2016 IBM introduced the z Appliance Container Infrastructure feature for the IBM z13, z13s, LinuxONE Rockhopper, and LinuxONE Emperor servers, delivered via a driver update. IBM originally conceived its trusted execution environment as best suited for software "appliances," such as its own z/VSE Network Appliance, zAware, and GDPS Virtual Appliance offerings. As IBM improved zACI and broadened its applicability, the company quickly changed its name to IBM Secure Service Container when the IBM z14 and LinuxONE Emperor II models launched in 2017.

Details

IBM Secure Service Container consists of a combination of hardware, firmware, and software technologies that are commercially available in recent IBM Z and IBM LinuxONE servers. The hardware and firmware elements are primarily extensions to IBM's PR/SM logical partitioning technologies which are Common Criteria Enterprise Assurance Level 5+ certified for separation and isolation. A logical partition type of "SSC" is available, and up to 16 TiB of usable main system memory can be allocated per LPAR.
IBM also supplies a generalized, open source-based software framework for SSCs in the form of IBM Secure Service Container for IBM Cloud Private and a paired, firmware-based enabling feature. This generalized software framework facilitates running conventional virtual machines and Docker containers on Linux within the SSC, without requiring special programming to adapt to SSC architecture. In other words, the IBM Secure Service Container is the outer "envelope" within which VMs and software containers run in a highly secure, trusted execution environment.
IBM uses SSCs to host many of its own public cloud services, including . First adopters of IBM SSC technologies include organizations with extremely demanding security requirements, including digital asset and cryptocurrency firms such as Digital Asset Custody Services. Most organizations using IBM Secure Service Container also rely heavily on the services that IBM's FIPS 140-2 Level 4 certified Crypto Express hardware security modules and Trusted Key Entry equipment provide, although these IBM Z and IBM LinuxONE system features can also be used separately, on their own.