Hybrid Cloud & Key Management for Financial Service Platforms: IBM's New CCA 7.0 and the Mainframe z15

by Ulrich Scholten (guest) & Stefan Hansen on 16. September 2020

In response to changing and more dynamic market demands, banks and financial institutions are turning into financial service platforms. They increase the extent of their digital transformations across the hybrid cloud, guided by three motivating factors:

  • Responsiveness
  • Flexibility
  • Cost

IBM’s Mainframe Service Architecture

IBM launched its mainframe line in 1964 as the System/360 and has maintained full backward compatibility through every generation since; the line was renamed zSeries in 2000 and is sold today as IBM Z. The Z stands for “zero downtime”: the product was intended as a highly reliable and highly secure computing environment. Globally, it achieved a dominant position in the architectures that handle ATM-based payments for financial institutions and retail banking infrastructures.

In September 2019, IBM launched the next generation of the series, the z15, designed to embrace the hybrid cloud. IBM reengineered its mainframe service architecture so that these organizations can avoid the challenges of a complex migration and the cloud security risks that come with it.

IBM’s new z15™ single- and multi-frame system design was shaped in close collaboration with customers in need of a successful digital transformation. The IBM z15 provides scalable privacy, security, and resilience, making it a valuable component of any bank or financial institution’s enterprise-wide cloud infrastructure.

The IBM z15 enables cloud-native services and extends the value of existing data and application investments. These capabilities help banks and other financial institutions address current challenges and plan for transformative growth, and bring the following benefits:

  • Cloud native, allowing digital and AI-infused services to be developed and deployed in the cloud
  • Encryption to protect data and manage privacy through policy across the business’s ecosystem
  • Cyber resilient to protect against both insider and outside attacks while delivering continuous service and mitigating downtime
  • Flexible computing for organizations of all sizes, with any cloud, whether public, private, or hybrid

Enhanced Common Cryptographic Architecture (CCA 7.0)

Security requirements across the globe are continually changing with regard to key management and distribution, the protection of enterprise data, and data management and compliance. Enhancements to the z15 are designed to address these needs. Common Cryptographic Architecture (CCA) Release 7.0 is designed to be certified under the PCI PTS HSM security requirements for hardware security modules. Its design allows for easy migration of keys and applications together with support for new cryptographic algorithms. CCA 7.0 includes the HSM-compliance enhancements that were previously provided in CCA 6.3’s limited availability release.

CCA 7.0 provides an additional key distribution method through callable services that support ASC X9’s Technical Report 34 (TR-34). TR-34 outlines an interoperable protocol that uses asymmetric techniques to secure the distribution of symmetric keys from a host system to key receiving devices such as point-of-sale terminals or ATMs. Using the TR-34 protocol now supported by CCA 7.0 can help banks and other financial institutions eliminate the costs of the traditional procedure, in which two separate employees physically load keys into ATMs and other key receiving devices. The result is a secure and cost-effective method for managing encryption keys remotely.

The IBM z15’s enhanced CCA includes full native support for X.509 certificates carrying RSA or ECC public keys: every CCA service that accepts a public key can now also accept an X.509 certificate. The certificate is validated inside the CEX6S/CEX7S coprocessor and can be authenticated against an internally managed Public Key Infrastructure (PKI) whose trust anchors are loaded from a Trusted Key Entry (TKE) workstation, giving the PKI a secured management path. This X.509 support extends to the X9 TR-34 services described above.
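The following Go program, written for this article and not taken from IBM’s CCA or from TR-34 itself, sketches the two mechanisms the previous two paragraphs describe: a key distribution host (KDH) wraps a symmetric key for a key receiving device (KRD) under the KRD’s RSA public key and signs the result with its own private key, and the KRD accepts the KDH’s public key only as an X.509 certificate that chains to a trust anchor it has been loaded with, rejecting the token before any decryption if that check fails. It illustrates the idea, not the TR-34 message format (TR-34 uses CMS structures and key-block encodings that are not reproduced here); the certificate profile, the choice of RSA-OAEP and RSA-PSS, and the device binding (signing over the KRD certificate together with the wrapped key) are the author’s assumptions, and the whole PKI is constructed inside the program.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// party is one participant: its RSA key pair and the certificate issued for it.
type party struct {
	key  *rsa.PrivateKey
	cert *x509.Certificate
}

// newParty generates a 2048-bit RSA key and certifies it: self-signed when
// ca == nil (that certificate is the trust anchor), otherwise signed by the CA.
func newParty(cn string, isCA bool, ca *party) (*party, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	parent, signer := tmpl, key // self-signed unless a CA is given
	if ca != nil {
		parent, signer = ca.cert, ca.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, _ := x509.ParseCertificate(der) // our own DER; parsing cannot fail
	return &party{key: key, cert: cert}, nil
}

// binding is what the KDH signs: the wrapped key tied to the receiving device's
// certificate, so a token meant for one ATM cannot be replayed to another.
func binding(krdCertDER, wrapped []byte) []byte {
	h := sha256.New()
	h.Write(krdCertDER)
	h.Write(wrapped)
	return h.Sum(nil)
}

// kdhWrap (host side): RSA-OAEP encrypt symKey to the KRD's public key, then
// RSA-PSS sign the binding with the KDH's private key.
func kdhWrap(kdh *party, krdCert *x509.Certificate, symKey []byte) (wrapped, sig []byte, err error) {
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, krdCert.PublicKey.(*rsa.PublicKey), symKey, nil)
	if err != nil {
		return nil, nil, err
	}
	sig, err = rsa.SignPSS(rand.Reader, kdh.key, crypto.SHA256, binding(krdCert.Raw, wrapped), nil)
	return wrapped, sig, err
}

// krdUnwrap (device side): chain-validate the KDH certificate against the
// loaded trust anchor, verify the signature, and only then decrypt the key.
func krdUnwrap(krd *party, trustAnchor, kdhCert *x509.Certificate, wrapped, sig []byte) ([]byte, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustAnchor)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := kdhCert.Verify(opts); err != nil {
		return nil, fmt.Errorf("KDH certificate rejected: %w", err)
	}
	kdhPub := kdhCert.PublicKey.(*rsa.PublicKey)
	if err := rsa.VerifyPSS(kdhPub, crypto.SHA256, binding(krd.cert.Raw, wrapped), sig, nil); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, krd.key, wrapped, nil)
}

func main() {
	ca, _ := newParty("Bank Key Management CA", true, nil) // constructed test PKI
	kdh, _ := newParty("Key Distribution Host", false, ca)
	krd, _ := newParty("ATM 0001", false, ca)
	symKey := []byte("constructed-key!") // 16 bytes standing in for an AES-128 key
	wrapped, sig, _ := kdhWrap(kdh, krd.cert, symKey)
	got, err := krdUnwrap(krd, ca.cert, kdh.cert, wrapped, sig)
	fmt.Println("recovered:", string(got) == string(symKey), "err:", err)
}
```

The order of checks in krdUnwrap is the point: the device establishes who signed before it spends any private-key operation, which is what loading a trust anchor through a controlled path (the TKE workstation in the CCA case) buys you. A KDH certificate from a CA the device does not know, or a token produced for a different device, is rejected without the symmetric key ever being decrypted.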

Enhancements in CCA 7.0’s release also allow the creation of PCI HSM compliant-tagged RSA and AES key tokens. These tokens are managed by CCA firmware under the requirements of its PCI-HSM compliance mode.

Compliance-oriented methods are included for checking master keys that are added to CCA. For example, the Key Test2 callable service can verify a master key value using the key check value methods defined in ANSI X9.24 Part 1: either CMAC, the block-cipher-based MAC algorithm of NIST SP 800-38B, or the encrypt-zeros method. This is useful during compliance audits, where the check value on record can be compared with the key actually loaded in the HSM.
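As an added example (the author’s code, not IBM’s and not the Key Test2 service itself) of the two check value methods named above, the Go program below implements CMAC from NIST SP 800-38B on top of the standard-library AES cipher and derives a key check value either way. The input block (16 bytes of zeros) and the truncation lengths (5 bytes for the CMAC form, 3 bytes for encrypt-zeros) are taken from ANSI X9.24-1 and TR-31 as the author understands them and are not stated on this page; the sample key is the SP 800-38B / RFC 4493 test key, so the CMAC output can be checked against the published vectors.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// dbl: GF(2^128) doubling used for SP 800-38B subkeys: shift left, XOR 0x87 on carry.
func dbl(in []byte) []byte {
	out := make([]byte, 16)
	var carry byte
	for i := 15; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	if carry == 1 {
		out[15] ^= 0x87
	}
	return out
}

func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// aesCMAC is NIST SP 800-38B CMAC over msg with an AES-128/192/256 key.
func aesCMAC(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	l := make([]byte, 16)
	block.Encrypt(l, make([]byte, 16)) // L = AES_K(0^128)
	k1 := dbl(l)                       // used when the final block is complete
	k2 := dbl(k1)                      // used when the final block is padded
	n := (len(msg) + 15) / 16
	if n == 0 {
		n = 1 // the empty message is a single padded block
	}
	rem := msg[(n-1)*16:]
	last := make([]byte, 16)
	copy(last, rem)
	if len(rem) == 16 {
		xorInto(last, k1)
	} else {
		last[len(rem)] = 0x80 // 10* padding
		xorInto(last, k2)
	}
	x := make([]byte, 16) // CBC-MAC chain over all but the last block
	for i := 0; i < n-1; i++ {
		xorInto(x, msg[i*16:(i+1)*16])
		block.Encrypt(x, x)
	}
	xorInto(x, last)
	block.Encrypt(x, x)
	return x, nil
}

// kcv returns the hex key check value for an AES key. Block and truncation
// lengths follow X9.24-1 / TR-31 as the author reads them (an assumption).
func kcv(key []byte, method string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	out := make([]byte, 16)
	switch method {
	case "zeros": // legacy method: leftmost 3 bytes of AES_K(0^128)
		block.Encrypt(out, out)
		return hex.EncodeToString(out[:3]), nil
	case "cmac": // AES method: leftmost 5 bytes of CMAC_K(0^128)
		out, _ = aesCMAC(key, out) // key already validated above
		return hex.EncodeToString(out[:5]), nil
	}
	return "", fmt.Errorf("unknown KCV method %q", method)
}

// checkKey is the audit step: recompute the check value for the key that is
// actually loaded and compare it, in constant time, with the value on record.
func checkKey(key []byte, method, recorded string) (bool, error) {
	got, err := kcv(key, method)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare([]byte(got), []byte(strings.ToLower(recorded))) == 1, nil
}

func main() {
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c") // SP 800-38B test key
	for _, m := range []string{"cmac", "zeros"} {
		v, _ := kcv(key, m)
		fmt.Printf("%-5s KCV = %s\n", m, v)
	}
}
```

The subkey step is where most home-grown CMAC code goes wrong (shifting the wrong way, or applying the 0x87 constant to the wrong end of the block), which is why a check against the SP 800-38B vectors belongs next to any such implementation before it is trusted to generate values that auditors will compare against.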

For banks and financial institutions, CCA 7.0’s enhanced features support the use of the AES algorithm in banking applications. This includes a new method to format PAN data for authenticated PAN change requests based on the ISO 9564-1 standard.


An AES-based key management control is also included that enforces a dedicated usage for the authentication keys used to translate PINs held in ISO-4 PIN blocks, adding a further level of protection to this sensitive operation.

Lastly, CCA 7.0 adds two new callable services that support the financial services requirements of the German Banking Industry Committee (Die Deutsche Kreditwirtschaft, DK). IBM is committed to adding enhancements as banking and finance industry standards are updated or new releases appear, with support for AES-based protocols and methods.

Being in full control of key management

Cryptomathic's Crypto Key Management System (CKMS) integrates fully into the IBM Z / CCA world in any location of the hybrid cloud. It allows banks and financial institutions to manage the life-cycle and distribution of cryptographic keys in a secure, compliant and automated way.

However, banking infrastructure is rarely restricted to one vendor's solution. In addition to the IBM zSeries there may be services provided by Cloud Service Providers (CSPs), diverse local data-center infrastructures and hardware security modules (see figure below).

Figure: Seamless banking-grade key management from the data center to the cloud. CKMS in the data center with multiple integration points.

CKMS provides off-the-shelf, proven integration points to all of the infrastructures and applications shown above, embedding zSeries into a holistic, integrated cryptographic infrastructure across the bank’s hybrid cloud.

The benefits include:

  • Securely sharing keys between mainframe, on-premise and cloud applications
  • Centrally managing the life-cycle of cryptographic keys at large scale
  • Automating key management activities and on-line key distribution
  • Reducing the risk of key compromise and human errors
  • Providing tamper-evident audit and usage logs for compliance
  • Building on industry-standard APIs and key formats



Photo: "Pulling Money from an ATM" by courtesy of OTA photos (CC BY-SA 2.0)

Want to know how we can help?

Get in touch to better understand how our solutions secure ecommerce and billions of transactions worldwide.