IBM CCA: Hybrid Cloud & Key Management for Financial Service Platforms
Ulrich Scholten (guest) & Stefan Hansen, 20 October 2022

In response to changing and more dynamic market demands, banks and financial institutions are turning into financial service platforms. They increase the extent of their digital transformations across the hybrid cloud, guided by three motivating factors:
- Responsiveness
- Flexibility
- Cost
IBM’s Mainframe Service Architecture
IBM's mainframe line goes back to the System/360, launched in 1964, and every generation since has maintained full backward compatibility; the zSeries branding arrived in 2000 and the line is sold today as IBM Z, where Z stands for "Zero Downtime". The product was intended as a highly reliable and highly secure computing environment, and it achieved a market-dominating role in the architectures handling ATM-based payment for financial institutions and in retail banking infrastructures.
In September 2019, IBM announced the z15, the next generation of the line, designed to embrace the hybrid cloud. IBM reengineered its mainframe service architecture to help these organizations avoid the pitfalls of complex migrations and the associated cloud security risks.
IBM’s new z15™ single and multi-frame system design was shaped in close collaboration with customers needing a successful digital transformation. The IBM z15 provides scalable privacy, security, and resilience, making it a valuable component of any bank or financial institution’s enterprise-wide cloud infrastructure.
The IBM z15 enables cloud-native services and extends the value of critical data and application investments for businesses. These features help address the current challenges and future considerations for transformative growth for banks and other financial institutions, along with the following benefits:
- Cloud-native, enabling the development and deployment of digital and AI-infused services in the cloud.
- Encryption to protect data and manage privacy through policy across the business's ecosystem.
- Cyber-resilient to protect against both internal and external attacks, while delivering uninterrupted service and minimizing downtime.
- Flexible computing for organizations of all sizes with any public, private, or hybrid cloud.
Enhanced Common Cryptographic Architecture (CCA 7.0)
Security requirements for key management and distribution, for protecting enterprise data, and for data management and compliance keep changing around the globe, and the z15 enhancements are designed to address them. Common Cryptographic Architecture Release 7.0 is designed to be certified under the PCI PTS HSM standard (the Payment Card Industry security requirements for hardware security modules). Its design eases the migration of keys and applications and the addition of new cryptographic algorithms. CCA 7.0 also includes the HSM enhancements that shipped in the limited-availability release CCA 6.3.
CCA 7.0 adds a further key distribution method through callable services that support ASC X9's Technical Report 34 (TR-34). TR-34 specifies an interoperable protocol that uses asymmetric techniques (certificates and public-key encryption) to protect the distribution of symmetric keys from a host system to key-receiving devices such as point-of-sale terminals and ATMs. With TR-34 support in CCA 7.0, banks and other financial institutions can avoid the cost of dispatching two key custodians to load keys manually at each device under dual control, and gain a secure, cost-effective method for the remote management of encryption keys.
The z15's enhanced CCA includes full native support for X.509 certificates carrying RSA or ECC public keys: every CCA service that accepts a public key now also accepts an X.509 certificate. The certificate is validated inside the Crypto Express adapter (CEX6S or CEX7S) against the institution's internally managed Public Key Infrastructure (PKI); the trust anchors that underpin that PKI are loaded from a Trusted Key Entry (TKE) workstation, which provides a secured management path. The X9 TR-34 services mentioned above also build on this certificate support.
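The exchange the two paragraphs above describe, as an added example that is not IBM's code and not a TR-34 implementation: a Go program in which a key distribution host (KDH, the TR-34 term) encrypts a symmetric key to a key receiving device (KRD) under the device's RSA public key and signs the result, and the device accepts the key only after chaining the host's certificate to a loaded trust anchor and verifying the signature. The keyToken structure, the certificate subjects, the device identifier "ATM-0001", the 128-bit key and the way ID and ciphertext are bound are all constructed for the illustration; real TR-34 uses CMS SignedData and EnvelopedData and its own key block format, and the trust anchor would be loaded into the HSM via TKE rather than built in memory.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyToken is a constructed stand-in for TR-34's CMS structures: an encrypted key plus a KDH signature.
type keyToken struct {
	KRDID      string // identity of the intended receiver, bound into the signature
	WrappedKey []byte // symmetric key under RSA-OAEP to the KRD public key
	Signature  []byte // KDH RSA-PSS signature over KRDID and WrappedKey
}

// tokenDigest hashes the signed fields; the ID is length-prefixed so it cannot blur into the ciphertext.
func tokenDigest(krdID string, wrapped []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s", len(krdID), krdID)
	h.Write(wrapped)
	return h.Sum(nil)
}

// newIdentity makes an RSA key pair and certificate; parent == nil yields a self-signed CA, our stand-in for the TKE-loaded trust anchor.
func newIdentity(cn string, serial int64, parent *x509.Certificate, parentPriv *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentPriv = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &priv.PublicKey, parentPriv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// kdhWrap is the host side: encrypt the key to the device, then sign receiver ID and ciphertext.
func kdhWrap(kdhPriv *rsa.PrivateKey, krdPub *rsa.PublicKey, krdID string, symKey []byte) (*keyToken, error) {
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, krdPub, symKey, nil)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, kdhPriv, crypto.SHA256, tokenDigest(krdID, wrapped), nil)
	if err != nil {
		return nil, err
	}
	return &keyToken{KRDID: krdID, WrappedKey: wrapped, Signature: sig}, nil
}

// krdUnwrap is the device side: chain the KDH certificate to the trust anchor, verify the signature, only then decrypt.
func krdUnwrap(roots *x509.CertPool, kdhCert *x509.Certificate, krdPriv *rsa.PrivateKey, tok *keyToken) ([]byte, error) {
	if _, err := kdhCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, fmt.Errorf("KDH certificate not trusted: %w", err)
	}
	kdhPub, ok := kdhCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("KDH certificate does not carry an RSA key")
	}
	if err := rsa.VerifyPSS(kdhPub, crypto.SHA256, tokenDigest(tok.KRDID, tok.WrappedKey), tok.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, krdPriv, tok.WrappedKey, nil)
}

func main() {
	caCert, caPriv, err := newIdentity("Example Bank Key Management CA", 1, nil, nil)
	if err != nil {
		panic(err)
	}
	kdhCert, kdhPriv, err := newIdentity("Example Bank KDH", 2, caCert, caPriv)
	if err != nil {
		panic(err)
	}
	krdPriv, _ := rsa.GenerateKey(rand.Reader, 2048) // the terminal's own key pair
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	tok, err := kdhWrap(kdhPriv, &krdPriv.PublicKey, "ATM-0001", []byte("0123456789abcdef")) // constructed key
	if err != nil {
		panic(err)
	}
	got, err := krdUnwrap(roots, kdhCert, krdPriv, tok)
	fmt.Printf("recovered key %q, err=%v\n", got, err)
}
```

The order of checks in krdUnwrap is the point: certificate chain first, signature second, decryption last, so a token from an untrusted host, a token redirected to a different device ID, or a ciphertext altered in transit is rejected before the device's private key is ever used on it.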
Enhancements in CCA 7.0’s release also allow the creation of PCI HSM-compliant tagged RSA and AES key tokens. These tokens are managed by CCA firmware under the requirements of its PCI-HSM compliance mode.
Compliance-oriented methods are included to check master keys that are loaded into CCA. For example, the Key Test2 callable service (CSNBKYT2) can verify a master key against its ANSI X9.24-1 key check value, computed either with CMAC, the block-cipher-based MAC algorithm of NIST SP 800-38B, or with the encrypt-zeros method; both derive the check value from an all-zero block, so the key can be verified without ever being revealed. This feature is useful during compliance audits.
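Both check methods named above, as an added example that is not IBM's Key Test2 code: AES-CMAC implemented per NIST SP 800-38B and checked against that standard's Appendix D.1 test vectors (also listed in RFC 4493), then a key check value computed from an all-zero block either way, plus the constant-time comparison an audit of an installed key comes down to. The truncation lengths used when printing (5 bytes for the CMAC value, 3 for encrypt-zeros) follow common X9.24-1 / TR-31 practice and are assumptions here; the key is the NIST test key, not a master key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// dbl doubles a 128-bit value in GF(2^128), the subkey derivation step of NIST SP 800-38B.
func dbl(in []byte) []byte {
	out := make([]byte, 16)
	var carry byte
	for i := 15; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	if carry == 1 {
		out[15] ^= 0x87 // R_b for a 128-bit block size
	}
	return out
}

// aesCMAC returns the full 128-bit CMAC of msg under an AES block cipher (NIST SP 800-38B).
func aesCMAC(block cipher.Block, msg []byte) []byte {
	l := make([]byte, 16)
	block.Encrypt(l, l) // L = CIPH_K(0^128)
	k1 := dbl(l)
	k2 := dbl(k1)
	n := (len(msg) + 15) / 16 // blocks, counting a partial last block
	if n == 0 {
		n = 1 // an empty message is treated as one incomplete block
	}
	last := make([]byte, 16)
	tail := msg[(n-1)*16:]
	copy(last, tail)
	sub := k1 // complete final block: mask with K1
	if len(tail) != 16 {
		last[len(tail)] = 0x80 // incomplete final block: 10..0 padding, mask with K2
		sub = k2
	}
	for i := range last {
		last[i] ^= sub[i]
	}
	x := make([]byte, 16) // CBC-MAC chain over the leading complete blocks
	for i := 0; i < n-1; i++ {
		for j := range x {
			x[j] ^= msg[i*16+j]
		}
		block.Encrypt(x, x)
	}
	for j := range x {
		x[j] ^= last[j]
	}
	block.Encrypt(x, x)
	return x
}

// keyCheckValues computes both check methods the text names, untruncated: the ANSI X9.24-1 /
// TR-31 AES method (CMAC over one all-zero block) and the legacy encrypt-zeros method.
func keyCheckValues(key []byte) (cmacKCV, zerosKCV []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	zerosKCV = make([]byte, 16)
	block.Encrypt(zerosKCV, zerosKCV) // CIPH_K(0^128)
	return aesCMAC(block, make([]byte, 16)), zerosKCV, nil
}

// checkKey compares the CMAC KCV of key with the recorded (truncated) value in constant time,
// which is what verifying an installed master key against its documented KCV amounts to.
func checkKey(key, expectedKCV []byte) (bool, error) {
	cmacKCV, _, err := keyCheckValues(key)
	if err != nil || len(expectedKCV) == 0 || len(expectedKCV) > len(cmacKCV) {
		return false, fmt.Errorf("bad key or KCV length: %v", err)
	}
	return subtle.ConstantTimeCompare(cmacKCV[:len(expectedKCV)], expectedKCV) == 1, nil
}

// selfTest checks the CMAC against two NIST SP 800-38B Appendix D.1 (RFC 4493) vectors.
func selfTest() bool {
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	m16, _ := hex.DecodeString("6bc1bee22e409f96e93d7e117393172a")
	block, _ := aes.NewCipher(key)
	return hex.EncodeToString(aesCMAC(block, nil)) == "bb1d6929e95937287fa37d129b756746" &&
		hex.EncodeToString(aesCMAC(block, m16)) == "070a16b46b4d4144f79bdd9dd04a287c"
}

func main() {
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c") // NIST test key, not a real master key
	c, z, _ := keyCheckValues(key)
	fmt.Printf("self-test %v, CMAC KCV %x, encrypt-zeros KCV %x\n", selfTest(), c[:5], z[:3])
}
```

A key check value is a fingerprint, not a secret, and the two methods give different values for the same key, so an audit record must say which method (and which truncation) produced the value it lists; a mismatch between methods looks exactly like a wrong key.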
For banks and financial institutions, CCA 7.0's enhanced features support the use of the AES algorithm in banking applications. This includes a new method to format PAN data for authenticated PAN-change requests, based on the ISO 9564-1 standard (whose format 4 PIN block is the AES-based one).
An AES-based key management feature is also part of this method: it enforces a dedicated usage for the authentication keys that translate PINs held in ISO-4 PIN blocks, so those keys cannot be used for anything else. This adds a further level of protection for this security-sensitive operation.
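The ISO 9564-1 format 4 (ISO-4) PIN block that the two paragraphs above refer to, as an added Go example that is not CCA code: building the PIN and PAN fields, the two-pass AES construction, the checks a receiver performs before releasing a PIN, and a translate function that re-encrypts a block under another key and PAN, which is the operation behind PIN translation and PAN change. The key and PAN values are constructed, and CCA's enforcement of a dedicated usage for the keys involved is not modelled; in an HSM the clear PIN in translatePINBlock would never leave the secure boundary.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// digits reports whether s is non-empty and consists only of decimal digits.
func digits(s string) bool { return s != "" && strings.Trim(s, "0123456789") == "" }

// pinField builds the 16-byte format 4 PIN field: control nibble 4, PIN length, PIN digits, fill 0xA to nibble 15, 8 random bytes.
func pinField(pin string) ([]byte, error) {
	if !digits(pin) || len(pin) < 4 || len(pin) > 12 {
		return nil, fmt.Errorf("PIN must be 4 to 12 digits")
	}
	pf, _ := hex.DecodeString(fmt.Sprintf("4%X%s", len(pin), pin) + strings.Repeat("A", 14-len(pin)))
	rnd := make([]byte, 8)
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	return append(pf, rnd...), nil
}

// panField builds the 16-byte PAN field: nibble 0 = PAN length minus 12, PAN digits (left-padded with zeros to 12), zero fill.
func panField(pan string) ([]byte, error) {
	if !digits(pan) || len(pan) > 19 {
		return nil, fmt.Errorf("PAN must be 1 to 19 digits")
	}
	for len(pan) < 12 {
		pan = "0" + pan
	}
	s := fmt.Sprintf("%X%s", len(pan)-12, pan)
	return hex.DecodeString(s + strings.Repeat("0", 32-len(s)))
}

// encryptPINBlock applies the two-pass construction: E_K(PIN field) XOR PAN field, encrypted again.
func encryptPINBlock(key []byte, pin, pan string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pnf, err := panField(pan)
	if err != nil {
		return nil, err
	}
	a, err := pinField(pin)
	if err != nil {
		return nil, err
	}
	block.Encrypt(a, a)
	for i := range a {
		a[i] ^= pnf[i]
	}
	block.Encrypt(a, a)
	return a, nil
}

// decryptPINBlock reverses the construction and checks control nibble, length, digits and fill before releasing the PIN.
func decryptPINBlock(key, epb []byte, pan string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pnf, err := panField(pan)
	if err != nil || len(epb) != 16 {
		return "", fmt.Errorf("bad PAN or PIN block length: %v", err)
	}
	b := make([]byte, 16)
	block.Decrypt(b, epb)
	for i := range b {
		b[i] ^= pnf[i]
	}
	block.Decrypt(b, b)
	h := strings.ToUpper(hex.EncodeToString(b[:8]))
	n := int(b[0] & 0x0F)
	if h[0] != '4' || n < 4 || n > 12 || !digits(h[2:2+n]) || h[2+n:] != strings.Repeat("A", 14-n) {
		return "", fmt.Errorf("not a valid format 4 PIN field")
	}
	return h[2 : 2+n], nil
}

// translatePINBlock moves a block from one key and PAN to another (PIN translation and PAN change).
func translatePINBlock(fromKey, toKey, epb []byte, oldPAN, newPAN string) ([]byte, error) {
	pin, err := decryptPINBlock(fromKey, epb, oldPAN)
	if err != nil {
		return nil, err
	}
	return encryptPINBlock(toKey, pin, newPAN)
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit PIN encryption key, not a real one
	epb, _ := encryptPINBlock(key, "1234", "4111111111111111")
	pin, err := decryptPINBlock(key, epb, "4111111111111111")
	fmt.Printf("EPB %x -> PIN %s (err=%v)\n", epb, pin, err)
}
```

Two properties of format 4 show up directly: the random filler means the same PIN never produces the same encrypted block twice, and because the PAN is mixed in between the two AES passes, a block decrypted with the wrong PAN (or wrong key) yields a field that fails the format checks rather than a plausible-looking PIN.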
Lastly, CCA 7.0 adds two new callable services that support the requirements of Die Deutsche Kreditwirtschaft (DK, the German Banking Industry Committee). IBM has committed to further enhancements as banking and finance standards are updated or as new releases with support for AES-based protocols and methods appear.
Being in full control of key management
Cryptomathic's Crypto Key Management System (CKMS) integrates with IBM Z and CCA wherever they sit in the hybrid cloud, and lets banks and financial institutions manage the life cycle and distribution of cryptographic keys in a secure, compliant and automated way.
However, banking infrastructure is rarely restricted to one vendor solution. In addition to the IBM zSeries, there might be services provided by Cloud Service Providers (CSPs), diverse local data center infrastructures, and hardware security modules (see figure below).
Figure: CKMS in the data center with multiple integration points
CKMS provides off-the-shelf and proven integration points to all the infrastructures and applications shown above, embedding zSeries into holistic, integrated crypto across the bank’s hybrid cloud.
The benefits include:
- Securely sharing keys between mainframe, on-premise, and cloud applications
- Centrally managing the life-cycle of cryptographic keys at large scale
- Automating key management activities and online key distribution
- Reducing the risk of key compromise and human errors
- Providing tamper-evident audit and usage logs for compliance
- APIs and key formats based on industry standards
Photo: "Pulling Money from an ATM" by courtesy of OTA photos (CC BY-SA 2.0)