IBM’s Crypto Card Now a Cloud Service from FNTS
June 28, 2023 Alex Woodie
IBM i shops that want to use IBM’s cryptographic coprocessor card to encrypt transactions, but don’t want the hassle of buying and maintaining the hardware themselves, can now tap into a new cloud-based encryption service that is built on the IBM crypto card and managed by First National Technology Solutions (FNTS).
Representatives with First National Technology Solutions and CLAI PAYMENTS Technologies shared details of their joint IBM i encryption solution at COMMON’s recent POWERUp conference in Denver, Colorado. An executive from IBM, which has given its blessing to the offering, was also in attendance at the session.
The need for encryption is large at the moment and it shows no sign of letting up, said Keith Zblewski, the business development manager for FNTS, the Omaha, Nebraska-based bank-turned-managed-service-provider that’s well-versed in IBM i and Power Systems.
“You have this perfect storm of a tremendous amount of growth in digital commerce brought on in part by the pandemic . . . We have things like digital currency and all these require now encryption,” Zblewski said during the POWERUp presentation. “The second item of that perfect storm is you have growth in the number of standards that you have to follow. It’s not just PCI and SOC2. It’s now at the country level, at the state level, and every industry is adopting some sort of standard and you have to comply.”
One provider of encryption capability is IBM, with its cryptographic coprocessor card, a hardware security module (HSM) that plugs directly into the PCIe backplane of IBM Power servers. It is a time-tested setup that has protected many transactions over decades of service.
However, not everyone is a good candidate for the IBM crypto card. The cards aren’t free, for starters, and they can be hard to program with the API that IBM provides, Zblewski said; getting one up and running typically requires engineering talent. In that regard, the card sounds like a perfect candidate to be turned into a cloud service. But more obstacles emerge.
“These encryption cards were never really designed to be shared,” Zblewski said. “Because of the hardware security module nature of these cards, they weren’t designed to be shared in a shared computing model in the cloud.”
FNTS worked with its partner CLAI PAYMENTS Technologies, which has offices throughout Latin America, to take the IBM crypto cards and bundle them into a managed service offering. Fernando Carmona, the owner and CEO of CLAI PAYMENTS Technologies, provided a technical description of how the setup works during the Denver POWERUp session.
Carmona has been working with IBM i cryptographic technologies for more than two and a half decades. Encrypting transactions on the AS/400 was a challenge before IBM launched the crypto card. He and his midrange clients got around that by sending payment transactions over the X.25 protocol to external host security modules. There was a lot of work involved and it was difficult, he said.
The advent of the IBM crypto card helped to streamline some of that work. With more than 300 built-in cryptographic functions running right in the Power server, the crypto card helped to reduce that complexity.
The move to cloud computing over the past few years has forced a return to external host security modules. That’s because, while IBM Cloud is a solid offering that many CLAI customers use, it has one limitation: it doesn’t support the IBM crypto card, Carmona said.
“IBM Cloud is very good. We are working with them very well,” Carmona said. “But one problem [that] appeared is how to add cryptography. Because in PowerVS [IBM Power Virtual Server], you cannot ask for a crypto card because it’s not a device that can be verified.”
CLAI and FNTS addressed this limitation by developing a solution in which CLAI’s payment software is installed on Power servers that contain the IBM crypto cards, running in FNTS data centers in Omaha and Chicago, Illinois.
The two vendors demonstrated the setup with Power servers running in IBM Cloud data centers in Montreal, Quebec, and Washington, D.C., using TCP/IP sockets as the communication protocol between the cloud servers and the crypto cards in the FNTS data centers.
When a customer signs up for the cryptography-as-a-service, the first thing that FNTS does is build a secure VPN connection to both FNTS data centers, Zblewski said. “And then of course we have to build a very high speed site-to-site network between the two to make replication work,” he said.
The cryptography-as-a-service solution runs on IBM i servers, but it is not limited to accepting transactions from IBM i servers. In fact, any server running any operating system can tap into the offering.
While IBM could have offered the crypto cards through its own cloud, the company didn’t want to build something that only 5 percent of its customers would use, an IBM executive said. Instead, it relied on partners to deliver a solution that could be more closely tailored to customers’ specific needs, he said.
RELATED STORIES
FNTS Launches Managed Services for Power Servers in IBM Cloud