Security in IBM Cloud Local
The IBM Cloud Local is unique in that it provides customers with data center and infrastructure facilities while retaining ownership of its physical security.
Figure 1. IBM Cloud Platform Security Overview
When it comes to IBM Cloud Local, users have the ability to host IBM Cloud using their company firewall within their own data center. For this reason, users are themselves responsible for most security aspects.
The image below details the different areas of security that are owned by the user and the security areas that are owned and managed by IBM.
Figure 2. IBM Cloud Local platform security overview
IBM installs, monitors, and remotely manages IBM Cloud Local in the user's data center with the help of Relay. Relay is a delivery capability that comes with IBM Cloud Local. It connects securely using certificates that are specific to each IBM Cloud Local instance. Additional information on Relay and IBM Cloud Local can be found at Bluemix Local.
How Is Functional Security Implemented in IBM Cloud?
IBM Cloud provides users with a number of different security capabilities. These include access authorization, user authentication, data protection and the auditing of critical operations.
IBM Cloud utilizes Cloud Foundry to make sure that every application developer’s access is limited to just the applications and service instances that they created. Authorization is based on OAuth. External users are restricted from accessing IBM Cloud Platform’s internal endpoints.
Authentication to IBM Cloud for application developers is completed using their IBM web identity. In the case of IBM Cloud Dedicated and Local, authentication is achieved using LDAP, which is supported by default. If requested, authentication via IBM web identity can be enabled instead.
All IBM Cloud traffic needs to pass through the IBM WebSphere DataPower SOA Appliances. This provides reverse proxy, load balancing, and SSL termination functions. The HTTP methods allowed are –
HTTP connections time out after 2 minutes of inactivity.
The headers below are populated using DataPower:
- $wsis – Set to true if client-side connection is secure (HTTPS), set to false otherwise.
- $wssc – Set to one of the following schemes of client connection: https, http, ws, or wss.
- $wssn – Set to host name that is sent by client.
- $wssp – Set to server port that client connects to.
- x-client-ip – Set to client IP address.
- x-forwarded-proto – Set to one of the following schemes of client connection: https, http, ws, or wss.
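An application-side check of the headers listed above, added here as an example (not IBM's own code). It assumes the app is reachable only through DataPower, so the headers can be trusted; an app that can be reached directly must not rely on them. The header names are the ones on this page; the function names are mine.

```python
# Added example, not IBM's code: an app-side check of the headers DataPower
# populates. Assumes the app is reachable only through DataPower; an app that
# can be hit directly must not trust these headers.
import ipaddress
import re

ALLOWED_SCHEMES = {"https", "http", "ws", "wss"}
SECURE_SCHEMES = {"https", "wss"}
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def classify_request(headers):
    """Return (is_secure, client_ip, problems) from the DataPower headers.
    Header names are matched case-insensitively; every inconsistency is
    reported in `problems` so the caller can reject instead of guessing."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    problems = []
    wsis = h.get("$wsis", "").lower()
    if wsis not in ("true", "false"):
        problems.append("$wsis missing or not true/false")
    scheme = h.get("$wssc", "").lower()
    if scheme not in ALLOWED_SCHEMES:
        problems.append("$wssc not one of https/http/ws/wss")
    fwd_proto = h.get("x-forwarded-proto", "").lower()
    if fwd_proto and fwd_proto != scheme:
        problems.append("x-forwarded-proto disagrees with $wssc")
    # $wsis (client-side TLS) must agree with the scheme DataPower reports.
    is_secure = wsis == "true"
    if scheme in ALLOWED_SCHEMES and is_secure != (scheme in SECURE_SCHEMES):
        problems.append("$wsis disagrees with $wssc")
    port = h.get("$wssp", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append("$wssp is not a valid port")
    if not HOST_RE.match(h.get("$wssn", "")):
        problems.append("$wssn is not a plausible host name")
    client_ip = None
    try:
        client_ip = str(ipaddress.ip_address(h.get("x-client-ip", "")))
    except ValueError:
        problems.append("x-client-ip is not an IP address")
    return is_secure, client_ip, problems


def require_https(headers):
    """Policy gate: True only for HTTPS/WSS with fully consistent headers."""
    is_secure, _ip, problems = classify_request(headers)
    return is_secure and not problems
```

Rejecting on any inconsistency (rather than picking one header) keeps a misconfigured proxy chain from being mistaken for a secure client connection.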
Audit logs are created and maintained for each successful and unsuccessful authentication attempt initiated by application developers. Audit logs are also created for privileged access to the Linux systems that host the containers in which IBM Cloud applications run.
Development Best Practices
When it comes to IBM Cloud, whether Public or Dedicated, frequent and periodic security vulnerability scans are performed on a number of different IBM Cloud components using the IBM Security AppScan Dynamic Analyzer.
Threat modeling and penetration testing are performed to assist in detecting and addressing potential vulnerabilities across the various IBM Cloud deployments. Additionally, application developers can use the AppScan Dynamic Analyzer service to check that the web apps they deploy on IBM Cloud are secure. Apart from that, IBM Cloud supports implementing all phases of the SDLC securely as long as you follow the appropriate Enterprise Design Thinking practices.
How Is Infrastructure Security Implemented in IBM Cloud?
IBM Cloud builds upon Cloud Foundry and provides an all-round foundation for running a user's applications. Several components within the architecture assist with security and isolation. Additionally, change management as well as backup and recovery procedures are carefully implemented, ensuring data availability and integrity.
Firewalls are put in place to help limit the access to the IBM Cloud network. When it comes to IBM Cloud Local, the user’s company firewall separates the rest of their company’s network from the IBM Cloud instance.
Secure Application Container Management
Every IBM Cloud application is isolated and runs in its individual container. These containers have predefined resource limits for the processor, memory as well as disk.
For the IBM Public Cloud, the production and development environments are isolated from one another. This is done to enhance application security and stability.
IBM Dedicated and Public Cloud include intrusion protection and threat detection, so that threats can be uncovered and addressed in a timely manner.
Operating System Security Hardening
IBM administrators regularly undertake operating system and network hardening with the help of tools like IBM Endpoint Manager.
What about Operational Security?
IBM Cloud also supports an all-round operational security environment using the following controls.
IBM Cloud makes use of Nessus, the Tenable Network Security vulnerability scanner, to assist with the detection of vulnerabilities in network or host configurations.
Automated Fix Management
IBM Cloud administrators make sure that operating system fixes are applied when needed. These automated fixes are enabled using IBM Endpoint Manager.
Audit Log Consolidation and Analysis
With the help of IBM Security QRadar, IBM Cloud consolidates Linux logs to monitor access on Linux systems. Additionally, it uses IBM QRadar security information and event management (SIEM) to monitor login attempts by application developers.
User Access Management
In IBM Cloud, Separation of Duties guidelines assign granular access privileges to users. This ensures users are restricted to the level of access needed to perform their jobs, based on the principle of least privilege. Refer to Managing Bluemix Local and IBM Cloud Dedicated for more details.
Physical Security Constraints
When it comes to physical network security, IBM’s Public and Dedicated Cloud relies on the network-within-a-network topology of IBM Cloud. This makes sure that all systems are accessible only to authorized users. For IBM Cloud Local, users retain ownership of the physical security for their local instance. The user’s data center is secured behind their company’s firewall.
When it comes to the IBM Cloud network-within-a-network, the public network layer handles all public traffic to websites and online resources. The private network layer allows for out-of-band management through a stand-alone carrier via PPTP, SSL, or IPSec VPN gateways. Data center to data center network layers provide secure and free connectivity between servers housed within separate IBM Cloud facilities.
Each IBM Cloud data center is completely secured and utilizes controls that are in accordance with SSAE 16 and other related industry-accepted requirements.
IBM Data Security
As a user, if you are using IBM Cloud then securing your data against unwanted access is a joint effort between you and the IBM Cloud.
All data that is linked to a running application can be in any of 3 states: data-in-transit, data-at-rest, and data-in-use. These are explained below –
- Data-in-transit. Data that is currently being transferred between nodes on a network.
- Data-at-rest. Data that has already been stored.
- Data-in-use. Data that is not currently stored but is being acted upon at an endpoint.
Each of these types of data has to be considered when planning for data security. IBM’s Cloud platform secures data-in-transit by securing the user’s access to the application via SSL at the boundary of the IBM Cloud internal network.
IBM's DataPower Gateway provides SSL termination; from there, IPsec is used to secure the data in transit from the DataPower Gateway to the application.
Security for data-in-use and data-at-rest is the responsibility of the user as they usually develop their own application. Users can take advantage of a number of different data-related services made available in the IBM Cloud catalog to assist with these concerns.
Security of IBM Cloud Applications
If you are an application developer, you can enable security configurations, including application data protection, for applications that run on IBM Cloud.
Application developers are able to use security capabilities provided by IBM Cloud services to secure their applications.
IBM UrbanCode Plug-in for Application Security Testing
The IBM Application Security Testing for IBM Cloud plug-in allows you to perform security scans on web and Android apps hosted on IBM Cloud.
For further details, you can visit IBM Application Security Testing for IBM Cloud.
An SQL database, DB2 Hosted, is provisioned for cloud users. Users can work with DB2 Hosted much as they would with any other database software, but without the expense and overhead of software installation, maintenance or hardware setup.
Users can also install a local DB2 database via the free DB2 Developer Edition download. This installs a ready-to-use developer edition of DB2 along with tools within a Docker container. More information can be found at Getting started with DB2 Hosted.
The Secure Gateway service enables users to connect IBM Cloud apps to remote locations securely, either in the cloud or on premises. It provides secure connectivity and establishes a tunnel between the user’s IBM Cloud organization and the remote location where the connection needs to be established. Users are able to configure and create secure gateways using IBM Cloud’s user interface or a compatible API package.
Security Information and Event Management
Security information and event management (SIEM) tools can be used to analyze security alerts in application logs. An example is IBM Security QRadar SIEM. This provides security intelligence in cloud environments. To know more, visit IBM QRadar Security Intelligence Platform.