IBM SmartCloud Enterprise (IBM Cloud) employs a shared responsibility model for security. IBM provides a physically and logically secure management infrastructure and base operating system environments for customers to build deployments in a public cloud environment. In this environment, the customer holds the responsibility for maintaining the security of the virtual resources once they are provisioned.
The IBM Cloud is an agile cloud Infrastructure as a Service (IaaS) offering designed to provide rapid access to enterprise-class virtual server environments. Specifically, it is an IBM-hosted multi-tenant cloud offering where customers share a common infrastructure. This sharing allows customers to take advantage of a lower-cost alternative to other infrastructure solutions.
This article describes the shared responsibility model and the topics you should consider when you provision a virtual machine in the IBM Cloud.
Shared responsibility approach
IBM Cloud takes a shared responsibility approach to security. That is, IBM owns the security of the cloud management infrastructure (hypervisor and below) and the customer owns all aspects of security above the hypervisor. Figure 1 illustrates the breakdown of these responsibilities:
Figure 1. Division of responsibilities
As mentioned, IBM holds responsibility for the physical infrastructure that makes up the IBM Cloud environment and for all components from the hypervisor level and below. The following sections give specifics on the parts of the IBM Cloud for which IBM is responsible.
IBM has a long-standing history in the data center and hosting business with many locations worldwide. Today the IBM SmartCloud Enterprise leverages locations in the USA, Canada, Germany, Japan, and Singapore, exploiting the experience, tools, and approaches that IBM already has in place for physical security. These include but are not limited to:
- Digital closed circuit television (CCTV) within the data center is either recorded 24x7 or event-driven (motion-activated). CCTV surveillance data is maintained for at least 30 days.
- Data center access doors are equipped with a local audible alarm.
- A computer-based controlled access system (CAS) uses badge readers to restrict access to only those with approval to enter controlled areas. All entries and exits to these areas are logged.
- Biometric and card security is present where appropriate.
- Anti-pass back (badge-out) function prevents multiple users from using the same badge for data center entry.
- Facility design and fire protection help prevent cascading failures of other systems.
Management of hardware and software below the hypervisor
IBM provides management and maintenance of the provisioning environment, including the actual hypervisor, physical network, and underlying hardware infrastructure. These systems are managed using processes based on the Information Technology Infrastructure Library (ITIL).
IBM internal IT management processes are stringently applied and regular internal audits are performed. IBM leverages both commercially available products and internal tools to manage the infrastructure. These include service offerings such as the IBM Managed Security Services offering for intrusion protection and vulnerability scanning.
IBM performs regular vulnerability scanning, patch management, automated health checking, and code reviews of the IBM Cloud environment, including the network infrastructure.
Intrusion Prevention/Intrusion Detection System (IPS/IDS)
An IPS/IDS is applied against the IBM infrastructure in real time. Because it sits in front of that infrastructure, it also provides a degree of shielding for customer virtual machines.
Security of the self-service portal and application programming interfaces (APIs)
There are two ways for a user to provision resources in the IBM Cloud environment:
- With the IBM Cloud self-service portal.
- With the IBM Cloud application programming interfaces (APIs).
The infrastructure used to implement these entry points is deployed in secured IBM facilities using a zoned, multi-tier architecture. These resources are subject to stringent IBM internal security requirements and processes, and IBM uses recognized offerings and products (such as Rational AppScan) to scan, monitor, and manage them. All communications between the customer client (for example, a web browser or a custom-built application using the APIs) and these resources are secured using Secure Sockets Layer (SSL) over Hypertext Transport Protocol (HTTP), that is, HTTPS.
Public image catalog
IBM provides a public catalog of operating system and middleware images. These images are built to the specifications of our vendors and IBM Software Group organizations. Patch management of the base images in the catalog is the responsibility of IBM and adheres to IBM internal standards for deployment of security-related fixes. These images are updated on a regular basis and on an as-needed basis for "hot" fixes.
Once the customer provisions an instance from the IBM Cloud catalog, the customer is responsible for all patch management of that running instance and any images created from that instance. Customers should always verify that the instances they provision adhere to their own company security standards.
As part of the shared responsibility model of IBM SmartCloud Enterprise, the customer is responsible for all aspects of security of provisioned resources in the cloud environment. The following sections examine most, but not all, of what this encompasses in more detail.
Identity management and access control
There are two aspects of identity management in any cloud environment:
- The IBM Cloud provisioning environment.
- The guest operating system.
For identity management in the IBM Cloud provisioning environment, the standard IBM Web Identity system used by all ibm.com systems is employed.
Once a customer has signed up for the IBM Cloud service, the ID specified during the sign-up process is assigned as the enterprise account administrator. Through the IBM Cloud self-service portal, the account administrator has the ability to add, delete, and modify additional user IDs that can be used to provision cloud resources such as instances, images, and storage.
When adding additional user IDs to the IBM Cloud provisioning environment, it is the customer's responsibility to manage all account user IDs based upon their own requirements.
Typical best practices for ID management include (but are not limited to):
- User ID request process.
- User ID approval process.
- User ID revalidation process.
- User ID revocation process.
- Password management guidelines.
- Password strength guidelines.
- Requiring users to perform regular password changes.
Once a virtual machine is provisioned in the IBM Cloud, identity management for the operating system running on the virtual machine needs to be addressed. This aspect of identity management is the responsibility of the customer who provisioned the virtual machine.
By default, when a virtual machine is provisioned in the IBM Cloud, access to that instance is restricted to a single entry point, which varies by the operating system of the virtual instance:
- For Red Hat or SuSE Linux®: A single user ID is enabled in the operating system to remotely access the instance via SSH with the key created by the IBM Cloud user that provisioned the instance.
- For Microsoft® Windows®: A single user ID and password are specified by the IBM Cloud user at the time the instance is provisioned. This ID/password combination can be used to access the instance via a Microsoft remote desktop connection.
At this point the owner of the instance can implement any number of identity management systems on the running virtual machine. This could include the default operating system, a common user repository like LDAP or Microsoft Active Directory, or some other third-party identity management system.
Guest operating systems
The IBM Cloud provides a self-service environment for provisioning cloud resources. IBM takes a "no touch" policy for all customer-provisioned resources; in other words, once a customer provisions a resource in the IBM Cloud, the customer is responsible for all security of that resource above the physical and hypervisor layers.
When a customer provisions an instance (virtual machine) in the IBM Cloud environment, the customer receives full root or administrator privileges on the guest operating system. With this level of privilege, customers can secure provisioned resources based upon their internal requirements or standards.
The following list contains tasks that every customer should consider in the management of provisioned resources. Note that this list is not all encompassing and customers should manage their cloud OS resources with the same care they use to manage resources contained in their own enterprise.
- Patch management and security fixes: OS vendors regularly patch their products to meet new threats, and the customer fully controls to what extent and when these patches are applied. IBM suggests customers regularly monitor the OS vendor's security bulletins and apply updates and fixes as best meets their requirements.
- Secure additional software: When installing, configuring, and managing any software on the guest operating system, the customer should take care to properly secure the software and any access to the system the software might expose. Software vendors regularly patch their products when security vulnerabilities are found. IBM suggests customers regularly monitor the software vendor's security bulletins and apply patches when required.
- Creating and implementing security policies on the guest operating system. These include (but are not limited to):
- Firewall policies of the guest operating system.
- Protection and distribution of guest operating system SSH keys.
- Encryption of data on the operating system.
- Choice of anti-virus software where appropriate.
- Removal of packages and services that are deemed not needed.
By default, each instance (virtual machine) provisioned in the IBM Cloud is assigned one or more publicly routable IP addresses and is accessed through the Internet.
An optional offering of the IBM Cloud is a virtual private network (VPN) service. Each VPN provides the customer an Internet Protocol Security-based (IPsec) VPN tunnel over the Internet between a customer's IPsec-capable gateway and one IBM Cloud data center. With the VPN option, the customer receives a private Virtual Local Area Network (VLAN) and, when provisioning an instance, can choose between placing it on the public VLAN or the private VLAN. The VPN option provides the customer with encrypted communication of data over the Internet and an additional level of isolation within the IBM Cloud virtual network.
Under the VPN option, a customer can provision an instance that spans both the public VLAN and the customer's private VLAN. This ability allows for greater flexibility in creating tiered deployment architectures in the IBM Cloud. This capability should be protected using software firewalls (either those that come with the operating system or from a third party) to limit both host and port access. For more information on this capability, read the developerWorks article: "IBM SmartCloud Enterprise tip: Span virtual local area networks."
Hypervisor and guest firewall rules
The IBM Cloud allows customers to set up custom firewall rules at the host and guest operating system levels. Each image is also configured by default to carry software firewall rules that will do nominal port filtering. Linux images are configured to use IPTables and by default allow TCP port 22 (SSH). Windows instances are configured to allow TCP port 3389 (RDP) by default.
Figure 2. Host- and guest-based firewall rules
By creating a custom image and managing the parameters.xml file, customers can set up host-based firewall rules. This feature gives a customer the ability to filter network traffic before it is sent to the guest operating system. For more information on how to perform these customizations, documentation is available in the support section of the compute cloud control panel as an asset named "Creating and customizing images" (you must be logged into your IBM Cloud account). More information on using the image parameters.xml file can be found in these developerWorks articles:
- Parameterize cloud images for custom instances on the fly
- Convert IBM Cloud image parameters into Java using JAXB
- Deploy products using rapid deployment service
- Tailor image validation rules on the fly
Through Windows Firewall or through IPTables on Linux systems, customers are always able to add additional layers of protection to their instance.
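The article notes that the Linux catalog images ship with an iptables policy that allows TCP port 22 and that an instance spanning the public and private VLANs should be protected with a software firewall limiting both host and port access. As an added example (not from the article or IBM's own images), the following POSIX shell script generates such a ruleset in iptables-restore format and checks it for the most common mistake; the interface names eth0/eth1, the admin network 203.0.113.0/24, and application port 8080 are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article: generate an iptables-restore ruleset
# for a Linux instance that spans the public VLAN and the customer's private
# VLAN, replacing the catalog image's default "allow TCP 22" rule.
# Assumptions (constructed for this example): eth0 is the public VLAN
# interface, eth1 the private one, 203.0.113.0/24 the customer's admin
# network reachable over the Internet, and the application listens on TCP 8080.

# gen_rules PUBLIC_IF PRIVATE_IF ADMIN_CIDR APP_PORT
# Prints a complete filter table: INPUT defaults to DROP, SSH is accepted only
# from the admin network on the public side, the application port only on the
# private VLAN (which is reached through the IPsec VPN tunnel).
gen_rules() {
    pub="$1"; priv="$2"; admin="$3"; app="$4"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and flows this host already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH from the admin network only, and only via the public interface
-A INPUT -i $pub -p tcp -s $admin --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# application traffic only from hosts on the private VLAN
-A INPUT -i $priv -p tcp --dport $app -m conntrack --ctstate NEW -j ACCEPT
# rate-limited log of what the default policy is about to drop
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
COMMIT
EOF
}

# check_rules RULES PUBLIC_IF APP_PORT
# Guards the one mistake that matters most on a spanned instance: the
# application port must never be accepted on the public interface. Returns 0
# when the ruleset passes, 1 otherwise.
check_rules() {
    rules="$1"; pub="$2"; app="$3"
    if printf '%s\n' "$rules" | grep -q -- "-i $pub .*--dport $app "; then
        echo "FAIL: port $app accepted on public interface $pub" >&2
        return 1
    fi
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
}

# Usage (as root, on a Red Hat image; review the output before loading it):
#   gen_rules eth0 eth1 203.0.113.0/24 8080 > /etc/sysconfig/iptables
#   iptables-restore < /etc/sysconfig/iptables
```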
As stated previously, the default access to the virtual machine operating system is to allow full privileges to the customer. As a result, customers have full control over how data is handled within their IBM Cloud environment. A customer can implement any software tooling to move data and is responsible for the maintenance of that tooling and administration of any access controls. Customers may want to consider additional security measures for their data such as file system encryption.
As a policy, IBM does not move or migrate a customer's provisioned resources (images, instances, persistent storage, etc.) from one data center to another. When the customer provisions a resource, the customer chooses which data center that resource is provisioned in. This policy can be important to customers that have security concerns with data moving outside of certain geographies.
Additional customer configuration options
The following configuration options can be important for customers:
- Firewall rules can be used in both the hypervisor and iptables (in Linux) or Windows Firewall (in Windows Server) in the guest to provide defense in depth.
- In a Linux operating system, privileged user authorizations can be controlled through the use of sudo with discrete user IDs for each user. sudo can also be used to grant privileges to run as other system middleware IDs (for example, db2user).
- SSH keyed authentication can be used in Linux instances.
- Initial passwords and SSH keys may be changed immediately upon taking control of an instance. It is common to set accounts to force a password change upon first login.
- The IBM Cloud allows for the implementation of monitoring functions or applications to monitor guest security.
- The IBM Cloud allows for the implementation of guest auditing and logging where appropriate.
- A customer may choose to not allow root access to instances.
- Use accounts other than the defaults. Using something other than the middleware default account name helps keep accounts from being compromised, because common or well-known account names are frequently targeted precisely because the name is already known.
- Restricting remote access to only those accounts that require it.
- Removing any unneeded packages or software from an instance.
- Determining if any services are unnecessary. Stopping and disabling or removing services that are not considered necessary.
- The IBM Cloud allows a customer to perform routine scans of Internet-facing assets.
- Adding a host-based Intrusion Detection System (IDS).
- Regularly checking for and applying patches to operating systems, software, and middleware.
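Several of the options above (changing initial credentials on first login, using SSH key authentication, not allowing root access, using sudo with discrete IDs) translate into a short first-boot routine on a Linux guest. The following POSIX shell functions are an added example, not the article's or IBM's own tooling; the admin account name cloudadmin is an assumption constructed for the example, and the file path passed in would be /etc/ssh/sshd_config on a real instance.

```shell
#!/bin/sh
# Added example, not from the article: apply and verify the first-login
# hardening steps listed above on a Linux guest (no root SSH login, key-only
# authentication, a named admin account with sudo, forced password change).
# Assumptions: the account name "cloudadmin" is constructed for this
# example; on a real instance pass /etc/ssh/sshd_config as FILE.

# set_sshd_option FILE KEY VALUE
# Idempotently sets KEY to VALUE: rewrites an existing directive (even a
# commented-out one), otherwise appends it, so repeated runs are harmless.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"; tmp="$file.tmp.$$"
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed -E "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd FILE: root may not log in over SSH and passwords are not
# accepted, so the key created at provisioning time is the only way in.
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PermitEmptyPasswords no
}

# audit_sshd FILE: prints each directive that is not at its hardened value
# and returns 1 if any was found, 0 if the file is compliant.
audit_sshd() {
    file="$1"; rc=0
    for pair in "PermitRootLogin no" "PasswordAuthentication no" \
                "PubkeyAuthentication yes" "PermitEmptyPasswords no"; do
        key=${pair% *}; want=${pair#* }
        # effective value is the last uncommented occurrence ("unset" if none)
        have=$(awk -v k="$key" '$1==k {v=$2} END {print (v=="" ? "unset" : v)}' "$file")
        [ "$have" = "$want" ] || { echo "$key is $have, expected $want"; rc=1; }
    done
    return $rc
}

# sudoers_line USER: one line for a drop-in under /etc/sudoers.d that gives
# a named admin account sudo instead of sharing the root account.
sudoers_line() { printf '%s ALL=(ALL) ALL\n' "$1"; }

# Usage on a real instance (as root):
#   harden_sshd /etc/ssh/sshd_config && audit_sshd /etc/ssh/sshd_config
#   sudoers_line cloudadmin > /etc/sudoers.d/cloudadmin
#   visudo -cf /etc/sudoers.d/cloudadmin   # syntax-check before relying on it
#   chage -d 0 cloudadmin                  # force a password change at first login
#   service sshd reload
```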
This discussion of the shared responsibility model for cloud security that IBM uses on the IBM Cloud alerts you to your security responsibilities as a customer and provides suggestions to help you correct any potential security gaps you might be opening by provisioning an instance on the IBM Cloud.
- The National Vulnerability Database is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP).
- The IBM X-Force Trend and Risk Report is produced twice per year: Once at mid-year and once at year-end. This report provides statistical information about all aspects of threats that affect Internet security, including software vulnerabilities and public exploitation, malware, spam, phishing, web-based threats, and general cyber criminal activity.
For more on how to perform tasks in the IBM Cloud, visit these resources:
- Upload and download files from a Windows instance.
- Install IIS web server on Windows 2008 R2.
- Create an IBM Cloud instance with the Linux command line.
- Create an IBM Cloud instance with the Windows command line.
- Extend your corporate network with the IBM Cloud.
- High availability apps in the IBM Cloud.
- Parameterize cloud images for custom instances on the fly.
- Windows-targeted approaches to IBM Cloud provisioning.
- Deploy products using rapid deployment service.
- Integrate your authentication policy using a proxy.
- Configure the Linux Logical Volume Manager.
- Deploy a complex topology using a deployment utility tool.
- Provision and configure an instance that spans a public and private VLAN.
- Secure IBM Cloud access for Android devices.
- Recover data in IBM SmartCloud Enterprise.
- In the developerWorks cloud developer resources, discover and share knowledge and experience of application and services developers building their projects for cloud deployment.
- Find out how to access IBM SmartCloud Enterprise.
Get products and technologies
- See the product images available for IBM SmartCloud Enterprise.