January 30, 2023 By Henrik Loeser 4 min read

Check out our new tutorial to learn how to enhance security for your IBM Cloud environment by utilizing context-based restrictions.

Context-based restrictions (CBRs) give account owners and administrators the ability to define and enforce access restrictions for IBM Cloud resources based on the context of the access request (e.g., network attributes). In an IBM Cloud account, both Identity and Access Management (IAM) policies and CBRs enforce access, so context-based restrictions can offer protection even in the face of compromised or mismanaged credentials or privileges.

To get you started with CBRs, we just published a new tutorial, “Enhance cloud security by applying context-based restrictions.” It helps you learn about CBRs to protect your cloud resources. The tutorial leverages our existing tutorial “Apply end-to-end security to a cloud application” and its sample code, and it also adds an extra layer of security. The diagram below shows the solution architecture of the existing security tutorial. The additional boxes with dashed, blue lines around some components denote CBRs implemented as context rules.

In this blog post, I’ll briefly introduce context-based restrictions. Then I’ll show you how our new tutorial helps you learn more and implement, test and monitor CBRs:

Context rules governing access to services of the sample solution.

Overview: Context-based restrictions

IBM Cloud introduced context-based restrictions (CBRs) in late 2021. These restrictions work with traditional IAM policies to provide an extra layer of protection. This is because IAM policies are based on identity (e.g., user, service ID or trusted profile), while CBRs are based on the context of the request (e.g., network addresses, originating services or accessed endpoint types).

A CBR rule governs access to a resource identified by its service name and type as well as by additional attributes. These can include the region, resource group and other service-specific properties. The attributes in a rule are mostly optional, so you could govern, for example, all IBM Key Protect for IBM Cloud instances together or target just a specific key ring in an identified Key Protect instance.

The context for a restriction is made up of network zones and service endpoints. You might want to define zones based on specific IP addresses or ranges or by configuring traffic originating from one or more VPCs or cloud services. With that, access to the sample Key Protect instance might only be allowed from, for example, a specific IBM Cloud Object Storage instance, a well-known range of IP addresses and only via the private endpoint.

Network zones can be used for the definition of multiple rules. Rules have an enforcement mode that is one of disabled, report-only or enabled.

New tutorial and sample code

You can use our recently published tutorial, “Enhance cloud security by applying context-based restrictions,” to meet the following objectives:

  • Learn about context-based restrictions to protect your cloud resources.
  • Define network zones to identify traffic sources for allowed and denied access.
  • Create rules that define context for access to your cloud resources.
  • Learn how to test and monitor context rules.

The tutorial walks you through the creation of CBR network zones and context rules with both the IBM Cloud console and Terraform code. The latter helps to establish security rules in an automated way. Once the rules are in place, the next steps are testing and monitoring: confirming that the rules would work as intended (report-only mode) and then that they actually do (enabled mode).
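As an added example (not the tutorial’s own code), the following Terraform defines a network zone and a context rule of the kind described above, assuming the `ibm_cbr_zone` and `ibm_cbr_rule` resources of the IBM Cloud Terraform provider; the account and instance identifiers in angle brackets are placeholders.

```hcl
# Added example (not the tutorial's code); <...> values are placeholders.
# Zone: a well-known IP range plus traffic that originates from one
# Cloud Object Storage instance (a "serviceRef" address).
resource "ibm_cbr_zone" "kp_zone" {
  name        = "kp-allowed-sources"
  description = "Sources allowed to reach the sample Key Protect instance"
  addresses {
    type  = "ipRange"
    value = "192.0.2.0-192.0.2.255" # constructed range (TEST-NET-1)
  }
  addresses {
    type = "serviceRef"
    ref {
      account_id       = "<ACCOUNT_ID>"
      service_name     = "cloud-object-storage"
      service_instance = "<COS_INSTANCE_GUID>"
    }
  }
}

# Rule: start in report mode so Activity Tracker shows what would be denied;
# switch enforcement_mode to "enabled" once those logs look right.
resource "ibm_cbr_rule" "kp_rule" {
  description      = "Key Protect reachable only from kp_zone via private endpoint"
  enforcement_mode = "report" # API value for the console's "Report-only" mode
  contexts {
    attributes {
      name  = "networkZoneId"
      value = ibm_cbr_zone.kp_zone.id
    }
    attributes {
      name  = "endpointType"
      value = "private"
    }
  }
  resources {
    attributes {
      name  = "accountId"
      value = "<ACCOUNT_ID>"
    }
    attributes {
      name  = "serviceName"
      value = "kms" # Key Protect's service name in IAM/CBR
    }
    attributes {
      name  = "serviceInstance"
      value = "<KEY_PROTECT_INSTANCE_GUID>"
    }
  }
}
```

Dropping the `serviceInstance` attribute widens the rule to every Key Protect instance in the account, which is the other scoping option the overview mentions.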

To test, access resources covered by CBR rules via different origins and paths. Using the IBM Cloud Activity Tracker, you can see log entries for matching rules that are in report mode. Each log record has details on the context and the rule-based decision. That is, the log shows the request origin, the involved network zones, the targeted service and whether the rule would have rendered a “Deny” or “Permit.”

Once rules are enforced, after testing for at least a month, only denied access is reported. An Activity Tracker log record for such an event is shown in the following screenshot. The tutorial provides guidance on how to find the relevant log records:

Log entry in IBM Cloud Activity Tracker showing denied access.

Conclusions

Context-based restrictions help to enhance cloud security. They add an extra layer of protection to your cloud resources and complement the existing Identity and Access Management policies. With our new IBM Cloud solution tutorial, you learn how to create network zones and context rules and how to test and monitor them. Here are the resources to get you started:

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik), Mastodon (@data_henrik@mastodon.social) or LinkedIn.
