IBM Containerized Software Security Summary

The Security Summary is a PDF file that explains the security posture of an IBM Containerized product. The summary indicates compliance with several IBM Certification security metrics. The security metrics that are included are based on IBM standards, guidelines, and best practices for delivering secure, enterprise-grade software for Red Hat® OpenShift® Container Platform.

Why does IBM provide these summaries?

The Security Summary provides IBM customers with a simple way to understand the product's software posture before deployment. The summary helps IBM make the security posture of its products apparent, known, and easily understandable.

Who is the intended audience?

The summary is intended for Red Hat OpenShift Container Platform system and application administrators, and security professionals who deploy, plan to deploy, evaluate, or secure container workloads on Red Hat OpenShift Container Platform. These metrics can be used to apply the appropriate controls and configurations to the Red Hat OpenShift Container Platform cluster and topology to protect workloads and provide secure access.

How does IBM determine the compliance?

All IBM containerized software goes through a process that is called IBM Certification before publishing. An overview of the process is described in this IBM Developer blog post. IBM assesses over 100 metrics through this certification process to measure and ensure compliance with a rigorous set of standards and best practices. One of the attributes of IBM Certification is the IBM Security and Privacy by Design (SPbD) program. For more information about SPbD, see IBM Security and Privacy by Design.

This summary takes a few critical security metrics from the certification process and externalizes them. Through that process, some of the metrics are automated in the continuous integration and delivery pipeline while others are verified with documentation. The attributes with "automated" in their name are validated by an IBM internal linter tool.

Which Cloud Pak for Data components provide the summary?

The following Cloud Pak for Data components provide the Security Summary.

Cluster-wide components
  • Certificate manager
  • License Service
  • Scheduling service
Required instance-level components
  • IBM Cloud Pak® for Data
  • IBM Cloud Pak foundational services
Services
  • Analytics Engine powered by Apache Spark
  • Cognos® Dashboards
  • Data Privacy
  • DataStage®
  • Db2® Big SQL
  • Db2 Data Gate
  • Db2 Data Management Console
  • Decision Optimization
  • Execution Engine for Apache Hadoop
  • IBM® Match 360 with Watson™
  • Informix®
  • OpenPages®
  • Planning Analytics
  • Product Master
  • SPSS® Modeler
  • Watson Assistant
  • Watson Discovery
  • Watson Knowledge Catalog
  • Watson Knowledge Studio
  • Watson Machine Learning
  • Watson Machine Learning Accelerator
  • Watson OpenScale
  • Watson Pipelines
  • Watson Query
  • Watson Speech services
  • Watson Studio
  • Watson Studio Runtimes
Dependencies
  • Common core services
  • Db2 as a service
  • Db2U
  • FoundationDB

Where is the summary?

The summary is included as part of the software's Container Application Software for Enterprises (CASE) package. A CASE package is a well-defined file structure that provides packaging and metadata about the software, including its certification state and provenance.

To view the Security Summary, follow these steps:

  1. Browse to IBM Cloud Pak GitHub CASE repository.
  2. Browse to the appropriate product and version of the CASE package.

    CASE package versions are listed in Operator and operand versions.

  3. Download the tgz file.
  4. Extract the tgz file. For example:
    tar -xzvf <path-to-the-downloaded-tgz-file>
  5. The summary is named ExternalSecurityReport.pdf and is located in the certifications/files directory.
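
Steps 3 to 5 as a script, as an added example that is not IBM tooling: it lists the CASE archive before extracting anything, refuses member names that are absolute or contain "..", and extracts only the report rather than the whole archive. The function names and the optional top-level directory in front of certifications/files are assumptions.

```shell
#!/bin/sh
# Added example (not IBM tooling): extract only the Security Summary from a CASE tgz.
# Assumption: the report is stored as
#   [<top-level-dir>/]certifications/files/ExternalSecurityReport.pdf
REPORT_PATH='certifications/files/ExternalSecurityReport.pdf'

# Filter: print member names (stdin) that are absolute or contain a ".." component.
unsafe_paths() {
    grep -E '^/|(^|/)\.\.(/|$)'
}

# Filter: print the first member name (stdin) that is REPORT_PATH or ends in /REPORT_PATH.
report_member() {
    awk -v s="$REPORT_PATH" '
        { n = length($0) - length(s) }
        !found && n >= 0 && substr($0, n + 1) == s &&
            (n == 0 || substr($0, n, 1) == "/") { print; found = 1 }'
}

# Usage: extract_security_report <case.tgz> <dest-dir>; prints the extracted path.
extract_security_report() {
    tgz=$1
    dest=$2
    names=$(tar -tzf "$tgz") || return 1               # list first, extract nothing yet
    if printf '%s\n' "$names" | unsafe_paths >/dev/null; then
        echo "refusing $tgz: absolute or '..' member path" >&2
        return 2
    fi
    member=$(printf '%s\n' "$names" | report_member)
    [ -n "$member" ] || { echo "no $REPORT_PATH in $tgz" >&2; return 3; }
    mkdir -p "$dest" || return 1
    tar -xzf "$tgz" -C "$dest" "$member" || return 1   # only this one member
    # The report must be a regular file, not a symlink pointing elsewhere.
    if [ ! -f "$dest/$member" ] || [ -L "$dest/$member" ]; then
        echo "unexpected file type for $member" >&2
        return 4
    fi
    printf '%s\n' "$dest/$member"
}
```

Return codes 2, 3 and 4 distinguish an unsafe archive, a missing report, and a report that is not a regular file.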