Security and Privacy by Design (SPbD)

Security and Privacy by Design (SPbD) at IBM is an agile set of focused security and privacy practices, including threat models, privacy assessments, security testing, and vulnerability management.

This document is intended to help you in your preparations for GDPR readiness. It provides information about features of IBM Cloud Pak for AIOps that you can configure, and aspects of the product’s use, to consider for GDPR readiness. This information is not an exhaustive list, due to the many ways that customers can choose and configure features, and the product can be used in itself and with third-party applications and systems.

IBM developed a set of SPbD processes and tools that are used by all of its business units. For more information about the IBM Secure Engineering Framework (SEF) and SPbD, see the IBM Redbooks Security in Development - The IBM Secure Engineering Framework (available in PDF format) Opens in a new tab .

IBM also provides information about the features of IBM Netcool Operations Insight that you can configure, how to use the product securely, and what to consider to help your organization with GDPR readiness. For more information, see Platform considerations for GDPR readiness.

As part of being secure by default, all intra-product communication is encrypted with TLS on deployments of IBM Cloud Pak for AIOps on Linux and Red Hat OpenShift Container Platform. In addition, both deployment options adhere to best practices such as running containers as non-root. Deployments of IBM Cloud Pak for AIOps on Red Hat OpenShift Container Platform also take advantage of additional security that is provided by Red Hat OpenShift Container Platform. For more information about container security, see the Red Hat documentation: Security and compliance Opens in a new tab .

As an additional layer of security, all communications between Red Hat OpenShift Container Platform nodes can be transparently encrypted (in additional to the TLS encryption at the application layer). To ensure that encryption in motion is enabled between each service or node within your Red Hat OpenShift Container Platform cluster, you must enable IPsec on Red Hat OpenShift Container Platform. When you install Red Hat OpenShift Container Platform, specify an empty object for the ipsecConfig parameter to enable IPsec encryption, as in the following example: 
apiVersion: operator.openshift.io/v1
kind: Network
metadata:
  name: cluster
spec:
  defaultNetwork:
    type: OVNKubernetes
    ovnKubernetesConfig:
      ipsecConfig: {}
Note: IPsec enablement status cannot be changed after cluster installation.

For more information, see IPsec encryption configurationOpens in a new tab and Specifying advanced network configurationOpens in a new tab in the Red Hat OpenShift Container Platform documentation.