IBM Cloud Pak for Security Gen 3 License Guide
This document provides information about licensing and entitlements for IBM Cloud Pak for Security Gen 3.
Listing of licenses by type
These licenses are used when creating instances of the IBM Cloud Pak for Security Gen 2 components in the spec.license.license field of each custom resource:
- Full License
- Full Licenses include OpenShift® Container Platform support entitlements. These licenses can be deployed in the Production or Non-production environment. See Products that can be deployed on Red Hat OpenShift for more details on Red Hat® OpenShift Container Platform support entitlements.
- Disaster Recovery License
- Disaster Recovery Licenses include OpenShift Container Platform support entitlements. These licenses are meant to be deployed for use in Disaster Recovery environments. See Products that can be deployed on Red Hat OpenShift for more details on Red Hat OpenShift Container Platform support entitlements.
The following table shows license versions.
License | Usage | Description |
---|---|---|
Production or Non-production | IBM Cloud Pak for Security Gen 3 | |
Disaster recovery | IBM Cloud Pak for Security Gen 3 - Disaster Recovery |
What do you get with your purchase of IBM Cloud Pak for Security Gen 3 and what is your entitlement?
IBM Cloud Pak for Security Gen 3 helps your organization detect and investigate threats, orchestrate and automate actions, and respond faster to security incidents across hybrid multi-cloud environments. It includes enterprise-ready, containerized and non-containerized software programs/capabilities. The containerized software requires Red Hat OpenShift. Containerized software is currently supported on Linux® 64-bit (X86_64) only.
The following containerized and non-containerized software programs are bundled with the IBM Cloud Pak for Security Gen 3 Program.
Bundled programs | Deployment in containerized format | Deployment in non-containerized format |
---|---|---|
QRadar® SOAR | QRadar SOAR | IBM® Security SOAR Platform; IBM Security SOAR Breach Response Add-on; IBM Security QRadar SOAR Team Management Add-on; IBM Security QRadar SOAR MSSP Add-on; IBM Security QRadar SOAR Actions Enterprise; IBM Security QRadar SOAR App Host |
QRadar SOAR Breach Response Add-on | QRadar SOAR Breach Response Add-on | QRadar SOAR Breach Response Add-on |
QRadar SIEM | Not available | IBM Security QRadar Suite Software; IBM Security QRadar Data Store; IBM Security QRadar Capacity - Events; IBM Security QRadar Suite Software Node; IBM Security QRadar Data Synchronization; IBM Security QRadar High Availability Software |
QRadar NDR | Not available | IBM Security QRadar Network Insights Software; IBM Security QRadar Capacity - Flows; IBM Security QRadar Software Node; IBM Security QRadar Data Synchronization; IBM Security QRadar High Availability Software |
QRadar Data Store | Not available | IBM Security QRadar Data Store; IBM Security QRadar Software Node; IBM Security QRadar Data Synchronization; IBM Security QRadar High Availability Software |
Risk Manager | Risk Manager | Not available |
Data Explorer | Data Explorer | Not available |
Threat Intelligence Insights | Threat Intelligence Insights | Not available |
Threat Investigator | Threat Investigator | Not available |
Guardium® Data Protection | Not available | IBM Security Guardium Aggregator Software Appliance; IBM Security Guardium Collector Software Appliance; IBM Security Guardium Data Protection for Big Data; IBM Security Guardium Data Protection for Databases; IBM Security Guardium Data Protection for Database Services; IBM Security Guardium Data Protection for Data Warehouses; IBM Security Guardium Data Protection for Files; IBM Security Guardium Data Protection for z/OS; IBM Security Guardium Data Protection for SAP HANA |
Guardium Vulnerability Assessment | Not available | IBM Security Guardium Vulnerability Assessment for Databases |
Guardium Insights | IBM Security Guardium Insights for IBM Cloud Pak for Security | Not available |
When deploying any of the bundled offerings under the IBM Cloud Pak for Security Gen 3, licensee must not exceed the maximum entitlement at any time. Deployments can include a mix of different deployed products, either deployment in containerized format, or deployment in non-containerized format, or a combination of both. Licensee can change the deployed offerings at any time as long as they never exceed their maximum entitlement. See Products that can be deployed on Red Hat OpenShift to learn more about which deployments require the Red Hat OpenShift Container Platform.
License options and pricing models for IBM Cloud Pak for Security Gen 3
Licensee can purchase Resource Units and apply them to the products and pricing model of choice. Licensee has the option to pick from the following two pricing models.
When licensing any of the following products: QRadar SIEM, NDR, SOAR, Breach Response, Data Explorer, Threat Investigator, and Threat Intelligence Insights, the following pricing models apply.
- Enterprise model
- This model offers predictable pricing at enterprise scale, and is based on the size of the IT infrastructure. The pricing metric is Managed Virtual Servers (MVS). All physical and virtual servers in the customer environment are counted. This model offers unlimited users, actions, and data ingestion.
- Usage model
- This model is usage-based, and is ideal for starting small and scaling as you grow. Pricing metrics vary based on the product. See usage pricing metric under each product section.
Licensee cannot mix or match pricing models across the same product in the package. Licensee cannot mix license entitlements for the IBM Cloud Pak for Security Gen 3 program and the stand-alone products. For example, Licensee cannot combine IBM Security QRadar SIEM from the Gen 3 package with an IBM Security QRadar Capacity stand-alone license entitlement.
Licensee must license a minimum of 100 MVS to use the Enterprise license. For example: If a Licensee has 80 servers in their organization, they should use the Usage model.
When licensing any of the following products: Guardium Data Protection, GVA, and GI, the following pricing models apply.
Licensee can purchase Resource Units and apply them to the programs and pricing model of their choice. Licensee has the option to pick from the following two models and can mix the two models across the same program in Guardium Package (except for SOAR, SOAR Breach Response, and Risk Manager programs).
- Enterprise model
- The pricing metric is Managed Virtual Servers (MVS). Here the number of servers in the enterprise that the Guardium programs (Guardium Data Protection, Guardium Vulnerability Assessment, and Guardium Insights) protect is counted. The MVS metric is used to support data sources that are on-premises, including cloud-hosted IaaS deployments, yet is not limited to those data sources.
- Usage model
- The unit of measure is primarily Virtual Processor Core (VPC). Here the number of processor cores that are allocated to the data sources (for example, DBaaS) that Guardium programs (Guardium Data Protection, Guardium Vulnerability Assessment, and Guardium Insights) protect is counted. For cloud-based (Cloud DBaaS) and containerized data sources, the VPC (compute assigned) metric is typically more relevant and is easier to find and report, yet does not need to be used for these data sources.
See License ratios for information on MVS and VPC license metrics.
License ratios
Deployed instances of products in IBM Cloud Pak for Security Gen 3 are charged at different rates based on their ratios.
Entitlements of IBM Cloud Pak for Security Gen 3 that are deployed can be redeployed to other products, as long as the total entitlement is not exceeded, using the ratios to calculate your total entitlements. There is no limit to the number of times that entitlements can be used in different combinations.
The following table shows the license ratios.
Product | RU ratio (Enterprise model) | RU ratio (Usage model) |
---|---|---|
Data Explorer | 1 MVS: 1 RU | 1 AU: 250 RU |
Threat Intelligence Insights | 1 MVS: 1 RU | 1 AU: 250 RU |
Threat Investigator | 1 MVS: 1 RU | 1 AU: 250 RU |
QRadar SOAR | 1 MVS: 5 RU | 1 AU: 1000 RU |
QRadar Breach Response | 1 MVS: 1 RU | 1 AU: 150 RU |
QRadar SIEM | 1 MVS: 12 RU | 100 EPS: 120 RU |
QRadar NDR | 1 MVS: 7 RU | 10k FPM: 300 RU |
QRadar Data Store | 1 MVS: 2 RU | 1 AU: 500 RU |
Guardium Data Protection | 1 MVS: 360 RU | 1 VPC: 36 RU |
Guardium Vulnerability Assessment | 1 MVS: 40 RU | 1 VPC: 4 RU |
Guardium Insights | 1 MVS: 100 RU | 1 VPC: 10 RU |
Risk Manager | 1 MVS: 2 RU | 1 MVS: 2 RU |
Products that can be deployed on Red Hat OpenShift
The following Bundled programs require the deployment of Red Hat OpenShift Container Platform.
- QRadar SOAR
- QRadar SOAR Breach Response Add-on
- QRadar EDR
- QRadar EDR Enterprise
- Risk Manager
- Guardium Insights
- Data Explorer
- Threat Intelligence Insights
- Threat Investigator
The following capabilities are now included with QRadar SOAR, QRadar SIEM, and QRadar NDR entitlements. There are no additional license entitlements that are required to use these capabilities.
- Data Explorer
- Threat Investigator
- Threat Intelligence Insights
Red Hat OpenShift Container Platform entitlements
For the purpose of this section “entitlement” to the Red Hat OpenShift Container Platform means the software subscription and support for the Red Hat OpenShift Container Platform. “Restricted license entitlement” means that software subscription and support for the Red Hat OpenShift Container Platform acquired pursuant to your IBM Cloud Pak for Security Gen 3 license is only provided for use of the Red Hat OpenShift Container Platform specifically for IBM Cloud Pak for Security Gen 3 and not non-IBM Cloud Pak for Security Gen 3 workloads.
When deploying programs under the containerized deployment, as part of an IBM Cloud Pak for Security Gen 3 deployment, deployment of Red Hat OpenShift is required. Restricted license entitlement for the Red Hat OpenShift is provided as follows:
- 50 VPCs of Red Hat OpenShift Container Platform if Licensee obtains 0-25,000 RU entitlement(s) of the Program
- 100 VPCs of Red Hat OpenShift Container Platform if Licensee obtains 25,001-100,000 RU entitlement(s) of the Program
- 200 VPCs of Red Hat OpenShift Container Platform if Licensee obtains 100,001 or more RU entitlement(s) of the Program
The above licenses can be used only for deployments of IBM Cloud Pak for Security Gen 3 instances, not for other third-party deployments or custom code. If you deploy other code or components (such as agents used for monitoring IBM Cloud Pak for Security Gen 3 capabilities), you must purchase separate Red Hat OpenShift entitlements to make available to the cluster, or the deployment of the non-IBM Cloud Pak for Security Gen 3 workload on those Red Hat OpenShift licenses will result in those Red Hat OpenShift cores, and potentially the workload itself, being unsupported. These additional Red Hat OpenShift entitlements for running non-IBM Cloud Pak for Security Gen 3 workload must be procured separately from the Red Hat OpenShift entitlements granted through IBM Cloud Pak for Security Gen 3. The workload that you run on separately purchased Red Hat OpenShift entitlement doesn’t need to be deployed separately from IBM Cloud Pak for Security Gen 3 workload running on IBM Cloud Pak for Security Gen 3-procured Red Hat OpenShift cores. But the number of separately purchased Red Hat OpenShift cores must be equal to or greater than the number of cores of non-IBM Cloud Pak for Security Gen 3 workloads deployed on them in order to receive support for the complete deployment of non-IBM Cloud Pak for Security Gen 3 workloads.
An example of IBM Cloud Pak for Security Gen 3 workload might be agents for monitoring. These agents, which run alongside the IBM Cloud Pak for Security Gen 3 components and then send the monitoring data out to a separate monitoring server component, can be run in the same nodes or namespaces as components running in Red Hat OpenShift cores using entitlements under IBM Cloud Pak for Security Gen 3. For all non-IBM Cloud Pak for Security Gen 3 workloads, not just monitoring agents, it is recommended that you ensure you have separately procured software subscription and support entitlements.
The number of cores of Red Hat OpenShift entitled with IBM Cloud Pak for Security Gen 3 varies by the number of Resource Units purchased and doesn’t vary by the ratio of the bundled offerings that are deployed under the IBM Cloud Pak for Security Gen 3 entitlement. Therefore, the number of cores that are required for deployment of bundled offerings of IBM Cloud Pak for Security Gen 3 can, in some scenarios, exceed the number of Red Hat OpenShift cores available as part of the entitlement for IBM Cloud Pak for Security Gen 3. In such cases, the customer should acquire additional entitlement for Red Hat OpenShift to ensure that they are always correctly licensed. Only Red Hat OpenShift cores that are deployed as worker nodes count against the Red Hat OpenShift entitlement.
IBM Storage Fusion additional flat entitlement
Limited entitlements of IBM Storage Fusion are included with IBM Cloud Pak for Security Gen 3. Max usable capacity of 12 Terabytes (TB) per Red Hat OpenShift cluster is included. Use of IBM Storage Fusion as part of IBM Cloud Pak for Security Gen 3 entitlement is limited to Fusion Data Foundation in internal deployment mode only, and when in internal deployment mode, also excludes disaster recovery, backup components, data cataloguing, and advanced encryption with KMS.
IBM Security QRadar SOAR
Licensee has the choice of installing QRadar SOAR using one of the following options:
- Install the containerized QRadar SOAR application on Red Hat OpenShift
- Install stand-alone QRadar SOAR on a virtual appliance.
- Install stand-alone QRadar SOAR on RHEL - Bring Your Own License (BYOL).
The following capabilities (Data Explorer, Threat Investigator, and Threat Intelligence Insights) are included as part of the QRadar SOAR entitlement. If the licensee plans to install any of these capabilities, the licensee will need to deploy the Red Hat OpenShift Container Platform.
A license key is required to access QRadar SOAR capabilities. Once the QRadar SOAR installation is complete, the licensee must install the SOAR license key. For more information, see Installing the Orchestration & Automation license.
To acquire a license key for QRadar SOAR or SOAR Breach Response entitlements, send an email to q1pd@us.ibm.com and include the following information in your request:
- IBM Customer Number (ICN)
- Site ID or your Proof of Entitlement (POE)
To acquire a license key for our Enterprise Licensing Agreement (ELA) customers, contact your IBM Sales Representative.
Licensee must have entitlement for QRadar SOAR to use the QRadar SOAR Breach Response add-on. Licensee must license a matching set of entitlements for QRadar SOAR and QRadar SOAR Breach Response.
QRadar SOAR and QRadar SOAR Breach Response are licensed on either the Enterprise Pricing Model or the Usage Model. For more information, see License options and pricing models for QRadar Suite Software. The Pricing Metric for the Enterprise Model is Managed Virtual Server, and the Pricing Metric for the Usage Model is Authorized User. Licensee is required to license a minimum quantity of two (2) Authorized Users when licensing by the Usage Model.
QRadar SOAR and QRadar SOAR Breach Response can only be licensed on MVS metric if Licensee is licensing the QRadar SIEM under the same metric.
IBM Security QRadar SIEM and QRadar NDR
QRadar SIEM and QRadar NDR are available as virtual appliances only and hence do not require deployment of the Red Hat OpenShift Container Platform.
A license key is required to access IBM QRadar SIEM or QRadar NDR capabilities.
To acquire a license key, contact q1pd@us.ibm.com and include the following information in your request:
- IBM Customer Number (ICN).
- Site ID or your Proof of Entitlement (POE).
- For QRadar SIEM, include the quantity of Managed Virtual Servers (MVS) or Events per Second (EPS) purchased.
- For QRadar NDR, include the quantity of MVS or Flows per Minute (FPM) purchased.
QRadar SIEM and QRadar NDR are licensed on either the Enterprise Pricing Model or the Usage Model. For more details, see License options and pricing models for QRadar Suite Software. The Pricing Metric for the Enterprise Model is Managed Virtual Server (MVS), and the Pricing Metric for the Usage Model is Events per Second (EPS) for SIEM and Flows per Minute (FPM) for NDR.
Physical and Virtual Servers exclude Network Infrastructure and Client Devices, even if the IP address appears in QRadar SIEM as a log source.
- Network Infrastructure
- Switches, Routers, Audio-Visual (AV), File Integrity Monitoring (FIM), Proxies, Intrusion Prevention Systems (IPS), File Activity Monitoring (FAM), Data Loss Prevention (DLP), load balancers, firewalls.
- Client Devices
- A Client Device is a single-user computing device or special-purpose sensor or telemetry device that requests the execution of, or receives for execution, a set of commands, procedures, or applications from, or provides data to, another computer system that is typically referred to as a server or is otherwise managed by the server. Multiple Client Devices may share access to a common server. A Client Device may have some processing capability or be programmable to allow a user to do work. Examples include, but are not limited to, actuators, appliances, automated teller machines, automatic meter readers, cash registers, disk drives, desktop computers, kiosks, notebook computers, personal digital assistants, point-of-sale terminals, sensors, smart meters, tape drives, and technical workstations.

The following capabilities (Data Explorer, Threat Investigator, and Threat Intelligence Insights) are included as part of the QRadar SIEM or QRadar NDR entitlement. If the licensee plans to install any of these capabilities, the licensee will need to deploy Red Hat OpenShift Container Platform.
IBM Security Risk Manager
IBM Security Risk Manager is only available on the IBM Security Platform and hence requires deployment of the Red Hat OpenShift Container Platform.
Risk Manager is licensed on either the Enterprise Pricing Model or the Usage Model. The Pricing Metric for both the Enterprise and Usage Models is Managed Virtual Server. Under the Enterprise Model, Licensee must count all physical and virtual servers in the Enterprise; under the Usage Model, Licensee counts only the managed physical and virtual servers in the Enterprise.
IBM Security Data Explorer
IBM Security Data Explorer is only available on the IBM Security Platform and hence requires deployment of the Red Hat OpenShift Container Platform.
Data Explorer is licensed on either Enterprise Pricing Model or Usage Model. Pricing Metric for Enterprise Model is Managed Virtual Server and for Usage Model is Authorized User.
Data Explorer is now included with QRadar SOAR, QRadar SIEM and QRadar NDR and if deployed with any of these programs, it will not consume any entitlements.
IBM Security Threat Intelligence Insights
IBM Security Threat Intelligence Insights is only available on the IBM Security Platform and hence requires deployment of the Red Hat OpenShift Container Platform.
Threat Intelligence Insights is licensed on either Enterprise Pricing Model or Usage Model. Pricing Metric for Enterprise Model is Managed Virtual Server and for Usage Model is Authorized User.
Threat Intelligence Insights is now included with QRadar SOAR, QRadar SIEM and QRadar NDR and if deployed with any of these programs, it will not consume any entitlements.
IBM Security Threat Investigator
IBM Security Threat Investigator is only available on the IBM Security Platform and hence requires deployment of the Red Hat OpenShift Container Platform.
Threat Investigator is licensed on either Enterprise Pricing Model or Usage Model. Pricing Metric for Enterprise Model is Managed Virtual Server and for Usage Model is Authorized User.
Threat Investigator is now included with QRadar SOAR, QRadar SIEM and QRadar NDR and if deployed with any of these programs, it will not consume any entitlements.
IBM Security Guardium Data Protection
Guardium Data Protection is available as a virtual appliance only. It is not available on the IBM Security Platform and hence does not require deployment of the Red Hat OpenShift Container Platform.
A license key is required to access Guardium Data Protection capabilities and is provided in the software download. For more information, see https://www.ibm.com/docs/en/guardium/12.0?topic=system-license-keys.
- IBM Security Guardium Aggregator Software Appliance
- IBM Security Guardium Collector Software Appliance
- IBM Security Guardium Data Protection for Big Data
- IBM Security Guardium Data Protection for Databases
- IBM Security Guardium Data Protection for Database Services
- IBM Security Guardium Data Protection for Data Warehouses
- IBM Security Guardium Data Protection for Files
- IBM Security Guardium Data Protection for z/OS®
- IBM Security Guardium Data Protection for SAP HANA
The Licensee must obtain a sufficient quantity of Enterprise Model and/or Usage Model entitlements needed to protect their data.
Nonproduction activities for IBM Security Guardium Data Protection are defined as anything other than actively monitoring or protecting data. For clarity, monitoring or protecting data in a nonproduction environment is considered productive use, and therefore requires sufficient entitlements.
For details on how to report on Guardium Data Protection license usage, see the Guardium Data Protection Usage Reporting Guide.
For example, applied to Guardium Data Protection, consider the following scenarios:
Data sources | Metric | Ratio | # of RU |
---|---|---|---|
100 on-premises database servers | 100 MVS | 1 MVS: 360 RU | 36,000 RU |
12 Azure data sets totaling 96 vCPUs | 12 MVS | 1 MVS: 360 RU | 4,320 RU |
400 VPC of Data Warehouse & Big Data | 400 VPC | 1 VPC: 36 RU | 14,400 RU |
Total RUs | | | 54,720 RU |

Result: 548 license entitlements needed (packs of 100 RUs)

Data sources | Metric | Ratio | # of RU |
---|---|---|---|
80 on-premises database servers | 80 MVS | 1 MVS: 360 RU | 28,800 RU |
48 vCPUs for a subset of their Azure data sets | 48 VPC | 1 VPC: 36 RU | 1,728 RU |
400 VPC of Data Warehouse & Big Data | 400 VPC | 1 VPC: 36 RU | 14,400 RU |
Total RUs | | | 44,928 RU |

Result: 450 license entitlements needed (packs of 100 RUs)

IBM Security Guardium Vulnerability Assessment
Guardium Vulnerability Assessment is available as a virtual appliance only. It is not available on the IBM Security Platform and hence does not require deployment of the Red Hat OpenShift Container Platform.
An Append license key is required to access Guardium Vulnerability Assessment capabilities and is provided in the software download. For more information, see https://www.ibm.com/docs/en/guardium/12.0?topic=system-license-keys.
Licensee must obtain a sufficient quantity of Enterprise Model and/or Usage Model entitlements needed to protect their data.
Nonproduction activities for Guardium Vulnerability Assessment are defined as anything other than running scans to harden the environment. For clarity, scanning data in a nonproduction environment is considered productive use, and therefore requires sufficient entitlements.
For details on how to report on Guardium Vulnerability Assessment license usage, see the Guardium Data Protection Usage Reporting Guide.
For example, applied to Guardium Vulnerability Assessment, consider the following scenarios:
Data sources | Metric | Ratio | # of RU |
---|---|---|---|
100 on-premises database servers | 100 MVS | 1 MVS: 40 RU | 4,000 RU |
15 Cloud DBaaS instances/nodes | 15 MVS | 1 MVS: 40 RU | 600 RU |
Total RUs | | | 4,600 RU |

Result: 46 license entitlements needed (packs of 100 RUs)

Data sources | Metric | Ratio | # of RU |
---|---|---|---|
100 on-premises database servers | 100 MVS | 1 MVS: 40 RU | 4,000 RU |
5 Cloud DBaaS instances/nodes across 60 vCPUs | 20 VPC | 1 VPC: 4 RU | 80 RU |
Total RUs | | | 4,080 RU |

Result: 41 license entitlements needed (packs of 100 RUs)

IBM Security Guardium Insights
Guardium Insights is a containerized program and hence requires deployment of the Red Hat OpenShift Container Platform.
Guardium Insights does not use license keys.
Licensee must obtain sufficient Resource Unit (RU) allocation that is needed to protect the data sources in their deployed environments. Guardium Insights for Cloud Pak for Security is the bundled program in Guardium Package.
Guardium Insights software today does not offer software functionality to track the number of data sources protected. An organization needs to count the number of data sources to ensure sufficient entitlements, applying the definitions of the MVS and/or VPC units of measure and then mapping to Resource Units (see License ratios).
Typically, the MVS unit of measure is applied to data sources that are on-premises, including cloud-hosted IaaS deployments. First, determine the data sources to be protected by Guardium Insights. Then, calculate the number of physical/virtual database servers that are associated with those data sources. For cloud-based data sources (cloud DBaaS) and containerized data sources, the VPC unit of measure is typically more relevant and straightforward to determine, based on the quantity of processor cores used for the relevant data sources.
For example, consider the following scenario for Guardium Insights. An organization chooses to use a combination of the enterprise model (for on-premises database servers in their deployed environment) and the usage model (for DBaaS data servers that they opt to include).
Data sources | Metric | Ratio | # of RU |
---|---|---|---|
100 on-premises database servers | 100 MVS | 1 MVS: 100 RU | 10,000 RU |
15 Cloud DBaaS data sets across 50 vCPUs | 50 VPC | 1 VPC: 10 RU | 500 RU |
Total RUs | | | 10,500 RU |

Result: 105 license entitlements needed (packs of 100 RUs)

Nonproduction activities for Guardium Insights are defined as anything other than actively monitoring or protecting data. For clarity, monitoring or protecting data in a nonproduction environment is considered productive use, and therefore requires sufficient entitlements.
Description | License Metric | License |
---|---|---|
Guardium Insights for Cloud Pak for Security | Resource Value Unit / VPC (Virtual Processor Core) | Program # = 5737-L66 License |
Guardium Insights for Guardium Data Protection for Z/OS | Resource Value Unit / MSU (Million Service Units) | |
IBM Security Guardium Insights | Resource Value Unit / MAPC (Managed Activated Processor Core) |