IBM® Cloud Private Cloud Foundry platform considerations for GDPR readiness
Notice
This document is intended to help you in your preparations for GDPR readiness. It provides information about features of the IBM Cloud Private Cloud Foundry platform that you can configure, and aspects of the product's use, that you should consider to help your organization with GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients' business and any actions the clients may need to take to comply with such laws and regulations.
The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Table of Contents
- GDPR
- Product Configuration for GDPR
- Data Life Cycle
- Data Collection
- Data Storage
- Data Access
- Data Processing
- Data Deletion
- Data Monitoring
- Capability for Restricting Use of Personal Data
- Appendix
GDPR
General Data Protection Regulation (GDPR) has been adopted by the European Union ("EU") and applies from May 25, 2018.
Why is GDPR important?
GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:
- New and enhanced rights for individuals
- Widened definition of personal data
- New obligations for processors
- Potential for significant financial penalties for non-compliance
- Compulsory data breach notification
Read more about GDPR
Product Configuration – considerations for GDPR Readiness
The following sections describe aspects of data management within the IBM Cloud Private Cloud Foundry platform and provide information on capabilities to help clients with GDPR readiness.
Data Life Cycle
IBM Cloud Private Cloud Foundry is an application platform for developing and managing on-premises applications. It is an integrated environment for managing applications and container applications that includes the Cloud Foundry, a management console, and monitoring frameworks.
As such, the IBM Cloud Private Cloud Foundry platform deals primarily with technical data that is related to the configuration and management of the platform, some of which might be subject to GDPR. The IBM Cloud Private Cloud Foundry platform also deals with information about users who manage the platform. This data is described throughout this document to help clients with GDPR readiness.
This data is persisted on the platform on local or remote file systems as configuration files or in databases. Applications that are developed to run on the IBM Cloud Private Cloud Foundry platform might deal with other forms of personal data subject to GDPR. The mechanisms that are used to protect and manage platform data are also available to applications that run on the platform. Additional mechanisms might be required to manage and protect personal data that is collected by applications that are run on the IBM Cloud Private Cloud Foundry platform.
To best understand the IBM Cloud Private Cloud Foundry platform and its data flows, you must understand how Cloud Foundry works. You use Cloud Foundry to host instances of applications, which are built with programming language buildpacks. The buildpack contains the compiler and key runtime components, a Garden container is used to sandbox your application and the buildpack, and together these components publish your application on the platform.
IBM Cloud Private Cloud Foundry includes a number of commercial and community buildpacks (languages). To view a list of all the IBM Cloud Private Cloud Foundry buildpacks, see What's new in IBM Cloud Private Cloud Foundry. For considerations regarding GDPR for the buildpacks, consult the documentation for those products. Information on the available IBM Cloud Private bundles, which contain the core IBM Cloud Private platform and the available entitled software, is available in IBM Cloud Private Cloud Foundry bundles. Some of the buildpacks are open source software. It is the client's responsibility to determine and implement any appropriate GDPR controls for open source software.
Documentation on IBM Cloud Private platform can be found in the IBM Cloud Private collection in IBM Knowledge Center.
What types of data flow through IBM Cloud Private Cloud Foundry platform
As a platform, IBM Cloud Private Cloud Foundry deals with several categories of technical data that could be considered as personal data, such as a default admin user ID and password, service user IDs and passwords, IP addresses, Cloud Foundry organization names and Cloud Foundry space names. The IBM Cloud Private Cloud Foundry platform also deals with information about users who manage the platform. Applications that run on the platform might introduce other categories of personal data unknown to the platform.
Information on how this technical data is collected, created, stored, accessed, secured, logged, and deleted is described in later sections of this document.
Personal data used for online contact with IBM
IBM Cloud Private Cloud Foundry clients can submit online comments/feedback/requests to contact IBM about IBM Cloud Private Cloud Foundry subjects in a variety of ways, primarily:
- The public IBM Cloud Private-CE (Community Edition) Slack Community
- Public comments area on pages of IBM Cloud Private product documentation in the IBM Knowledge Center
- Public comments in the IBM Cloud Private space of dW Answers
Typically, only the client name and email address are used, to enable personal replies for the subject of the contact, and the use of personal data conforms to the IBM Online Privacy Statement.
Data Collection
The IBM Cloud Private Cloud Foundry platform does not collect sensitive personal data. It does create and manage technical data, such as a default admin user ID and password, service user IDs and passwords, and IP addresses, which might be considered personal data. The IBM Cloud Private Cloud Foundry platform also deals with information about users who manage the platform. All such information is only accessible by the system administrator through a management console with role-based access control or by the system administrator through login to an IBM Cloud Private Cloud Foundry platform node.
Applications that run on the IBM Cloud Private Cloud Foundry platform might collect personal data.
When you assess the use of the IBM Cloud Private Cloud Foundry platform running applications and your need to meet the requirements of GDPR, you must consider the types of personal data that are collected by the application and aspects of how that data is managed, such as:
- How is the data protected as it flows to and from the application? Is the data encrypted in transit?
- How is the data stored by the application? Is the data encrypted at rest?
- How are credentials that are used to access the application collected and stored?
- How are credentials that are used by the application to access data sources collected and stored?
- How is data collected by the application removed as needed?
This list is not a definitive list of the types of data that are collected by the IBM Cloud Private Cloud Foundry platform. It is provided as an example for consideration. If you have any questions about the types of data, contact IBM.
Data storage
The IBM Cloud Private Cloud Foundry platform persists technical data that is related to configuration and management of the platform in stateful stores on local or remote file systems as configuration files or in databases. Consideration must be given to securing all data at rest. The IBM Cloud Private Cloud Foundry platform allows encryption of data at rest through your existing corporate tools. For more information, see Using customer encryption tools as IBM Cloud Private Cloud Foundry extensions. Another option is to use SAN, NAS or vSAN devices that support encryption at rest.
The following items highlight the areas where data is stored, which you might want to consider for GDPR.
- Platform Configuration Data: The IBM Cloud Private Cloud Foundry platform configuration can be customized by updating a configuration YAML file with properties for general settings. This data is used as input to the IBM Cloud Private Cloud Foundry platform installer for deploying Cloud Foundry. The properties also include a default admin user ID and password that are used for bootstrap. For more information, see Installing Cloud Foundry.
- Cloud Foundry Configuration Data: Is stored in a Postgres database.
- User Authentication Data, including user IDs and passwords: User ID and password management are handled through a client enterprise LDAP directory. Users that are defined in LDAP can be added to IBM Cloud Private Cloud Foundry platform organizations and spaces, and assigned access roles. IBM Cloud Private Cloud Foundry platform stores the user ID from LDAP, but does not store the password. Securing user data at rest in the enterprise LDAP must be considered.
- Service authentication data, including user IDs and passwords: Credentials that are used by IBM Cloud Private Cloud Foundry applications to access external services have their VCAP service metadata encrypted inside the Cloud Controller database. The encryption key is generated during install or can be supplied by you.
- Service data: IBM Cloud Private Cloud Foundry platform includes a catalog of external services cataloged by you.
- Monitoring Data: You can use IBM Cloud Private Cloud Foundry platform monitoring to monitor the status of your Cloud Foundry and applications. This service can use Grafana and Prometheus to present detailed information about cluster nodes and containers. Additional monitoring stacks can be deployed for application monitoring. Monitoring data might be persisted using Kubernetes PersistentVolumes. For more information, see optional Prometheus plugins and Splunk plugin.
- Logging Data: IBM Cloud Private Cloud Foundry platform uses default Cloud Foundry rolling logs. The system can be pointed to an external ELK stack. ELK is an abbreviation for three products, Elasticsearch, Logstash, and Kibana, that are built by Elastic and together comprise a stack of tools that you can use to stream, store, search, and monitor logs. For more information, see Integrating syslog with ELK.
Data access
IBM Cloud Private Cloud Foundry platform data can be accessed through the following defined set of product interfaces.
- Web user interface (the management console)
- Cloud Foundry CLI
These interfaces are designed to allow you to make administrative changes to your IBM Cloud Private Cloud Foundry platform. Administration access to IBM Cloud Private Cloud Foundry can be secured and involves three logical, ordered stages when a request is made: authentication, role-mapping, and authorization.
Authentication
The IBM Cloud Private Cloud Foundry CLI or console requests access to the platform API. The API directs the CLI to the User Account and Authentication (UAA) servers. The UAA redirects the request to the login server. The login server accepts and validates the user ID and password against the configured LDAP server. If authentication is successful, access roles are provided with a token for access.
For all subsequent authentication requests made from the management console, the token is used with the request and is validated by calling the User Account and Authentication server.
The IBM Cloud Private Cloud Foundry platform CLI requires the user to provide credentials to log in.
Role Mapping
IBM Cloud Private Cloud Foundry platform supports role-based access control (RBAC). In the role mapping stage, the user name that is provided in the authentication stage is associated with organizations and spaces. The user ID can be granted roles in multiple areas by the administrator. The user ID can also be granted administrative roles by using the User Account and Authentication CLI (uaac).
Authorization
IBM Cloud Private Cloud Foundry platform roles control access to applications and services.
Bosh Security
Bosh is used to manage the virtual platform infrastructure. For more information, see Bosh Frequent Commands.
Data Processing
Users of IBM Cloud Private Cloud Foundry can control the way that technical data that is related to configuration and management is processed and secured through system configuration.
Role-based access control (RBAC) controls what data and functions can be accessed by users.
Bosh security is used to set up and control the virtual infrastructure.
Data-in-transit is protected by using TLS. HTTPS (TLS underlying) is used for secure data transfer between user client and inbound proxy devices. Users can specify the root and wildcard certificates to use for this transfer during installation. TLS can be extended to the GoRouter as well through an IBM Cloud Private Cloud Foundry customization.
Data-at-rest protection is supported by using customer encryption tools as IBM Cloud Private Cloud Foundry extensions or by encrypting using infrastructure level encryption capabilities.
Data retention periods for logging (ELK) and monitoring (Prometheus) are configurable and deletion of data is supported.
These same platform mechanisms that are used to manage and secure IBM Cloud Private Cloud Foundry platform technical data can be used to manage and secure personal data for user-developed or user-provided applications. You can develop your own capabilities to implement further controls.
Data Deletion
IBM Cloud Private Cloud Foundry platform provides commands, application programming interfaces (APIs), and user interface actions to delete data that is created or collected by the product. These functions enable users to delete technical data, such as service user IDs and passwords, IP addresses or any other platform configuration data, as well as information about users who manage the platform.
Areas of IBM Cloud Private Cloud Foundry platform to consider for support of data deletion:
- The data retention period for logging data is customer controlled.
- The data retention period for monitoring data (Prometheus) is customer controlled.
- When you use ELK, logging data can be deleted from the ELK stack by using Elasticsearch APIs.
- When you use Prometheus, monitoring data can be deleted from Prometheus by using Prometheus APIs.
- All technical data that is related to platform configuration can be deleted through the management console or the Cloud Foundry API.
Areas of IBM Cloud Private Cloud Foundry platform to consider for support of account data deletion:
- All technical data that is related to platform configuration can be deleted through the Cloud Foundry API.
The function to remove user ID and password data that is managed through an enterprise LDAP directory would be provided by the LDAP product that is used with the IBM Cloud Private Cloud Foundry platform.
Personal data that is persisted by platform logging and monitoring consists of IP addresses of virtual machines and some user IDs. User-developed or user-provided applications might include other personal data in their use of logging and monitoring. The same mechanisms that are used for deletion of system logging or monitoring data can be used for application logging and monitoring data. Personal data that is collected by applications outside of these services requires application-provided mechanisms to delete data. For more information, see
- IBM Cloud Private logging
- IBM Cloud Private Cloud Foundry monitoring service
- Prometheus Documentation
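The ELK and Prometheus deletion steps listed above, as an added example that is not IBM's or the platform's own code: it builds the Elasticsearch `_delete_by_query` request for one user ID and the two Prometheus admin API calls that purge a series selector (for instance a virtual machine's IP address), and sends them when run from the command line. The index pattern, the `user.keyword` and `message` field names, and the `instance` label selector are assumptions for illustration; the Prometheus admin endpoints exist only when the server runs with `--web.enable-admin-api`.

```python
"""Erasure of one user's records from the ELK and Prometheus stacks.
Added example, not IBM's or the platform's code. The field names, index
pattern and label selector used here are assumptions for illustration."""
import json
import sys
import urllib.parse
import urllib.request


def es_delete_by_query_request(base_url, index_pattern, user_id,
                               id_field="user.keyword", text_field="message"):
    """Build the Elasticsearch _delete_by_query call that removes every
    document in the matching indices that carries user_id either as the
    exact value of a keyword field or as a phrase inside the message text.
    conflicts=proceed keeps the job going past version conflicts caused by
    concurrent indexing; refresh=true makes the deletion visible at once."""
    url = "{}/{}/_delete_by_query?conflicts=proceed&refresh=true".format(
        base_url.rstrip("/"), urllib.parse.quote(index_pattern, safe="*,-"))
    body = {"query": {"bool": {
        "should": [
            {"term": {id_field: user_id}},            # assumed keyword field
            {"match_phrase": {text_field: user_id}},  # assumed text field
        ],
        "minimum_should_match": 1,
    }}}
    return {"method": "POST", "url": url, "body": body}


def prometheus_delete_series_requests(base_url, selector):
    """Build the two Prometheus admin API calls needed to purge series:
    delete_series only marks the samples with tombstones; clean_tombstones
    then removes them from disk. The selector is any series matcher,
    e.g. {instance="10.0.0.5:9100"} to drop everything scraped from a host."""
    base = base_url.rstrip("/")
    query = urllib.parse.urlencode({"match[]": selector})
    return [
        {"method": "POST", "url": base + "/api/v1/admin/tsdb/delete_series?" + query, "body": None},
        {"method": "POST", "url": base + "/api/v1/admin/tsdb/clean_tombstones", "body": None},
    ]


def send(req, timeout=60):
    """Issue one prepared request; returns (HTTP status, parsed JSON or None).
    delete_series and clean_tombstones answer 204 with an empty body."""
    data, headers = None, {}
    if req["body"] is not None:
        data = json.dumps(req["body"]).encode("utf-8")
        headers["Content-Type"] = "application/json"
    request = urllib.request.Request(req["url"], data=data, headers=headers, method=req["method"])
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        raw = resp.read()
    return resp.status, (json.loads(raw) if raw else None)


if __name__ == "__main__":
    # usage: erase.py es   http://es:9200   'logstash-*' alice
    #        erase.py prom http://prom:9090 '{instance="10.0.0.5:9100"}'
    mode = sys.argv[1] if len(sys.argv) > 1 else ""
    if mode == "es" and len(sys.argv) == 5:
        reqs = [es_delete_by_query_request(sys.argv[2], sys.argv[3], sys.argv[4])]
    elif mode == "prom" and len(sys.argv) == 4:
        reqs = prometheus_delete_series_requests(sys.argv[2], sys.argv[3])
    else:
        sys.exit("usage: erase.py es ES_URL INDEX_PATTERN USER_ID | erase.py prom PROM_URL SELECTOR")
    for r in reqs:
        status, reply = send(r)
        print(r["method"], r["url"], "->", status, json.dumps(reply))
```

Run the Elasticsearch form against the index pattern that your Logstash pipeline writes to, and check the `deleted` count in the reply against the hit count of a plain `_search` with the same query first; Prometheus returns nothing to reconcile, so query the selector again after `clean_tombstones` to confirm the series is gone.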
Data monitoring
- Optional: IBM Cloud Private platform provides a monitoring service to monitor the status of your IBM Cloud Private Cloud Foundry and applications. This service uses Grafana and Prometheus to present detailed information about cluster nodes and containers. Monitoring can be configured to generate alerts or integrated with external alert providers. Platform monitoring is enabled by default. Additional monitoring stacks can be deployed for application monitoring. For more information, see IBM Cloud Private Monitoring Service and IBM Cloud Private Cloud Foundry Cluster Monitoring.
- You can bring your own Prometheus monitoring service.
- Optional: IBM Cloud Private platform provides a logging service that is based on the ELK stack to stream, store, search, and monitor logs. The ELK stack that is provided with IBM Cloud Private platform uses the official ELK stack images that are published by Elastic. Additional ELK stacks can be deployed for application logging. For more information, see IBM Cloud Private logging.
- You can bring your own ELK logging service.
- Logging is configured by default to collect system logs for the IBM Cloud Private Cloud Foundry platform by using syslog.
Capability for Restricting Use of Personal Data
Using the facilities that are summarized in this document, IBM Cloud Private Cloud Foundry platform enables an end user to restrict usage of any technical data within the platform that is considered personal data.
Under GDPR, users have rights to access, modify, and restrict processing. Refer to other sections of this document to control the following:
- Right to access
  - IBM Cloud Private Cloud Foundry platform administrators can use IBM Cloud Private Cloud Foundry platform features to provide individuals access to their data.
  - IBM Cloud Private Cloud Foundry platform administrators can use IBM Cloud Private Cloud Foundry platform features to provide individuals information about what data IBM Cloud Private Cloud Foundry platform holds about the individual.
- Right to modify
  - IBM Cloud Private Cloud Foundry platform administrators can use IBM Cloud Private Cloud Foundry platform features to allow an individual to modify or correct their data.
  - IBM Cloud Private Cloud Foundry platform administrators can use IBM Cloud Private Cloud Foundry platform features to correct an individual's data for them.
- Right to restrict processing
  - IBM Cloud Private Cloud Foundry platform administrators can use IBM Cloud Private Cloud Foundry platform features to stop processing an individual's data.
Appendix - Data logged by IBM Cloud Private Cloud Foundry platform
As a platform, IBM Cloud Private Cloud Foundry deals with several categories of technical data that could be considered as personal data, such as a default admin user ID and password, service user IDs and passwords, IP addresses, and organizations/spaces names. IBM Cloud Private Cloud Foundry platform also deals with information about users who manage the platform. Applications that run on the platform might introduce other categories of personal data that are unknown to the platform.
This appendix includes details on data that is logged by the platform services.
IBM Cloud Private Cloud Foundry security
- What data is logged
  - User ID and IP address of logged in users
- When data is logged
  - With login requests
- Where data is logged
  - In the audit logs at /var/vcap/sys/log (default)
- How to delete data
  - Search for the user specific data and delete the record from the log
IBM Cloud Private Cloud Foundry platform API
- What data is logged
  - User ID and IP address of logged in users
- When data is logged
  - With each API request (log level dependent)
- Where data is logged
  - syslog is the default
  - External logging service that you configured
- How to delete data
  - Search the logs on the cc_core virtual machine in /var/vcap/sys/log
  - If ELK is being used, search the ELK logs and remove the appropriate entries
IBM Cloud Private Cloud Foundry monitoring (optionally enabled)
- What data is logged
  - IP address, name of environment, name of deployment, release, stemcell
  - Data scraped from client-developed applications could include personal data
- When data is logged
  - When Prometheus scrapes metrics from configured targets
- Where data is logged
  - In the Prometheus server or configured persistent volumes
- How to delete data
  - Search for and delete data by using the Prometheus API
For more information, see: Prometheus Documentation and Logs and metrics management for Prometheus.
You can use your own Prometheus. By default, no monitoring data is captured.
IBM Cloud Private Cloud Foundry Cloud Foundry
- What data is logged
  - Information about the platform operation
  - Platform configuration
  - User ID in API, UAA and login jobs
- When data is logged
  - Ongoing information about the system's health and operation
- Where data is logged
  - Default is /var/vcap/sys/log
  - Alternate is a user-provided logging service
  - Alternate is IBM Cloud Private Cloud Foundry ELK
- How to delete data
  - Clear the logs under /var/vcap/sys/log
  - Alternate is to delete from the user-provided logging service
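The "search for the user-specific data and delete the record from the log" step that this appendix gives for the audit, API and job logs under /var/vcap/sys/log, as an added example that is not IBM's or the platform's code. It removes only the lines that carry the user ID (and optionally a VM or client IP address) as a whole token, so erasing `alice` does not also erase `alice2` or `malice`, and it rewrites the file atomically so an interrupted run never leaves a truncated log behind. The sample lines are constructed for illustration and do not reproduce the real UAA or Cloud Controller log format.

```python
"""Scrub one user's records from a Cloud Foundry job log under
/var/vcap/sys/log. Added example, not IBM's code; the sample lines are
constructed and only loosely resemble UAA / Cloud Controller logs."""
import os
import re
import tempfile

# Characters that continue an identifier: "alice" must not match "alice2",
# "alice.moore" or "alice-admin", but should match "alice@example.com"
# (the local part of an LDAP mail-style ID), hence '@' is not in the set.
_IDENT = r"[\w.-]"


def user_pattern(user_id):
    """Whole-token match for user_id, with the boundary rule above."""
    return re.compile(r"(?<!{0}){1}(?!{0})".format(_IDENT, re.escape(user_id)))


def scrub_lines(lines, user_id, ip_address=None):
    """Return (kept_lines, removed_count). A line is dropped when it carries
    the user ID as a whole token or, if ip_address is given, that address as
    a whole dotted quad (so 10.10.1.15 does not remove 10.10.1.150)."""
    patterns = [user_pattern(user_id)]
    if ip_address:
        patterns.append(re.compile(r"(?<![\d.])" + re.escape(ip_address) + r"(?![\d.])"))
    kept, removed = [], 0
    for line in lines:
        if any(p.search(line) for p in patterns):
            removed += 1
        else:
            kept.append(line)
    return kept, removed


def scrub_file(path, user_id, ip_address=None):
    """Rewrite path without the user's records. The new content goes to a
    temporary file in the same directory and is swapped in with os.replace,
    which is atomic on POSIX; mode bits are copied so the job keeps writing."""
    with open(path, "r", encoding="utf-8", errors="surrogateescape") as fh:
        kept, removed = scrub_lines(fh, user_id, ip_address)
    mode = os.stat(path).st_mode
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".scrub-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8", errors="surrogateescape") as out:
            out.writelines(kept)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return removed


# Constructed sample; real job logs differ in layout.
SAMPLE_LINES = [
    "[2018-05-25 10:00:01] uaa audit: UserAuthenticationSuccess user=alice origin=ldap remoteAddress=10.10.1.15\n",
    "[2018-05-25 10:00:07] uaa audit: UserAuthenticationSuccess user=alice2 origin=ldap remoteAddress=10.10.1.16\n",
    "[2018-05-25 10:01:44] uaa audit: UserAuthenticationFailure user=bob origin=ldap remoteAddress=10.10.1.15\n",
    "[2018-05-25 10:02:10] cloud_controller: GET /v2/apps user=alice@example.com remoteAddress=10.10.1.17\n",
    "[2018-05-25 10:03:00] cloud_controller: GET /v2/spaces user=malice remoteAddress=10.10.1.150\n",
]


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        sys.exit("usage: scrub_log.py LOGFILE USER_ID [IP_ADDRESS]")
    ip = sys.argv[3] if len(sys.argv) > 3 else None
    print("removed {} record(s) from {}".format(scrub_file(sys.argv[1], sys.argv[2], ip), sys.argv[1]))
```

Rotated copies in the same directory (and any compressed ones) need the same pass, as does the external logging service when one is configured, since the appendix lists both as destinations; Cloud Foundry also refers to users by their UAA GUID in many records, so a complete erasure runs the same scrub a second time with that GUID as the user ID.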