IBM Cloud Transformation Advisor considerations for GDPR readiness

This document is intended to help you configure your version of IBM® Cloud Transformation Advisor to align with GDPR rules and standards. Here you will find information about features of IBM Cloud Transformation Advisor that you are able to edit and adjust, as well as other aspects of the product’s use that you should consider to help your organization stay aligned with GDPR rules. This is not an exhaustive list as there are many ways that clients can choose and configure features. There’s also a lot of different ways the product can be used in itself as well as with third-party applications and systems.

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations.

The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Table of Contents

  1. GDPR
  2. Product Configuration for GDPR
  3. Data Life Cycle
  4. Data Collection
  5. Data Storage
  6. Data Access
  7. Data Processing
  8. Data Deletion
  9. Data Monitoring

GDPR

General Data Protection Regulation (GDPR) has been adopted by the European Union (“EU”) and applies from May 25, 2018.

Why is GDPR important?

GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:

  • New and enhanced rights for individuals
  • Widened definition of personal data
  • New obligations for processors
  • Potential for significant financial penalties for non-compliance
  • Compulsory data breach notification

Read more about GDPR

Product Configuration - considerations for GDPR Readiness

The following sections provide considerations for configuring IBM Cloud Transformation Advisor to help your organization with GDPR readiness.

Data Life Cycle

Transformation Advisor is an application that runs on the IBM Cloud Pak for Applications platform. Its purpose is to aid developers in modernizing their application portfolio and migrating their application to cloud platforms. The software gathers and processes meta data from Java Enterprise applications running on IBM WebSphere Application Servers, and creates recommendations on how these applications can be updated or restructured to run in a container on a Cloud platform.

Transformation Advisor deals primarily with technical data that is related to Java programming structures and associated application configuration data. This does not include the gathering or processing of personal data.

Data Collection

Transformation Advisor tool does not collect personal data. It does process technical data such as IP addresses of servers but not personal workstations that could identify an end user. All of this information is only accessible by the system administrator through a management console with role-based access control or by the system administrator through login to an IBM Cloud Pak for Applications platform node.

Another piece of data Transformation Advisor requests from the user is a Git username and password to enable the tool to push the artifacts it generates to help with application migration to the Github repository. This data is not stored and must be re-entered on each use. The data is transmitted to Git and is encrypted in transit.

This is not a definitive list of the types of data that are collected by the Transformation Advisor tool. It is provided as an example for consideration. If you have any questions about the types of data, contact IBM: https://www.ibm.com/data-responsibility/gdpr/.

Data Storage

Transformation Advisor persists technical data in stateful stores on local or remote file systems as files or in a CouchDB database. Consideration must be given to securing all data at rest. Transformation Advisor supports encryption of data at rest in stateful stores that use dm-crypt. For more information, see Encrypting volumes by using dm-crypt (https://www.ibm.com/support/knowledgecenter/SSBS6K_3.2.1/installing/etcd.html?view=kc)

The following items highlight the areas where data is stored, which you might want to consider for GDPR.

Application Data: Transformation Advisor uses CouchDB as a backing data store to persist the technical data that is related to Java programming recommendations and associated application configuration data. CouchDB uses the underlying GlusterFS on which it is deployed for storage. Consider encrypting the volumes where GlusterFS storage is deployed for more security. View IBM Documentation here for more information: (https://www.ibm.com/support/knowledgecenter/SSBS6K_3.2.1/installing/etcd.html?view=kc)

Logging Data: Some technical data such as the IP address of the users browser may be stored in access logs. Logging is configured by default for the IBM Cloud Pak for Applications platform services.

User Authentication Data, (including User IDs and passwords): This type of data is not stored by Transformation Advisor ___________________________________

Data Access

Transformation Advisor application data contains no personal information and is accessible through a web user interface. Access to this user interface is authenticated. Transformation Advisor logging data access can be accessed through the Kubernetes kubectl CLI These interfaces are designed to allow administration access and can be secured involving three logical, ordered stages when a request is made: authentication, role-mapping, and authorization.

Data Processing

Users of IBM Cloud Transformation Advisor can control the way that data is processed and secured through system configuration.

Pod security policies are used to set up cluster-level control over what a pod can do or what it can access.

Data-in-transit is protected by using TLS and IPSEC. HTTPS (TLS underlying) is used for secure data transfer between user client and back end services. Users can specify the root certificate to use during installation. All inter-node data traffic can be encrypted out of the box by using IPSEC without changing any applications.

Data-at-rest protection is supported by using dm-crypt to encrypt data.

Data Deletion

Commands, application programming interfaces (APIs), and user interface actions sre provided to delete data that is created or collected by Transformation Advisor.

.