Data security and encryption

Db2® SaaS has security built into all levels of its architecture.

The following methods are used to secure your data:

  • The default keys for all components deployed in the Data Plane are managed by Azure Managed Keys.
  • Backups are stored in Azure Blob storage, and encryption is enabled on this bucket.
  • Data in motion is encrypted through SSL/TLS. The currently supported version of this encryption is TLS 1.3.
  • All Db2 SaaS storage is provided on storage encrypted with AES-256.
  • Database-level security is supported through Role-Based Access Control (RBAC) and Row and Column Access Control (RCAC).

Security Monitoring Advisory for Data Plane AKS Pods

When deploying Db2 SaaS Bring Your Own Cloud offerings into your environment, it is critical to closely monitor the security posture of all pods running on the Data Plane AKS cluster. Some of these containers may operate with privileged access to the host nodes, which can pose elevated security risks if not properly monitored.

We strongly recommend the following:

  • Implement continuous security monitoring and EDR practices using tools such as IBM QRadar, Microsoft Sentinel, Microsoft Defender for Cloud, or equivalent Azure-native or third-party solutions such as CrowdStrike Falcon Prevent.
  • Enable logging and alerting for anomalous behaviour or unauthorized access attempts.
  • Within your own cloud account, we encourage that all publicly available Service Endpoints be fronted with a Web Application Firewall (WAF) using industry-standard rulesets, such as those covering the OWASP Top 10 and CIS Benchmark requirements.
  • Regularly review and update your security monitoring policies.

Failure to monitor these components may expose your infrastructure to potential compromise or privilege escalation attacks.
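As a starting point for the pod posture review described above, the following script is an added example (not IBM's code and not part of the Db2 SaaS offering) that reads the JSON produced by `kubectl get pods -A -o json` and reports each pod or container that runs privileged, shares a host namespace, adds powerful Linux capabilities, or mounts a sensitive host path. The pod list embedded in the script is constructed for illustration; the pod names, namespaces and paths in it are assumptions, not names from the Data Plane deployment.

```python
"""Flag Data Plane pods whose spec grants host-level privileges.

Added example (not IBM's code). Input is the JSON document that
`kubectl get pods -A -o json` produces. The sample below is constructed.
"""
import json
import sys
from typing import Dict, List

# Host paths that give a container effective control of the node when mounted.
# "/" is handled separately so that its prefix does not match every path.
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/sys", "/var/run/docker.sock", "/run/containerd")

# Capabilities that are equivalent to, or a short step from, root on the host.
RISKY_CAPABILITIES = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}


def is_sensitive_host_path(path: str) -> bool:
    """True if a hostPath mount of `path` exposes a sensitive node location."""
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_pod(pod: Dict) -> List[str]:
    """Return one finding string per risky setting in a single pod object."""
    meta = pod.get("metadata", {})
    spec = pod.get("spec", {})
    pod_id = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings: List[str] = []

    # Pod-level sharing of host PID, network or IPC namespaces.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{pod_id}: pod shares host namespace ({flag}=true)")

    # Map volume name -> host path for every hostPath volume in the pod.
    host_volumes = {
        v["name"]: v["hostPath"]["path"]
        for v in spec.get("volumes", [])
        if "hostPath" in v and "path" in v["hostPath"]
    }

    # Init containers run with the same risk as regular containers.
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cid = f"{pod_id}/{c.get('name', '?')}"
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{cid}: privileged=true")
        added = (sc.get("capabilities") or {}).get("add", [])
        risky = sorted(cap for cap in added if cap in RISKY_CAPABILITIES)
        if risky:
            findings.append(f"{cid}: adds capabilities {','.join(risky)}")
        for mount in c.get("volumeMounts", []):
            path = host_volumes.get(mount.get("name"))
            if path and is_sensitive_host_path(path):
                findings.append(f"{cid}: mounts host path {path}")
    return findings


def audit_pod_list(doc: Dict) -> List[str]:
    """Audit every pod in a kubectl PodList document."""
    return [f for pod in doc.get("items", []) for f in audit_pod(pod)]


# Constructed sample: one over-privileged agent pod and one clean application pod.
SAMPLE_POD_LIST = {
    "kind": "PodList",
    "items": [
        {
            "metadata": {"namespace": "data-plane", "name": "example-node-agent"},
            "spec": {
                "hostPID": True,
                "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
                "containers": [{
                    "name": "agent",
                    "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
                    "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
                }],
            },
        },
        {
            "metadata": {"namespace": "data-plane", "name": "example-app"},
            "spec": {
                "containers": [{
                    "name": "app",
                    "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False},
                }],
            },
        },
    ],
}

if __name__ == "__main__":
    # Pass a file saved from `kubectl get pods -A -o json`, or run on the sample.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POD_LIST
    for line in audit_pod_list(doc) or ["no host-privilege findings"]:
        print(line)
```

Each finding names the namespace, pod and container, so the output can be fed to whichever SIEM or EDR platform you use for alerting; run it on a schedule and diff against the previous result to catch a pod that newly acquires privileged settings.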