Security on Guardium Data Security Center
IBM Guardium® Data Security Center supports several different mechanisms for securing your environment and your data.
Secure engineering practices
Guardium Data Security Center follows IBM Security and Privacy by Design (SPbD). Security and Privacy by Design (SPbD) at IBM is a set of focused security and privacy practices, including vulnerability management, threat modeling, penetration testing, privacy assessments, security testing, and patch management.
For more information about the IBM Secure Engineering Framework (SEF) and SPbD, see the following resources:
Basic security features on Red Hat OpenShift Container Platform
Security is required for every enterprise, especially for organizations in the government, financial services, and healthcare sectors. OpenShift® container platform provides a set of security features. These features protect sensitive customer data with strong encryption controls and improve the oversight of access control across applications and the platform itself.
Guardium Data Security Center builds on the hardened security features that OpenShift provides by creating Security Context Constraints (SCCs), service accounts, and roles so that Guardium Data Security Center pods and users have only the lowest level of privilege on the OpenShift platform that they need. Guardium Data Security Center is also secured on the OpenShift platform and is installed in a secure and transparent manner.
For more information, see Basic security features on Red Hat OpenShift Container Platform.
Authentication and authorization
By default, Guardium Data Security Center user records are stored in an internal LDAP. The initial setup of Guardium Data Security Center uses the internal LDAP. However, after you set up Guardium Data Security Center, it is recommended that you use an enterprise-grade password management solution, such as SAML SSO or an LDAP provider. After you grant Guardium Data Security Center administrator privileges to a user in your LDAP server, it is recommended that you disable or remove all users from the internal database repository.
- User management
- For more information, see the following resources:
- Authorization
- Guardium Data Security Center provides user management capabilities to authorize users. For more information, see Managing users.
- Tokens and API keys
- You can use tokens and API keys to securely access Guardium Data Security Center instances, services, and APIs.
- By using API keys, you are able to authenticate to Guardium Data Security Center instances or services with your own credentials.
For more information, see Creating API keys.
You must use an API key to access Guardium Data Security Center APIs.
- Idle web client session timeout
- You can configure the idle web client session timeout in accordance with your security and compliance requirements. When a user leaves their session idle in a web browser for the specified length of time, the user is automatically logged out of the web client.
Encryption
Guardium Data Security Center supports protection of data at rest and in motion. It supports FIPS (Federal Information Processing Standard) compliant encryption for all encryption needs.
- Data
- In general, data security is managed by your remote data sources. OpenShift uses resources that are known as Security Context Constraints (SCCs) to enforce the security context of a pod or a container (the Kubernetes equivalent is the PodSecurityPolicy). Guardium Data Security Center containers use the restricted SCC by default. The restricted SCC denies access to all host features and requires pods to run with a UID and an SELinux context that are scoped within the namespace. For more information, see Storage considerations.
- Communications
- You can use TLS or SSL to encrypt communications to and from Guardium Data Security Center.
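The following script is an added example, not IBM's code, of the check a platform owner would run to confirm the restricted-SCC behaviour described above: it reads a pod list in the shape that `oc get pods -o json` returns and flags any pod admitted under a non-restricted SCC or using host features. The `openshift.io/scc` admission annotation and the SCC names `restricted` and `restricted-v2` are assumed; the pod list is constructed for the example.

```python
"""Audit pods in a namespace for restricted-SCC compliance."""
import json

# Constructed sample: one compliant pod, one requesting host features.
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"name": "gdsc-web-0",
                  "annotations": {"openshift.io/scc": "restricted-v2"}},
     "spec": {"containers": [{"name": "web", "securityContext": {
         "allowPrivilegeEscalation": False}}]}},
    {"metadata": {"name": "debug-agent",
                  "annotations": {"openshift.io/scc": "privileged"}},
     "spec": {"hostNetwork": True, "hostPID": True,
              "containers": [{"name": "agent", "securityContext": {
                  "privileged": True, "runAsUser": 0}}]}},
]})

# SCCs under which the product's pods are expected to run (assumed names).
ALLOWED_SCCS = {"restricted", "restricted-v2"}

def pod_findings(pod):
    """Return the list of findings for one pod; an empty list means compliant."""
    findings = []
    # OpenShift records the SCC that admitted the pod in this annotation.
    scc = pod["metadata"].get("annotations", {}).get("openshift.io/scc")
    if scc not in ALLOWED_SCCS:
        findings.append(f"admitted under SCC {scc!r}, not restricted")
    spec = pod["spec"]
    # Host namespaces are exactly what the restricted SCC denies.
    for host_flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(host_flag):
            findings.append(f"{host_flag} enabled")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"container {c['name']} is privileged")
        if sc.get("runAsUser") == 0:
            findings.append(f"container {c['name']} runs as UID 0")
    return findings

def audit(pod_list_json):
    """Map each pod name to its findings."""
    pods = json.loads(pod_list_json)["items"]
    return {p["metadata"]["name"]: pod_findings(p) for p in pods}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_POD_LIST).items():
        print(f"{name}: {'; '.join(findings) or 'OK'}")
```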
Network access requirements
To ensure secure transmission of network traffic to and from the Guardium Data Security Center cluster, you need to configure the communication ports used by the Guardium Data Security Center cluster.
- Primary port
- The primary port is what the Red Hat OpenShift router exposes.
Audit logging
Audit logging provides accountability, traceability, and regulatory compliance by recording access to and modification of data.
For more information, see Auditing Guardium Data Security Center.
Regulatory compliance
Guardium Data Security Center is assessed for various Privacy and Compliance regulations. Guardium Data Security Center provides features that can be used by its customers in preparation for various privacy and compliance assessments. These features are not an exhaustive list. It is difficult to assemble such an exhaustive list of features, since customers can choose and configure the features in many ways. Furthermore, Guardium Data Security Center can be used in various ways as a stand-alone product or with third-party applications and systems.
Guardium Data Security Center is not aware of the nature of data that it is handling other than at a technical level (for example, encoding, data type, size). Therefore, Guardium Data Security Center can never be aware of the presence or lack of personal data. Customers must track whether personal information is present in the data that is being used by Guardium Data Security Center.
Additional security measures
To protect your Guardium Data Security Center instance, consider the following best practices.
- Network isolation
- As a best practice, use network isolation to isolate the Red Hat OpenShift project (Kubernetes namespace) where Guardium Data Security Center is deployed, and then ensure that only the appropriate services are accessible outside the namespace or outside the cluster. For more information about network isolation, review the following OpenShift documentation.
- Setting up an elastic load balancer
- To filter out unwanted network traffic, for example to protect against Distributed Denial of Service (DDoS) attacks, use an elastic load balancer that accepts only full HTTPS connections. An elastic load balancer that is configured with an HTTPS profile inspects the packets and forwards only complete HTTPS requests to the Guardium Data Security Center web server. For more information, see Protecting Against DDoS Attacks.
- Disabling the external registry route
- For the registry server, you can disable the external route that is used to push images to the registry server when you are not installing Guardium Data Security Center. However, if you leave the route disabled when you try to install Guardium Data Security Center, the installation fails.
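As an added example for the network isolation practice above (not IBM's code), the script below evaluates the NetworkPolicy objects of a namespace, in the shape `oc get networkpolicy -o json` returns, and reports whether ingress is isolated, whether any rule admits all sources, and which peers are allowed. The sample policies are constructed; the `network.openshift.io/policy-group: ingress` namespace label used to admit the OpenShift router is assumed and depends on how the ingress controller is deployed.

```python
"""Check whether a namespace is ingress-isolated by NetworkPolicy objects."""
import json

# Constructed sample in the shape of `oc get networkpolicy -n <ns> -o json`:
# a default-deny policy plus one that admits only the OpenShift router.
SAMPLE_POLICIES = json.dumps({"items": [
    {"metadata": {"name": "deny-by-default"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "allow-from-openshift-ingress"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {
                  "network.openshift.io/policy-group": "ingress"}}}]}]}},
]})

def covers_ingress(spec):
    """True if this policy governs ingress (policyTypes defaults to Ingress)."""
    return "Ingress" in spec.get("policyTypes", ["Ingress"])

def isolation_report(policies_json):
    """Summarise the ingress posture of a namespace.

    isolated:  some policy selects every pod and governs ingress, so traffic
               not matched by any rule is dropped.
    allow_all: some ingress rule has no 'from' peers, which admits any source.
    sources:   every 'from' peer that any rule admits.
    """
    policies = json.loads(policies_json)["items"]
    isolated = False
    allow_all = False
    sources = []
    for p in policies:
        spec = p["spec"]
        if not covers_ingress(spec):
            continue
        if spec.get("podSelector", {}) == {}:  # empty selector = all pods
            isolated = True
        for rule in spec.get("ingress", []):
            peers = rule.get("from") or []
            if not peers:
                allow_all = True
            sources.extend(peers)
    return {"isolated": isolated, "allow_all": allow_all, "sources": sources}

if __name__ == "__main__":
    print(json.dumps(isolation_report(SAMPLE_POLICIES), indent=2))
```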