Security on Guardium Insights
IBM Guardium® Insights supports several different mechanisms for securing your environment and your data.
Secure engineering practices
Guardium Insights follows IBM Security and Privacy by Design (SPbD). Security and Privacy by Design (SPbD) at IBM is a set of focused security and privacy practices, including vulnerability management, threat modeling, penetration testing, privacy assessments, security testing, and patch management.
For more information about the IBM Secure Engineering Framework (SEF) and SPbD, see the following resources:
Basic security features on Red Hat OpenShift Container Platform
Security is required for every enterprise, especially for organizations in the government, financial services, and healthcare sectors. OpenShift® container platform provides a set of security features. These features protect sensitive customer data with strong encryption controls and improve the oversight of access control across applications and the platform itself.
Guardium Insights builds on the hardened security features that OpenShift provides by creating Security Context Constraints (SCCs), service accounts, and roles so that Guardium Insights pods and users hold only the lowest level of privilege on the OpenShift platform that they need. Guardium Insights is also secured on the OpenShift platform and is installed in a secure and transparent manner.
For more information, see Basic security features on Red Hat OpenShift Container Platform.
Authentication and authorization
By default, Guardium Insights user records are stored in an internal LDAP. The initial setup of Guardium Insights uses the internal LDAP. However, after you set up Guardium Insights, it is recommended that you use an enterprise-grade password management solution, such as SAML SSO or an LDAP provider for password management. After you grant Guardium Insights administrator privileges to a user in your LDAP server, it is recommended that you disable or remove all users from the internal database repository.
- User management
- For more information, see the following resources:
- Authorization
- Guardium Insights provides user management capabilities to authorize users. For more information, see Managing users.
- Tokens and API keys
- You can use tokens and API keys to securely access Guardium Insights instances, services, and APIs.
- By using API keys, you can authenticate to Guardium Insights instances or services with your own credentials. You must use an API key to access Guardium Insights APIs. For more information, see Creating API keys.
- Idle web client session timeout
- You can configure the idle web client session timeout in accordance with your security and compliance requirements. When a user leaves their session idle in a web browser for the specified length of time, the user is automatically logged out of the web client.
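The idle timeout described above is enforced server-side: every request refreshes the session's last-activity time, and a session that has been idle for the configured period is invalidated, so a stale browser tab cannot keep acting on the user's behalf. The following is an added illustration of that logic, written for this page and not code from Guardium Insights; the 15-minute default and the `FakeClock` helper are constructed for the demonstration.

```python
from dataclasses import dataclass
import secrets
import time
from typing import Callable, Dict, Optional

# Assumed default: the page leaves the idle timeout to your security and
# compliance requirements, so this value is constructed, not a product setting.
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    last_activity: float


class IdleSessionStore:
    """Server-side session table that expires sessions after a period of inactivity.

    `clock` is injectable so the expiry logic can be exercised deterministically.
    """

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        # 256-bit random session id; never derive it from user data.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user=user, last_activity=self.clock())
        return token

    def touch(self, token: str) -> Optional[str]:
        """Validate a request's session token.

        Returns the user name and refreshes the last-activity timestamp if the session
        is live; returns None and drops the session if it is unknown or has been idle
        for the full timeout, so the logout happens on the server, not only in the browser.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if now - session.last_activity >= self.idle_timeout:
            del self._sessions[token]
            return None
        session.last_activity = now
        return session.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def reap(self) -> int:
        """Background sweep: remove every idle session; returns how many were removed."""
        now = self.clock()
        stale = [t for t, s in self._sessions.items()
                 if now - s.last_activity >= self.idle_timeout]
        for t in stale:
            del self._sessions[t]
        return len(stale)

    def active_count(self) -> int:
        return len(self._sessions)


class FakeClock:
    """Constructed clock so the timeline below is deterministic."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Walk one session through activity, more activity, then a full idle period."""
    clock = FakeClock()
    store = IdleSessionStore(idle_timeout=900, clock=clock)
    token = store.create("alice")
    clock.advance(600)          # 10 min idle: still valid, and activity restarts the timer
    first = store.touch(token)
    clock.advance(600)          # another 10 min: within 15 min of the last activity
    second = store.touch(token)
    clock.advance(900)          # 15 min with no activity: the session is expired
    third = store.touch(token)
    return {"first": first, "second": second, "third": third, "active": store.active_count()}


if __name__ == "__main__":
    print(demo())
```

The timeout is measured from the last activity, not from login, which is what the page's wording ("leaves their session idle ... for the specified length of time") implies; an absolute session lifetime would be a separate control.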
Encryption
Guardium Insights supports protection of data at rest and in motion. It supports FIPS (Federal Information Processing Standard) compliant encryption for all encryption needs.
- Data
- In general, data security is managed by your remote data sources. OpenShift uses resources that are known as Security Context Constraints (SCCs) to enforce the security context of a pod or a container (the Kubernetes equivalent is the PodSecurityPolicy). Guardium Insights containers use the restricted SCC by default. The restricted SCC denies access to all host features and requires pods to run with a UID and SELinux context that are scoped within the namespace. For more information, see Storage considerations.
- Communications
- You can use TLS or SSL to encrypt communications to and from Guardium Insights.
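Two points from this page meet in an API client: the API key is the credential (Tokens and API keys, above), and TLS protects it in transit (Communications). The following added example, written for this page rather than taken from Guardium Insights or IBM, shows a client that refuses anything but HTTPS, verifies the server certificate and hostname, requires TLS 1.2 or later, and reads the key from the environment instead of source code. The environment variable name `GI_API_KEY`, the `Authorization: Bearer` header scheme and the request path are assumptions; the page does not state how Guardium Insights expects the key to be passed, so check that against the product's API documentation.

```python
import http.client
import json
import os
import ssl
from typing import Any, Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed names: the page does not specify the key-passing convention, so these are
# placeholders to be replaced with whatever the product's API documentation requires.
API_KEY_ENV_VAR = "GI_API_KEY"
API_KEY_HEADER = "Authorization"


def build_tls_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client TLS context: certificate verification on, hostname check on, TLS 1.2+ only.

    With ca_bundle=None the system trust store is used; pass the path of your
    organisation's CA bundle when the cluster uses an internal CA.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def load_api_key(env: Dict[str, str] = os.environ) -> str:
    """Read the key from the environment; refuse to run unauthenticated."""
    key = env.get(API_KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{API_KEY_ENV_VAR} is not set")
    return key


def build_request(base_url: str, path: str, api_key: str) -> Tuple[str, int, str, Dict[str, str]]:
    """Validate the target URL and assemble (host, port, path, headers).

    Only https:// is accepted so the API key can never be sent in clear text.
    """
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        raise ValueError(f"refusing scheme {parts.scheme!r}: API keys travel over HTTPS only")
    if not parts.hostname:
        raise ValueError("base URL has no host")
    headers = {
        API_KEY_HEADER: f"Bearer {api_key}",   # assumed scheme; see the lead-in
        "Accept": "application/json",
    }
    return parts.hostname, parts.port or 443, path, headers


def call_api(base_url: str, path: str, api_key: str,
             ca_bundle: Optional[str] = None, timeout: float = 10.0) -> Any:
    """GET a JSON resource over verified TLS and return the decoded body."""
    host, port, path, headers = build_request(base_url, path, api_key)
    conn = http.client.HTTPSConnection(host, port, context=build_tls_context(ca_bundle),
                                       timeout=timeout)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        body = resp.read()
        if resp.status != 200:
            # Report the status only; the request headers carry the key and must not be logged.
            raise RuntimeError(f"API returned HTTP {resp.status}")
        return json.loads(body)
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage (placeholder host and path): export GI_API_KEY=...; python client.py
    print(call_api("https://guardium-insights.example.com", "/api/example-endpoint", load_api_key()))
```

`ssl.create_default_context` already enables verification; the explicit `check_hostname`, `verify_mode` and `minimum_version` settings make the intent visible in review and guard against someone later loosening the context. The test below checks the context settings and the URL validation without opening a network connection.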
Network access requirements
To ensure secure transmission of network traffic to and from the Guardium Insights cluster, you need to configure the communication ports used by the Guardium Insights cluster.
- Primary port
- The primary port is what the Red Hat OpenShift router exposes.
Audit logging
Audit logging provides accountability, traceability, and regulatory compliance. To support regulatory compliance, audit logging must be configured so that it captures access to and modification of data.
For more information, see Auditing Guardium Insights.
Regulatory compliance
Guardium Insights is assessed for various Privacy and Compliance regulations. Guardium Insights provides features that can be used by its customers in preparation for various privacy and compliance assessments. These features are not an exhaustive list. It is difficult to assemble such an exhaustive list of features, since customers can choose and configure the features in many ways. Furthermore, Guardium Insights can be used in various ways as a stand-alone product or with third-party applications and systems.
Guardium Insights is not aware of the nature of data that it is handling other than at a technical level (for example, encoding, data type, size). Therefore, Guardium Insights can never be aware of the presence or lack of personal data. Customers must track whether personal information is present in the data that is being used by Guardium Insights.
Additional security measures
To protect your Guardium Insights instance, consider the following best practices.
- Network isolation
- As a best practice, use network isolation to isolate the Red Hat OpenShift project (Kubernetes namespace) where Guardium Insights is deployed. Then, ensure that only the appropriate services are accessible outside the namespace or outside the cluster. For more information about network isolation, review the following OpenShift documentation.
- Setting up an elastic load balancer
- To filter out unwanted network traffic, for example to protect against Distributed Denial of Service (DDoS) attacks, use an elastic load balancer that accepts only full HTTPS connections. An elastic load balancer that is configured with an HTTPS profile inspects the packets and forwards only complete HTTPS requests to the Guardium Insights web server. For more information, see Protecting Against DDoS Attacks.
- Disabling the external registry route
- For the registry server, you can disable the external route that is used to push images to the registry server when you are not installing Guardium Insights. However, if you leave the route disabled when you try to install Guardium Insights, the installation fails.
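The restricted SCC described under Encryption (no host features, no privileged UID) and the network-isolation advice above both come down to properties you can check in manifests before they reach the cluster. The following added example, written for this page and not part of Guardium Insights or OpenShift, reviews Pod or Deployment manifests for host namespaces, hostPath volumes, privileged containers, root UIDs and added capabilities, and checks that the namespace carries a default-deny ingress NetworkPolicy so that only explicitly allowed services are reachable. The rules are this example's own approximation of what a restricted-style SCC refuses, not the SCC's admission logic; the sample manifests and the `gi-demo` namespace are constructed.

```python
from typing import Any, Dict, Iterable, List

# Rules modelled on the restricted SCC behaviour the page describes (no host features,
# no privileged UID) and on the namespace-isolation advice. They are this example's own
# checks for reviewing manifests before deployment, not the SCC admission logic itself.


def _containers(pod_spec: Dict[str, Any]) -> Iterable[Dict[str, Any]]:
    yield from pod_spec.get("initContainers", [])
    yield from pod_spec.get("containers", [])


def check_pod(manifest: Dict[str, Any]) -> List[str]:
    """Return findings for a Pod or Deployment that a restricted-style SCC would refuse
    or that asks for more privilege than it needs. An empty list means no findings."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Deployment":
        spec = spec.get("template", {}).get("spec", {})
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    findings: List[str] = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"{name}: {key}=true shares a host namespace")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: volume {vol.get('name')} mounts a hostPath")
    pod_sc = spec.get("securityContext", {})
    for c in _containers(spec):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):      # Kubernetes default is true
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation is not false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}/{cname}: runAsNonRoot is not set")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            findings.append(f"{name}/{cname}: runs as UID 0")
        if sc.get("capabilities", {}).get("add"):
            findings.append(f"{name}/{cname}: adds Linux capabilities")
    return findings


def check_namespace_isolation(manifests: List[Dict[str, Any]], namespace: str) -> List[str]:
    """Finding unless the namespace has a NetworkPolicy that selects every pod and allows
    no ingress (default deny); further policies then open only the services that need it."""
    for m in manifests:
        if m.get("kind") != "NetworkPolicy" or m.get("metadata", {}).get("namespace") != namespace:
            continue
        spec = m.get("spec", {})
        selector = spec.get("podSelector", {})
        selects_all = not selector.get("matchLabels") and not selector.get("matchExpressions")
        # policyTypes defaults to Ingress; an absent/empty ingress list means deny all ingress.
        if selects_all and "Ingress" in spec.get("policyTypes", ["Ingress"]) and not spec.get("ingress"):
            return []
    return [f"namespace {namespace}: no default-deny ingress NetworkPolicy"]


def audit(manifests: List[Dict[str, Any]], namespace: str) -> List[str]:
    findings: List[str] = []
    for m in manifests:
        if m.get("kind") in ("Pod", "Deployment"):
            findings.extend(check_pod(m))
    findings.extend(check_namespace_isolation(manifests, namespace))
    return findings


# Constructed sample manifests; namespace, names and images are made up for the demonstration.
NAMESPACE = "gi-demo"
LOOSE_POD = {
    "kind": "Pod", "metadata": {"name": "loose", "namespace": NAMESPACE},
    "spec": {"hostNetwork": True,
             "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
             "containers": [{"name": "app", "image": "example/app:1",
                             "securityContext": {"privileged": True, "runAsUser": 0,
                                                 "capabilities": {"add": ["NET_ADMIN"]}}}]}}
HARDENED_POD = {
    "kind": "Pod", "metadata": {"name": "hardened", "namespace": NAMESPACE},
    "spec": {"containers": [{"name": "app", "image": "example/app:1",
                             "securityContext": {"runAsNonRoot": True,
                                                 "allowPrivilegeEscalation": False,
                                                 "capabilities": {"drop": ["ALL"]}}}]}}
DEFAULT_DENY = {
    "kind": "NetworkPolicy", "metadata": {"name": "default-deny", "namespace": NAMESPACE},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}

if __name__ == "__main__":
    for line in audit([LOOSE_POD, HARDENED_POD], NAMESPACE):
        print(line)
```

Running the block as written lists seven findings for the loose pod and one for the missing default-deny policy; add `DEFAULT_DENY` to the list and the last finding disappears. The same functions can be fed manifests parsed from YAML with a library such as PyYAML.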