Security on Guardium Insights

IBM Guardium® Insights supports several different mechanisms for securing your environment and your data.

Secure engineering practices

Guardium Insights follows IBM Security and Privacy by Design (SPbD). Security and Privacy by Design (SPbD) at IBM is a set of focused security and privacy practices, including vulnerability management, threat modeling, penetration testing, privacy assessments, security testing, and patch management.

For more information about the IBM Secure Engineering Framework (SEF) and SPbD, see the following resources:

Basic security features on Red Hat OpenShift Container Platform

Security is required for every enterprise, especially for organizations in the government, financial services, and healthcare sectors. OpenShift® container platform provides a set of security features. These features protect sensitive customer data with strong encryption controls and improve the oversight of access control across applications and the platform itself.

Guardium Insights builds on the hardened security features that OpenShift provides by creating Security Context Constraints (SCCs), service accounts, and roles so that Guardium Insights pods and users have the lowest level of privilege on the OpenShift platform that they need. Guardium Insights is also secured on the OpenShift platform and is installed in a secure and transparent manner.

For more information, see Basic security features on Red Hat OpenShift Container Platform.

Authentication and authorization

By default, Guardium Insights user records are stored in an internal LDAP. The initial setup of Guardium Insights uses the internal LDAP. However, after you set up Guardium Insights, it is recommended that you use an enterprise-grade password management solution, such as SAML SSO or an LDAP provider for password management. After you grant Guardium Insights administrator privileges to a user in your LDAP server, it is recommended that you disable or remove all users from the internal database repository.

User management
For more information, see the following resources:
Authorization
Guardium Insights provides user management capabilities to authorize users. For more information, see Managing users.
Tokens and API keys
You can use tokens and API keys to securely access Guardium Insights instances, services, and APIs.
  • By using API keys, you can authenticate to Guardium Insights instances or services with your own credentials. For more information, see Creating API keys.

    You must use an API key to access Guardium Insights APIs.

Idle web client session timeout
You can configure the idle web client session timeout in accordance with your security and compliance requirements. When a user leaves their session idle in a web browser for the specified length of time, the user is automatically logged out of the web client.
For more information, see Tenant settings.

Encryption

Guardium Insights supports protection of data at rest and in motion. It supports FIPS (Federal Information Processing Standard) compliant encryption for all encryption needs.

Data
  • In general, data security is managed by your remote data sources. OpenShift uses resources that are known as Security Context Constraints (SCCs) to enforce the security context of a pod or a container (the Kubernetes equivalent is the PodSecurityPolicy). Guardium Insights containers use the restricted SCC by default. The restricted SCC denies access to all host features and requires pods to run with a UID and SELinux context that are scoped within the namespace. For more information, see Storage considerations.
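The restricted SCC guarantee is only as good as what the admission controller actually applied. The following script, an added example and not Guardium Insights or OpenShift code, reads the JSON that `oc get pods -n <namespace> -o json` prints and reports any pod that was admitted under a non-restricted SCC or that asks for host-level access (host namespaces, privileged containers, UID 0, hostPath volumes). The `openshift.io/scc` annotation it checks is the one OpenShift sets on admitted pods; the pod records in `SAMPLE_POD_LIST` are constructed, not output from a real cluster.

```python
"""Verify that pods in a namespace were admitted under a restricted SCC.

Added example (not Guardium Insights or OpenShift code). Reads the JSON that
`oc get pods -n <namespace> -o json` prints and flags pods that OpenShift
admitted under a non-restricted SCC or that ask for host-level access.
The pod records in SAMPLE_POD_LIST are constructed, not real cluster output.
"""
import json
import sys

SCC_ANNOTATION = "openshift.io/scc"      # set by the SCC admission controller
RESTRICTED_SCCS = {"restricted", "restricted-v2"}


def pod_findings(pod):
    """Return a list of problems for one pod object (empty when it is clean)."""
    problems = []
    spec = pod.get("spec", {})
    scc = pod.get("metadata", {}).get("annotations", {}).get(SCC_ANNOTATION)
    if scc not in RESTRICTED_SCCS:
        problems.append(f"admitted under SCC {scc!r}, not a restricted SCC")
    for host_field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(host_field):
            problems.append(f"{host_field} is enabled")
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        sc = container.get("securityContext", {})
        if sc.get("privileged"):
            problems.append(f"container {container['name']} runs privileged")
        if sc.get("runAsUser") == 0:
            problems.append(f"container {container['name']} runs as UID 0")
    for volume in spec.get("volumes", []):
        if "hostPath" in volume:
            path = volume["hostPath"].get("path")
            problems.append(f"volume {volume['name']} mounts hostPath {path}")
    return problems


def audit_pod_list(pod_list):
    """Map pod name -> problem list for every non-clean pod in a PodList."""
    report = {}
    for pod in pod_list.get("items", []):
        problems = pod_findings(pod)
        if problems:
            report[pod["metadata"]["name"]] = problems
    return report


# Constructed sample: one pod that looks like a normal restricted workload and
# one debugging pod that was admitted under the privileged SCC.
SAMPLE_POD_LIST = {
    "items": [
        {
            "metadata": {"name": "insights-api-0",
                         "annotations": {SCC_ANNOTATION: "restricted-v2"}},
            "spec": {"containers": [
                {"name": "api", "securityContext": {"runAsNonRoot": True}}]},
        },
        {
            "metadata": {"name": "debug-shell",
                         "annotations": {SCC_ANNOTATION: "privileged"}},
            "spec": {
                "hostNetwork": True,
                "containers": [{"name": "shell", "securityContext": {
                    "privileged": True, "runAsUser": 0}}],
                "volumes": [{"name": "rootfs", "hostPath": {"path": "/"}}],
            },
        },
    ]
}

if __name__ == "__main__":
    # Usage: python scc_audit.py pods.json   (file saved from `oc get pods -o json`)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            pod_list = json.load(fh)
    else:
        pod_list = SAMPLE_POD_LIST
    for name, problems in audit_pod_list(pod_list).items():
        print(name)
        for problem in problems:
            print("  -", problem)
```

Run it against a saved `oc get pods -n <namespace> -o json` for the Guardium Insights project; a clean namespace produces no output, and every line it does print names a pod whose privileges exceed what the restricted SCC allows.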
Communications
You can use TLS or SSL to encrypt communications to and from Guardium Insights.
  • If you plan to configure a secret server to access PAM data, you must set the Server URL to a secret server address that uses a TLS connection, that is, a URL that starts with HTTPS only. For example,
    • https://your.company.com/SecretServer
    • https://your.company.com:8443/SecretServer
    Self-signed certificates are also supported if the secret server runs a self-signed TLS server. In that case, the server certificate, all intermediate certificates, and the root CA are needed.
  • If you configure an SMTP service so that Guardium Insights can email notifications to users and administrators, you must specify a secure SSL port on the SMTP server when you configure the connection to the server. Self-signed public SSL certificates are required for the SMTP server.
  • If you plan to configure a ServiceNow, IBM Resilient, or CP4S Cases ticketing server to create tickets and it uses an SSL certificate, you must provide the certificate to Guardium Insights so that it can connect to the system. Do this before you create the connection:
    • Required: Alias: Enter an alias for the certificate.
    • Required: Details: Paste the certificate from the browser into this field. The certificate starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----, and it must be copied in its entirety, including these two begin and end lines.
  • If you configure a Guardium Collector (GDP) system to communicate with a Guardium Insights instance, you must use the GDP CLI to import the Guardium Insights root CA certificate, then create an API-key-encoded token and use that token to register the system.
  • If you configure a webhook service for alerts and data enrichment from Guardium Insights, you can optionally add the public SSL certificate of the webhook service for secure communication. The certificate starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----, and it must be copied in its entirety, including these two begin and end lines.
  • If you plan to configure an SFTP server for exporting data to, or importing data from, a variety of sources into Guardium Insights:
    • Required: Host key: SFTP uses SSH to connect to the SFTP server. Host keys are .pub files, usually stored in the /etc/ssh directory, that are used for authenticating computers over the SSH protocol. Open the .pub file for this SFTP server and copy the key.
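Several of the settings above are pasted by hand, and the failure mode in each case is a value that is silently incomplete: a Secret Server URL that is not HTTPS, a certificate with a marker line or a tail of base64 missing, or a host key copied from the wrong .pub file. The following pre-flight checker is an added example, not Guardium Insights code. It validates the HTTPS-only URL rule, confirms that every certificate in a pasted PEM blob has both marker lines and decodes to DER whose declared length matches what was pasted, and parses an OpenSSH host-key line, confirming that its text prefix matches the key type embedded in the blob and printing the SHA256 fingerprint in the same form `ssh-keygen -lf` prints. All sample inputs are constructed: the "certificate" body is a five-byte ASN.1 SEQUENCE standing in for a real one, and the host key wraps 32 arbitrary bytes.

```python
"""Pre-flight checks for connection settings pasted into Guardium Insights.

Added example, not Guardium Insights code. Checks that a Secret Server URL is
HTTPS, that a pasted PEM blob holds complete certificates, and that an SSH host
key line copied from a .pub file is intact. Every sample input is constructed.
"""
import base64
import binascii
import hashlib
import re
import struct
from urllib.parse import urlsplit

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"\s*(.+?)\s*" + re.escape(END), re.S)


def check_https_url(url):
    """Return (ok, detail). The Secret Server URL must be https:// with a host."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, f"scheme {parts.scheme or '(none)'!r} is not https"
    if not parts.hostname:
        return False, "URL has no host name"
    return True, f"{parts.hostname}:{parts.port or 443}"


def der_length_ok(der):
    """True if the outer ASN.1 SEQUENCE length matches the decoded byte count."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] & 0x80:                       # long-form length: 0x8N + N bytes
        n = der[1] & 0x7F
        body_len, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    else:                                   # short-form length (< 128)
        body_len, header = der[1], 2
    return header + body_len == len(der)


def pem_certificates(blob):
    """Return DER bytes for each certificate; raise ValueError on a damaged paste."""
    blocks = PEM_BLOCK.findall(blob)
    if not blocks or len(blocks) != blob.count(BEGIN) or len(blocks) != blob.count(END):
        raise ValueError("a BEGIN or END CERTIFICATE line is missing")
    ders = []
    for body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate body is not valid base64: {exc}") from exc
        if not der_length_ok(der):
            raise ValueError("certificate is truncated (DER length mismatch)")
        ders.append(der)
    return ders


def ssh_host_key_fingerprint(line):
    """Parse '<type> <base64> [comment]' and return (type, 'SHA256:...')."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, body = fields[0], fields[1]
    try:
        blob = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"key blob is not valid base64: {exc}") from exc
    # The wire format opens with a length-prefixed string naming the key type;
    # it must agree with the text prefix, or the line was spliced from two keys.
    if len(blob) < 4:
        raise ValueError("key blob is too short")
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii", "replace")
    if len(blob) < 4 + n or embedded != key_type:
        raise ValueError(f"prefix {key_type!r} does not match blob type {embedded!r}")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return key_type, "SHA256:" + digest


# Constructed samples: a 5-byte ASN.1 SEQUENCE standing in for a real DER
# certificate body, and an ed25519-shaped host key wrapping 32 arbitrary bytes.
SAMPLE_PEM = f"{BEGIN}\nMAMCAQU=\n{END}\n"
SAMPLE_KEY_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
                   + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_HOST_KEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_KEY_BLOB).decode() + " sftp01"

if __name__ == "__main__":
    print(check_https_url("https://your.company.com:8443/SecretServer"))
    print(check_https_url("http://your.company.com/SecretServer"))
    print(len(pem_certificates(SAMPLE_PEM)), "certificate(s) parsed")
    print(ssh_host_key_fingerprint(SAMPLE_HOST_KEY))
```

The DER length check catches the common copy error where the END line is present but a line of base64 in the middle was dropped, which the marker check alone cannot see; the host-key check compares the fingerprint you compute against what `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` prints on the SFTP server itself.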
Important: It is recommended that you disable TLS 1.0 and TLS 1.1 from Red Hat OpenShift Container Platform HAProxy routers on port 443. For more information, see Disable TLS1.0 and TLS1.1 in HAproxy routers.
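On Red Hat OpenShift, the router's protocol floor is governed by the IngressController's `spec.tlsSecurityProfile` rather than by editing HAProxy directly. The following script is an added example, not Guardium Insights or OpenShift code: it reads an IngressController object (the JSON that `oc get ingresscontroller default -n openshift-ingress-operator -o json` prints), reports whether the selected profile still negotiates TLS 1.0 or 1.1, and builds the merge patch that selects the Intermediate profile, whose minimum is TLS 1.2. The profile-to-version mapping follows the documented Old, Intermediate, Modern and Custom profiles; treating a Custom profile that omits `minTLSVersion` as TLS 1.0 is a conservative assumption of this example, and the IngressController objects below are constructed samples.

```python
"""Check whether an OpenShift IngressController still accepts TLS 1.0 or 1.1.

Added example, not Guardium Insights or OpenShift code. Evaluates
spec.tlsSecurityProfile of an IngressController and builds the merge patch
that raises the floor to TLS 1.2. Sample objects are constructed.
"""
import json
import sys

# Minimum protocol version implied by each documented profile type.
PROFILE_MIN_TLS = {
    "Old": "VersionTLS10",
    "Intermediate": "VersionTLS12",
    "Modern": "VersionTLS13",
}
LEGACY_VERSIONS = ("VersionTLS10", "VersionTLS11")
HARDENED_PROFILE = {"type": "Intermediate", "intermediate": {}}


def min_tls_version(ingress_controller):
    """Lowest TLS version the router negotiates under the configured profile."""
    profile = ingress_controller.get("spec", {}).get("tlsSecurityProfile") or {}
    ptype = profile.get("type")
    if ptype is None:
        return "VersionTLS12"      # OpenShift applies Intermediate when unset
    if ptype == "Custom":
        # Assumption of this example: a Custom profile with no explicit
        # minTLSVersion is treated as allowing TLS 1.0.
        return profile.get("custom", {}).get("minTLSVersion", "VersionTLS10")
    return PROFILE_MIN_TLS.get(ptype, "VersionTLS10")


def allows_legacy_tls(ingress_controller):
    """True when TLS 1.0 or 1.1 would still be accepted on the router."""
    return min_tls_version(ingress_controller) in LEGACY_VERSIONS


def hardening_patch():
    """Merge-patch body that selects the Intermediate profile (TLS 1.2 minimum)."""
    return {"spec": {"tlsSecurityProfile": HARDENED_PROFILE}}


def oc_patch_command(name="default", namespace="openshift-ingress-operator"):
    """The oc command that applies hardening_patch() to the named controller."""
    body = json.dumps(hardening_patch(), separators=(",", ":"))
    return f"oc patch ingresscontroller {name} -n {namespace} --type=merge -p '{body}'"


# Constructed samples: the weak setting and its corrected form.
SAMPLE_WEAK = {"spec": {"tlsSecurityProfile": {"type": "Old", "old": {}}}}
SAMPLE_HARDENED = {"spec": {"tlsSecurityProfile": HARDENED_PROFILE}}

if __name__ == "__main__":
    # Usage: python tls_floor.py ingresscontroller.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            target = json.load(fh)
    else:
        target = SAMPLE_WEAK
    floor = min_tls_version(target)
    if allows_legacy_tls(target):
        print(f"router floor is {floor}: TLS 1.0/1.1 still accepted; fix with:")
        print(oc_patch_command())
    else:
        print(f"router floor is {floor}: TLS 1.0/1.1 rejected")
```

After applying the patch, re-export the IngressController and run the script again; the floor it reports should be VersionTLS12.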

Network access requirements

To ensure secure transmission of network traffic to and from the Guardium Insights cluster, you need to configure the communication ports used by the Guardium Insights cluster.

Primary port
The primary port is what the Red Hat OpenShift router exposes.
For more information, see Network Access Requirements.

Audit logging

Audit logging provides accountability, traceability, and regulatory compliance. Regulatory compliance requires that access to and modification of data can be traced.

For more information, see Auditing Guardium Insights.

Regulatory compliance

Guardium Insights is assessed for various Privacy and Compliance regulations. Guardium Insights provides features that can be used by its customers in preparation for various privacy and compliance assessments. These features are not an exhaustive list. It is difficult to assemble such an exhaustive list of features, since customers can choose and configure the features in many ways. Furthermore, Guardium Insights can be used in various ways as a stand-alone product or with third-party applications and systems.

Guardium Insights is not aware of the nature of data that it is handling other than at a technical level (for example, encoding, data type, size). Therefore, Guardium Insights can never be aware of the presence or lack of personal data. Customers must track whether personal information is present in the data that is being used by Guardium Insights.

Additional security measures

To protect your Guardium Insights instance, consider the following best practices.

Network isolation
As a best practice, use network isolation to isolate the Red Hat OpenShift project (Kubernetes namespace) where Guardium Insights is deployed. Then, ensure that only the appropriate services are accessible outside the namespace or outside the cluster. For more information about network isolation, review the following OpenShift documentation.
Setting up an elastic load balancer
To filter out unwanted network traffic, such as traffic from Distributed Denial of Service (DDoS) attacks, use an elastic load balancer that accepts only full HTTPS connections. An elastic load balancer that is configured with an HTTPS profile inspects the packets and forwards only complete HTTPS requests to the Guardium Insights web server. For more information, see Protecting Against DDoS Attacks.
Disabling the external registry route
For the registry server, you can disable the external route that is used to push images to the registry server when you are not installing Guardium Insights. However, if you leave the route disabled when you try to install Guardium Insights, the installation fails.