Additional security responsibilities for IBM Hyper Protect Virtual Servers

Learn about the security related responsibilities that you must observe when you use IBM Hyper Protect Virtual Servers.

You must observe the following security best practices that help in maintaining a more secure environment:

  • When you need to grant SSH access to the Hyper Protect Virtual Server to multiple users, use the principle of least privilege.
  • It is your responsibility to keep the SSH private key secure.
  • Ensure that you update the environment regularly to the latest available images when they are made available. For details about the latest images, see Components.
  • Take the required actions on regular security notifications from IBM.
  • After the key is generated, ensure that you keep the key safe, to prevent inadvertent security issues.
  • Additionally, for SSH enabled base images, ensure that you run the apt-get upgrade command before you start working with the virtual server. Running this command ensures that the latest packages are applied which contains the latest fixes for any security issues.
  • Ensure only required ports are opened and the ports are secured (TLS enabled). For more information about enabling ports, see Enabling ports.
  • Ensure only trusted or known users are allowed access to the environment and virtual servers.
  • You must observe the following best practices for BYOI (Bring Your Own Images):
  • Avoid storing secrets in the Dockerfile. Use environment variables to pass secrets by encrypting and decrypting them in your container image.
  • Scan your images for identifying known security vulnerabilities in your Docker images so that you can fix them before pushing them to Docker Hub or IBM Cloud Container Registry.
  • Run containers as a non root user, and specify the user (username) in the Dockerfile.
  • When adding Linux capabilities to your virtual server, to enable all privileges you can use cap_add:["ALL"], but as a good security practice, provide the least possible privileges to your virtual server. For more information about Linux capabilities, see Preparing the configuration, and Create repository registration.