Additional security responsibilities for IBM Hyper Protect Virtual Servers

Learn about the security related responsibilities that you must observe when you use IBM Hyper Protect Virtual Servers.

You must observe the following security best practices that help in maintaining a more secure environment:

  • Ensure that you update the environment regularly to the latest available images when they are made available.
  • Take the required actions on regular security notifications from IBM.
  • Ensure that only required ports are opened and the ports are secured (TLS enabled). If you want to enable any port on the virtual server instance, ensure that you follow the security best practices. IBM is not responsible for any security incidents that arise form the usage of the ports.
  • Ensure only trusted or known users are allowed access to the environment and virtual servers.
  • Employ the principle of least privilege where it is essential for minimizing security risks in your Docker environment. Avoid running containers as non-root users, or as privileged containers.
  • The AppArmor Linux kernel security module is enabled on IBM Hyper Protect Virtual Servers. For more information, see Using AppArmor.
  • You must observe the following best practices for the contract:
    • It is recommended that all IBM Hyper Protect Virtual Servers sections of contract are encrypted. For more information, see Contract encryption.
    • To ensure the integrity of the contract, it is recommended that you sign the contract. For more information, see Contract signature.
    • The container images can be signed. For more information, see images.
    • It is your responsibility to keep the copy of the contract that you created safe to prevent inadvertent security risks because you won't be able to retrieve it once it is lost.
    • Input data can be validated by using the attestation record. For more information, see Attestation.
    • You can validate the certificates that you download for contract encryption and attestation. For more information, see Validating the certificates.
    • Ensure that the seeds you use in the contract are not easy to guess or crack.
    • Ensure that all software you define in the contract are from trusted sources.