Secure Engineering Practices

IBM Automatic Data Lineage follows IBM Security and Privacy by Design (SPbD). Security and Privacy by Design (SPbD) at IBM is a set of focused security and privacy practices, including vulnerability management, threat modeling, penetration testing, privacy assessments, security testing, and patch management. For more information about the IBM Secure Engineering Framework (SEF) and SPbD, see the following resources:

Manta Flow Security Architecture

To see a high-level security architecture, go to Manta Flow Security Architecture.

Authentication and authorization

User Roles

The application uses several user roles to authorize specific operations within the metadata repository. The roles are described in User Roles. For the roles used in Manta Admin UI, see User Roles Used in Manta Admin UI.

Access Rights for the Metadata Repository

It is possible to define access rights to the metadata repository. This means that some parts of the metadata repository may only be visible to particular users. For more information, see Access Rights for the Metadata Repository.

Applying the Changes

To apply changes to the preceding CSV configuration files, it is necessary to restart the Manta Server or enter an HTTP GET request using the following format: http://<server_name>:<port>/manta-dataflow-server/api/refresh, where the <server_name> and <port> are provided by your application administrator. If the repository.permissions-enabled property has been changed, a Manta Server restart is necessary.

Authentication Configuration

For more information, see Authentication Configuration.

Tokens and API keys

Keycloak enables the use of token-based authentication to access IBM Automatic Data Lineage APIs. For more information, see API Token-Based Authentication.

Encryption

Automatic Data Lineage supports protection of data at rest and in motion.

Data

Data resides on customers' hard drives, and we recommend volume encryption to keep all data safe.

Communications

You can use TLS or SSL to encrypt communications to and from Automatic Data Lineage. For more information about TLS, see TLS in Automatic Data Lineage.

FIPS

Automatic Data Lineage supports FIPS (Federal Information Processing Standard) compliant encryption.

Using an allowlist to prevent SSRF attacks

In a Server-Side Request Forgery (SSRF) attack, an attacker can create requests from a vulnerable server. Typically, this happens when an application accepts URLs, IP addresses, or domain names from a user who has access to the server. The attacker can use this vulnerability to inject URLs with port details or with internal IP addresses, and then observe the internal network or enable the application to process malicious code.

The most robust way to avoid an SSRF attack is to set up an allowlist for the DNS name or IP address that your application needs to access. Alternatively, if you use a blocklist, it's important to validate the user input properly. For example, do not allow requests to private (nonroutable) IP addresses. This can be configured on Keycloak.
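
The following is an added example, not IBM or Keycloak code: a minimal application-side validator that combines the allowlist with the private-address check described above. The endpoint names, the `check_url` function and the injectable `resolver` parameter are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: exact (scheme, host, port) endpoints the application needs.
ALLOWED_ENDPOINTS = {
    ("https", "api.example.com", 443),
    ("https", "idp.example.com", 8443),
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def resolve(host):
    """Return every IP address the host name resolves to (system DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_routable(ip_text):
    """Reject private, loopback, link-local and other non-public addresses."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_url(url, allowed=ALLOWED_ENDPOINTS, resolver=resolve):
    """Return (ok, reason) for a user-supplied URL."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for an out-of-range port
    except ValueError:
        return False, "malformed URL"
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme)
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not permitted"
    host = (parts.hostname or "").rstrip(".")
    if (parts.scheme, host, port) not in allowed:
        return False, "endpoint not on allowlist"
    # An allowlisted name can still be pointed at an internal address via DNS.
    try:
        addresses = resolver(host)
    except OSError:
        return False, "host does not resolve"
    if not addresses or not all(is_routable(a) for a in addresses):
        return False, "resolves to non-routable address"
    return True, "ok"
```

Because the HTTP client resolves the name again when it connects, the outgoing request should be made to the address that passed this check, with redirects disabled or re-validated.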

Additional security measures

To protect your Automatic Data Lineage instance, consider the following best practice.

Setting up an elastic load balancer

To filter out unwanted network traffic, such as protecting against Distributed Denial of Service (DDoS) attacks, use an elastic load balancer that accepts only full HTTP connections. An elastic load balancer that is configured with an HTTP profile inspects the packets and forwards only the HTTP requests that are complete to the Manta web server.