Security and Privacy by Design (SPbD)
Security and Privacy by Design (SPbD) at IBM® is an agile set of focused security and privacy practices, including threat models, privacy assessments, security testing, and vulnerability management.
This document is intended to help you in your preparations for GDPR readiness. It provides information about features of IBM Netcool Operations Insight® that you can configure, and aspects of the product’s use, to consider for GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.
IBM developed a set of SPbD processes and tools that are used by all of its business units. For more information about the IBM Secure Engineering Framework (SEF) and SPbD, see the IBM Redbooks® Security in Development - The IBM Secure Engineering Framework available in PDF format.
IBM also provides information about the features of IBM Netcool Operations Insight that you can configure, how to use the product securely, and what to consider to help your organization with GDPR readiness. For more information, see Deployment guidelines for GDPR readiness.
For information about container security, see the Security and compliance in the Red Hat® OpenShift® Container Platform documentation.
Security hardening
For production environments, ensure that the Red Hat OpenShift Container Platform cluster where you are installing IBM Netcool Operations Insight is configured securely. To help harden the security for your cluster, consider completing the following tasks:
- Configure the Red Hat OpenShift Container Platform to enable etcd data encryption. For more information, see Encrypting etcd data in the Red Hat OpenShift Container Platform documentation.
- Implement a network egress policy that strictly controls what outbound calls can be made from applications in the cluster and from the IBM Netcool Operations Insight project (namespace). For more information, see the Red Hat OpenShift Container Platform documentation about Creating a network policy.
- If you use your own certificate authority (CA), replace the default certificate manager CA with your own CA.
- Ensure that your Red Hat OpenShift Container Platform and Kubernetes environment is configured according to the Center for Internet Security (CIS) Benchmark for Red Hat Enterprise Linux® based OpenShift 4 and Kubernetes 1.6 security hardening. For more information, see the Center for Internet Security (CIS) Benchmarks about Securing Kubernetes.
- Configure lockout mechanisms on your authentication server to handle excessive login attempts.
- Shorten session timeouts to the shortest tolerable duration.
- Use your own certificate authority and monitor certificate expiration dates.
- Configure rate limiting connections for basic protection against distributed denial-of-service (DDoS) attacks. For more information about how to configure this limiting, see the Red Hat OpenShift Container Platform documentation about Route configuration.
Encryption in motion
ipsecConfig parameter to enable IPsec encryption, as in the following example:

apiVersion: operator.openshift.io/v1
kind: Network
metadata:
  name: cluster
spec:
  defaultNetwork:
    type: OVNKubernetes
    ovnKubernetesConfig:
      ipsecConfig: {}
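As an added example (not IBM's or Red Hat's code), the following Python audits cluster objects against four of the items above: the etcd encryption type on the APIServer object, the ipsecConfig stanza on the Network operator object shown in this section, a namespace-wide egress NetworkPolicy, and the haproxy rate-limit annotation on Routes. It assumes the objects are supplied as dicts in the shape that `oc get <kind> -o json` returns in `.items`; the namespace name `noi` and the sample objects are constructed for the demonstration.

```python
# Added audit helper (not IBM's or Red Hat's code). Input: a list of objects
# as Python dicts, the `.items` shape `oc get <kind> -o json` returns.
def _get(obj, *path, default=None):
    """Walk nested dicts; return default as soon as a key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def audit_hardening(objects, namespace):
    """Map each hardening item to True (configured) or False (not found)."""
    results = {"etcd_encryption": False, "ipsec_enabled": False, "egress_restricted": False, "route_rate_limit": False}
    routes_seen, routes_limited = 0, 0
    for obj in objects:
        kind, ns = obj.get("kind"), _get(obj, "metadata", "namespace")
        if kind == "APIServer":
            # Encrypting etcd data is configured on APIServer/cluster spec.encryption.type
            enc = _get(obj, "spec", "encryption", "type")
            results["etcd_encryption"] = enc in ("aescbc", "aesgcm")
        elif kind == "Network" and obj.get("apiVersion", "").startswith("operator."):
            # The ipsecConfig stanza from the manifest above; `mode: Disabled` turns IPsec off
            ipsec = _get(obj, "spec", "defaultNetwork", "ovnKubernetesConfig", "ipsecConfig")
            results["ipsec_enabled"] = isinstance(ipsec, dict) and ipsec.get("mode") != "Disabled"
        elif kind == "NetworkPolicy" and ns == namespace:
            # Empty podSelector selects every pod; Egress in policyTypes makes egress default-deny
            all_pods = _get(obj, "spec", "podSelector", default={}) == {}
            if all_pods and "Egress" in _get(obj, "spec", "policyTypes", default=[]):
                results["egress_restricted"] = True
        elif kind == "Route" and ns == namespace:
            routes_seen += 1
            ann = _get(obj, "metadata", "annotations", default={})
            if ann.get("haproxy.router.openshift.io/rate-limit-connections") == "true":
                routes_limited += 1
    results["route_rate_limit"] = routes_seen > 0 and routes_seen == routes_limited
    return results


# Constructed sample objects (not from a real cluster) to exercise the checks.
SAMPLE_OBJECTS = [
    {"apiVersion": "config.openshift.io/v1", "kind": "APIServer",
     "metadata": {"name": "cluster"}, "spec": {"encryption": {"type": "aescbc"}}},
    {"apiVersion": "operator.openshift.io/v1", "kind": "Network", "metadata": {"name": "cluster"},
     "spec": {"defaultNetwork": {"type": "OVNKubernetes", "ovnKubernetesConfig": {"ipsecConfig": {}}}}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "restrict-egress", "namespace": "noi"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"],
              "egress": [{"ports": [{"protocol": "UDP", "port": 53}]}]}},
    {"apiVersion": "route.openshift.io/v1", "kind": "Route",  # no rate-limit annotation
     "metadata": {"name": "ui", "namespace": "noi", "annotations": {}}},
]
```

Running `audit_hardening(SAMPLE_OBJECTS, "noi")` flags only the Route item as missing, which is the expected finding for the constructed sample.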