Security and Privacy by Design (SPbD)

Security and Privacy by Design (SPbD) at IBM®® is an agile set of focused security and privacy practices, including threat models, privacy assessments, security testing, and vulnerability management.

This document is intended to help you in your preparations for GDPR readiness. It provides information about features of IBM Netcool Operations Insight® that you can configure, and aspects of the product’s use, to consider for GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.

IBM developed a set of SPbD processes and tools that are used by all of its business units. For more information about the IBM Secure Engineering Framework (SEF) and SPbD, see the IBM Redbooks® Security in Development - The IBM Secure Engineering Framework external link available in PDF format.

IBM also provides information about the features of IBM Netcool Operations Insight that you can configure, how to use the product securely, and what to consider to help your organization with GDPR readiness. For more information, see Deployment guidelines for GDPR readiness.

For information about container security, see the Security and compliance external link in the Red Hat® OpenShift® Container Platform documentation.

Security hardening

For production environments, ensure that the Red Hat OpenShift Container Platform cluster where you are installing IBM Netcool Operations Insight is configured securely. To help harden the security for your cluster, consider completing the following tasks:

  • Configure the Red Hat OpenShift Container Platform to enable etcd data encryption. For more information, see Encrypting etcd data external icon in the Red Hat OpenShift Container Platform documentation.

  • Implement a network egress policy that strictly controls what outbound calls can be made from applications in the cluster and from the IBM Netcool Operations Insight project (namespace). For more information, see the Red Hat OpenShift Container Platform documentation about Creating a network policy external icon.

  • If you use your own certificate authority (CA), replace the default certificate manager CA with your own CA.

  • Ensure that your Red Hat OpenShift Container Platform and Kubernetes environment is configured according to the Center for Internet Security (CIS) Benchmark for Red Hat Enterprise Linux® based OpenShift 4 and Kubernetes 1.6 security hardening. For more information, see the Center for Internet Security (CIS) Benchmarks about Securing Kubernetes external icon.

  • Configure lockout mechanisms on your authentication server to handle excessive login attempts.

  • Shorten session timeouts to the shortest tolerable duration.

  • Use your own certificate authority and monitor certificate expiration dates.

  • Configure rate limiting connections for basic protection against distributed denial-of-service (DDoS) attacks. For more information about how to configure this limiting, see the Red Hat OpenShift Container Platform documentation about Route configuration external icon.

Encryption in motion

To ensure that encryption in motion is enabled between each service or node within your Red Hat OpenShift Container Platform cluster, you must enable IPsec in Red Hat OpenShift Container Platform. When you install Red Hat OpenShift Container Platform, specify an empty object for the ipsecConfig parameter to enable IPsec encryption, as in the following example:
apiVersion: operator.openshift.io/v1
kind: Network
metadata:
  name: cluster
spec:
  defaultNetwork:
    type: OVNKubernetes
    ovnKubernetesConfig:
      ipsecConfig: {}
Note: IPsec enablement status cannot be changed after cluster installation.
For more information, see IPsec encryption configuration external icon and Specifying advanced network configuration external icon in the Red Hat OpenShift Container Platform documentation.