How is the metadata protected
End-to-end protection is provided for the metadata that is collected, delivered, and stored for your IBM Storage Insights service in the IBM® Cloud data center. This protection includes meeting the requirements of the General Data Protection Regulation (GDPR).
Metadata collection, delivery, and storage in the cloud
To transform the metadata into insights and present them in IBM Storage Insights, the data collector / call home forwards metadata packages for analysis and storage to the IBM Cloud data center (located in Dallas).
To keep the metadata package safe on its journey to the cloud, the data collector / call home uses Hypertext Transfer Protocol Secure (HTTPS), which encrypts the metadata and sends the metadata package through a secure channel to the IBM Cloud data center.
At the gateway, or reverse proxy gateway, the metadata package gets instructions to deliver the package to your IBM Storage Insights service. Only data collectors that are associated with your service can collect and deliver metadata about your storage environment.
When the metadata package is delivered, the metadata is decrypted, analyzed, and stored.
From your data center to the internet
HTTPS connections are used to compress and encrypt the metadata that is collected about your storage systems and sent to the IBM Cloud data center.
After you sign up, you're provided with a host name and port number for your IBM Storage Insights service. To secure the outbound communication between the data collector and IBM Storage Insights at the well-defined and secure network endpoint https://insights.ibm.com:443, a Secure Sockets Layer (SSL) certificate is used. HTTPS connections use certificates issued by Google Trust Services and use TLS 1.2 and TLS 1.3 with 256-byte keys.
- Update your firewall rules to allow outbound communication on the default HTTPS port 443 using the Transmission Control Protocol (TCP). The User Datagram Protocol (UDP) is not supported.
- Update your firewall rules to allow outbound communication to the following network endpoint: https://insights.ibm.com. If you use a proxy server with a separate firewall, ensure that you also update its rules.
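A check for the settings listed above, as an added example that is not IBM's own tooling: it opens one outbound session to the endpoint and compares the negotiated protocol and the certificate issuer with what this section states (TLS 1.2 or TLS 1.3, Google Trust Services). The function names and the sample certificates are constructed for illustration.

```python
import socket
import ssl

# Values taken from this page: endpoint, allowed protocol versions, issuing CA.
HOST, PORT = "insights.ibm.com", 443
ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}
EXPECTED_ISSUER_ORG = "Google Trust Services"


def issuer_org(cert):
    """Pull organizationName out of the nested issuer tuple from getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def evaluate(tls_version, cert):
    """Return a list of findings; an empty list means the session matches the page."""
    findings = []
    if tls_version not in ALLOWED_TLS:
        findings.append(f"unexpected protocol {tls_version}")
    org = issuer_org(cert)
    if org != EXPECTED_ISSUER_ORG:
        # One possible cause: a TLS-inspecting proxy re-signing the session.
        findings.append(f"issuer is {org!r}, expected {EXPECTED_ISSUER_ORG!r}")
    return findings


def probe(host=HOST, port=PORT, timeout=10):
    """Open one outbound TCP/443 session, validating chain and host name."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return evaluate(tls.version(), tls.getpeercert())


# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_OK = {"issuer": ((("countryName", "US"),),
                        (("organizationName", "Google Trust Services"),),
                        (("commonName", "EXAMPLE-CA"),))}
SAMPLE_PROXY = {"issuer": ((("organizationName", "Example Corp Inspection CA"),),)}

if __name__ == "__main__":
    print("sample ok:", evaluate("TLSv1.3", SAMPLE_OK))
    print("sample proxy:", evaluate("TLSv1.2", SAMPLE_PROXY))
    try:
        print("live:", probe() or "matches documented settings")
    except OSError as exc:  # covers ssl.SSLError, refused and timed-out connections
        print("live check failed (firewall, proxy or trust store):", exc)
```

Run it from the host where the data collector is installed, so that the result reflects the same firewall and proxy path the collector uses.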
At the IBM Cloud data center
IBM Storage Insights is hosted in IBM Cloud data centers, which comply with high physical, technical, and organizational security standards.
- Key security
Each instance of IBM Storage Insights uses a local keystore that is dedicated to that instance and is password protected. The password for the keystore is generated randomly when the instance is created. The certificate in the keystore is unique to each instance and the keystore password is encrypted. (The encryption doesn't include hardware encryption.) The master password is kept encrypted in the service payload configuration in a secure location in IBM Cloud®.
There is only one external customer key, which is the public key that is certified by DigiCert. As part of the TLS Handshake and certificate exchange, the client (Web Browser) uses the signed certificate to verify that it is communicating with the IBM Storage Insights gateway in IBM Cloud and that communications are not tampered with. For internal traffic, each customer's instance of IBM Storage Insights has a unique key, which is protected with a unique, encrypted password, and which is self-signed by IBM to validate that the communication is between the customer and the customer's instance.
Key rotation: A new master key is created and added to the keystore when the instance is created and when the instance is upgraded. Instances are upgraded at least once every three months, which results in an implicit key rotation of not less than 90 days. The public key that is certified by DigiCert is updated every 2 years.
This results in end-to-end privacy and encryption for each instance of IBM Storage Insights.
- Physical protection
The data centers are rigorously controlled and onsite security is provided round the clock. Access to server rooms is limited to certified employees and security controls are vetted by third-party auditors.
See https://www.ibm.com/cloud-computing/bluemix/data-centers and https://www.ibm.com/cloud/security.
- Technical security
IBM Storage Insights is built with a multi-tenant SaaS architecture. Multiple SaaS instances, or tenants, are hosted from a single multi-tenant application that spans the resources of many shared servers and services. Even though any two tenants might share common resources, no tenant can see the data of other tenants or even know that other tenants exist.
In this multi-tenant SaaS architecture, IBM Storage Insights uses a virtualization technology called "containers". If you are familiar with Docker, containers are the technology behind it. The resulting container consists of just the application and a very small overhead for dependencies. The application within the container is composed of multiple, independent micro-services, each based on a functional area. For example, there is one micro-service for the web server and another to process performance data. The collection of all the containers for the various micro-service applications makes up the entire multi-tenant IBM Storage Insights server.
To keep track of all the IBM Storage Insights containers, Kubernetes is used as the container management tool. Kubernetes organizes containers into pods that are deployed on nodes in the cluster. Each IBM Storage Insights tenant is containerized within a Kubernetes cluster, which enables scalability, high availability, and disaster tolerance. The Kubernetes cluster uses enterprise-class IBM Cloud security, providing optimal communication and lower front-end latency to IBM Storage Insights containers and services. Additionally, back-end storage and SAN resources use the same enterprise-class IBM Cloud security.
- Database security
IBM Storage Insights uses IBM Cloud databases built on Apache Cassandra. It’s designed to power real-time applications with high availability and massive scalability. With its NoSQL workloads, a smooth and secured experience is natively integrated into the IBM Cloud. The Cassandra database protects against unauthorized access, provides data resiliency, is SOC/ISO certified, and is GDPR/HIPAA/PCI DSS compliant.
For more information about Cassandra's compliance and certifications, see https://cloud.ibm.com/docs/databases-for-cassandra?topic=databases-for-cassandra-security-compliance.
- Organizational security
Access to the infrastructure and instances for IBM Storage Insights is controlled:
- By restricting access to the members of the DevOps team and cloud service infrastructure teams who qualify as privileged users.
- By conducting regular system health and vulnerability scans at the source code level and on the running instances.
- By conducting regular penetration tests. External companies conduct the penetration tests.