Security
Protecting application data for large-scale web and mobile apps can be complex, especially with distributed and NoSQL databases.
Just as it reduces the effort of maintaining your databases to keep them running and growing nonstop, IBM® Cloudant® for IBM Cloud® also ensures your data stays secure and protected.
Tier one physical platforms
The IBM Cloudant DBaaS is physically hosted on Tier-1 cloud infrastructure providers such as IBM Cloud® and Amazon. Therefore, your data is protected by the network and physical security measures that are employed by those providers, including (but not limited to):
- Certifications - Compliance with SSAE16, SOC2 Type 1, ISAE 3402, ISO 27001, CSA, and other standards.
- Access and identity management.
- General physical security of data centers and network operations center monitoring.
- Server hardening.
- IBM Cloudant gives you the flexibility to choose or switch among the different providers as your SLA and cost requirements change.
More details about the certifications are available in the Compliance information.
Secure access control
IBM Cloudant has a multitude of built-in security features for you to control access to data:
| Feature | Description |
|---|---|
| Authentication | IBM Cloudant is accessed by using an HTTPS API. Where the API endpoint requires it, the user is authenticated for every HTTPS request IBM Cloudant receives. IBM Cloudant supports both legacy and IAM access controls. For more information, see the IAM guide or the legacy Authentication API document. |
| Authorization | IBM Cloudant supports both legacy and IAM access controls. The IBM Cloudant team recommends that you use IAM access controls for authentication whenever possible. If you're using IBM Cloudant legacy authentication, IBM Cloudant team recommends that you use API keys rather than account-level credentials for programmatic access and replication jobs. For more information, see the IAM guide or the legacy Authentication document and the legacy Authorization document. |
| At-rest encryption | All data that is stored in an IBM Cloudant instance is encrypted at rest by using LUKS1 with 256-bit Advanced Encryption Standard (AES-256). By default, IBM Cloudant manages the encryption keys for all environments. If you require bring-your-own-key (BYOK) encryption for encryption-at-rest, BYOK is enabled by using your encryption key that is stored in an IBM Cloud Key Protect instance. IBM Cloudant supports the BYOK feature for new IBM Cloudant Dedicated Hardware plan instances that are deployed in all regions. For more information, see the Creating an IBM Cloudant Dedicated Hardware plan instance tutorial for details on how to choose BYOK at provisioning time. |
| In-flight encryption | All access to IBM Cloudant is encrypted by using HTTPS. |
| Client-side encryption | Customers can use client-side encryption to ensure that the data protection is controlled by the data owner and the data is never visible to the service provider. |
| TLS | IBM Cloudant requires the use of TLS 1.2+. IBM Cloudant strongly recommends that you do not pin certificates in your application. Certificates renew regularly, at least annually, and intermediate and root certificates could change when they do. IBM Cloudant does not send out notifications before certificate renewals. We recommend that you keep your certificate truststore up to date with the latest root certificates. IBM Cloudant acquires its certificates from DigiCert. You can find their root certificates on the DigiCert Trusted Root Authority Certificates page. IBM Cloudant sends a notification if we move to a different certificate authority. |
| Public Endpoints | All IBM Cloudant instances are provided with external endpoints that are publicly accessible. |
| Private Endpoints | All instances that you deploy on Dedicated Hardware plan environments also have private (internal) endpoints. Using private endpoints allows customers to connect to an IBM Cloudant instance through the internal IBM Cloud® network to avoid upstream application traffic from going over the public network and incurring bandwidth charges. For more information, see Service Endpoint documentation, and also, see documentation about enabling Service Endpoints for your IBM Cloud® account. If you want to allow only a subset of IP addresses to be able to access your application, refer to IP allowlisting in the next row. |
| IP allowlisting | IBM Cloudant customers, who have an IBM Cloudant Dedicated Hardware plan environment, can allowlist IP addresses to restrict access to only specified servers and users. IP allowlisting isn't available for any IBM Cloud Public Lite or Standard plans that are deployed on multi-tenant environments. Open a support ticket to request an IP allowlist for a specific set of IP addresses or IP ranges. The public and private network allowlists can be managed independently, and the public allowlist can be set to block all traffic so that all traffic is over the private endpoints. IP allowlists apply to both the IBM Cloudant API and Dashboard, so be mindful to include any administrator IP addresses that need to access the IBM Cloudant Dashboard directly. |
| CORS | Enable CORS support for specific domains by using the IBM Cloudant Dashboard or API. For more information, see the CORS API documentation. |
Protection against data loss or corruption
IBM Cloudant has a number of features to help you maintain data quality and availability:
| Feature | Description |
|---|---|
| Redundant and durable data storage | By default, IBM Cloudant saves to disk three copies of every document to three different nodes in a cluster. Saving the copies ensures that a working failover copy of your data is always available, regardless of failures. |
| Data Replication and export | You can replicate your databases continuously between clusters in different data centers or Apache CouchDB. Another option is to export data from IBM Cloudant (in JSON format) to other locations or sources (such as your own data center) for added data redundancy. |