Securing your data

To ensure that you can securely manage your data when you use Activity Tracker Event Routing, it is important to know exactly what data is stored and encrypted, and how you can delete any stored data.

What data is stored in Activity Tracker Event Routing

When you use Activity Tracker Event Routing to manage your audit events, you should differentiate between configuration data and audit data.

Configuration data

To configure Activity Tracker Event Routing, you must configure account settings, targets, and routes. You can configure these resources by using REST API calls, CLI commands, or Terraform scripts. The definitions of these resources are hosted on IBM Cloud.

  • You can configure the Activity Tracker Event Routing account settings to indicate the primary and backup metadata locations where global definitions, such as route definitions, are stored, and the type of endpoints that are enabled.

    You can set the primary metadata location by configuring the account settings. Alternatively, when you define the first target in the account, the location where that target is defined is automatically set as the primary metadata location.

    The backup metadata location is optional. To define one, you must configure the account settings.

  • You can define targets in any supported region.

    You can control the locations in the account where a target is defined by specifying the allowed locations in the Activity Tracker Event Routing account settings.

    Target definitions are stored in the primary metadata location. If you have a backup metadata location, target definitions are also stored there.

  • Route definitions are stored in the primary metadata location. If you have a backup metadata location, route definitions are also stored there.
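The placement rules above (a target location checked against the permitted locations, the first target fixing the primary metadata location when none is set yet, and every definition stored in the primary location plus the backup location when one is configured) can be made concrete with a small model. The following Python is an added example, not code from the IBM Cloud documentation or from the Activity Tracker Event Routing service. The field names `metadata_region_primary`, `metadata_region_backup` and `permitted_target_regions`, the `define_target` function, and the sample account are assumptions chosen for the example, not the service's schema.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AccountSettings:
    """Account-level settings this page describes. Field names are assumed
    for the example; they are not the service's documented schema."""
    metadata_region_primary: Optional[str] = None   # where global definitions live
    metadata_region_backup: Optional[str] = None    # optional second copy
    permitted_target_regions: List[str] = field(default_factory=list)  # empty = any location


@dataclass
class Target:
    name: str
    region: str


def storage_locations(settings: AccountSettings) -> List[str]:
    """Metadata locations that hold a target or route definition: the primary
    location, plus the backup location when one is configured."""
    locations: List[str] = []
    if settings.metadata_region_primary:
        locations.append(settings.metadata_region_primary)
    if settings.metadata_region_backup:
        locations.append(settings.metadata_region_backup)
    return locations


def define_target(settings: AccountSettings, target: Target,
                  existing: List[Target]) -> List[str]:
    """Validate a new target against the account settings, record it, and
    return the metadata locations where its definition is stored.

    Rules applied:
    - when the account restricts target locations, the target's location
      must be one of the permitted locations;
    - when no primary metadata location is set, the first target's location
      becomes the primary metadata location.
    """
    allowed = settings.permitted_target_regions
    if allowed and target.region not in allowed:
        raise ValueError(
            f"target {target.name!r}: location {target.region!r} is not permitted "
            f"(allowed locations: {allowed})")
    if settings.metadata_region_primary is None:
        # First target in the account: its location becomes the primary
        # metadata location automatically.
        settings.metadata_region_primary = target.region
    existing.append(target)
    return storage_locations(settings)


if __name__ == "__main__":
    # Constructed sample account: no primary location yet, two permitted locations.
    settings = AccountSettings(permitted_target_regions=["us-south", "eu-de"])
    targets: List[Target] = []
    print(define_target(settings, Target("cos-audit-bucket", "us-south"), targets))
    settings.metadata_region_backup = "eu-de"
    print(define_target(settings, Target("logs-eu", "eu-de"), targets))
    try:
        define_target(settings, Target("unexpected", "jp-tok"), targets)
    except ValueError as err:
        print("rejected:", err)
```

Running the module shows the first target setting `us-south` as the primary location, the second target being stored in both `us-south` and the `eu-de` backup, and a target in a non-permitted location being rejected before anything is recorded.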

Auditing data

Activity Tracker Event Routing routes management and data events from IBM Cloud services and resources:

  • Management Events are generated when an API call changes the state of a Cloud resource. A resource might be an entire service instance or a resource managed by the service.
  • Data Events are generated when an API call reads or modifies a resource's data.

Data from IBM Cloud services and resources is generated automatically. However, you might need to upgrade the service plan, apply a configuration setting, or both, to enable events in your account for selected services.

Activity Tracker Event Routing does not store auditing events. By configuring Activity Tracker Event Routing, you define the target where the auditing data that is generated in the account is routed and uploaded. You can route auditing events to targets that are available in the account or in a different account.

How your data is stored and encrypted

Configuration data

You can configure Activity Tracker Event Routing resources by using public and private endpoints.

To ensure that you have enhanced control and security over your data, your account must be virtual routing and forwarding (VRF) enabled and you must use private routes to IBM Cloud® service endpoints. Consider configuring Activity Tracker Event Routing resources over a private network connection.

Activity Tracker Event Routing stores the configuration of settings, targets, and routes for your account.

  • Connections use TLS/SSL encryption for data in transit. The current supported version of this encryption is TLS 1.2.
  • The storage where the configuration is stored is encrypted with LUKS using AES-256.

Auditing data

You can define one or more routing rules that define how auditing events are routed in the account. Auditing data is sent from an IBM Cloud service to your target service in IBM Cloud over a private connection. The connection supports TLS 1.2.

You can route auditing data to any of the following target types:

  • An IBM Cloud Object Storage bucket: You create and manage the bucket, and the data that is collected in the bucket. For more information about COS data security, see Data security.
  • An Activity Tracker instance: You manage the instance and the data that is collected in the instance. For more information, see Data security.
  • An IBM Cloud Logs instance: You manage the instance and the data that is collected in the instance. For more information, see Data security.
  • An Event Streams topic: You create and manage the topic. For more information, see Data security.

How you can delete any stored data

Configuration data

Activity Tracker Event Routing stores configuration data only.

You can delete any route or target by using the API, the CLI, or Terraform scripts. You can also reset the account settings, other than the primary metadata location, to empty values.

  • To stop Activity Tracker Event Routing from routing audit events to the configured targets, you must remove any default targets and delete all routes.
  • To delete auditing event destinations, you must delete the target definitions.
  • To remove any account setting, you can reset the account default settings.
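The three deletion steps above have an order that matters: default targets are removed and routes are deleted first, so that no route or default-target reference still points at a target when the target definitions go, and the account settings are reset last with the primary metadata location kept. The following Python is an added example, not code from the IBM Cloud documentation or from the Activity Tracker Event Routing service: it turns a snapshot of an account's configuration data into that ordered list of API calls and runs it through an injected sender, so it can be checked offline. The paths `/api/v2/settings`, `/api/v2/routes/{id}` and `/api/v2/targets/{id}`, the settings field names, and the sample snapshot are assumptions chosen for the example, not the service's documented API.

```python
from typing import Callable, Dict, List, Tuple

# Assumed REST paths and settings field names, modelled on the three resource
# types this page describes (settings, targets, routes). They are placeholders
# for the example, not the service's documented API.
SETTINGS_PATH = "/api/v2/settings"
ROUTES_PATH = "/api/v2/routes"
TARGETS_PATH = "/api/v2/targets"

Operation = Tuple[str, str, Dict]  # (HTTP method, path, JSON body; {} for DELETE)

# Constructed snapshot of an account's configuration data: two routes feeding
# one target, which is also the account's default target.
SAMPLE_SNAPSHOT: Dict = {
    "settings": {
        "metadata_region_primary": "us-south",
        "metadata_region_backup": "eu-de",
        "permitted_target_regions": ["us-south", "eu-de"],
        "default_targets": ["target-cos-1"],
    },
    "routes": [{"id": "route-mgmt-1", "targets": ["target-cos-1"]},
               {"id": "route-data-1", "targets": ["target-cos-1"]}],
    "targets": [{"id": "target-cos-1", "region": "us-south"}],
}


def plan_teardown(snapshot: Dict) -> List[Operation]:
    """Ordered API calls that stop routing and remove every configuration
    resource, leaving only the primary metadata location in place.

    Ordering: default targets are cleared and all routes are deleted before
    any target, so no route or default-target reference is left pointing at
    a target that no longer exists at any step of the plan.
    """
    settings = snapshot["settings"]
    ops: List[Operation] = []

    # 1. Remove default targets so account-wide routing stops.
    if settings.get("default_targets"):
        ops.append(("PUT", SETTINGS_PATH, {**settings, "default_targets": []}))

    # 2. Delete all routes (the routing rules).
    for route in snapshot["routes"]:
        ops.append(("DELETE", f"{ROUTES_PATH}/{route['id']}", {}))

    # 3. Delete all target definitions (the auditing-event destinations).
    for target in snapshot["targets"]:
        ops.append(("DELETE", f"{TARGETS_PATH}/{target['id']}", {}))

    # 4. Reset the remaining settings to empty values. The primary metadata
    #    location is the one setting that cannot be reset, so it is kept.
    ops.append(("PUT", SETTINGS_PATH, {
        "metadata_region_primary": settings["metadata_region_primary"],
        "metadata_region_backup": "",
        "permitted_target_regions": [],
        "default_targets": [],
    }))
    return ops


def apply_plan(plan: List[Operation],
               send: Callable[[str, str, Dict], int]) -> List[int]:
    """Run the plan in order through `send(method, path, body) -> HTTP status`.
    Halts at the first non-2xx response so a partial teardown is not silently
    reported as complete."""
    statuses: List[int] = []
    for method, path, body in plan:
        status = send(method, path, body)
        statuses.append(status)
        if not 200 <= status < 300:
            raise RuntimeError(f"{method} {path} returned {status}; teardown halted")
    return statuses


def recording_sender(log: List[str]) -> Callable[[str, str, Dict], int]:
    """Offline stand-in for an HTTP client: records each call and reports 200.
    A real sender would issue the request to the service endpoint with an
    IAM bearer token."""
    def send(method: str, path: str, body: Dict) -> int:
        log.append(f"{method} {path}")
        return 200
    return send


if __name__ == "__main__":
    calls: List[str] = []
    apply_plan(plan_teardown(SAMPLE_SNAPSHOT), recording_sender(calls))
    print("\n".join(calls))
```

Separating the plan from its execution lets you review the exact sequence of deletions (and the final settings body) before anything is sent, and the halt-on-error behaviour means a rejected target deletion leaves the account in a state you can inspect rather than continuing to reset settings over a half-removed configuration.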

Auditing data

To delete auditing data, check the target type instructions.