Security and Compliance
Protection Against Unauthorized Access
IBM Cloud® Messages for RabbitMQ uses the following methods to protect data in transit and at rest.
- All Messages for RabbitMQ connections use TLS/SSL encryption for data in transit. The current supported version of this encryption is TLS 1.2.
- Access to the Account, Management Console UI, and API is secured via Identity and Access Management (IAM).
- Access to the database is secured through the standard access controls provided by the database. These access controls are configured to require valid database-level credentials that are obtainable only through prior access to the database or through our Management Console UI or API.
- All Messages for RabbitMQ disk storage is provided on volumes encrypted with LUKS using AES-256. The default keys are managed by Key Protect. Bring-your-own-key (BYOK) for encryption is also available through Key Protect integration.
- IP allowlisting - All deployments support allowlisting IP addresses to restrict access to the service.
- Public and Private Networking - Messages for RabbitMQ is integrated with Service Endpoints. You can select whether to use connections over the public network, the IBM Cloud internal network, or both.
- Dedicated Cores - Allocating dedicated cores to your deployment introduces hypervisor-level isolation to your database instance, using isolated virtual machines to ensure your data processing remains separated from other customers. It also provides a guaranteed minimum number of CPUs to your deployment. Deployments with dedicated cores in the same Resource Group and IBM Cloud Region can share a virtual machine.
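A client-side counterpart to the TLS and credential points above, added here as an example and not taken from the IBM documentation: it rejects a plaintext amqp:// connection string and builds a Python ssl context that refuses anything below TLS 1.2 and validates the server certificate. The sample URL, the CA bundle path and the use of the pika client are assumptions.

```python
import ssl
from typing import Optional
from urllib.parse import urlparse


def validate_amqps_url(url: str) -> bool:
    """Return True only when the connection string uses the TLS-protected
    amqps scheme and names a host. A plain amqp:// URL is rejected so a
    misconfigured client cannot silently fall back to cleartext."""
    parsed = urlparse(url)
    return parsed.scheme == "amqps" and parsed.hostname is not None


def make_tls_context(ca_bundle_path: Optional[str] = None) -> ssl.SSLContext:
    """Build a client TLS context that enforces TLS 1.2 as the minimum
    version and requires a valid server certificate matching the hostname.
    ca_bundle_path is the CA certificate supplied with the deployment's
    connection details (assumed); None falls back to the system trust store."""
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def describe_tls_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings a reviewer would check on the context."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    # Constructed placeholder URL; not a real deployment or credential.
    url = "amqps://user:password@example-host.invalid:31234/vhost"
    if not validate_amqps_url(url):
        raise SystemExit("refusing non-TLS connection string")
    ctx = make_tls_context()  # pass the deployment's CA bundle path in practice
    print(describe_tls_policy(ctx))
    import pika  # third-party AMQP client, assumed installed

    params = pika.URLParameters(url)
    params.ssl_options = pika.SSLOptions(ctx, server_hostname=urlparse(url).hostname)
    # pika.BlockingConnection(params) would now negotiate TLS >= 1.2 only.
```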
Data Resilience
- Backups are included in the service. Messages for RabbitMQ backups reside in IBM Cloud Object Storage and are also encrypted.
- RabbitMQ backups contain only definitions, topology, and metadata. Messages are not stored in backups.
- All Messages for RabbitMQ deployments are configured with replication. Deployments contain a cluster with three nodes where all three nodes are equal peers. Queues are mirrored on all three nodes.
- If you deploy to an IBM Cloud Single-Zone Region (SZR), each database node resides on a different host in the data center.
- If you deploy to an IBM Cloud Multi-Zone Region (MZR), the nodes are spread over the region's availability zone locations.
SOC 2 Type 2 Certification
IBM provides a Service Organization Controls (SOC) 2 Type 2 report for Messages for RabbitMQ. The reports evaluate IBM's operational controls according to the criteria set by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. The Trust Services Principles define adequate control systems and establish industry standards for service providers such as IBM Cloud to safeguard their customers' data and information.
You can request a SOC 2 Type 2 report from the customer portal or contact your sales representative. Alternatively, you can open a support ticket with IBM Cloud support.
ISO 27017, ISO 27018
Messages for RabbitMQ conforms to the guidelines for information security controls applicable to the provision and use of cloud services that are defined in ISO 27017 and ISO 27018.
General Data Protection Regulation (GDPR)
If you have an account with IBM Cloud, your personal data is held by IBM Cloud. The IBM Data Processing Addendum (Addendum) applies to the processing of the client's personal data by IBM on behalf of the client in order to provide IBM standard services.
Messages for RabbitMQ processes limited client Personal Information (PI) in the course of running the service and optimizing the user experience.
Messages for RabbitMQ provides a Data Sheet Addendum (DSA) with its policies as a Data Processor regarding content and data protection.
HIPAA
Messages for RabbitMQ meets the required IBM controls that are commensurate with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Privacy Rule requirements. These requirements include the appropriate administrative, physical, and technical safeguards required of Business Associates in 45 CFR Part 160 and Subparts A and C of Part 164. HIPAA must be requested at the time of provisioning and requires a representative to sign a Business Associate Addendum (BAA) agreement with IBM.
PCI DSS
Messages for RabbitMQ is compliant with the Payment Card Industry Data Security Standard (PCI DSS). IBM Cloud completes annual PCI DSS assessments by using an approved Qualified Security Assessor (QSA), and the resulting Attestations of Compliance (AOCs) and Service Responsibility Matrix (SRM) guides are available upon customer request. Auditors reviewed Messages for RabbitMQ for compliance under PCI DSS version 3.2.1 at Service Provider Level 1.
Customers are responsible for storing, processing, and transmitting their cardholder data, and can create cardholder data environments (CDEs) that store, transmit, or process cardholder data by using Messages for RabbitMQ. Customers can request and use the IBM Cloud AOCs and SRM guides when they seek their own PCI DSS certifications. It is the responsibility of the customer to document and operate CDEs and applications that are built by using IBM Cloud Platform services in a PCI DSS-compliant manner.
It is the customer’s responsibility to familiarize themselves with these processes and to manage data retention and removal from the service according to the customer’s policies.
A full list of PCI DSS-ready IBM Cloud Platform services, and options to request a PCI DSS AOC and SRM guide, can be found at the IBM Cloud compliance page.