Architecture decisions for security

There are two sets of architectural decisions in this pattern: one pertains to IBM Cloud Satellite and the other to IBM Maximo Application Suite.

Architecture decisions for data security: Encryption in Maximo Application Suite

The following are architecture decisions about security for IBM Maximo Application Suite.

Data encryption architecture decisions for Maximo Application Suite

Architecture decision: Encryption of databases
  Requirement: Encrypt data in the database to protect it from unauthorized disclosure.
  Options:
    • Use system-generated values
    • Bring Your Own encryption keys
  Decision: Use system-generated values
  Rationale: Encryption keys and encryption algorithms are specified when configuring IBM Maximo Application Suite Manage. Choose the fields that require security; the secret is generated automatically.

Architecture decision: Data encryption of backups
  Requirement: Encrypt and compress backup data to protect it from unauthorized access.
  Options:
    • Use the tar command
    • Bring Your Own encryption tool and service
  Decision: Bring Your Own encryption tool and service
  Rationale: The admin can run the tar command to create the archive, which is then encrypted with the customer's own tool. Remember to decrypt the archive before restoring data from the backup; an encrypted archive whose key has been lost or rotated away cannot be restored.

Architecture decision: Data encryption of logs
  Requirement: Encrypt all operational and audit logs at rest to protect them from unauthorized disclosure.
  Options:
    • Bring Your Own encryption tool and service
  Decision: Bring Your Own encryption tool and service
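The "Data encryption of backups" row leaves the encryption tool to the customer. The following script is an added example, not code from the IBM page: it uses tar for the archive and openssl enc as the bring-your-own encryption tool, keeping the cleartext archive off disk by streaming tar straight into openssl, and shows the restore path the row warns about. Everything in it is an assumption for illustration: the backup is a plain directory, the key file is provisioned and protected separately (for example from your KMS), and openssl 1.1.1 or later is installed. The sample backup contents and keys are constructed inside the script.

```sh
#!/bin/sh
# Added example (not IBM's code): tar + openssl as a "Bring Your Own encryption
# tool" for a Maximo backup, with the matching decrypt-before-restore step.
# Assumptions: backup is a directory, key file is managed outside this script,
# openssl >= 1.1.1 (for -pbkdf2/-iter).
set -eu

# encrypt_backup SRC_DIR KEY_FILE OUT_FILE
# gzip-compressed tar of SRC_DIR, encrypted with AES-256-CBC; the key is derived
# from the passphrase in KEY_FILE with PBKDF2 and a fresh salt per archive, so
# two archives made with the same key file never share ciphertext.
encrypt_backup() {
  src_dir=$1 key_file=$2 out_file=$3
  tar -C "$(dirname "$src_dir")" -czf - "$(basename "$src_dir")" |
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
      -pass "file:$key_file" -out "$out_file"
  chmod 0600 "$out_file"
}

# restore_backup ENC_FILE KEY_FILE DEST_DIR
# Decrypts with the same key and unpacks under DEST_DIR. With the wrong key
# openssl emits garbage and tar fails, so the pipeline status is non-zero.
restore_backup() {
  enc_file=$1 key_file=$2 dest_dir=$3
  mkdir -p "$dest_dir"
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -pass "file:$key_file" -in "$enc_file" |
    tar -C "$dest_dir" -xzf -
}

# --- demo on constructed data (a real run points at the DB export directory) ---
WORK=$(mktemp -d)
mkdir -p "$WORK/manage-backup"
# Constructed sample content standing in for a database export.
printf 'customer=ACME\napikey=constructed-sample-secret\n' > "$WORK/manage-backup/export.sql"

# Constructed demo keys; in practice the key comes from your key management service.
openssl rand -hex 32 > "$WORK/backup.key"
chmod 0600 "$WORK/backup.key"
openssl rand -hex 32 > "$WORK/wrong.key"

encrypt_backup "$WORK/manage-backup" "$WORK/backup.key" "$WORK/manage-backup.tar.gz.enc"
restore_backup "$WORK/manage-backup.tar.gz.enc" "$WORK/backup.key" "$WORK/restore"
echo "restored to $WORK/restore/manage-backup"
```

The design point is that the key file, not the archive, is the thing to protect and to keep available for the life of the backup: store it in the key management service chosen in the next table, and test a restore with it as part of the backup drill rather than discovering a missing key during an incident.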

Architecture decisions for data security: Key management in Maximo Application Suite

Key management architecture decisions for Maximo Application Suite

Architecture decision: Key lifecycle management and hardware security modules
  Requirement: Encrypt data at rest and in transit by using customer-managed keys to protect it from unauthorized access.
  Options:
    • Key Protect
    • Hyper Protect Crypto Services (HPCS)
  Decision: Key Protect
  Rationale: Key Protect is recommended for applications that must comply with regulations that require encryption of data with customer-managed keys. Key Protect provides key management services backed by shared, multi-tenant, FIPS 140-2 Level 3 certified hardware security modules. HPCS is the alternative when the regulation requires a dedicated, single-tenant HSM (FIPS 140-2 Level 4) that the customer alone controls.

Architecture decision: Certificate management
  Requirement: Manage and deploy SSL/TLS certificates for Maximo applications.
  Options:
    • IBM Certificate Manager
    • Bring Your Own Certificate Manager
  Decision: IBM Certificate Manager
  Rationale: IBM Certificate Manager controls certificate management in IBM Maximo Application Suite 8.8 and later. It is installed automatically as part of the IBM Maximo Application Suite installation.

Architecture decisions for identity and access management in Maximo Application Suite

Identity and access management architecture decisions for Maximo Application Suite

Architecture decision: Identity and access management (IAM)
  Requirement: Administer users.
  Options:
    • Local users
    • Lightweight Directory Access Protocol (LDAP) users
    • External users
  Decision: Local users
  Rationale: IBM Maximo Application Suite user records are stored in the MongoDB core database. For more information, see Administering users and user access.

Architecture decision: IAM
  Requirement: Use a method to authenticate users.
  Options:
    • Local authentication
    • LDAP authentication
    • Security Assertion Markup Language (SAML) authentication
  Decision: Local authentication
  Rationale: With local authentication, IBM Maximo Application Suite provides single sign-on (SSO) for all fully integrated applications. For more information, see Authentication methods.

Architecture decision: IAM
  Requirement: Securely authenticate users for platform services and control access to resources consistently across IBM Cloud.
  Options:
    • IBM Cloud IAM
  Decision: IBM Cloud IAM
  Rationale: Create an IBM Cloud account, then use IAM access policies to grant users, service IDs, and trusted profiles access to resources within the account. For more information, see Creating your IBM Cloud account and configuring permissions.

Architecture decision: Privileged access management
  Requirement: Ensure that all operator actions are run securely through a bastion host.
  Options:
    • Bastion host
  Decision: Bastion host
  Rationale: The bastion host VM is used to provision the OCP bootstrap node. Operators reach it over SSH on a private network, and from it access resources inside IBM Cloud's private network, so no cluster node needs to accept SSH from the public internet. For more information, see Maximo Application Suite on-premises installation topology.

Architecture decisions for application security in Maximo Application Suite

Application security architecture decisions for IBM Maximo Application Suite

Architecture decision: DDoS
  Requirements:
    • Enforce information flow policies and protect the boundaries of the application.
    • Protect against or limit the effects of denial-of-service attacks.
  Options:
    • IBM Cloud Internet Services (CIS)
  Decision: IBM CIS
  Rationale: IBM CIS provides DDoS protection for applications that are exposed to the public network. For more information, see Installing Cloud Internet Services.

Architecture decisions for license management in Maximo Application Suite

License management architecture decisions for Maximo Application Suite

Architecture decision: License management
  Requirement: Manage virtualized environments and measure license utilization.
  Options:
    • Suite License Service (SLS)
  Decision: SLS
  Rationale: The Suite License Service (SLS) stores and manages the Maximo® Application Suite license. The license file is uploaded to the SLS server as part of initial setup. For more information, see Suite License Service.

Architecture decision: Administering licenses
  Requirement: Administer licenses and AppPoint usage.
  Options:
    • Customer managed
    • IBM managed
  Decision: IBM managed
  Rationale: IBM-managed licensing is handled by an IBM Maximo Application Suite representative. For more information, see customer-managed.

The following sections summarize the security architecture decisions for the IBM Cloud Satellite on-premises location.

Architecture decisions for data encryption in Satellite

The following are architecture decisions about security for IBM Cloud Satellite.

Data encryption architecture decisions for Satellite

Architecture decision: Data encryption
  Requirement: Encryption at rest for Satellite worker node data.
  Options:
    • Worker node storage encryption: customer
  Decision: Worker node storage encryption: customer
  Rationale: The customer is responsible for encrypting the boot disk and any additional disks that are attached to the Satellite worker node hosts, to keep data secure and meet regulatory requirements.

Architecture decision: Encryption at rest
  Requirement: Red Hat OpenShift persistent storage.
  Options:
    • Backing-storage device encryption
    • Cluster volume encryption with a Kubernetes Secret
    • IBM® Key Protect
    • Bring your own Hardware Security Module (HSM)
  Decision: Cluster volume encryption with a Kubernetes Secret
  Rationale:
    • The customer is responsible for encrypting persistent storage by configuring storage device encryption or cluster encryption, if the storage provider supports it. In this solution, Portworx provides persistent storage for Red Hat OpenShift cluster workloads.
    • Example Portworx setup: volume encryption with customer keys stored in a Kubernetes Secret, which encrypts volume data at rest and in transit between nodes.
    • Enable encryption of Kubernetes Secrets in etcd as well; otherwise the volume key is stored in cleartext in the cluster datastore, which undoes the volume encryption.

Architecture decision: Encryption at rest and in transit
  Requirement: Backup storage.
  Options:
    • IBM Cloud Object Storage encrypted with provider keys
    • IBM Cloud Object Storage encrypted with a Key Management Service (KMS)
  Decision: IBM Cloud Object Storage encrypted with provider keys
  Rationale: IBM-managed backups of the Satellite location control plane data are stored in customer-created IBM Cloud Object Storage buckets. The customer can choose to encrypt the bucket with IBM Cloud keys or with a KMS (Key Protect or Hyper Protect Crypto Services) created in the IBM Cloud multizone region (MZR) that manages the Satellite location. In this solution, the customer's IBM Cloud Object Storage bucket is encrypted with IBM Cloud keys.

Architecture decision: Encryption in transit
  Requirement: Satellite Link.
  Options:
    • Satellite Link encryption
  Decision: Satellite Link encryption
  Rationale: All data that is transported over Satellite Link is encrypted by using TLS 1.3. This encryption is managed by IBM.

Architecture decision: Encryption in transit
  Requirement: Red Hat OpenShift cluster workloads.
  Options:
    • App-level encryption that uses TLS
    • Red Hat OpenShift Service Mesh
  Decision: App-level encryption that uses TLS
  Rationale: Encryption in transit of application data is the customer's responsibility. Applications must use TLS 1.2 at a minimum; older protocol versions should be disabled on every listener.

Architecture decision: Certificates
  Requirement: Certificate lifecycle management.
  Options:
    • Secrets Manager on IBM Cloud
    • Bring your own certificates
  Decision: Bring your own certificates
  Rationale: The customer is responsible for providing and managing the TLS certificates that encrypt communication for workloads deployed on Satellite clusters.
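The "Encryption at rest" row for persistent storage describes two steps, Portworx volume encryption keyed from a Kubernetes Secret and encryption of the Secrets themselves in etcd, but not how an operator applies them. The script below is an added example, not code from IBM or Portworx, written as the operator would run it with oc. It assumes Portworx is installed in the portworx namespace and configured to use Kubernetes Secrets as its secret store (older installs use kube-system), that the Secret and key names follow Portworx's documented cluster-wide key convention, that the CSI provisioner name pxd.portworx.com is in use (the in-tree name is kubernetes.io/portworx-volume), and that this is a Red Hat OpenShift cluster whose API server accepts the aescbc encryption setting. The oc commands run only when APPLY=1, so the rendered manifests can be reviewed first.

```sh
#!/bin/sh
# Added example (not IBM's or Portworx's code): encryption at rest for
# OpenShift persistent storage on Satellite, in two steps.
#  1. Portworx volume encryption keyed from a Kubernetes Secret; PVCs from a
#     StorageClass with secure: "true" are encrypted on disk and between nodes.
#  2. Encrypt Secrets in etcd (OpenShift API server config), because a
#     cluster-wide volume key sitting in cleartext etcd undoes step 1.
# Assumptions: Portworx in $PX_NS using the k8s secret store; CSI provisioner
# name pxd.portworx.com; oc is logged in as cluster-admin when APPLY=1.
set -eu

PX_NS=${PX_NS:-portworx}
OUT=${OUT:-$(mktemp -d)}

# Writes the Secret holding a freshly generated 256-bit cluster-wide key.
# Prints the manifest path.
render_px_secret() {
  key=$(openssl rand -base64 32)
  cat > "$OUT/px-vol-encryption.yaml" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: px-vol-encryption
  namespace: $PX_NS
type: Opaque
stringData:
  cluster-wide-secret-key: "$key"
EOF
  echo "$OUT/px-vol-encryption.yaml"
}

# StorageClass whose volumes Portworx encrypts with the cluster-wide key.
render_secure_storageclass() {
  cat > "$OUT/px-secure-sc.yaml" <<EOF
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: px-secure-sc
provisioner: pxd.portworx.com
parameters:
  repl: "3"
  secure: "true"
EOF
  echo "$OUT/px-secure-sc.yaml"
}

# Guardrail for CI: succeeds only if MANIFEST is a StorageClass that requests
# encrypted volumes, so an unencrypted class cannot slip into the MAS namespace.
storageclass_is_secure() {
  grep -q '^kind: StorageClass$' "$1" && grep -q '^  secure: "true"$' "$1"
}

apply_encryption() {
  oc apply -f "$(render_px_secret)"
  # Point Portworx at that Secret as the cluster-wide encryption key.
  px_pod=$(oc -n "$PX_NS" get pods -l name=portworx -o jsonpath='{.items[0].metadata.name}')
  oc -n "$PX_NS" exec "$px_pod" -- /opt/pwx/bin/pxctl secrets set-cluster-key \
    --secret cluster-wide-secret-key
  oc apply -f "$(render_secure_storageclass)"
  # Step 2: encrypt Secrets, ConfigMaps, Routes and OAuth data in etcd.
  oc patch apiserver cluster --type merge -p '{"spec":{"encryption":{"type":"aescbc"}}}'
  # Encryption runs in the background; reason becomes EncryptionCompleted when done.
  oc get openshiftapiserver -o jsonpath='{.items[*].status.conditions[?(@.type=="Encrypted")].reason}'
}

if [ "${APPLY:-0}" = 1 ]; then
  apply_encryption
else
  render_px_secret >/dev/null
  render_secure_storageclass >/dev/null
  echo "manifests rendered in $OUT; run with APPLY=1 to apply them with oc"
fi
```

Two cautions follow from the design. The key in px-vol-encryption is the root of trust for every encrypted volume, so back it up through the key management path chosen in the key management table rather than only in etcd; and after enabling etcd encryption, confirm the Encrypted condition reports EncryptionCompleted before treating the cluster as compliant, because existing objects are re-encrypted asynchronously.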

Architecture decisions for identity and access management in Satellite

Identity and access management architecture decisions for Satellite

Architecture decision: IBM Cloud® Identity and Access Management (IAM)
  Requirement: Satellite location hosts.
  Options:
    • Cloud Identity and Access Management
  Decision: Cloud Identity and Access Management
  Rationale: After a host is assigned to a Satellite location, root SSH access is disabled (per the CIS benchmark) and access to the host is controlled by IAM access policies.

Architecture decision: IAM
  Requirement: Satellite location.
  Options:
    • IBM Cloud account setup
    • Account and resource organization
    • IBM Cloud IAM roles and access groups
  Decision: IBM Cloud account setup with account and resource organization and IBM Cloud IAM roles and access groups
  Rationale: Account structure and access management with IAM role-based access control enable zero trust through separation of duties and least-privileged access. IBM Cloud Satellite platform and service access roles in IAM are used to authenticate requests to the service and authorize user actions. For more information, see Account and resource organization and IBM Cloud IAM roles and access groups.

Architecture decision: IAM
  Requirement: Red Hat OpenShift clusters.
  Options:
    • IBM Cloud IAM roles
    • Kubernetes role-based access control (RBAC) roles
  Decision: IBM Cloud IAM roles together with Kubernetes RBAC roles
  Rationale:
    • Red Hat OpenShift on IBM Cloud uses IAM platform and service access roles to grant users access to the cluster.
    • RBAC roles and cluster roles define a set of permissions for how users can interact with Kubernetes resources in the cluster. RBAC roles can be bound to individual users, groups of users, or service accounts. For more granular access policies that allow only specific Kubernetes actions, apply custom RBAC policies.
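The Red Hat OpenShift clusters row says IAM roles admit users to the cluster and custom RBAC narrows what they can do, but it does not show what a least-privilege grant looks like at either layer. The script below is an added example, not code from the IBM page: it creates an IBM Cloud IAM access group holding only the Viewer platform role on Satellite and the Viewer platform plus Reader service role on Kubernetes Service, and binds that group to a namespaced Role that can read pods and logs in the Maximo namespace and nothing else. The group name mas-sre-readonly, the namespace mas-core, and the mapping of the IAM access group onto a Kubernetes Group subject are assumptions for illustration. The ibmcloud and oc commands run only when APPLY=1; the manifest rendering and the least-privilege check run offline.

```sh
#!/bin/sh
# Added example (not IBM's code): least-privilege cluster access on Satellite at
# both layers the IAM table describes.
#  1. IBM Cloud IAM: an access group with Viewer/Reader roles only.
#  2. Kubernetes RBAC: a namespaced read-only Role bound to that group.
# Assumptions: group name, namespace, and group-subject mapping are illustrative;
# ibmcloud/oc are logged in with sufficient rights when APPLY=1.
set -eu

GROUP=${GROUP:-mas-sre-readonly}
NS=${NS:-mas-core}
OUT=${OUT:-$(mktemp -d)}

# Renders a Role + RoleBinding: read-only verbs, no secrets, no pod exec,
# nothing cluster-scoped. Prints the manifest path.
render_readonly_rbac() {
  cat > "$OUT/readonly-rbac.yaml" <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${GROUP}
  namespace: ${NS}
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log", "services", "configmaps", "events"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${GROUP}
  namespace: ${NS}
subjects:
- kind: Group
  name: ${GROUP}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ${GROUP}
  apiGroup: rbac.authorization.k8s.io
EOF
  echo "$OUT/readonly-rbac.yaml"
}

# Guardrail: fails if MANIFEST grants write verbs or a wildcard, touches
# secrets, or is cluster-scoped; the three usual ways least privilege erodes.
rbac_is_least_privilege() {
  ! grep -Eq '"(create|update|patch|delete|deletecollection|\*)"' "$1" &&
  ! grep -q '"secrets"' "$1" &&
  ! grep -Eq '^kind: Cluster(Role|RoleBinding)$' "$1"
}

apply_access() {
  # IBM Cloud IAM side (account administrator): viewer-level roles only.
  ibmcloud iam access-group-create "$GROUP" -d "Read-only SRE access to Satellite and OpenShift"
  ibmcloud iam access-group-policy-create "$GROUP" --roles Viewer --service-name satellite
  ibmcloud iam access-group-policy-create "$GROUP" --roles Viewer,Reader --service-name containers-kubernetes
  # Cluster side: the group gets the namespaced Role and nothing more.
  oc apply -f "$(render_readonly_rbac)"
  # Spot check; expected answer is "no".
  oc auth can-i delete pods -n "$NS" --as=probe-user --as-group="$GROUP" || true
}

if [ "${APPLY:-0}" = 1 ]; then
  apply_access
else
  m=$(render_readonly_rbac)
  rbac_is_least_privilege "$m" && echo "rendered $m (passes least-privilege check)"
fi
```

Keep the IAM grant and the RBAC grant both minimal: the IAM Reader service role already maps to read-level cluster access, so the custom Role here narrows scope to one namespace rather than widening it, which is the direction custom RBAC should normally go.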

Architecture decisions for application security in Satellite

Application security architecture decisions for Satellite

Architecture decision: Application security
  Requirement: Enforce runtime security to protect against distributed denial-of-service (DDoS) attacks.
  Options:
    • Bring your own edge security
  Decision: Bring your own edge security
  Rationale: The customer is responsible for providing an edge security solution at the Satellite location to protect IBM Maximo Application Suite applications that are exposed to the public network.

Edge security generally protects against attacks and creates secure connections. It includes intrusion detection and prevention, URL and domain filtering, secure web gateway, zero trust network access (ZTNA), and other technologies, which help in isolating the Satellite location.

Architecture decisions for infrastructure and endpoint in Satellite

Infrastructure and endpoint architecture decisions for Satellite

Architecture decision: Network protection
  Requirement: Core network protection.
  Options:
    • Subnets and firewall rules
  Decision: Subnets and firewall rules
  Rationale: The customer is responsible for setting up and managing the physical and virtual networks, subnets, and firewall rules at the Satellite location to meet security and regulatory requirements.

Architecture decisions for threat detection and response in Satellite

Threat detection and response architecture decisions for Satellite

Architecture decision: Threat detection and response (TDR)
  Requirement: Identify and neutralize threats.
  Options:
    • Bring your own security information and event management (SIEM) tool, for example Splunk
    • IBM X-Force Threat Management
  Decision: Bring your own SIEM tool, for example Splunk
  Rationale: For hybrid cloud environments, customers typically prefer to keep using their existing on-premises SIEM tools, so that events from the Satellite location are correlated alongside the rest of the estate.