Architecture decisions for security
The following tables summarize the security architecture decisions for the deployment guide on migrating VMware workloads to Red Hat OpenShift Virtualization on IBM Cloud.
Architecture decisions for data security - encryption
| Architecture decision | Requirement | Option | Decision | Rationale |
|---|---|---|---|---|
| Encryption approach | Encrypt all data to protect it from unauthorized disclosure. | Encryption with provider-managed keys; encryption with customer-managed keys | Encryption with customer-managed keys | Customer-managed keys give the organization direct control over encryption: it owns, rotates, and revokes the keys, which supports compliance requirements, zero-trust security, reduced insider risk, and data portability. The approach also provides granular access control and auditability, and because the keys protect the data, revoking a key immediately renders that data inaccessible. |
| Data encryption at rest of primary storage | Encrypt all application data at rest to protect it from unauthorized disclosure. | Storage encryption with provider-managed keys; storage encryption with customer-managed keys | Storage encryption with provider-managed keys | Storage encryption with provider-managed keys automatically protects the worker nodes' OS and system files at rest with provider-controlled keys, providing confidentiality without the operational overhead of customer-managed keys. |
| Data encryption at rest of backups | Encrypt all backup data to protect it from unauthorized disclosure. | Encryption with provider-managed keys; encryption with customer-managed keys | Encryption with customer-managed keys | Customer-managed keys for backup storage let the organization control the keys that protect backup data, enabling key rotation, revocation, and auditability. This supports compliance, strengthens security, and makes it possible to render backups inaccessible when required. |
| Data encryption at rest of logs | Encrypt all operational and audit logs at rest to protect them from unauthorized disclosure. | Encryption with provider-managed keys; encryption with customer-managed keys | Encryption with customer-managed keys | Encrypting logs at rest with customer-managed keys gives the organization control over key management, which supports security and compliance and allows access to the logs to be restricted or revoked as needed. |
| Data encryption in transit of web app | Encrypt all application data in transit to protect it from unauthorized disclosure. | Application-level encryption with TLS | Application-level encryption with TLS | The web app serves HTTPS, so data in transit between clients and the application is encrypted with TLS. |
| Data encryption in transit of DB tier | Encrypt all application data in transit to protect it from unauthorized disclosure. | Application-level encryption with TLS | Application-level encryption with TLS | The database uses TLS to encrypt data in transit between the application tier and the database. |
Architecture decisions for data security - key management
| Architecture decision | Requirement | Option | Decision | Rationale |
|---|---|---|---|---|
| Key lifecycle management and HSM | Encrypt data at rest and in transit with customer-managed keys to protect it from unauthorized access. | Key Protect; Hyper Protect Crypto Services (HPCS) | Key Protect; HPCS for financial services and other highly regulated workloads | Key Protect is recommended for applications that must comply with regulations requiring encryption with customer-managed keys. It provides key management services backed by shared (multi-tenant) hardware security modules (HSMs) that are FIPS 140-2 Level 3 certified. HPCS is recommended for financial services and other highly regulated industry applications. It provides key management services with the highest level of security and control offered by any cloud provider: a dedicated (single-tenant) HSM that is FIPS 140-2 Level 4 certified, with support for customer-managed master keys that give the customer exclusive control of the entire key hierarchy. |
| Certificate management | Protect secrets through their entire lifecycle and secure them with access control measures. | Secrets Manager; BYO Certificate Manager | Secrets Manager | IBM Cloud Secrets Manager creates, leases, and centrally manages secrets that are used by IBM Cloud services or customer applications. Secrets are stored in a dedicated instance of Secrets Manager and can be encrypted with a root key from either IBM Cloud key management service (Key Protect or HPCS). |
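The customer-managed key decisions above (own, rotate, revoke) and the Key Protect/HPCS choice both rest on envelope encryption: the key service holds root keys that only ever wrap and unwrap per-object data encryption keys (DEKs), so the root key never leaves the HSM and the stored data is only as reachable as its root key. The Go program below is an added example, not code from this guide or from IBM Cloud. `rootKeyStore` is a hypothetical in-memory stand-in for the key service, the function names (`encryptEnvelope`, `rewrapEnvelope`, `decryptEnvelope`) and the sample plaintext are constructed for illustration, and it shows two things the table only asserts: rotation to a new root key rewrites only the wrapped DEK, never the bulk ciphertext, and revoking the root key makes the data unrecoverable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// rootKeyStore is a hypothetical in-memory stand-in for Key Protect/HPCS (not the IBM Cloud API); root keys never leave it.
type rootKeyStore map[string][]byte
var errNoRootKey = errors.New("root key is revoked or unknown")

// createRootKey adds a fresh 256-bit root key; revokeRootKey models disabling/deleting it, which makes every DEK wrapped under it unrecoverable.
func (s rootKeyStore) createRootKey(id string) { s[id] = randomBytes(32) }
func (s rootKeyStore) revokeRootKey(id string) { delete(s, id) }

// must panics on error: keys are always 32 bytes here so the AES-GCM constructors cannot fail, and a dead CSPRNG is unrecoverable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal is AES-256-GCM with the random nonce prepended; unseal rejects a wrong key or any
// modification of the ciphertext or associated data.
func seal(key, plaintext, aad []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// envelope is what reaches storage: ciphertext plus its DEK wrapped under a root key, whose ID is bound as associated data.
type envelope struct{ RootKeyID string; WrappedDEK, Ciphertext []byte }

// encryptEnvelope uses a fresh DEK per object and keeps no plaintext copy of it.
func encryptEnvelope(s rootKeyStore, rootID string, plaintext []byte) (*envelope, error) {
	rk, ok := s[rootID]
	if !ok {
		return nil, errNoRootKey
	}
	dek := randomBytes(32)
	return &envelope{rootID, seal(rk, dek, []byte(rootID)), seal(dek, plaintext, nil)}, nil
}
func unwrapDEK(s rootKeyStore, env *envelope) ([]byte, error) {
	rk, ok := s[env.RootKeyID]
	if !ok {
		return nil, errNoRootKey
	}
	return unseal(rk, env.WrappedDEK, []byte(env.RootKeyID))
}

// decryptEnvelope succeeds only while the root key named in the envelope still exists.
func decryptEnvelope(s rootKeyStore, env *envelope) ([]byte, error) {
	dek, err := unwrapDEK(s, env)
	if err != nil {
		return nil, err
	}
	return unseal(dek, env.Ciphertext, nil)
}

// rewrapEnvelope is root key rotation: only the wrapped DEK is rewritten, never the bulk data.
func rewrapEnvelope(s rootKeyStore, env *envelope, newRootID string) error {
	rk, ok := s[newRootID]
	if !ok {
		return errNoRootKey
	}
	dek, err := unwrapDEK(s, env)
	if err != nil {
		return err
	}
	env.RootKeyID, env.WrappedDEK = newRootID, seal(rk, dek, []byte(newRootID))
	return nil
}

func main() {
	kms := rootKeyStore{}
	kms.createRootKey("root-v1")
	kms.createRootKey("root-v2")
	env, _ := encryptEnvelope(kms, "root-v1", []byte("VM disk block (constructed sample)"))
	fmt.Println("rotate:", rewrapEnvelope(kms, env, "root-v2")) // nil: data stays readable
	kms.revokeRootKey("root-v2")                                 // crypto-shred
	fmt.Println(decryptEnvelope(kms, env))                       // [] root key is revoked or unknown
}
```

With a real Key Protect or HPCS instance the `wrapDEK`/`unwrapDEK` steps correspond to the service's wrap and unwrap operations on a root key; the storage, backup, and logging services that integrate with those instances perform exactly this wrapping on the customer's behalf, which is why deleting or disabling the root key is sufficient to make the data inaccessible without touching the data itself.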
Architecture decisions for identity and access management
| Architecture decision | Requirement | Option | Decision | Rationale |
|---|---|---|---|---|
| Identity access and role management (IDM) | Securely authenticate users for platform services and control access to resources consistently across IBM Cloud. | IBM Cloud IAM | IBM Cloud IAM | Use IAM access policies to grant users, service IDs, and trusted profiles access to resources within the IBM Cloud account. |
Architecture decisions for application security
| Architecture decision | Requirement | Option | Decision | Rationale |
|---|---|---|---|---|
| DDoS | Protect applications that are exposed to the public network from distributed denial-of-service attacks. | IBM Cloud Internet Services (CIS) | IBM Cloud Internet Services (CIS) | IBM Cloud Internet Services provides DDoS protection for applications that are exposed to the public network. |
| SSL/TLS | Encrypt traffic between clients and applications that are exposed to the public network. | IBM Cloud Internet Services (CIS) | IBM Cloud Internet Services (CIS) | IBM Cloud Internet Services provides SSL/TLS (Secure Sockets Layer / Transport Layer Security) encryption for applications that are exposed to the public network. Configure a minimum TLS version of 1.2, because SSL and earlier TLS versions are deprecated. |
| Web application firewall | Protect web applications from application-layer attacks. | IBM Cloud Internet Services (CIS) | IBM Cloud Internet Services (CIS) | IBM Cloud Internet Services provides web application firewall (WAF) features to protect applications that are exposed to the public network. |
Architecture decisions for infrastructure and endpoint
| Architecture decision | Requirement | Option | Decision | Rationale |
|---|---|---|---|---|
| Core network protection | Isolate and segment virtualized workloads and control network access to them. | Red Hat OpenShift on IBM Cloud (VPC) | Red Hat OpenShift on IBM Cloud (VPC) | Core network protection for Red Hat OpenShift Virtualization on IBM Cloud VPC secures virtualized workloads through network isolation and segmentation, network access control lists, security groups, and policy-driven access controls, with encrypted communication and continuous monitoring to support compliance and reduce the attack surface. |
| Edge and endpoint protection | Protect workloads at the network edge and on the endpoints (worker nodes and VMs). | Red Hat OpenShift Virtualization on IBM Cloud (VPC) | Red Hat OpenShift Virtualization on IBM Cloud (VPC) | Red Hat OpenShift Virtualization on IBM Cloud VPC protects the edge and endpoints through private networking, encrypted storage, strong workload isolation, and strict access controls, with automated patching and centralized logging to maintain a consistent, resilient, and compliant security posture across distributed environments. |
Architecture decisions for threat detection and response
| Architecture decision | Requirement | Option | Decision | Rationale |
|---|---|---|---|---|
| Threat detection and response | Detect and block malicious traffic at the edge of the environment. | BYO virtual firewall (on VSI) in the edge VPC, deployed across availability zones; client choices include FortiGate, Juniper vSRX, and Palo Alto. Alternatively, the function can be provided by the enterprise network DMZ. | BYO virtual firewall in the edge VPC, or the enterprise network DMZ where one already exists | The firewall choice should align with in-house expertise, balancing control and simplicity. |
Architecture decisions for governance, risk, and compliance
| Architecture decision | Requirement | Option | Decision | Rationale |
|---|---|---|---|---|
| Governance, risk, and compliance | Continuously monitor workloads for vulnerabilities and misconfigurations and report compliance against the required standards. | IBM Cloud Security and Compliance Center (SCC) Workload Protection | IBM Cloud Security and Compliance Center (SCC) Workload Protection | IBM Cloud Security and Compliance Center (SCC) Workload Protection provides centralized workload protection for Red Hat OpenShift Virtualization and container environments by continuously monitoring VMs and containerized workloads for vulnerabilities, misconfigurations, and security risks. It integrates governance, risk, and compliance (GRC) capabilities by enforcing security policies, assessing risk exposure, and automating compliance reporting for standards such as CIS Benchmarks, NIST, PCI DSS, and GDPR. It helps organizations maintain audit-ready environments, support regulatory adherence, and integrate security into DevSecOps pipelines, providing end-to-end visibility and protection across hybrid and cloud-native workloads. |