Architecture decisions for security

The following are security architecture decisions for the Power Virtual Server Resiliency on AIX pattern.

Security architecture decisions
Each decision below is recorded with its requirement, the alternatives that were considered, the decision that was taken, and the rationale.

Encrypt data at rest: Workloads
  Requirement: Ability to encrypt data at rest
  Decision: Power Virtual Server storage encryption with provider-managed keys
  Rationale:
  • Power Virtual Server uses IBM FlashSystem storage with AES-256 (Advanced Encryption Standard) hardware-based encryption.
  • Customer-managed keys can be used by selecting a Key Management Service (KMS) for the respective storage service.

Encrypt data at rest: Backups
  Requirement: Ability to encrypt backups
  Decision: Storage encryption with provider-managed keys
  Rationale:
  • All objects that are stored in IBM Cloud Object Storage are encrypted by using randomly generated keys and an all-or-nothing transform (AONT).
  • Secure Automated Backup with Compass includes IBM Spectrum Protect client-side encryption on the source system and at-rest encryption in the cloud with AES-128.

Identity Access and Role Management (IDM)
  Requirement: Securely authenticate users for platform services and control access to resources consistently across IBM Cloud
  Decision: IBM Cloud IAM
  Rationale:
  • Use IAM access policies to assign users, service IDs, and trusted profiles access to resources within the IBM Cloud account.
  • Secure Automated Backup with Compass is integrated with IBM Cloud IAM.

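The IAM decision above is stated in terms of access policies for users, service IDs, and trusted profiles. The following Terraform configuration for the IBM Cloud provider is an added example and is not part of the reference architecture or its deployable code; it assumes Terraform is the provisioning tool and that the Power Virtual Server workspace GUID is supplied in a variable. The access group, service ID and policy names are illustrative. The point it shows is scoping: operators get a read-only platform role on one workspace through an access group, and the backup automation gets its own service ID with an Operator role on that same workspace rather than account-wide access.

```hcl
# Added example (not from the reference architecture). Names and the
# workspace GUID variable are assumptions chosen for illustration.
variable "powervs_workspace_guid" {} # assumed: GUID of the Power Virtual Server workspace instance

# Human operators: read-only on the workspace, granted through an access group
# so that membership, not per-user policy, is what changes when staff rotate.
resource "ibm_iam_access_group" "aix_ops" {
  name        = "aix-ops-readonly"
  description = "Operators who may view Power Virtual Server resources"
}

resource "ibm_iam_access_group_policy" "aix_ops_view" {
  access_group_id = ibm_iam_access_group.aix_ops.id
  roles           = ["Viewer"]
  resources {
    service              = "power-iaas"               # Power Virtual Server service name
    resource_instance_id = var.powervs_workspace_guid  # one workspace, not the whole account
  }
}

# Automation identity for the backup tooling: a dedicated service ID whose
# policy is scoped to the same single workspace.
resource "ibm_iam_service_id" "backup_automation" {
  name        = "backup-automation"
  description = "Service ID used by the backup automation"
}

resource "ibm_iam_service_policy" "backup_automation_operate" {
  iam_service_id = ibm_iam_service_id.backup_automation.id
  roles          = ["Operator"]
  resources {
    service              = "power-iaas"
    resource_instance_id = var.powervs_workspace_guid
  }
}
```

Review the `ibmcloud iam` role list for the Power Virtual Server service before choosing roles; the platform roles used here (Viewer, Operator) are deliberately the least that let the two identities observe and operate, and neither identity receives Administrator or account-level scope.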
Key Management
  Requirement: Provider-managed keys
  Alternatives: Key Protect, Hyper Protect Crypto Services
  Decision: Key Protect
  Rationale: By default, storage at rest is encrypted with provider-managed keys.

Privileged Identity and Access Management
  Requirement: Privileged access management services for administrative purposes
  Alternatives: BYO bastion host; BYO bastion host with Privileged Access Management (PAM) software
  Decision: BYO bastion host or Privileged Access Gateway with PAM software deployed in the Edge VPC
  Rationale:
  • 2FA authentication through IBM Security Verify.
  • Remote resources are accessed securely over the private network for management purposes; the bastion is accessed through SSH.
  • Session recording tracks all activities, successful or not, so that potential threats can be identified.

Core Network Protection
  Requirement:
  • Strict separation of duties
  • Isolated security zones between environments
  • Isolated, private cloud environment
  Alternatives:
  • Separate VPCs, subnets, Access Control Lists (ACLs), and Security Groups for workloads in VPC.
  • Virtual firewalls deployed in the Edge or Transit VPC to provide advanced firewall and routing capabilities between the VPC and Power Virtual Server.
  Decision: A design combination that uses:
  • Separate VPCs (edge and management) connected through Transit Gateway, together with edge firewall capabilities.
  • Subnets, Security Groups and ACLs to build an Edge or Transit VPC design, along with isolated LPARs on Power Virtual Server.

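The network decision above combines subnets, Security Groups and ACLs in the edge VPC with the bastion decision earlier on the page. The following Terraform configuration for the IBM Cloud provider is an added example, not part of the reference architecture or its deployable code; it assumes Terraform as the tool, a single zone, and illustrative CIDRs for the corporate admin range, the bastion subnet and the Power Virtual Server subnet. It shows the two layers doing different jobs: the stateful Security Group pins the bastion to SSH from the corporate range inbound and to the Power Virtual Server subnet outbound, and the stateless subnet ACL enforces the same paths (including the reply traffic that a stateless filter needs spelled out). The weak variant a reviewer should look for is shown in a comment.

```hcl
# Added example (not from the reference architecture). Names, CIDRs and the
# assumption that the bastion subnet uses this ACL are chosen for illustration.
variable "corporate_cidr" { default = "192.0.2.0/24" } # assumed admin source range
variable "bastion_cidr"   { default = "10.10.1.0/24" } # assumed bastion subnet in the edge VPC
variable "powervs_cidr"   { default = "10.20.0.0/24" } # assumed Power Virtual Server subnet

resource "ibm_is_vpc" "edge" {
  name = "edge-vpc"
}

# Security Group for the bastion VSI. New groups have no rules, so only the
# flows listed here are permitted; the group is stateful, replies are implicit.
resource "ibm_is_security_group" "bastion" {
  name = "bastion-sg"
  vpc  = ibm_is_vpc.edge.id
}

# Weak setting to reject in review: the same inbound rule with
#   remote = "0.0.0.0/0"
# exposes SSH on the bastion to every address.
resource "ibm_is_security_group_rule" "ssh_from_corp" {
  group     = ibm_is_security_group.bastion.id
  direction = "inbound"
  remote    = var.corporate_cidr
  tcp {
    port_min = 22
    port_max = 22
  }
}

# Outbound from the bastion only to the Power Virtual Server subnet on port 22.
resource "ibm_is_security_group_rule" "ssh_to_powervs" {
  group     = ibm_is_security_group.bastion.id
  direction = "outbound"
  remote    = var.powervs_cidr
  tcp {
    port_min = 22
    port_max = 22
  }
}

# Subnet-level ACL for the bastion subnet (attach through the subnet's
# network_acl attribute). ACL rules are stateless and evaluated in order, and
# traffic that matches no rule is denied, so each direction of every allowed
# conversation needs its own rule.
resource "ibm_is_network_acl" "edge" {
  name = "edge-acl"
  vpc  = ibm_is_vpc.edge.id

  rules {
    name        = "in-corp-ssh-to-bastion"
    action      = "allow"
    direction   = "inbound"
    source      = var.corporate_cidr
    destination = var.bastion_cidr
    tcp {
      port_min = 22
      port_max = 22
    }
  }
  rules {
    name        = "out-ssh-reply-to-corp"
    action      = "allow"
    direction   = "outbound"
    source      = var.bastion_cidr
    destination = var.corporate_cidr
    tcp {
      source_port_min = 22
      source_port_max = 22
      port_min        = 1024 # ephemeral client ports
      port_max        = 65535
    }
  }
  rules {
    name        = "out-bastion-ssh-to-powervs"
    action      = "allow"
    direction   = "outbound"
    source      = var.bastion_cidr
    destination = var.powervs_cidr
    tcp {
      port_min = 22
      port_max = 22
    }
  }
  rules {
    name        = "in-ssh-reply-from-powervs"
    action      = "allow"
    direction   = "inbound"
    source      = var.powervs_cidr
    destination = var.bastion_cidr
    tcp {
      source_port_min = 22
      source_port_max = 22
      port_min        = 1024
      port_max        = 65535
    }
  }
}
```

Two caveats for anyone adapting this: Security Groups and ACLs are VPC constructs and do not attach to the Power Virtual Server LPARs themselves, so the Power Virtual Server side is governed by its own subnet design and by the edge firewall in the transit path; and if the bastion must reach other management endpoints (package mirrors, the backup service), each of those flows needs its own narrow rule rather than a broad outbound allow.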
Threat detection and response
  Requirement:
  • Boundary protection: highest level of isolation from external network threats
  • IPS/IDS protection at all ingress/egress points
  • Unified Threat Management (UTM) firewall
  Alternatives: BYO virtual firewall: FortiGate or Palo Alto
  Decision: BYO virtual firewall: FortiGate or Palo Alto
  Rationale:
  • Virtual firewall on a VSI in the Transit or Edge VPC.
  • The recommended option, reflecting client preference, is FortiGate.
  • FortiGate supports native HA configuration, IPS and IDS.