Security in VPC IaaS Environments

Cloud security is a set of security measures that protect cloud-based data, applications, and infrastructure. It's a type of cybersecurity that involves both cloud providers and their clients. Cloud security protects against internal and external threats to business security and ensures that legal requirements are met.

This document provides an overview of IBM Cloud’s security capabilities, options, best practices and solutioning guidance associated with those capabilities. The scope is the Virtual Private Cloud (VPC) Infrastructure as a Service (IaaS) security capabilities. Security in other landing zones such as VMware and OpenShift will be handled in future documents.

IBM Cloud has a broad range of native security capabilities, but other options, such as 3rd party solutions, are also discussed where they apply to hybrid or multicloud situations. Some of those options come from IBM Cybersecurity Services and are presented in the IBM Cybersecurity Services capabilities section.

Overview information on general cloud security concepts is available. Another reference source is the security section within the IBM Cloud Architecture Center.

This document is geared toward cloud consultants, architects, and engineers, and it assumes that the reader has a level of cloud proficiency and general knowledge of security concepts. This white paper isn't meant to be a cloud or security tutorial, nor is it technically comprehensive for the particular security solutions mentioned.

General security best practices and solutioning guidance

There are many security best practices for cloud deployments, but the most prominent and important today is the overarching approach of the zero trust model. Zero trust has key principles that should be considered in any security design:

  • Never trust, always verify.
  • Enforce least privilege access.
  • Enable strong authentication, with periodic and recurring re-authentication where possible.
  • Assume breaches everywhere and protect and detect accordingly.
  • Segment functions and related network areas to create security perimeters that limit the blast radius of an attack.
  • Discover all resources, functions, components, and data used in an environment and ensure total visibility; you cannot secure what you cannot see.
  • Use continuous security monitoring.

This paper shows how various IBM Cloud security elements can be deployed following a zero trust approach. For more information, see the National Institute of Standards and Technology (NIST) publication on zero trust architecture. Additional sources on zero trust principles and applications are available.

Security solutions framework

IBM uses a broad standard framework in all its security endeavors, including design, consulting, and implementation, and it is described in the following sections for reference. Some, but not all, of its categories apply to IBM Cloud VPC environments from a technical capability perspective; only the boxes highlighted in blue in the diagram are discussed. Some of these capability categories can be broken down further, and those are discussed in detail in the following sections.

Figure: IBM Security Framework, illustrating the security framework used in this IaaS security white paper.

IBM Cybersecurity Services capabilities: options in certain situations

IBM Cybersecurity Services is a business unit within IBM that focuses specifically on security. It offers a broad range of security solutions with associated consulting and managed services. The list below provides an overview of those solutions; they can be considered additional options for IBM Cloud that may apply in certain scenarios such as hybrid or multicloud situations.

Security Domains

Data security

Data security is the process of protecting digital information throughout its life cycle from unauthorized access, corruption, theft, or destruction. The following sections discuss IBM Cloud's capabilities in this domain.

The following concepts are discussed:

Data-at-rest encryption

IBM Cloud provides native, integrated data-at-rest encryption automatically for VPC block volumes and snapshots and for file storage (VPC file shares). IBM Cloud Object Storage is also encrypted at rest by default. All of this encryption uses AES-256. Customers can use IBM-managed encryption (the default) or customer-managed keys.

The following options are available for data-at-rest encryption:

  • IBM Cloud default encryption: Applied automatically if no other key management scheme is selected. IBM-managed keys are used.
  • IBM Cloud encryption with customer-managed keys: The customer selects an IBM Cloud native key management system (KMS) and creates or imports root keys there. IBM Cloud has two native KMS options, IBM Key Protect Standard and IBM Key Protect Dedicated, which are described in the key management section.
  • External encryption solution: A customer might already run their own data encryption solution on premises and want to extend it to the cloud, or might want centralized data control across multiple clouds. IBM Cybersecurity Services has an applicable solution known as Guardium.

The following are best practices for data-at-rest encryption:

  • Data-at-rest encryption should always be enabled; there is no case for storing unencrypted data in the cloud.
  • Cloud native encryption with a designated cloud native KMS provides the best lifecycle automation and orchestration.
  • Encrypting data with customer-managed keys is recommended where regulatory compliance, additional security, or customer control over the key hierarchy is required.

The following is solutioning guidance for data-at-rest encryption:

Key management and lifecycle management

Key management gives cloud customers the ability to create, store, manage and rotate keys, with automation, to support storage encryption. IBM Cloud has two native, integrated key management services, IBM Key Protect Standard and IBM Key Protect Dedicated. For more information see:

The following diagram is a depiction of the two types of key management capabilities in IBM Cloud.

Figure: Key management capabilities in IBM Cloud.

The following options are available for key management:

  • IBM Key Protect Standard - Applicable where key storage security requirements are not highly critical and a multi-tenant service is sufficient. This capability is commonly referred to as Bring Your Own Key (BYOK); the service is backed by hardware security modules (HSMs) certified to Federal Information Processing Standard (FIPS) 140-2 Level 3.
  • IBM Key Protect Dedicated - Provides key management with the highest level of security and control that IBM Cloud offers. It uses a dedicated (single-tenant) FIPS 140-2 Level 4 certified HSM and supports customer-managed master keys, giving the customer exclusive control of the entire key hierarchy. IBM Key Protect Dedicated is specifically recommended for financial services environments.
  • Customer or 3rd party key management solution - Might apply when a customer already uses an external or 3rd party solution in a hybrid or multicloud environment. Note that IBM Cloud storage services integrate natively only with the IBM Cloud KMS options, so key material from an external KMS has to be imported into one of them (BYOK) before it can be used for VPC storage encryption.

The following are best practices for key management:

  • Cloud native key management offers the most secure, integrated and automated key lifecycle management.
  • User access to keys should be tightly controlled and monitored; grant key management roles through access groups following least privilege.
  • Establish documented processes for how keys are used and managed, including a rotation schedule. In an envelope encryption scheme, rotating a root key replaces the wrapping key and rewraps the data encryption keys; the data itself is not re-encrypted.
  • Inspect the activity logs surrounding key management regularly (key creation, rotation, deletion, wrap and unwrap calls).

The following is solution guidance for key management:

Data-in-transit encryption

Data-in-transit encryption occurs in multiple areas within IBM Cloud. External applications use HTTPS (TLS) that terminates on servers within a VPC, or on load balancers and next-generation (NexGen) firewalls placed in front of the servers in VPCs. Traffic to IBM Cloud Object, Block and File Storage and to cloud service endpoints is also encrypted in transit by default.

The following options are available for data-in-transit encryption:

  • Data-in-transit encryption to IBM Cloud storage - No options; this is a default function.
  • Application-level data-in-transit encryption - Applies mostly to public access situations but can also be applied to private access. Transport Layer Security (TLS) 1.2 should be used at a minimum.
  • Application-level data-in-transit encryption termination - TLS can be terminated at a NexGen firewall, at an edge load balancer, or with IBM Cloud Internet Services (CIS).

The following are Best practices for data-in-transit encryption:

Application-level data-in-transit encryption should always be applied in public access situations. TLS should be terminated at the edge, at a firewall or a load balancer, so that the decrypted traffic can be inspected for threats before it reaches the workload. Termination should not occur on servers in the interior of a network. Where policy or compliance requires encryption on the interior segments as well, re-encrypt from the edge device to the back-end servers rather than terminating on the servers directly; the edge device still sees the cleartext it needs for inspection.

The following includes solution guidance for data-in-transit encryption:

Certificate lifecycle management

Certificates are used in several areas within IBM Cloud to provide TLS encryption for data in transit, such as load balancers, API gateways, and so on. IBM Cloud has certificate management capabilities that allow customers to provision, manage, and deploy public and private SSL/TLS certificates for use with IBM Cloud services and applications. For more information see: Getting started with IBM Cloud Secrets Manager

The following options are available for certificate management:

  • IBM Cloud Secrets Manager - Highly recommended when IBM Cloud is primarily used
  • No certificate management - Perhaps applicable in private environments with dev/QA workloads, or where there is a minimal number of certificates to manage.
  • Customer-Owned or 3rd Party Certificate Management Solutions.

The following are Best Practices for certificate management:

  • Rotate certificates regularly.
  • Send notifications well ahead of certificate expiry.
  • Store certificate private keys in a hardware security module or a secrets manager, never in source code or images.
  • Maintain a certificate inventory.
  • Document certificate management procedures.

The following is solution guidance for certificate management:

Data lifecycle management and governance

IBM Cloud provides a range of data security measures as discussed, but customers may want full data lifecycle management and security across data in hybrid or multicloud environments. These capabilities may include data discovery, data classification, data tagging, data integrity checks and loss prevention, among others. There are several 3rd party solutions in the market in this full data lifecycle management realm. One such solution from IBM Cybersecurity Services is known as Guardium.

Data Loss Prevention (DLP) and data access, integrity and monitoring

IBM Cloud has a number of ways to control data access, such as identity and access management (IAM) and permissions on object storage, and IBM Cloud Activity Tracker records management events and, for supported services, data events covering user and API access. But there is no native capability to specifically monitor and control data loss and data integrity; this is typically the realm of 3rd party data control solutions. For more information, see What Is Data Loss Prevention (DLP).

Identity and Access Security

Cloud Identity and Access Management (IAM) is a set of tools, policies, and practices that control user access to cloud resources like data, applications, and services. The following sections discuss IBM Cloud's capabilities in this domain.

The following concepts are discussed:

Access and Role Access Management

IBM Cloud has a full featured native IAM that can control all aspects of admin user actions and services within an account. It enables you to securely authenticate users for platform services and control access to resources consistently across IBM Cloud. For more information, see Access management in IBM Cloud and How IBM Cloud IAM works. The following highlights some of the major IAM functions available.

Table 1: IBM Cloud Identity and Access Management capabilities (IAM capability: function or feature)

  • Resource groups: A resource group is a way for you to organize your account resources in customizable groupings. Any account resource that is managed by using IBM Cloud® Identity and Access Management (IAM) access control belongs to a resource group within your account. You assign resources to a resource group when you create them from the catalog.
  • Access groups: An access group can be created to organize a set of users, service IDs, and trusted profiles into a single entity that makes it easy for you to assign access. You can assign a single policy to the group instead of assigning the same access multiple times for an individual user or service ID.
  • Service IDs: A service ID identifies a service or application in the same way that a user ID identifies a user. You can create a service ID and use it to give an application outside of IBM Cloud access to your IBM Cloud services. You can assign specific access policies to the service ID that restrict permissions for using specific services, or combine permissions for accessing different services.
  • Access policies: A policy grants a subject one or more roles on a set of resources so that specific actions can be taken within the context of the specified target resources.
  • Roles: Roles provide a defined level of access; there are platform roles and service roles. Platform roles (Viewer, Operator, Editor, Administrator) control the ability to call platform APIs to do actions such as provisioning a service instance. Service roles are supported by some services and control the ability to call that service's APIs. IBM Cloud supports predefined roles that apply across multiple services, services can define roles that apply only to that service, and users can define their own custom roles that include only the specific actions they want to grant. User-defined custom roles are useful for meeting least privilege requirements.
  • Context-based restrictions: Context-based restrictions give account owners and administrators the ability to define and enforce access restrictions for IBM Cloud® resources based on a rule's criteria. The criteria include the network location of access requests, the endpoint type from which the request is sent, and sometimes the API that the request tries to access. These restrictions work with traditional IAM policies, which are based on identity, to provide an extra layer of protection.
  • Multi-factor authentication (MFA): MFA adds an extra layer of security to your account by requiring all, or specific, users to authenticate with another factor beyond an ID and password. MFA is also commonly known as two-factor authentication (2FA). When MFA is enabled, a user provides their ID and password and then a one-time password (OTP) generated by an authenticator app or a hardware token. Account-level MFA is preferred because it is not limited to classic infrastructure resources and applies to all resources within the account. It also reduces the risk of a breach because of a weak password or the reuse of the same password across multiple accounts.
  • Trusted profiles: By using trusted profiles, you can establish a flexible, secure way for federated users to access the IBM Cloud® resources they need to do their job. All federated users that share certain attributes defined in your corporate user directory are mapped to a common profile and can share access to IBM Cloud resources. This common identity makes it possible to give the members of your organization that share access requirements access to resources once, rather than having to add each user to an account and then grant them access directly or by using access groups. Trusted profiles can also be used to grant access to service IDs, compute resources, or services. Allowing a compute resource to assume a trusted profile lets you assign access to applications running on that resource without a long-term credential that must be managed and rotated. This greatly enhances the security of applications running in IBM Cloud. For more information, see Using a trusted profile to call IAM-enabled services.

The following diagram provides insight on how IAM works in the IBM Cloud.

Figure: Identity and access management in IBM Cloud (detailed IAM framework).

Access and role access management options include:

  • Multi-factor authentication (MFA) and complex passwords: Using MFA and complex passwords is always recommended.
  • Assigning access policies to individual users: Not recommended. Place users in access groups, or map them to trusted profiles, that carry the specific policies.
  • Single sign-on (SSO) federation: Applicable where customers already have a single sign-on infrastructure or want to use their established Active Directory, LDAP, and so on.

Access and role access management best practices include:

  • Review Best Practices for Organizing Resources and Assigning Access.
  • Always apply a least privilege approach for all cloud access.
  • Never use the account owner identity for day-to-day administration. Always apply context-based restrictions to IAM access.
  • Never assign access policies directly to a single user.
  • Use trusted profiles or access groups and assign policies to the group or profile.
  • Always use multi-factor authentication, complex passwords and a password rotation policy.
  • Develop thorough documentation that dictates how IAM is used in your IBM Cloud accounts.
  • Conduct regular, periodic reviews of your account IAM settings against your IAM documentation and policies. Over time, settings can drift or be inadvertently changed, resulting in overly permissive states.
  • Conduct periodic reviews of the IAM events in IBM Cloud Logs to look for access anomalies.

Access and role access management solution guidance include:

Customers are encouraged to review the documentation in the Managing Your Account, Resources, Access documentation for more insight on best IAM practices and solutioning guidance.
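The periodic policy review recommended above can be partly automated. The following is an added example written for this page, not IBM code and not a published IBM tool: it checks a list of IAM access policies against two of the best practices listed (no policy bound directly to a single user, and no Administrator role scoped to the whole account). The policy documents are constructed to follow the shape of the IAM Policy Management API (type, subjects, roles and resources with name/value attribute lists); the account, user and access group IDs are placeholders, and the field shapes should be checked against your own API output.

```python
"""Review IBM Cloud IAM access policies for least-privilege violations.

Added example, not IBM code. The policy documents below are constructed to
follow the IAM Policy Management API shape (type/subjects/roles/resources,
each with name/value attribute lists); the IDs are placeholders.
"""
import json

ADMIN_ROLE = "crn:v1:bluemix:public:iam::::role:Administrator"
# A resource block carrying only accountId has no service or instance
# qualifier, so the grant spans the whole account.
WIDE_SCOPE_ATTRS = {"accountId"}

# Constructed sample: three policies as a policy listing might return them.
SAMPLE_POLICIES = json.loads("""
[
  {"id": "p-1", "type": "access",
   "subjects": [{"attributes": [{"name": "iam_id", "value": "IBMid-EXAMPLE1"}]}],
   "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Administrator"}],
   "resources": [{"attributes": [{"name": "accountId", "value": "acct-example"}]}]},
  {"id": "p-2", "type": "access",
   "subjects": [{"attributes": [{"name": "access_group_id", "value": "AccessGroupId-EXAMPLE"}]}],
   "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Viewer"}],
   "resources": [{"attributes": [{"name": "accountId", "value": "acct-example"},
                                 {"name": "serviceName", "value": "kms"}]}]},
  {"id": "p-3", "type": "access",
   "subjects": [{"attributes": [{"name": "access_group_id", "value": "AccessGroupId-EXAMPLE2"}]}],
   "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Administrator"}],
   "resources": [{"attributes": [{"name": "accountId", "value": "acct-example"}]}]}
]
""")


def _attrs(entries):
    """Flatten [{"attributes": [{"name": .., "value": ..}]}] into a dict."""
    out = {}
    for entry in entries:
        for attr in entry.get("attributes", []):
            out[attr["name"]] = attr["value"]
    return out


def review_policy(policy):
    """Return a list of finding strings for one policy (empty means clean)."""
    findings = []
    subject = _attrs(policy.get("subjects", []))
    resource = _attrs(policy.get("resources", []))
    roles = {r["role_id"] for r in policy.get("roles", [])}

    # Best practice: bind policies to access groups or trusted profiles, not users.
    if "iam_id" in subject:
        findings.append("bound directly to a user identity")
    # Administrator with no service or resource qualifier spans the whole account.
    if ADMIN_ROLE in roles and set(resource) <= WIDE_SCOPE_ATTRS:
        findings.append("Administrator role scoped to the entire account")
    return findings


def review_policies(policies):
    """Map policy id -> findings, listing only policies that have findings."""
    report = {}
    for policy in policies:
        findings = review_policy(policy)
        if findings:
            report[policy["id"]] = findings
    return report


if __name__ == "__main__":
    for pid, issues in review_policies(SAMPLE_POLICIES).items():
        print(pid, "->", "; ".join(issues))
```

Feed it the JSON returned by your policy listing instead of the constructed sample; p-2 (a Viewer role granted to an access group and limited to one service) passes, while p-1 and p-3 are flagged.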

IAM with Single Sign-On (SSO) and Identity Provider (IdP) federation

IBM Cloud IAM allows federation so that you can integrate with your external identity provider (IdP) to securely authenticate external users to your IBM Cloud account. By using your IdP, you can provide a way for users in your company to use single sign-on (SSO). For more information, see Single Sign On.

The following Options are available for single sign-on.

  • SSO: Applicable where federation with other identity providers or external directories is required.
  • No SSO: Customers may forgo SSO if they have no federation with Identity Providers.

The following are best practices for single sign-on.

  • Use IBM Cloud Trusted Profiles along with any SSO solution
  • Ensure multi-factor authentication with the SSO solution
  • Enforce granular role and permission management.

The following is solution guidance for single sign-on.

Secrets management

Secrets management is a way to securely store and manage API keys, certificates, user ID and password credentials, and other sensitive information with automation and integration. IBM Cloud's service is IBM Cloud Secrets Manager, and it has several key security features such as secrets lifecycle management, logging, encryption by default, IAM integration and versioning. For more information, see Getting started with IBM Cloud Secrets Manager.

The following options are available for secrets management:

  • IBM Cloud Secrets Manager: Automated, native secrets management that is fully integrated with IBM Cloud.
  • No secrets management: Not recommended, but it might be acceptable in a private environment used for noncritical dev and test. Secrets there might end up embedded in applications if security requirements are low and cost is a factor.
  • 3rd party secrets management solution: Might apply in a multicloud situation, but the secrets management automation and integration with IBM Cloud is lost.

The following are best practices: for secrets management:

  • IBM Cloud is focused on enterprise workloads, and these workloads should always include secrets management.
  • Use cloud native secrets management that provides full lifecycle capabilities and full cloud integration.
  • Automate creation, rotation, revocation, and expiration of static secrets.
  • Never transmit secrets in plain text; all secrets should transit over TLS-encrypted connections.

The following is solutioning guidance for secrets management:

IBM Cloud Secrets Manager is a highly available platform with built-in resiliency and backups in each region. Customers still have specific responsibilities around secrets management, such as controlling access to secrets, setting rotation schedules and consuming the secrets correctly in their applications.

Bastion host and Privileged Access Management (PAM)

A bastion host is a server used to manage access to an internal or private network from an external network, sometimes called a jump box or jump server. Because bastion hosts often sit at the Internet edge, they typically run a minimum number of services to reduce their attack surface. They are also commonly used to proxy and log communications, such as SSH sessions. Privileged Access Management (PAM) software can be layered on top of the bastion host to provide more security functions, granular access control and logging beyond terminal SSH access.

Bastion host and PAM options include:

  • Virtual Server Instance (VSI) for bastion host: There are no options for the underlying platform of a bastion host; bastion hosts are created on virtual server instances (VSIs) within a Virtual Private Cloud (VPC).
  • Bastion host without PAM software: Not recommended, because highly granular access, approval workflows and detailed logging are usually needed.
  • Bastion host with PAM software: Various 3rd party solutions are in the marketplace, and this is always recommended.

IBM Cybersecurity Services also has a PAM solution known as Verify. For more information, see IBM Cybersecurity Services Verify.

Bastion host and PAM best practices include:

  • Bastion hosts should always be accompanied by PAM software. A least privilege approach should always be applied to permissions on the bastion host and in the PAM software.
  • Detailed logs should be enabled, and regular reviews of the logs should be undertaken to look for anomalies such as authentication failure bursts, logins from unexpected source addresses and direct root logins.
  • Logs from the bastion host and the PAM software should be correlated with other logs to infer threats. Typically, this correlation comes in the form of a Security Information and Event Management (SIEM) platform.

Bastion host and PAM solution guidance include:
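The log review called for above is the kind of check a SIEM rule would carry; the following is an added example for this page, not IBM code and not part of any PAM product, that runs the same logic over bastion sshd log lines. The log lines are constructed in standard syslog/OpenSSH format, and the allowed operator source range (a VPN subnet) and the brute-force thresholds are assumptions to replace with your own bastion policy. It flags failure bursts from one address, successful logins from outside the allowed range, direct root logins, and a success that follows failures from the same address.

```python
"""Review bastion-host sshd logs for access anomalies.

Added example, not IBM code or part of any PAM product. The log lines are
constructed in syslog/OpenSSH format; the allowed source range and the
thresholds are assumptions to replace with your own bastion policy.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumption: operators reach the bastion only from the corporate VPN range.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.1.0/24")]
BRUTE_FORCE_THRESHOLD = 5   # failures from one address ...
BRUTE_FORCE_WINDOW_S = 60   # ... within this many seconds

# Constructed sample log; 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = """\
Mar 14 10:01:02 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 14 10:01:05 bastion sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar 14 10:01:09 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar 14 10:01:12 bastion sshd[2104]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar 14 10:01:15 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 51259 ssh2
Mar 14 10:01:20 bastion sshd[2107]: Accepted publickey for opsuser from 10.10.1.23 port 40022 ssh2: ED25519 SHA256:c0nstructedF1ngerpr1nt
Mar 14 10:02:00 bastion sshd[2110]: Accepted password for root from 203.0.113.7 port 51300 ssh2
Mar 14 10:05:31 bastion sshd[2120]: Accepted publickey for opsuser from 192.0.2.44 port 40100 ssh2: ED25519 SHA256:c0nstructedF1ngerpr1nt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\S+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<ip>\S+)\s+port"
)


def parse_sshd(text):
    """Return auth events as dicts. Syslog timestamps carry no year, so they
    are only comparable within one log file (assumption of this example)."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue   # not an authentication result line
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%b %d %H:%M:%S")
        events.append(event)
    return events


def review_sshd(text):
    """Return a list of (kind, ip, detail) findings in log order."""
    findings = []
    failures = defaultdict(list)   # ip -> timestamps of failed attempts
    flagged_brute = set()
    for event in parse_sshd(text):
        ip = event["ip"]
        addr = ipaddress.ip_address(ip)
        if event["result"] == "Failed":
            failures[ip].append(event["ts"])
            recent = [t for t in failures[ip]
                      if (event["ts"] - t).total_seconds() <= BRUTE_FORCE_WINDOW_S]
            if len(recent) >= BRUTE_FORCE_THRESHOLD and ip not in flagged_brute:
                flagged_brute.add(ip)   # report each source once
                findings.append(("brute_force", ip,
                                 f"{len(recent)} failures within {BRUTE_FORCE_WINDOW_S}s"))
            continue
        # Accepted login: check who, from where, and whether failures preceded it.
        if event["user"] == "root":
            findings.append(("root_login", ip, f"root accepted via {event['method']}"))
        if not any(addr in net for net in ALLOWED_SOURCES):
            findings.append(("unexpected_source", ip,
                             f"{event['user']} accepted from outside allowed ranges"))
        if failures.get(ip):
            findings.append(("success_after_failures", ip,
                             f"{event['user']} accepted after {len(failures[ip])} failures"))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in review_sshd(SAMPLE_LOG):
        print(f"{kind:24} {ip:16} {detail}")
```

The root login from 203.0.113.7 produces three findings at once (root login, unexpected source, success after failures), which is exactly the combination that should page someone; the opsuser login from the VPN range produces none.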

Identity governance

Identity governance is a policy or programmatic approach to identity management. All IBM Cloud IAM capabilities support overall identity governance, but on top of them sit governance processes and procedures, many of which may be manual (documentation driven) or automated. These are generally out of scope for the cloud platform itself, for example existing approval workflow systems.

Application Security

Application security is generally the process of developing, adding, and testing security features in applications to prevent security vulnerabilities. The following sections discuss IBM Cloud's capabilities in this domain.

The following concepts are discussed:

Web Application Firewalling (WAF)

Web application firewalls (WAF) help protect web applications by filtering and monitoring the HTTP traffic between a web application and the Internet at the edge. A WAF is a Layer 7 (application layer) defense in the OSI model and is not designed to defend against all types of attacks. IBM Cloud has two ways to provide web application firewalling at the Internet edge: IBM Cloud Internet Services (CIS), which is typically used as a Content Delivery Network (CDN), and NexGen firewalls placed at the edge or in front of transit VPCs. You can find information on your NexGen firewall's WAF capabilities in its product documentation.

The following options are available for web application firewalls:

  • IBM Cloud Internet Services: Using Cloud Internet Services (CIS) WAFs may be more applicable where you need the broad range of capabilities commonly found in content delivery networks, such as global load balancing, DNS features, URL control and so on.
  • NexGen firewall: Applicable where a NexGen firewall is already at the Internet edge and there is no additional need for content delivery network features. NexGen firewalls are typically deployed in edge or transit VPCs to provide more advanced functions such as intrusion detection and intrusion prevention (IDS/IPS), among other capabilities.
  • No WAF: Customers might elect to forgo a WAF in private environments where there is only a private connection to on-premises infrastructure, for example when the customer already operates a WAF in an on-premises demilitarized zone (DMZ).

Review the following best practices for web application firewalls:

  • A WAF should always be used in public access environments. There are many options and configurations in a WAF relating to HTTP/HTTPS, domains, and detection policies; customers should thoroughly review these and adapt them to their own security needs and policies.
  • As with other protection and detection capabilities, WAF logs should be stored and inspected regularly for signs of anomalies.
  • WAF logs should generally be correlated with other logs, for example through a Security Information and Event Management (SIEM) platform, if available.

The following is solutioning guidance for web application firewalls:

Distributed Denial of Service (DDoS)

A distributed denial of service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. These attacks can occur at the application layer and at the network layer. IBM Cloud has two ways of providing DDoS protection for designs that have public Internet access: CIS, and NexGen firewalls deployed on virtual server instances at the Internet edge. Review the following links for more information:

DDoS options include:

  • CIS: Applicable in public Internet access environments, particularly production environments where dispersed users access applications in a content delivery manner.
  • NexGen firewall: More applicable where an edge firewall is already in use, users are not dispersed, and cost is a factor.
  • No DDoS protection: Not required in private-only networks.

DDoS best practices include:

  • Best practices for CIS
  • Create a DDoS threat model: a structured approach to identifying and analyzing the risks to your online service or website from a DDoS attack.
  • Implement rate limiting to control the amount of traffic a client can send to a network or server.
  • Ensure log monitoring and analysis of web traffic to look for anomalies such as unusually high traffic volume or server errors.

DDoS solution guidance includes:

Infrastructure and endpoint security

Infrastructure and endpoint security is the practice of securing endpoints such as servers and the underlying infrastructure such as Virtual Private Clouds (VPCs) and related networking. The following paragraphs discuss IBM Cloud's security capabilities in these critical areas.

The following concepts are discussed:

Core network Protection and network segmentation capability

IBM Cloud provides several standard network isolation capabilities to help customers separate and secure traffic and compute workloads. These isolation techniques help contain an attack within one network area and limit its blast radius. For more information, see the following links:

The following are segmentation methods:

  • Virtual Private Cloud - VPCs can segregate environments, e.g., one VPC for production, one for dev/test, one for management, and so on. There are also use cases where one general-use VPC is kept completely separate from another VPC in the same account, e.g., a customer with two different workload environments. Virtual Private Cloud
  • Access Control Lists (ACLs) - Filter ingress and egress traffic at the subnet boundary within a Virtual Private Cloud (VPC). ACLs are stateless, so return traffic must be allowed explicitly in the opposite direction. Access Control Lists (ACLs)
  • Security groups - Filter traffic in and out of virtual server network interfaces; this can be considered host-level firewalling. Security groups are stateful, so responses to allowed connections are permitted automatically. Security Groups
  • Transit gateway - IBM Cloud Transit Gateway can interconnect IBM Cloud classic, IBM Power Virtual Server (PowerVS) and Virtual Private Cloud (VPC) infrastructures, keeping traffic within the IBM Cloud network. Transit Gateway can connect VPCs in the same region (local routing), VPCs in different regions (global routing), VPCs to IBM Cloud classic infrastructure, and VPCs to PowerVS environments. Transit gateways are not usually thought of as a security capability, but they provide a form of network segmentation through prefix filtering of the routes advertised between connections, similar to a basic route filter on a firewall. For more information, see Filtering routes using Transit Gateway prefix filtering.
  • NexGen firewalls - Firewalls at the Internet edge can segregate public access from internal private compute beyond L3/L4 filtering and can be considered the key demilitarized zone (DMZ) segmentation.

The following options are available for segmentation:

  • Virtual Private Cloud (VPC) - There are no alternatives to VPC segmentation, but a customer could elect, for example, to use only one VPC and place all resources in it. This might suit a non-critical environment with a single function, e.g., test, with no public access and where cost is a factor.
  • Access Control Lists (ACLs) - There are no alternatives to ACLs for subnet-level filtering in VPC environments.
  • Security groups - There are no alternatives in a VPC environment.
  • NexGen firewall - Customers can elect, based on their risk profile and workload types, to place NexGen firewalls in a separate demilitarized zone (DMZ) edge VPC.
  • Transit gateway - There are no alternatives to Transit Gateway when you want to interconnect VPCs or connect to other environments, e.g., Power Virtual Server. Prefix filtering is an option in many situations.

The following are best practices for segmentation:

  • In public environments, always have an Internet edge VPC where a firewall can be placed and act as a Demilitarized Zone segmentation.
  • Separate production, dev, test, and so on from each other using VPC segmentation.
  • Always apply a “deny all” approach to ACLs and Security Groups and only open ports, protocols and IP addresses as needed.
  • Conduct periodic reviews of all ACL and Security Group rules. Understand traffic flows between workloads to understand what segmentation is needed.
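One way to make the periodic rule review concrete is to compare each security group rule against the documented traffic flows and flag anything that strays from the “deny all, open as needed” baseline. The following Python is an added example, not code from the white paper or from IBM Cloud; the rule dictionaries mirror the shape of VPC API security group rules (direction, protocol, port_min, port_max, remote) as the author understands it, and the sample group and allowlist are constructed.

```python
"""Periodic review of VPC security group rules against a 'deny all, open as needed' baseline.

Added example, not from the white paper or from IBM Cloud's own tooling. Rule dictionaries
mirror the shape of security group rules in the VPC API (direction, protocol, port_min,
port_max, remote) as the author understands it; the sample group and the documented-flow
allowlist are constructed.
"""
import ipaddress

# Constructed allowlist: the traffic flows the team has documented as needed.
# (direction, protocol, port) -> CIDRs that may appear as the rule's remote.
DOCUMENTED_FLOWS = {
    ("inbound", "tcp", 443): ["0.0.0.0/0"],      # public web front end behind the edge
    ("inbound", "tcp", 22): ["10.10.0.0/24"],     # SSH only from the bastion subnet
    ("outbound", "tcp", 443): ["0.0.0.0/0"],      # package and API calls out
}
ANY_NET = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def _remote_cidr(rule):
    """Remote as a CIDR string, or 'group' when it references another security group."""
    remote = rule.get("remote", {})
    if "cidr_block" in remote:
        return remote["cidr_block"]
    if "address" in remote:
        return str(ipaddress.ip_network(remote["address"]))   # single host -> /32 or /128
    return "group"


def _within(cidr, allowed_cidrs):
    """True when cidr lies inside at least one allowed CIDR (same IP version only)."""
    net = ipaddress.ip_network(cidr)
    for allowed in allowed_cidrs:
        a = ipaddress.ip_network(allowed)
        if a.version == net.version and net.subnet_of(a):
            return True
    return False


def review_rule(rule):
    """Return a list of findings for one rule; an empty list means it matches the baseline."""
    direction = rule["direction"]
    proto = rule.get("protocol", "all")
    cidr = _remote_cidr(rule)
    wide_open = cidr != "group" and ipaddress.ip_network(cidr) in ANY_NET
    lo, hi = rule.get("port_min", 1), rule.get("port_max", 65535)

    if proto in ("all", "icmp"):
        # 'all' between members of the same group is common; only the Internet-wide case is flagged
        return [f"{direction} {proto} open to {cidr}"] if wide_open else []
    if lo != hi:
        return [f"{direction} {proto} {lo}-{hi} from {cidr}: port range instead of a single port"]
    allowed = DOCUMENTED_FLOWS.get((direction, proto, lo))
    if allowed is None:
        return [f"{direction} {proto}/{lo} from {cidr}: no documented traffic flow"]
    if cidr != "group" and not _within(cidr, allowed):
        return [f"{direction} {proto}/{lo} from {cidr}: wider than documented {allowed}"]
    return []


def review_security_group(group):
    """Map each rule id to its findings so the review can be tracked rule by rule."""
    return {rule["id"]: review_rule(rule) for rule in group["rules"]}


# Constructed security group with a mix of compliant and drifted rules.
SAMPLE_GROUP = {"name": "web-sg", "rules": [
    {"id": "r-https", "direction": "inbound", "protocol": "tcp", "port_min": 443, "port_max": 443,
     "remote": {"cidr_block": "0.0.0.0/0"}},
    {"id": "r-ssh-bastion", "direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
     "remote": {"cidr_block": "10.10.0.0/24"}},
    {"id": "r-ssh-any", "direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
     "remote": {"cidr_block": "0.0.0.0/0"}},                      # drift: SSH opened to the Internet
    {"id": "r-intra", "direction": "inbound", "protocol": "all",
     "remote": {"id": "sg-CONSTRUCTED", "name": "web-sg"}},        # members talking to each other
    {"id": "r-dev-range", "direction": "inbound", "protocol": "tcp", "port_min": 3000, "port_max": 3999,
     "remote": {"address": "192.0.2.10"}},                        # drift: a whole port range
    {"id": "r-egress-all", "direction": "outbound", "protocol": "all",
     "remote": {"cidr_block": "0.0.0.0/0"}},                       # drift: unrestricted egress
]}

if __name__ == "__main__":
    for rule_id, findings in review_security_group(SAMPLE_GROUP).items():
        print(rule_id, "OK" if not findings else "; ".join(findings))
```

The same review applies to ACL rules once their source and destination CIDRs are mapped onto the documented flows; the allowlist is the artifact the periodic review should keep current.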

The following is solutioning guidance for segmentation:

Edge protection and firewalling capability

Segmentation techniques can be considered firewalling methods. IBM Cloud has native firewalling in several areas to control IP addresses, ports and protocols and the associated ingress and egress traffic. Most notable are ACLs, which are firewalls applied to VPC subnets, and Security Groups, which are firewalls applied to virtual server instance (VSI) network interfaces. Security Groups work at Layer 3 and Layer 4, controlling allowed IP addresses, ports, and protocols.

  • Access Control Lists - Control ingress and egress IP addresses, ports and protocols in subnets.
  • Security Groups - Control ingress and egress IP addresses, ports and protocols on virtual server instance network interfaces. This can be considered host firewalling.
  • NexGen firewalls - IBM Cloud has two firewalls within its catalog, Juniper and Fortinet, that can be deployed on VSIs at the edge. These can fully control Layer 3 and 4 traffic, but they are capable of much more filtering, such as controlling URLs, files and DNS queries, and Layer 7 web application firewalling. In addition to the firewalls in the IBM Cloud catalog, customers can bring their own firewall and host it on a VSI.
  • IBM Cloud Internet Services - CIS has a traditional Layer 3/4 firewall in addition to its WAF capability and other security features. This is applicable in situations where the customer has dispersed users and where a content delivery network (CDN) solution may be used.
  • Context Restrictions - In essence, firewalls that front-end services to control ingress from certain allowed IP addresses, e.g., blocking access from Russia on a Saturday night.

Edge protection and firewall options include:

  • VPCs, Access Control Lists (ACLs), security groups - No options; mandatory for all VPC environments. See: Exploring firewalls.
  • NexGen Firewalls - Required when there are public connections to the Internet and IBM Cloud Internet Services will not be used. Required when there are public connections to the Internet and advanced firewall features are needed, e.g., SD-WAN, file inspection, and so on. Optional for private connections to on-prem, but still recommended. Optional when CIS will be used.
  • IBM Cloud Internet Services (CIS) - Required where there are other needs such as content delivery networking (CDN), e.g., edge content caching, URI controls, distributed TLS termination, global load balancing, DDoS protection, and so on.

Edge protection and firewall best practices include:

  • Know and document all traffic flows, and segment accordingly.
  • Set up firewalls with a “deny all” configuration first, and open IPs, ports and protocols only when necessary.
  • Conduct periodic firewall rule reviews.
  • Review the IBM Cloud Internet Services best practices.

Edge protection and firewall solutioning guidance include:

Endpoint detection and endpoint protection capability

Endpoint detection and endpoint protection security are detection and protection mechanisms that work at the operating system and application levels. This can loosely be thought of as anti-virus on a server, but today’s endpoint detection and endpoint protection solutions provide much more, such as hardening, software patching, compliance monitoring, and threat hunting. Within IBM Cloud’s Security and Compliance Center (SCC) solution is a component known as IBM Cloud Workload Protection, which can be likened to endpoint detection and endpoint protection security. It provides a broad range of security capabilities, including:

  • A unified and centralized framework to manage the security and compliance of applications, workloads, and infrastructure.
  • Host and image scanning, auditing, and runtime vulnerability management capabilities.
  • Posture management for a distributed environment.
  • Runtime detection and data enrichment.

Within the context of this particular section, only runtime vulnerability and detection are discussed. IBM Cloud Workload Protection also has compliance components, and these are discussed in the governance, risk, and compliance section.

For more information, see Key features of IBM Cloud Compliance Manager Workload Protection. This capability can also fall under a security mechanism known as vulnerability management.

In addition, see What is endpoint security and What is endpoint detection and response.

Endpoint detection and protection options include:

  • IBM Cloud Workload Protection - Fully integrated into IBM Cloud with automation aspects, and ties in with IBM Cloud Compliance Manager.
  • 3rd Party Endpoint Protection and Detection (EPP/EDR) - Stand-alone solutions without IBM Cloud integration, but which may be applicable if a customer is using an endpoint security solution on-prem or in a multi-cloud situation. IBM Security, now known as Cybersecurity Services, has an EPP/EDR solution known as ReaQta. IBM Cybersecurity Services also sells, consults on, implements and manages various 3rd party EPP/EDR market solutions.
  • No workload protection endpoint security - This option depends upon the customer risk profile and what type of workloads are being used. This could be applicable in a private environment with no Internet access or in low-risk situations with dev and test environments, and perhaps where cost is a factor.

Endpoint detection and protection best practices include:

  • Cloud Workload Protection is always recommended in public environments.
  • Any cloud workload protection should be accompanied by people and processes that use the service or tool to find threats and vulnerabilities holistically. A set-and-forget approach should never be used.

Endpoint detection and protection solution guidance include:

Virtual Private Endpoints (VPEs)

IBM Cloud has Virtual Private Endpoints (VPE) that allow secure access to various cloud services without traversing the Internet. VPEs have firewalls in the form of the access control lists and security groups previously discussed. IBM Cloud Virtual Private Endpoints (VPE) for VPC enable you to connect to supported IBM Cloud services from your VPC network by using IP addresses of your choosing, which are allocated from a subnet within your VPC. VPE is an evolution of the private connectivity to IBM Cloud services. VPEs are virtual IP interfaces that are bound to an endpoint gateway created on a per-service, or per-service-instance, basis depending on the service operation model. The endpoint gateway is a virtualized function that scales horizontally, is redundant and highly available, and spans all availability zones of your VPC. Endpoint gateways enable communication between virtual server instances within your VPC and IBM Cloud services over the private backbone. VPE for VPC gives you the experience of controlling all the private addressing within your cloud.

The following options are available for virtual private endpoints:

  • VPE use: This option is always recommended due to its inherent security and private traffic transit.
  • Cloud Service Access Through the Internet: This is never recommended, but it is a possible path if cloud service access is needed across the Internet in some way.

The following best practices are available for virtual private endpoints:

  • Virtual Private Endpoints (VPEs) should always be used when there is a need to access cloud services, as opposed to any access over the Internet.
  • VPEs have security features that should be considered during the implementation process. One is that VPEs have Access Control Lists (ACLs) that can control all traffic in and out of the VPE.
  • Another is that VPE security groups can additionally be applied to control inbound application traffic.

The following is solutioning guidance for virtual private endpoints:

Threat investigation and response

Threat investigation and response is a cybersecurity process that involves identifying, analyzing, and responding to security threats. Many security solutions have their own specific threat detection capabilities, for example NexGen firewalls. Typically customers collect a variety of logs, aggregate them, and correlate them to provide a holistic threat investigation picture. The following sections discuss IBM Cloud's capabilities in this domain.

The following concepts are discussed:

Cloud Identity and Access Management logging

Cloud Identity and Access Management generates activity tracking events. Activity tracking events report on activities that change the state of a service in IBM Cloud. You can use the events to investigate abnormal activity and critical actions and to comply with regulatory audit requirements. You can use IBM Cloud Activity Tracker Event Routing, a platform service, to route auditing events in your account to destinations of your choice by configuring targets and routes that define where activity tracking events are sent. For more information, see About IBM Cloud Activity Tracker Event Routing. You can use IBM Cloud Logs to visualize and alert on events that are generated in your account and routed by IBM Cloud Activity Tracker Event Routing to an IBM Cloud Logs instance. Logs can also be forwarded externally to a Security Information and Event Management (SIEM) platform for event correlation and threat detection.

IAM logging options include:

There are no other IBM Cloud IAM logging options; this is the default, built-in logging capability.

IAM logging best practices include:

  • Forward activity tracking events to a Security Information and Event Management (SIEM) platform, if a customer is using a SIEM.
  • Regularly review user and API activity logs to determine any possible anomalies.

IAM logging solution guidance include:

Logging event correlation

Logging plays a key role in security in that it captures events that may be anomalous and, when correlated and analyzed, can reveal a threat and other problems. Logging can also play a role in compliance auditing. Several IBM Cloud services create logs, as noted in the table below:

Table 1: Other logging sources

  • VPC flow logs - Provides logs of all ingress and egress traffic within a VPC.
  • IBM Cloud Logs - As noted above, this provides logs of all administrator actions and API activities within an IBM account.
  • NexGen firewalls - Provides logs on a variety of functions or actions that occur within the firewalls, e.g., rule hits, alarms, and so on. Also note that most NexGen firewalls have their own portals where threats can be investigated.
  • IBM Cloud Internet Services Logpush service - Captures CIS firewall events.
  • Cloud workload protection event forwarding - Forwards various events from the cloud workload protection solution.

Logging event correlation options include:

  • VPC flow logs: There are no options if traffic capture in and out of a VPC is needed for security and troubleshooting purposes.
  • NexGen firewalls: Customers can elect to capture and forward all kinds of logs.

Logging event correlation best practices include:

  • Logging of IAM user and API actions should always be used, regardless of the security situation. These can be used for troubleshooting purposes and mandatory in compliance situations.
  • Firewall logs should always be used for detection purposes, if deployed at the edge in a public access environment.
  • Use of VPC flow logs, Cloud Internet Services logs and Cloud Workload Protection logs is dependent upon the customer's use of a Security Information and Event Management (SIEM) platform, how many log feeds are sufficient, and how much security inspection granularity is needed.
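The value of correlation comes from joining feeds: an IAM activity tracking event that opens an inbound port to the Internet means little on its own, but joined with the VPC flow log records that follow it, it shows who opened what and which public sources then got through. The following Python is an added example, not code from the white paper or from IBM Cloud; the field names follow the Activity Tracker event (eventTime, action, initiator, target, outcome, requestData) and VPC flow log (direction, action, initiator_ip, target_port, transport_protocol, start_time) formats as the author understands them, the action name and requestData contents are assumptions, and all event values are constructed.

```python
"""Correlate IBM Cloud Activity Tracker events with VPC flow log records.

Added example, not from the white paper or from an IBM Cloud tool. Field names follow the
Activity Tracker event and VPC flow log formats as the author understands them; the action
name and requestData contents are assumptions, and every value below is constructed.
"""
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed Activity Tracker events: two successful security group rule creations.
ACTIVITY_EVENTS = [
    {"eventTime": "2024-05-01T10:02:11.000+0000",
     "action": "is.security-group.security-group-rule.create",   # assumed action name
     "initiator": {"name": "dev-user@example.com"}, "target": {"name": "web-sg"},
     "outcome": "success",
     "requestData": {"direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
                     "remote": {"cidr_block": "0.0.0.0/0"}}},
    {"eventTime": "2024-05-01T09:40:00.000+0000",
     "action": "is.security-group.security-group-rule.create",
     "initiator": {"name": "ops-user@example.com"}, "target": {"name": "web-sg"},
     "outcome": "success",
     "requestData": {"direction": "inbound", "protocol": "tcp", "port_min": 443, "port_max": 443,
                     "remote": {"cidr_block": "0.0.0.0/0"}}},
]

# Constructed VPC flow log entries (one flow each) captured after the changes.
FLOW_LOGS = [
    {"start_time": "2024-05-01T10:15:03Z", "direction": "I", "action": "accepted",
     "initiator_ip": "198.51.100.7", "target_ip": "10.240.0.4", "target_port": 22, "transport_protocol": 6},
    {"start_time": "2024-05-01T10:16:40Z", "direction": "I", "action": "accepted",
     "initiator_ip": "203.0.113.9", "target_ip": "10.240.0.4", "target_port": 22, "transport_protocol": 6},
    {"start_time": "2024-05-01T10:20:00Z", "direction": "I", "action": "accepted",
     "initiator_ip": "10.10.0.5", "target_ip": "10.240.0.4", "target_port": 22, "transport_protocol": 6},
    {"start_time": "2024-05-01T10:21:00Z", "direction": "I", "action": "rejected",
     "initiator_ip": "198.51.100.7", "target_ip": "10.240.0.4", "target_port": 3389, "transport_protocol": 6},
    {"start_time": "2024-05-01T10:25:00Z", "direction": "I", "action": "accepted",
     "initiator_ip": "198.51.100.200", "target_ip": "10.240.0.4", "target_port": 443, "transport_protocol": 6},
]

PROTO_NUMBER = {"tcp": 6, "udp": 17}
# Address space the team treats as internal (RFC 1918); anything else is a public source.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(hours=2)   # how long after a change we attribute new flows to it


def _parse_time(value):
    """Accept both the '+0000' suffix of Activity Tracker and the 'Z' suffix of flow logs."""
    value = value.replace("Z", "+00:00")
    if value[-5] in "+-":                       # '+0000' -> '+00:00' for fromisoformat
        value = value[:-2] + ":" + value[-2:]
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def _is_public(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def exposing_changes(events):
    """Successful rule creations that open an inbound port to the whole Internet."""
    out = []
    for ev in events:
        req = ev.get("requestData", {})
        if (ev.get("outcome") == "success" and ev["action"].endswith("security-group-rule.create")
                and req.get("direction") == "inbound"
                and req.get("remote", {}).get("cidr_block") in ("0.0.0.0/0", "::/0")):
            out.append({"time": _parse_time(ev["eventTime"]), "who": ev["initiator"]["name"],
                        "group": ev["target"]["name"], "proto": PROTO_NUMBER.get(req.get("protocol")),
                        "ports": (req.get("port_min", 1), req.get("port_max", 65535))})
    return out


def correlate(events, flows, window=WINDOW):
    """For each exposing change, collect the public-sourced accepted flows it let in."""
    alerts = []
    for change in exposing_changes(events):
        lo, hi = change["ports"]
        hits = [f for f in flows
                if f["direction"] == "I" and f["action"] == "accepted"
                and f["transport_protocol"] == change["proto"] and lo <= f["target_port"] <= hi
                and _is_public(f["initiator_ip"])
                and change["time"] <= _parse_time(f["start_time"]) <= change["time"] + window]
        alerts.append({"who": change["who"], "group": change["group"], "ports": change["ports"],
                       "public_sources": sorted({f["initiator_ip"] for f in hits}),
                       "accepted_flows": len(hits)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(ACTIVITY_EVENTS, FLOW_LOGS):
        print(f"{alert['who']} opened {alert['group']} ports {alert['ports']} to the Internet; "
              f"{alert['accepted_flows']} accepted public flows from {alert['public_sources']}")
```

The same join is what a SIEM rule expresses once both feeds are routed to it; the time window and the internal address list are the two parameters a team would tune to its own environment.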

Logging event correlation solutioning guidance include:

Threat detection

Threat detection in IBM Cloud can occur in various places. NexGen firewalls deployed at the edge can detect anomalous traffic through their Intrusion Detection and Intrusion Prevention (IDS/IPS) and other capabilities. NexGen firewalls have other detection mechanisms as well, including file and URL blocking, and so on. IBM Cloud Internet Services, which also operates at the Internet edge, can detect threats at the application layer through its WAF capability. IBM Cloud also has workload protection, previously discussed, which can detect runtime threats on workloads. These are summarized below:

Table 2: Threat detection - available methods

  • NexGen firewalls (see the respective firewall documentation) - Anomalous traffic, blocked traffic, firewall rule hits, anomalous files, URLs, DNS queries, and so on.
  • CIS (Cloud Internet Services) - Layer 7 and WAF detections.
  • Cloud workload protection (see About Workload Protection and Key features) - Runtime threat detection and vulnerability discovery on virtual server instances.

The following options are available for threat detection:

  • NexGen Firewalls - This detection option can be deployed in public access situations at the edge. This option can also be deployed in private access situations where customers want an additional level of threat detection beyond whatever security may be on-prem. Finally, this option can be deployed in conjunction with CIS in certain situations.
  • IBM Cloud Internet Services - This detection option can be deployed in public access situations at the edge. But in public environments this option is typically used where broader Content Delivery Networking (CDN) capabilities are needed. Customers would not necessarily deploy this in private situations or where content delivery network capabilities are not needed.
  • Cloud Workload Protection - This detection option can be deployed where customers are using or will use IBM Cloud Compliance Manager. This option may be needed where a customer just needs endpoint security, particularly in public access environments.

The following are best practices for threat detection:

  • Threat detection capabilities should always be deployed in public situations.
  • Deployment in private situations is dependent upon a customer risk profile.
  • Threat detection capability should be accompanied by trained personnel and appropriate processes.
  • Threat detections need to be correlated in some way, perhaps through a Security Information and Event Management (SIEM) platform, to triangulate attacks and get a holistic view of threats.

The following is solutioning guidance for threat detection:

Threat response

Security response functions typically fall into two categories: those that are automated by a security capability, and those that are broader in nature and involve people, processes, and technologies, for example incident response. For the first category, IBM Cloud has various security capabilities that can act to stop or respond to a threat.

  • NexGen Firewalls - Response: Blocking traffic, files, URLs, DNS queries, and so on. This includes various types of response alerts and alarms.
  • IBM Cloud Internet Services - Response: Blocking various HTTP/HTTPS traffic and domains, and notifications based on events.

Threat response options include:

  • NexGen Firewalls: Customers have the option to get a variety of response alerts and alarms based on various detection items and other firewall criteria.
  • CIS: Customers have the option of selecting different notifications based on security events.

Threat response best practices include:

  • Procedures and processes to handle all the security notifications and alerts in a unified manner
  • Personnel that are established and trained to respond to security events
  • Having an established incident response plan.

Threat response solutioning guidance include:

  • Configuring alert policies (Cloud Internet Service)
  • NexGen firewall response capability - See the respective firewall documentation and how to set up possible responses.

Broader incident response

The above information discussed security response capabilities in IBM Cloud. But there are numerous broader solutions in the marketplace that handle security incident response on a much larger scale, covering all aspects of risk exposure, people, process and technology when there is an event. IBM Cybersecurity Services has a comprehensive service in this area known as IBM X-Force Incident Response Services. And there are other broader incident response solutions in the marketplace.

Vulnerability management

Vulnerability testing and management can be broad, but generally it involves tools that seek to uncover areas that can be used by attackers. For example, network vulnerability testing scans for ports, protocols, and IP addresses that are open for penetration, perhaps because of user misconfiguration. Often security configurations “drift” over time because of inadvertent user actions or changing needs. And there are other ways in which vulnerabilities can develop and be exposed. Review some vulnerability testing and checking capabilities within IBM Cloud and some other solutions:

Table 3: Vulnerability management - methods

  • IBM Cloud Security and Compliance Center Workload Protection - Ability to scan resources for misconfigured settings per compliance requirements.
  • Vulnerability Advisor - Ability to scan container images. This vulnerability checking is applicable where containers may be deployed on top of Virtual Private Cloud (VPC) Virtual Server Instances (VSIs).
  • Software and network vulnerability (see: Scanning software for vulnerabilities) - Various 3rd party market solutions are available, which can be deployed in IBM Cloud on Virtual Server Instances (VSIs). IBM Cybersecurity Services can source a number of solutions here, including its preferred partner Tenable. IBM Cybersecurity Services also has a vulnerability management service known as the X-Force Red vulnerability management service.

The following options are available for vulnerability management:

  • IBM Cloud Security and Compliance Center Workload Protection: Customers have the option of choosing the resources and configurations that they want to scan for vulnerabilities.
  • Vulnerability Advisor: Customers can choose what images to scan and what exemptions are available when a threat detection occurs.
  • 3rd Party: Customers have the option of selecting and using various vulnerability testing solutions, each of which has a myriad of configuration options.

The following are best practices for vulnerability management:

  • Customers should establish a vulnerability testing policy and plan and conduct regular vulnerability testing per the plan and policy.
  • Processes, procedures, and approval workflows for vulnerability remediations and similar should be established.

The following is solutioning guidance for vulnerability management:

Governance, risk, and compliance

Governance, Risk, and Compliance (GRC) is a structured way to align information technology (IT) with business goals while managing risks and meeting all industry and government regulations. The following sections discuss IBM Cloud's capabilities in this domain.

The following concepts are discussed:

Configuration governance and management

Cloud security configuration and management is a set of processes, procedures, and native tools and automation to control and eliminate misconfigurations, which today can be a huge source of cloud security vulnerabilities. IBM Cloud’s specific configuration governance is handled through its IBM Cloud Security and Compliance Center Workload Protection platform. In IBM Cloud Compliance Manager, all security configurations such as Access Control Lists (ACLs), Multi-Factor Authentication (MFA) and many others can be configured according to certain compliance frameworks and other prescribed custom settings a customer may want. IBM Cloud Compliance Manager can continually check operating configurations and do a comparison between parameters that are currently "set" versus those that are prescribed or dictated.

Configuration governance and management options include:

  • IBM Cloud Compliance Manager: Customers have the option of choosing the resources and configurations that they want to scan for status and parameters.
  • Palo Alto Prisma Cloud: This solution from IBM Cybersecurity Services provides configuration governance in multi-cloud situations.
  • Manual configuration management: Customers might possibly track configurations manually, say through spreadsheets and the like, but this method is tedious and prone to errors. This might be a possibility with noncritical workloads in a private access situation.
  • No configuration governance: This option is not recommended even in private or noncritical situations. Vulnerabilities might be opened up where there is security configuration “drift” from personnel making inadvertent changes, and customers would be unable to locate possible problems without significant inspection.

Configuration governance and management best practices include:

  • Establish a configuration management policy and develop and design security configurations well before any deployment
  • Understand the compliance framework applicable to your environment that might possibly drive configurations
  • Understand how needed compliance frameworks are translated into security configurations
  • Use automation such as IBM Cloud Security and Compliance Center Workload Protection to automate security configurations and tracking
  • Develop workflows and approval processes to control security configuration changes
  • Ensure that change rights are strictly controlled through Identity and Access Management (IAM) permissions and any Privileged Access Management (PAM) granular permissions.
  • Review the Best practices for working with IBM Cloud Security and Compliance Center Workload Protection.

Configuration governance and management solutioning guidance include:

Review the following solution guidance for IBM Cloud Security and Compliance Center Workload Protection: Cloud Security Posture Management guidance.

Audit and regulatory and compliance monitoring

In some respects auditing, regulatory aspects and compliance monitoring are all related. IBM Cloud has two main capabilities to aid in auditing: IBM Cloud Security and Compliance Center Workload Protection and IBM Cloud Activity Tracker, both of which were discussed earlier. IBM Cloud Security and Compliance Center Workload Protection provides a wide range of compliance audit reports on the overall state of a customer's compliance as compared to various security frameworks, for example NIST 800-53, HIPAA, and so on. Activity Tracker provides an auditing function in that it tracks all IAM and API activities, as previously discussed. Auditors can use both of these audit functions. See the following if there is a need to understand IBM Cloud's underlying infrastructure compliance monitoring (typically referred to as "below the line" monitoring): compliance monitoring.

Regulated workloads have specific compliance framework adherence requirements and regulatory aspects are subsumed to a certain degree in compliance monitoring and auditing.

The following options are available for audit, regulatory, and compliance monitoring:

  • IBM Cloud Compliance Manager: Customers can use this tool for compliance monitoring and audit reports. This is highly recommended due to its tight integration with IBM Cloud.
  • Palo Alto Prisma Cloud: This option might be applicable if there is need for multi-cloud compliance monitoring. Or, the customer might already be using this platform. Using this solution just for IBM Cloud is not recommended due to possible costs and solution configuration complexities.
  • No compliance monitoring: Customers can possibly forgo compliance monitoring and auditing if the workloads are non-regulated and there are no audit reporting requirements.

The following are best practices for audit, regulatory, and compliance monitoring:

Review the best practices for working with IBM Cloud Security and Compliance Center Workload Protection: Best practices for working with IBM Cloud Security and Compliance Center Workload Protection

The following is solutioning guidance for audit, regulatory, and compliance monitoring: