Architecture decisions for security
Review the main architecture decisions for securing the solution at a platform level such as networking, access and storage, and at the AI level. The following tables covers Red Hat OpenShift and Virtual Private Cloud workloads as well as the IBM Cloud Text to Speech and IBM Cloud Speech to Text SaaS services.
| Architecture decision | Requirement | Options | Decision | Rationale |
|---|---|---|---|---|
| Network Isolation: VPC virtual server instances | Isolate the different applications and environments running in the VPC. | VPC Access Control Lists (ACLs) VPC Security Groups VPC NGFW appliance combined with VPC routing tables |
VPC Access Control Lists (ACLs) and VPC Security Groups |
Native VPC capabilities, simpler to implement and no specific skills required |
| Network Isolation - Red Hat OpenShift workloads | Isolate the different applications/environments running in Red Hat OpenShift | Using several OpenShift clusters Using OpenShift network policies |
Using OpenShift network policies | Native OpenShift capability, lower infrastructure footprint and cost |
| Network Isolation - SaaS | Isolate the traffic to the different SaaS services used (IBM Cloud Text to Speech, IBM Cloud Speech to Text, Maximo Visual Inspection) | Private endpoint (VPE) Public endpoint |
Private endpoint (VPE) | SaaS services are by definition (in most cases) multitenant and accessed through the same target, however using a VPC private endpoint at least ensures that the path remains private thus increasing the security and avoiding egress costs |
| Network Isolation - Public access to the environment | Isolate the environment from the public internet and filter and control access to it (including load balancing to the different environments) | IBM Cloud Internet Services (CIS) VPC NGFW appliance combined with VPC routing tables |
IBM Cloud Internet Services (CIS) | As a service offering, easier to implement and with better scalability |
| Access Management | Provide RBAC capabilities to the IBM Cloud environment and services data | IBM Cloud Identity and Access Management (IAM) | IBM Cloud Identity and Access Management (IAM) | Built-in IBM Cloud capability, supported by all IBM Cloud services |
| Encryption in transit - VPC Virtual Server Instances | Secure data in transit to/from the VPC Virtual Servers Instances workloads | No encryption Application level encryption |
Application level encryption | Only way to implement encryption in transit for application running on a VPC virtual server instance, if the application is not publicly exposed, no encryption might be acceptable but this depends on the exact customer's requirements |
| Encryption in transit - Red Hat OpenShift | Secure data in transit to/from the OpenShift container workloads | No encryption Application level encryption Service Mesh for Red Hat OpenShift |
Application level encryption | Lower infrastructure footprint and simpler Openshift cluster design and management, same approach needed to secure VPC virtual server instances communications in any case |
| Encryption in transit - SaaS | Secure data in transit to/from IBM Cloud Text to Speech, IBM Cloud Speech to Text and Maximo Visual Inspection | Native TLS encryption | Native TLS encryption | Text to Speech, IBM Cloud Speech to Text are exposed via HTTP and WebSocket interfaces and natively support TLS 1.2. Maximo Visual Inspection is exposed via REST APIs which also support TLS natively. |
| Encryption at rest - Key Management | Provide and manage the keys to encrypt data for VPC virtual server instances, Red Hat OpenShift and SaaS services | IBM managed keys Customer provided keys - IBM Key Protect Customer provided and controlled keys - IBM Hyper Protect Crypto Services (HPCS) |
IBM managed keys | Native solution, compatible with all IBM Cloud services. However this is dependent on the exact customer's requirements in terms of control over the encryption keys |
| Data Encryption for image and video files and analysis | Encryption at Rest and in Transit: Given the sensitive nature of the visual data (e.g., images, inspection results, AI models), ensuring that data is encrypted both at rest and in transit is critical. IBM Cloud provides built-in encryption, but it's important to confirm that all data handling complies with encryption standards, particularly for regulatory and compliance purposes. Key Management: Use secure key management services like IBM Key Protect to control and rotate encryption keys effectively. | IBM managed keys Customer provided keys - IBM Key Protect Customer provided and controlled keys - IBM Hyper Protect Crypto Services (HPCS). |
IBM managed keys for images and video shared for Maximo | Native solution, compatible with all IBM Cloud services. However this is dependent on the exact customer's requirements in terms of control over the encryption keys |
Security Architecture decision for AI
IBM watsonx.governance is the key services considered in this pattern. watsonx.governance has the following key capabilities:
- Manage, monitor and provide end to end AI governance
- Life cycle management for Large Language Models
- Add new approved models
- Anomaly detection
- Bias detection