IBM Cloud Docs
Getting started with IBM Cloud Security and Compliance Center Data Security Broker

Overview

Protect your data in the cloud with IBM Cloud Data Security Broker, a complete data encryption solution that secures sensitive data in enterprise databases by integrating with key management systems and databases to provide application-level encryption.

Data Security Broker is software that makes data breaches irrelevant by ensuring that data remains encrypted, not only when it is stored but also while it is being processed by databases and applications.

Data Security Broker offers data encryption services that consist of two main components:

  • IBM Cloud Security and Compliance Center Data Security Broker Manager is the administrative console for the solution. It integrates with enterprise key managers and databases and manages the Data Security Broker solution components.
  • IBM Cloud Security and Compliance Center Data Security Broker Shield is the SQL proxy that encrypts and decrypts data at the field or record level.

Data Security Broker Manager enforces encryption policies and configurations by:

  • Communicating with key management solutions, the Data Security Broker Shield, and databases.
  • Orchestrating configuration and deployment.

Data Security Broker Shield is a stateless proxy that intercepts and encrypts application data sent to the database and decrypts encrypted data.

Data Security Broker provides a range of data protection services, such as data encryption, data tokenization, record-level encryption, and data masking.

Data Security Broker supports only PostgreSQL databases.
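To make the Shield pattern described above concrete, here is an added example (not IBM's product code and not the product's policy format) that models a SQL proxy sitting between an application and its database: protected columns are tokenized on the write path, and on the read path they are detokenized for an authorized role or masked for everyone else. Everything in it is constructed for illustration: sqlite3 stands in for PostgreSQL, the POLICY dictionary stands in for a policy pushed by a manager component, the roles, table and sample row are made up, and the key is generated in-process rather than fetched from a key manager.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed policy: which columns are protected and how (assumption, not the product's format)
POLICY = {
    "ssn": "tokenize",    # stored as a deterministic token, still searchable by equality
    "email": "tokenize",
}
REVEAL_ROLES = {"hr_admin"}   # roles that may see plaintext; every other role gets masked values


class FieldProtector:
    """Tokenizes protected columns on write; detokenizes or masks them on read."""

    def __init__(self, policy, key, reveal_roles):
        self.policy = policy
        self.key = key                  # a real deployment would obtain this from a key manager
        self.reveal_roles = reveal_roles
        self.vault = {}                 # token -> plaintext, kept outside the database

    def tokenize(self, column, value):
        # Keyed per column so equal values in different columns yield different tokens
        msg = f"{column}:{value}".encode()
        token = "tok_" + hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:24]
        self.vault[token] = value
        return token

    def detokenize(self, token):
        return self.vault.get(token, token)

    @staticmethod
    def mask(value):
        # Reveal only the last four characters; shorter values are fully masked
        keep = value[-4:] if len(value) > 4 else ""
        return "*" * (len(value) - len(keep)) + keep

    def protect_value(self, column, value):
        return self.tokenize(column, value) if self.policy.get(column) == "tokenize" else value

    def protect_row(self, row):
        return {col: self.protect_value(col, val) for col, val in row.items()}

    def reveal_row(self, row, role):
        out = {}
        for col, val in row.items():
            if self.policy.get(col) != "tokenize":
                out[col] = val
                continue
            plain = self.detokenize(val)
            out[col] = plain if role in self.reveal_roles else self.mask(plain)
        return out


class ShieldProxy:
    """Proxy between application and database: the application never sees tokens."""

    def __init__(self, conn, protector):
        self.conn = conn
        self.conn.row_factory = sqlite3.Row
        self.protector = protector

    def insert(self, table, row):
        protected = self.protector.protect_row(row)
        cols = ", ".join(protected)             # identifiers come from the schema/policy, not users
        marks = ", ".join("?" * len(protected))  # values are always bound as parameters
        self.conn.execute(f"INSERT INTO {table} ({cols}) VALUES ({marks})", list(protected.values()))

    def select(self, table, column, value, role):
        # The predicate value is tokenized too, so equality lookups work on protected columns
        needle = self.protector.protect_value(column, value)
        cur = self.conn.execute(f"SELECT * FROM {table} WHERE {column} = ?", (needle,))
        return [self.protector.reveal_row(dict(r), role) for r in cur.fetchall()]

    def raw(self, table):
        # What the database itself holds: what a DBA, backup or dump would expose
        return [dict(r) for r in self.conn.execute(f"SELECT * FROM {table}")]


def demo():
    """Constructed walk-through: one insert, then the same row as seen by two roles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, ssn TEXT, email TEXT)")
    proxy = ShieldProxy(conn, FieldProtector(POLICY, secrets.token_bytes(32), REVEAL_ROLES))
    proxy.insert("employees", {"name": "Ada", "ssn": "123-45-6789", "email": "ada@example.com"})
    return {
        "stored": proxy.raw("employees")[0],
        "hr": proxy.select("employees", "ssn", "123-45-6789", role="hr_admin")[0],
        "analyst": proxy.select("employees", "ssn", "123-45-6789", role="analyst")[0],
    }


if __name__ == "__main__":
    for label, row in demo().items():
        print(label, row)
```

The database only ever stores tokens for the protected columns, which is what keeps the data protected "while it is being processed" by the database rather than only at rest. Deterministic tokens are what make equality predicates continue to work through the proxy; the trade-off is that identical plaintexts produce identical tokens, so equality of values is visible to anyone reading the table, which is why the key and the detokenization vault must live outside the database's trust boundary.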

Setting up your environment

Before you begin

Before you begin installing and configuring the Data Security Broker, ensure that you have met the following requirements:

  • Create an IBM Cloud account.
  • Set up your environment.
  • Set up the minimum permissions required in the IBM Cloud account.

Ensure that your environment meets the following minimum system level and resource level requirements:

Table 1. Resource level requirements for Data Security Broker

| Cluster | Operating system | Number of worker nodes required |
|---|---|---|
| Red Hat® OpenShift® cluster | RHEL7/RHEL8 and CoreOS | 2 |
| IBM Cloud Kubernetes cluster | Ubuntu 18 | 2 |

Minimum permissions required to install, set up, and access Data Security Broker

As an IBM Cloud user, you need to set the following minimum permissions to install, set up, and access Data Security Broker. Assign the required permissions by following these steps and using the information in the permissions table:

  1. Log in to your IBM Cloud account and click Manage -> Access (IAM).
  2. In the Manage access and users dashboard, click View all in the My user details section.
  3. In the Access tab, click Assign access +. Select a service from the permissions table (Table 3) and click Next.
  4. In the Roles and actions section, select the specified permissions that are required.
  5. Click Add and Assign to assign the required permissions.

Table 3. Permissions required for Data Security Broker

| Service name | Permission level |
|---|---|
| Key Protect | Writer |
| IBM Cloud® Object Storage | Manager |
| Kubernetes Service | Manager, Editor |
| IBM Red Hat OpenShift Kubernetes Service | Editor |
| Schematics | Manager, Administrator |

You can find details about platform roles and the actions mapped to each role in the following table:

Table 4. Platform roles and their actions

| Platform role | Description |
|---|---|
| Administrator | As an administrator, you can perform all platform actions based on the resource this role is assigned to, including assigning access policies to other users. |
| Editor | As an editor, you can perform all platform actions except for managing the account and assigning access policies. |
| Operator | As an operator, you can perform the platform actions required to configure and operate service instances, such as viewing a service's dashboard. |
| Viewer | As a viewer, you can view service instances, but you can't modify them. |

Sizing Guidelines

The sizing of a Data Security Broker deployment is driven by its two components: the Data Security Broker Manager management console and one or more Data Security Broker Shield proxies. Each component has its own resource needs depending on the anticipated workload.

Data Security Broker Manager

In general, the resources allocated to a Data Security Broker Manager deployment need to be scaled with the number of managed Data Security Broker Shields and the number of concurrent users of the Data Security Broker Manager.

Data Security Broker Shield

The general rule for Data Security Broker Shield sizing, so that peak utilization can be handled, is to match the sum of all Data Security Broker Shields' memory and CPU allocations to that of the database instance. The initial vCPU and memory requests for the pod installation can start low and be scaled up based on utilization, on pod scaling policies, and on the workload of the particular installation. Resource allocation to Data Security Broker Shield deployments typically scales with the expected maximum number of concurrent connections.

Data Security Broker Shield consists of a single container that runs in its own pod. The Data Security Broker Shield pod can be in the same or different cluster but must have network connectivity to Data Security Broker Manager.

Minimum system requirements for deploying in an IBM Cloud Kubernetes Service (IKS) cluster or a Red Hat® OpenShift® Kubernetes Service (ROKS) cluster:

Table 2. Sizing guidelines

| Product | Container/service | IKS/ROKS version | vCPU | Memory | Disk space |
|---|---|---|---|---|---|
| Data Security Broker (DSB) Manager | DSB-manager | IKS v1.17+, ROKS v4.8.54+ | 4 | 8 GB | 5 GB |
| Data Security Broker (DSB) Shield | DSB-shield | IKS v1.17+, ROKS v4.8.54+ | 2 | 8 GB | None (no persistent volume necessary) |
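The Shield sizing rule above (sum of all Shield allocations equals the database instance's allocation, never below the per-pod minimum of 2 vCPU and 8 GB) is easy to get wrong when the replica count is chosen first. The following added example, which is not IBM's tooling, turns the rule into a planning check: it splits a database instance's CPU and memory across the requested number of Shield replicas, caps the replica count so that no pod falls below the table's minimum, and emits the corresponding Kubernetes resource requests. The database sizes in the demo are constructed, and the mapping of "8 GB" to the `8Gi` request string is an assumption made for the example.

```python
# Per-pod minimums for DSB Shield taken from the sizing table (Table 2)
SHIELD_MIN_VCPU = 2
SHIELD_MIN_MEM_GB = 8


def plan_shield_replicas(db_vcpu, db_mem_gb, requested_replicas):
    """Spread the database instance's CPU/memory across Shield replicas.

    Returns the replica count actually usable, the per-pod allocation, and whether
    the request had to be capped because a pod would fall below the minimum.
    """
    if requested_replicas < 1:
        raise ValueError("at least one Shield replica is required")
    # Largest replica count that still gives every pod the minimum request
    max_replicas = min(db_vcpu // SHIELD_MIN_VCPU, db_mem_gb // SHIELD_MIN_MEM_GB)
    if max_replicas < 1:
        raise ValueError("database instance is smaller than one minimum-sized Shield pod")
    replicas = min(requested_replicas, max_replicas)
    return {
        "replicas": replicas,
        "vcpu_per_shield": db_vcpu / replicas,
        "mem_gb_per_shield": db_mem_gb / replicas,
        "capped": replicas < requested_replicas,
    }


def shield_resource_requests(plan):
    """Kubernetes resources.requests for one Shield pod (GB rendered as Gi: assumption)."""
    cpu = plan["vcpu_per_shield"]
    mem = plan["mem_gb_per_shield"]
    return {
        "cpu": str(int(cpu)) if cpu == int(cpu) else f"{int(cpu * 1000)}m",
        "memory": f"{int(mem)}Gi" if mem == int(mem) else f"{int(mem * 1024)}Mi",
    }


if __name__ == "__main__":
    # Constructed sizes: an 8 vCPU / 32 GB database, first with 4 then with 8 requested Shields
    for wanted in (4, 8):
        plan = plan_shield_replicas(8, 32, wanted)
        print(wanted, "requested ->", plan, shield_resource_requests(plan))
```

With a 8 vCPU / 32 GB database, four Shields each get exactly the table minimum; asking for eight is capped back to four, since halving the allocation would put every pod below 2 vCPU and 8 GB. Scaling beyond that point means a larger database instance or, per the guidance above, pod scaling policies driven by observed utilization rather than a fixed replica count.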

After the environment is set up, you have the required roles and permissions, and the sizing guidelines are defined, you can start installing the Data Security Broker by following the instructions in the Installing Data Security Broker section.

Next Steps

Now that you understand the various entities that exist within Data Security Broker and have set up the environment to install it, the following diagram details the user flows that you might find helpful when you are working with Data Security Broker.

Figure 1. User workflow (encryption flow)