Best practices for access, secrets, and deployment configuration
As you transition your workloads to IBM Cloud, be sure to keep the following best practices in mind. These best practices around assigning access, managing secrets, and configuring deployments can help ensure that your compliance audits run smoothly.
Follow the principle of least privilege
It's always a best practice to assign each user in your account the least amount of access that is required for them to perform the duties of their role. For example, your organization might have a compliance-focal who wants to use Compliance Manager to manage the collection of data for compliance audits. For the focal to be able to perform the required tasks in your account, they must have access to the Compliance Manager, Event Notifications, and Cloud Object Storage services through IAM. If they are managing compliance for an entire enterprise or a specific integration, then more permissions can be provided.
Helping ensure the proper configuration of IAM policies is one of the greatest factors in reducing the cost of a data breach per the IBM Cost of Data Breach 2024 report.
Take advantage of access groups
Through the Identity and Access Management service, you can add the users or resources in your account to access groups based on role or required permissions. By using these groups, you can minimize the number of necessary policies that you need to assign and manage in your account. For example, if your team project uses the same resources, you can create a group and assign permissions to the group rather than to each individual. For help with getting started, see Creating access groups.
Does a user need this permission for a short time period? It might be better practice to use a trusted profile. Learn more.
Enforce MFA
While multifactor authentication is typically a choice made by each organization, more compliance regulations are requiring it. Be sure that you know which standards and regulations that your organization is required to be in compliance with. To configure MFA, you can create a settings template that defines the level of MFA that you want your company to follow. Then, assign the settings template to all account groups. Learn more about Setting up Multifactor authentication.
Encrypt the data in your account
By using credentials, keys, or certificates it is important that your data remains secure throughout your account. It is important to think about encryption at every level, whether it's at rest, in motion, or in use. To evaluate about which secrets management tool is best for your organization, see Which service should I use.
Ensure the proper rotation of secrets
Regardless of which service you are using or what type of secret that you are rotating, it is crucial to the security of your applications that the rotation is completed securely and regularly. To help ensure that you never miss a rotation, it's recommended that you configure alerts. Check out the following links to learn more about the best practices of each service and secret type:
Run recurring compliance checks
The first time that an account is configured it is typically done carefully. But, as more policies are set, users leave your company, or resources are updated you can quickly become uncompliant. To help ensure that your organization remains secure, it is highly recommended that you use Compliance Manager or Workload Protection to continuously validate the compliance posture of your account.
Running an evaluation does not help ensure regulatory compliance. An evaluation provides a point in time statement of your current posture for a specific resource. It is your responsibility to review and interpret the results to help ensure that your organization is adhering to the controls that are required for your industry.