You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The IDs, such as {: #title-id} are required for publishing this reference architecture in IBM Cloud Docs. Set unique IDs for each heading. Also include
59
59
the toc attributes on the H1, repeating the values from the YAML header.
60
60
-->
61
61
62
-
This reference architecture summarizes the deployment and best practices on IBM Cloud for setting core security services and their associated dependencies. IBM Cloud's core security services are crucial for ensuring robust security and compliance for cloud-based applications and data. Their primary goal is to provide framework for secure and compliant IBM Cloud workloads.
62
+
This reference architecture summarizes the deployment and best practices on {{site.data.keyword.cloud_notm}} for setting core security services and their associated dependencies. {{site.data.keyword.cloud_notm}}'s core security services are crucial for ensuring robust security and compliance for cloud-based applications and data. Their primary goal is to provide a framework for secure and compliant {{site.data.keyword.cloud_notm}} workloads.
63
63
64
64
Here’s a brief overview of each service:
65
65
66
-
Key Protect: This service provides a secure and scalable way to manage encryption keys for your cloud applications. It ensures that sensitive data is protected by managing and safeguarding cryptographic keys, facilitating compliance with industry standards and regulatory requirements.
66
+
{{site.data.keyword.keymanagementserviceshort}}: This service provides a secure and scalable way to manage encryption keys for your cloud applications. It ensures that sensitive data is protected by managing and safeguarding cryptographic keys, facilitating compliance with industry standards and regulatory requirements.
67
67
68
-
Secrets Manager: This service helps in securely storing and managing sensitive information such as API keys, credentials, and certificates. By centralizing secret management, it reduces the risk of exposure and simplifies the process of accessing and rotating secrets, thereby enhancing security posture.
68
+
{{site.data.keyword.secrets-manager_short}}: This service helps in securely storing and managing sensitive information such as API keys, credentials, and certificates. By centralizing secret management, it reduces the risk of exposure and simplifies the process of accessing and rotating secrets, thereby enhancing the security posture.
69
69
70
-
Security and Compliance Center: This platform offers a comprehensive suite of tools to assess, monitor, and maintain the security and compliance of your cloud environment. It provides insights and controls to help organizations meet regulatory requirements, adhere to best practices, and protect against threats.
70
+
{{site.data.keyword.compliance_short}}: This platform offers a comprehensive suite of tools to assess, monitor, and maintain the security and compliance of your cloud environment. It provides insights and controls to help organizations meet regulatory requirements, adhere to best practices, and protect against threats.
71
71
72
-
IBM Cloud Security and Compliance Center Workload Protection: This service offers functionality to protect workloads, get deep cloud and container visibility, posture management (compliance, benchmarks, CIEM), vulnerability scanning, forensics, and threat detection and blocking.
72
+
{{site.data.keyword.sysdigsecure_full_notm}}: This service offers features to protect workloads, get deep cloud and container visibility, posture management (compliance, benchmarks, CIEM), vulnerability scanning, forensics, and threat detection and blocking.
73
73
74
-
This reference architecture showcases how these services form a foundational security layer that enhances data protection, simplifies compliance, and strengthens overall cloud security for any workload in IBM Cloud.
74
+
This reference architecture showcases how these services form a foundational security layer that enhances data protection, simplifies compliance, and strengthens overall cloud security for any workload in {{site.data.keyword.cloud_notm}}.
75
75
76
76
## Architecture diagram
77
77
{: #architecture-diagram}
78
78
79
-
The following diagram represents the architecture for Core Security Services on IBM Cloud and reuses the [best practices](/docs/framework-financial-services?topic=framework-financial-services-about) for IBM Cloud for Financial Services.
79
+
The following diagram represents the architecture for the core security services deployable architecture on {{site.data.keyword.cloud_notm}} and reuses the [best practices](/docs/framework-financial-services?topic=framework-financial-services-about) for {{site.data.keyword.framework-fs_full}}.
The architecture is anchored by three fundamental services: Key Protect, Secrets Manager, and IBM Cloud Security Services and Workload Protection. These services provide integration endpoints for any customer workload hosted on IBM Cloud.
83
+
The architecture is anchored by three fundamental services: {{site.data.keyword.keymanagementserviceshort}}, {{site.data.keyword.secrets-manager_short}}, and IBM Cloud Security Services and {{site.data.keyword.sysdigsecure_full_notm}}. These services provide integration endpoints for any customer workload that is hosted on {{site.data.keyword.cloud_notm}}.
84
84
85
-
1.Key Protect
85
+
1.{{site.data.keyword.keymanagementserviceshort}}
86
86
87
-
Key Protect is responsible for centrally managing the lifecycle of encryption keys used by IBM Cloud Object Storage (COS) buckets, Secrets Manager, and event notification resources. Additionally, it can manage encryption keys for any customer workload requiring protection.
87
+
{{site.data.keyword.keymanagementserviceshort}} is responsible for centrally managing the lifecycle of encryption keys that are used by {{site.data.keyword.cos_full_notm}} buckets, {{site.data.keyword.secrets-manager_short}}, and event notification resources. Additionally, it can manage encryption keys for any customer workload that requires protection.
88
88
89
-
2.Secrets Manager
89
+
2.{{site.data.keyword.secrets-manager_short}}
90
90
91
-
Secrets Manager securely stores and manages sensitive information, including API keys, credentials, and certificates. It utilizes encryption keys from Key Protect to encrypt sensitive data and to seal/unseal vaults holding the secrets. It is preconfigured to send events to the Event Notifications service, allowing customers to set up email or SMS notifications. Moreover, it is automatically configured to forward all API logs to the customer's logging instance.
91
+
{{site.data.keyword.secrets-manager_short}} securely stores and manages sensitive information, including API keys, credentials, and certificates. It uses encryption keys from {{site.data.keyword.keymanagementserviceshort}} to encrypt sensitive data and to seal and unseal vaults that hold the secrets. It is preconfigured to send events to the {{site.data.keyword.en_short}} service, allowing customers to set up email or SMS notifications. Moreover, it is automatically configured to forward all API logs to the customer's logging instance.
92
92
93
93
3. Security Compliance Center
94
94
95
95
The Security Compliance Center instance is preconfigured to scan all resources provisioned by the reference architecture. It can be expanded to accommodate the unique workloads of customers.
96
96
97
97
98
-
IBM Cloud Object Storage buckets are set up to receive logs from Logging and Alerting Services. Each bucket is configured to encrypt data at rest by using encryption keys managed by Key Protect.
98
+
{{site.data.keyword.cos_full_notm}} buckets are set up to receive logs from logging and alerting services. Each bucket is configured to encrypt data at rest by using encryption keys managed by {{site.data.keyword.keymanagementserviceshort}}.
99
99
100
100
## Design concepts
101
101
{: #design-concepts}
102
102
103
103
- Storage: Backup, Archive
104
-
- Networking: Cloudnative contectivity
105
-
- Security: Data Security, Identity & Access, Application Security, Threat Detection and Response, Infrastructure & Endpoints, Governance, Risk & Compliance
106
-
- Resiliency: High Availability
107
-
- Service Management: Monitoring, Logging, Auditing / tracking, Automated Deployment
104
+
- Networking: Cloud-native connectivity
105
+
- Security: Data security, identity and access, application security, threat detection and response, infrastructure and endpoints, governance, risk and compliance
106
+
- Resiliency: High availability
107
+
- Service management: Monitoring, logging, auditing and tracking, automated deployment
@@ -118,40 +116,34 @@ The following table outlines the requirements that are addressed in this archite
118
116
| Aspect | Requirements |
119
117
| -------------- | -------------- |
120
118
| Networking | Provide secure, encrypted connectivity to the cloud’s private network for management purposes. |
121
-
| Security | Encrypt all application data in transit and at rest to protect from unauthorized disclosure. \n Encrypt all security data (operational and audit logs) to protect from unauthorized disclosure. \n Encrypt all data using customermanaged keys to meet regulatory compliance requirements for additional security and customer control. \n Protect secrets through their entire lifecycle and secure them using access control measures. |
122
-
| Resiliency | Support application availability targets and business continuity policies. \n Ensure availability of the application in the event of planned and unplanned outages. \n Backup application data to enable recovery in the event of unplanned outages. \n Provide highly available storage for security data (logs) and backup data. |
123
-
| Service Management | Monitor system and application health metrics and logs to detect issues that might impact the availability of the application. \n Generate alerts/notifications about issues that might impact the availability of applications to trigger appropriate responses to minimize down time. \n Monitor audit logs to track changes and detect potential security problems. \n Provide a mechanism to identify and send notifications about issues found in audit logs. |
119
+
| Security | Encrypt all application data in transit and at rest to protect it from unauthorized disclosure. \n Encrypt all security data (operational and audit logs) to protect from unauthorized disclosure. \n Encrypt all data using customer-managed keys to meet regulatory compliance requirements for additional security and customer control. \n Protect secrets through their entire lifecycle and secure them using access control measures. |
120
+
| Resiliency | Support application availability targets and business continuity policies. \n Ensure availability of the application during planned and unplanned outages. \n Back up application data to enable recovery during unplanned outages. \n Provide highly available storage for security data (logs) and backup data. |
121
+
| Service Management | Monitor system and application health metrics and logs to detect issues that might impact the availability of the application. \n Generate alerts/notifications about issues that might impact the availability of applications to trigger appropriate responses to minimize downtime. \n Monitor audit logs to track changes and detect potential security problems. \n Provide a mechanism to identify and send notifications about issues that are found in audit logs. |
||[Key Protect](https://cloud.ibm.com/docs/key-protect?topic=key-protect-about)| A full-service encryption solution that allows data to be secured and stored in IBM Cloud|
138
-
||[Secrets Manager](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-getting-started#getting-started)| Certificate and Secrets Management |
139
-
||[Security and Compliance Center (SCC)](https://cloud.ibm.com/docs/security-compliance?topic=security-compliance-getting-started)| Implement controls for secure data and workload deployments, and assess security and compliance posture |
140
-
||[Security and Compliance Center Workload Protection ](https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started)||
141
-
| Service Management |[IBM Cloud Monitoring](https://cloud.ibm.com/docs/monitoring?topic=monitoring-about-monitor)| Apps and operational monitoring |
142
-
||[IBM Log Analysis](https://cloud.ibm.com/docs/log-analysis?topic=log-analysis-getting-started)| Apps and operational logs |
| Storage |[{{site.data.keyword.cos_full_notm}}](https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-about-cloud-object-storage)| Web app static content, backups, logs (application, operational, and audit logs) |
132
+
| Networking |[Virtual Private Endpoint (VPE)](https://cloud.ibm.com/docs/vpc?topic=vpc-about-vpe)| For private network access to {{site.data.keyword.cloud_notm}} services, for example, {{site.data.keyword.keymanagementserviceshort}}, {{site.data.keyword.keymanagementserviceshort}}, {{site.data.keyword.compliance_short}}. |
||[{{site.data.keyword.keymanagementserviceshort}}](https://cloud.ibm.com/docs/key-protect?topic=key-protect-about)| A full-service encryption solution that allows data to be secured and stored in {{site.data.keyword.cloud_notm}}|
135
+
||[{{site.data.keyword.secrets-manager_short}}](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-getting-started#getting-started)| Certificate and Secrets Management |
136
+
||[{{site.data.keyword.compliance_short}}](https://cloud.ibm.com/docs/security-compliance?topic=security-compliance-getting-started)| Implement controls for secure data and workload deployments, and assess security and compliance posture |
| Service Management |[{{site.data.keyword.monitoringlong_notm}}](https://cloud.ibm.com/docs/monitoring?topic=monitoring-about-monitor)| Apps and operational monitoring |
139
+
||[{{site.data.keyword.loganalysislong_notm}}](https://cloud.ibm.com/docs/log-analysis?topic=log-analysis-getting-started)| Apps and operational logs |
- Ensure Object Storage encryption is enabled with BYOK
151
-
- Ensure Activity Tracker data is encrypted at rest
152
-
- Ensure Activity Tracker trails are integrated with Log Analysis logs
153
-
- Ensure Key Protect has automated rotation enabled for customer-managed keys
154
-
- Ensure that the Key Protect service instance is highly available
146
+
Ensures compliance with some of the controls in the CIS IBM Cloud Foundations Benchmark profile. To view the list of added controls, follow these steps:
155
147
156
-
**Security and Compliance Center (SCC)** <br>
157
-
This reference architecture utilizes the Security and Compliance Center, which defines policy as code, implements controls for secure data and workload deployments, and assesses security and compliance posture. For this reference architecture, the CIS IBM Cloud Foundations Benchmark is used. A profile is a grouping of controls that can be evaluated for compliance.
148
+
1. Go the {{site.data.keyword.cloud_notm}} [catalog](/catalog#reference_architecture){: external} and search for the Core Security Services deployable architecture.
149
+
1. Click the tile for the deployable architecture to open the details. The Security & compliance tab lists all of the controls that are included in the deployable architecture.
0 commit comments