IBM Cloud Essential Security and Observability Services
This reference architecture summarizes the deployment and best practices on IBM Cloud for setting essential security services and their associated dependencies. IBM Cloud's essential security services are crucial for ensuring robust security and compliance for cloud-based applications and data. Their primary goal is to provide a framework for secure and compliant IBM Cloud workloads.
Here’s a brief overview of each service:
Key Protect: This service provides a secure and scalable way to manage encryption keys for your cloud applications. It ensures that sensitive data is protected by managing and safeguarding cryptographic keys, facilitating compliance with industry standards and regulatory requirements.
Secrets Manager: This service helps in securely storing and managing sensitive information such as API keys, credentials, and certificates. By centralizing secret management, it reduces the risk of exposure and simplifies the process of accessing and rotating secrets, thereby enhancing the security posture.
Security and Compliance Center: This platform offers a comprehensive suite of tools to assess, monitor, and maintain the security and compliance of your cloud environment. It provides insights and controls to help organizations meet regulatory requirements, adhere to best practices, and protect against threats.
IBM Cloud Security and Compliance Center Workload Protection: This service offers features to protect workloads, get deep cloud and container visibility, posture management (compliance, benchmarks, CIEM), vulnerability scanning, forensics, and threat detection and blocking.
This reference architecture showcases how these services form a foundational security layer that enhances data protection, simplifies compliance, and strengthens overall cloud security for any workload in IBM Cloud.
Architecture diagram
The following diagram represents the architecture for the IBM Cloud Essential Security and Observability Services deployable architecture and reuses the best practices of the IBM Cloud Framework for Financial Services.
The architecture is anchored by three fundamental services: Key Protect, Secrets Manager, and Security and Compliance Center. These services provide integration endpoints for any customer workload that is hosted on IBM Cloud.
- Key Protect
  Key Protect is responsible for centrally managing the lifecycle of encryption keys that are used by IBM Cloud Object Storage buckets, Secrets Manager, and event notification resources. Additionally, it can manage encryption keys for any customer workload that requires protection.
- Secrets Manager
  Secrets Manager securely stores and manages sensitive information, including API keys, credentials, and certificates. It uses encryption keys from Key Protect to encrypt sensitive data and to seal and unseal the vaults that hold the secrets. It is preconfigured to send events to the Event Notifications service, allowing customers to set up email or SMS notifications. Moreover, it is automatically configured to forward all API logs to the customer's logging instance.
- Security and Compliance Center
  The Security and Compliance Center instance is preconfigured to scan all resources provisioned by the reference architecture. It can be expanded to include IBM Cloud Security and Compliance Center Workload Protection to accommodate the unique workloads of customers.
IBM Cloud Object Storage buckets are set up to receive logs from logging and alerting services. Each bucket is configured to encrypt data at rest by using encryption keys managed by Key Protect.
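As an added illustration of the Key Protect to Object Storage relationship described above (example code, not the deployable architecture's own Terraform), the following HCL for the IBM Cloud Terraform provider creates a Key Protect root key, grants Object Storage the least-privilege authorization it needs to use that key, and provisions a log bucket encrypted at rest with it. Instance names, the bucket name and the region are placeholders.

```hcl
provider "ibm" {
  region = "us-south" # placeholder region
}

# Key Protect instance that centrally manages the lifecycle of encryption keys.
resource "ibm_resource_instance" "key_protect" {
  name     = "example-key-protect" # placeholder name
  service  = "kms"
  plan     = "tiered-pricing"
  location = "us-south"
}

# Root key: a customer-managed key that never leaves Key Protect; it wraps
# the data encryption keys that Object Storage uses to encrypt objects.
resource "ibm_kms_key" "cos_root_key" {
  instance_id  = ibm_resource_instance.key_protect.guid
  key_name     = "example-cos-root-key" # placeholder name
  standard_key = false                  # false = root key (non-exportable), not a standard key
}

# Object Storage instance that holds the log and backup buckets.
resource "ibm_resource_instance" "cos" {
  name     = "example-cos" # placeholder name
  service  = "cloud-object-storage"
  plan     = "standard"
  location = "global"
}

# Service-to-service authorization scoped to these two instances: Object Storage
# needs only the Reader role on Key Protect to wrap and unwrap keys.
# Creating a KMS-encrypted bucket fails if this policy is missing.
resource "ibm_iam_authorization_policy" "cos_to_key_protect" {
  source_service_name         = "cloud-object-storage"
  source_resource_instance_id = ibm_resource_instance.cos.guid
  target_service_name         = "kms"
  target_resource_instance_id = ibm_resource_instance.key_protect.guid
  roles                       = ["Reader"]
}

# Bucket encrypted at rest with the customer-managed root key.
resource "ibm_cos_bucket" "logs" {
  bucket_name          = "example-logs-bucket" # placeholder; bucket names are globally unique
  resource_instance_id = ibm_resource_instance.cos.id
  region_location      = "us-south"
  storage_class        = "standard"
  kms_key_crn          = ibm_kms_key.cos_root_key.crn
  depends_on           = [ibm_iam_authorization_policy.cos_to_key_protect]
}
```

Deleting or disabling the root key in Key Protect renders the bucket's data unreadable, so the key's lifecycle (rotation, deletion protection) should be managed alongside the bucket's retention requirements.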
Design concepts
- Storage: Backup, Archive
- Networking: Cloud-native connectivity
- Security: Data security, identity and access, application security, threat detection and response, infrastructure and endpoints, governance, risk and compliance
- Resiliency: High availability
- Service management: Monitoring, logging, auditing and tracking, automated deployment
Requirements
The following table outlines the requirements that are addressed in this architecture.
Aspect | Requirements |
---|---|
Networking | Provide secure, encrypted connectivity to the cloud’s private network for management purposes. |
Security | Encrypt all application data in transit and at rest to protect it from unauthorized disclosure. Encrypt all security data (operational and audit logs) to protect from unauthorized disclosure. Encrypt all data using customer-managed keys to meet regulatory compliance requirements for additional security and customer control. Protect secrets through their entire lifecycle and secure them using access control measures. |
Resiliency | Support application availability targets and business continuity policies. Ensure availability of the application during planned and unplanned outages. Back up application data to enable recovery during unplanned outages. Provide highly available storage for security data (logs) and backup data. |
Service Management | Monitor system and application health metrics and logs to detect issues that might impact the availability of the application. Generate alerts/notifications about issues that might impact the availability of applications to trigger appropriate responses to minimize downtime. Monitor audit logs to track changes and detect potential security problems. Provide a mechanism to identify and send notifications about issues that are found in audit logs. |
Components
The following table outlines the products or services used in the architecture for each aspect.
Aspects | Architecture components | How the component is used |
---|---|---|
Storage | IBM Cloud Object Storage | Web app static content, backups, logs (application, operational, and audit logs) |
Networking | Virtual Private Endpoint (VPE) | For private network access to IBM Cloud services, for example, Key Protect, Secrets Manager, and Security and Compliance Center. |
Security | IAM | Cloud Identity and Access Management |
Security | Key Protect | A full-service encryption solution that allows data to be secured and stored in IBM Cloud |
Security | Secrets Manager | Certificate and secrets management |
Security | Security and Compliance Center | Implement controls for secure data and workload deployments, and assess security and compliance posture |
Security | IBM Cloud Security and Compliance Center Workload Protection | Workload protection, posture management, vulnerability scanning, and threat detection |
Service Management | IBM Cloud Monitoring | Apps and operational monitoring |
Service Management | IBM Cloud Log Analysis | Apps and operational logs |
Service Management | Activity Tracker Event Routing | Audit logs |
Compliance
This architecture ensures compliance with some of the controls in the CIS IBM Cloud Foundations Benchmark profile. To view the list of included controls, follow these steps:
- Go to the IBM Cloud catalog and search for the IBM Cloud Essential Security and Observability Services deployable architecture.
- Click the tile for the deployable architecture to open the details. The Security & compliance tab lists all of the controls that are included in the deployable architecture.