Use an approved reference architecture |
|
|
Use only services that are IBM Cloud for Financial Services Validated |
|
- No infrastructure (beyond what is provided for your Satellite location) is needed to use Financial Services Validated services that are part of the reference architecture.
|
Ensure that all deployed software meets all control requirements |
- Consider the software that you plan to install into your workload clusters in your Satellite location. Ensure that software is developed, deployed, configured, and managed in a way that is consistent with the control requirements.
|
- Consider the pieces of software that you plan to install into any part of your underlying infrastructure in your Satellite location or your supporting on-premises environment outside of Satellite. Ensure that software is developed,
deployed, configured, and managed in a way that is consistent with the control requirements.
|
Implement a system of account, identity, and access management to enable a zero trust environment |
- For accounts and resources in IBM Cloud, use IBM Cloud IAM for account, identity, and access management for IBM Cloud. See Accounts, identity management, and access control for more details.
- For accounts and resources managed outside of IBM Cloud (such as source code control systems, databases, federated identity providers, user directories, and so on), use solutions for account, identity, and access management that are
appropriate for those resources.
- For all workload operators, develop and use tools and processes of your choosing that allow operators to request access to be granted, to have access revoked, and so on.
- For workload consumers accessing your workloads (both web apps and APIs), use App ID (either federated or not) or bring your own solution.
|
- For operators of the IaaS / Data Center, use your own solutions for account, identity, and access management.
- Develop and use tools and processes of your choosing for operators to request access, to be granted access, to have access revoked, and so on.
|
Use and maintain nonproduction environments for development and testing |
- Create a separate IBM Cloud account with a duplicate deployment of the Satellite reference architecture and use it for testing all changes before you promote to your production Satellite location.
- Do not put anything into production that has not been tested in an equivalent nonproduction environment.
- Treat all nonproduction environments as if they were for production environments by following all of the best practices and Framework controls for each environment you create.
|
- Provide a separate set of hosts that are dedicated to your dev or test Satellite location that are isolated from your production Satellite location.
|
Enforce information flow policies and protect the boundaries of your application |
- Use separate network areas for control plane hosts and workload hosts for more specific network flow restrictions.
- Only allow network access to control plane for components (for example, management plane) that use services provided by control plane hosts.
- Identify interconnects between your Satellite workloads and your other services outside of the Satellite components and allow required network flows only.
- Use Satellite Link endpoints to provide secure access to private endpoints of IBM Cloud services.
- Use edge plane and restrict access to workloads deployed on your Red Hat OpenShift on IBM Cloud cluster so that security and management-related services can be accessed from the management plane only.
|
- Plan your virtual or physical network infrastructure for Satellite deployment to facilitate clear network flow restrictions based on proper identification of source and destination network areas.
|
Ensure that all operator actions are run through a bastion host |
- Ensure all interactive operator actions to manage the application in your Satellite locations can be run through a bastion host only in your dedicated edge or management plane.
- Enable recording of bastion sessions for auditing.
|
- Ensure all interactive operator actions to manage your on-premises infrastructure can be run through a bastion host only.
- Enable recording of bastion sessions for auditing.
|
Capture audit events and forward to a SIEM |
- For IBM Cloud resources, capture audit events by using Activity Tracker Event Routing and Object Storage encrypted using KYOK. In addition, ensure that those events are sent to a security information and event management (SIEM). See
Audit logging of IBM Cloud audit events for more details.
- For application code that runs in your Satellite location, ensure that auditable events are captured and forwarded to a SIEM. See Audit logging of provider events and SIEM for more details.
|
- Capture audit events for actions performed in your IaaS / data center environment. These audit logs should be securely stored, and they should also be forwarded to a security information and event management (SIEM) system.
|
Ensure that operational logging and monitoring is implemented |
- Capture operational logs that are generated by application code as a complement to audit logs. See Operational logging for
more details
- Capture operational metrics like CPU usage, memory usage, and API response times. See Operational monitoring for more
details.
|
- Capture operational logs that are generated within your IaaS / data center by using tools of your choosing.
- Capture operational metrics for resources in your IaaS / data center like CPU usage, memory usage, and API response times.
|
Follow secure development processes and ensure software integrity |
- Ensure that security engineering principles are applied in the design, development, implementation, and modification of the system.
- Maintain software integrity by using signed images, applying security patches, doing vulnerability scans, and so on. For more information, see Development processes and software integrity.
|
- Ensure that security engineering principles are applied in the design, development, implementation, and modification of resources in your IaaS / data center environment by using tools of your choosing.
- Maintain software integrity with tools of your choosing by using signed images, applying security patches, doing vulnerability scans, and so on.
|
Encrypt consumer data at rest and in transit |
- Ensure that data at rest is always encrypted by using Hyper Protect Crypto Services to manage encryption keys. Ensure that all Financial Services Validated services that support integration with Hyper Protect Crypto Services are configured
properly. For more information, see Encryption at rest.
- Ensure that data in transit is always encrypted by using TLS 1.2 or higher, including all traffic within your deployment and pods in your Red Hat OpenShift on IBM Cloud workload clusters.
- For any workloads hosted in IBM Cloud (not the Satellite location), use Hyper Protect Crypto Services for TLS offload for all data that is requested from outside of IBM Cloud (inbound traffic to IBM Cloud) and protected by a certificate
that is signed by a public certificate authority. Configure any web servers to use TLS offload to set up the session so that the private key never leaves HPCS. For more information, see Encryption in transit.
|
- Ensure data at rest in your IaaS / data center environment is always encrypted. For example, ensure that all physical storage is encrypted by using keys that are managed by a hardware security module (HSM) in your IaaS / data center.
- Ensure that data in transit is always encrypted by using TLS 1.2 or higher, including all traffic within your IaaS / data center environment.
- Use TLS offload for firewalls / load balancers that perform TLS termination for requests from outside of your IaaS / data center environment and protected by a certificate that is signed by a public certificate authority.
|
Implement business continuity and disaster recovery |
- Implement a system for business continuity and disaster recovery (BCDR). Define Recovery Point Objective (RPO), Recovery Time Objective (RTO), and Maximum Tolerable Downtime (MTD) metrics for essential business functions. Implement
your application so that the metrics are achieved. An alternative storage region in IBM Cloud should be used to meet control requirements. For more information, see Business continuity and disaster recovery for Satellite reference architecture.
- Follow best practices for BCDR as defined by the specific IBM Cloud-managed services that you use such as Hyper Protect Crypto Services, Object Storage, and so on. For more infomration, see Backup and disaster recovery for IBM Cloud services.
|
- Implement a system for BCDR. Define Recovery Point Objective (RPO), Recovery Time Objective (RTO), and Maximum Tolerable Downtime (MTD) metrics for essential business functions within your IaaS / data center and ensure that those metrics
are achieved. For more information, see High Availability, Disaster Recovery, and Disconnected Usage.
- Ensure you use alternative storage in a physically separate data center for BCDR.
|
Design your application for high availability (recommended) |
- For workloads that run in IBM Cloud, deploy your application to:
- Multiple availability zones within the IBM Cloud regions that you're using.
- Multiple regions with failover between them.
|
|
Use endpoint detection and remediation (EDR) tooling to detect malicious code |
- Run regular, automated scans of the components in your environment to detect vulnerabilities so that they can be mitigated.
|
- Run regular, automated scans of the components in your IaaS / data center environment to detect vulnerabilities so that they can be mitigated.
|
Regularly scan for open ports / protocols |
- Regularly scan to make sure the list of open ports / protocols reflects the minimum number of ports / protocols that are needed by your workloads.
|
- Regularly scan to make sure the list of open ports / protocols reflects the minimum number of ports / protocols that are needed within your IaaS / data center environment.
|
Secure and manage secrets and certificates |
- Securely protect secrets through their entire lifecycle using tools like Hashicorp Vault. For more information, see Handling and securing secrets.
|
- Securely protect secrets that are needed in your IaaS / data center environment through their entire lifecycle by using tools like Hashicorp Vault.
|
Tag all IBM Cloud resources with security attributes |
|
- Tag all resources in your IaaS / data center environment based on security attributes that you define. Use tools of your choosing.
|
Monitor for security and compliance against a baseline configuration |
- Deploy and use tools for monitoring and reporting of security and compliance. Maintain a baseline configuration for your service that consists of automated mechanisms to facilitate information system baseline management. See Compliance monitoring for more details.
|
- Deploy and use tools for monitoring and reporting of security and compliance within your IaaS / data center environment. Maintain a baseline configuration for your service that consists of automated mechanisms to facilitate information
system baseline management.
|