Running operator actions through a bastion host
All interactive operator actions must be run through a bastion host in the management VPC. A bastion host is a server that can be accessed through SSH, Windows Remote Desktop Protocol (RDP), or kubectl
, but only through a Direct Link
or VPN for VPC connection. After set up, the bastion host allows a secure connection to virtual server instances or Red Hat OpenShift on IBM Cloud clusters within the management VPC and the workload VPC. Administrative tasks on the individual
servers are completed by using SSH, RDP, or kubectl
, proxied through the bastion. Access to the servers and regular internet access from the servers, for example, for software installation, is allowed only with a special maintenance
security group that is attached to those servers. In addition, session auditing must be enabled to record all privileged user actions.
After connecting to the management VPC through Direct Link or VPN for VPC, a complete bastion solution should include the following details:
- Full session recording of actions executed via the bastion to perform session audits. This includes SSH, and Kubernetes exec (
kubectl exec -it
) sessions.- Linux-based session recordings are captured as a raw dump of stdout and stderr streams, including TAB characters (bash escape sequences).
- Session recordings should be placed in to a storage service maintained within your environment for archiving. The storage should be configured as “immutable object storage.” Retention policies are should be applied to the storage, so that data is stored in a WORM (Write-Once-Read-Many), non-erasable and non-rewritable manner. The policy is set and enforced for a 12-month (minimum) retention period.
- Authenticating users with MFA using a physical hardware-based security key that generates a six-digit numerical code. A smart card or hardware token designed and operated to FIPS 140-2 level 2 or above or equivalent (e.g., ANSI X9.24, ISO 13491-1:2007) is recommended.
- Locking user accounts after three (3) consecutive failed logon attempts within 15 minutes.
- Locking user accounts for 30 minutes when there have been more than three unsuccessful logon attempts. After the lockout period ends, the user will be able to reset their password. Internal privileged accounts must remain locked until released by an administrator.
- Session timeout after 15 minutes of inactivity.
- Providing a system use notification banner from either the bastion or the target system. The warning banner is displayed before the system grants access to the user and the usage conditions must be approved before proceeding. The banner will
provide privacy and security notices consistent with applicable customer policies, regulations, standards, and guidance. The warning banner will state that:
- Users are accessing a financial services information system.
- Information system usage may be monitored, recorded, and subject to audit.
- Unauthorized use of the information system is prohibited and subject to criminal and civil penalties.
- Use of the information system indicates consent to monitoring and recording.
Set up a bastion host
You need to install and manage your own bastion solution within your management VPC. There are various ways a bastion solution can be implemented. For one example that uses Teleport Enterprise Edition, see Setting up a bastion host for secure connectivity.
Related controls in IBM Cloud Framework for Financial Services
Family | Control |
---|---|
Audit and Accountability (AU) | AU-14 Session Audit |
Access Control (AC) | AC-6 (9) Least Privilege | Auditing Use of Privileged Functions AC-17 Remote Access |
Identification and Authentication (IA) | IA-2 (1) Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts |