Security design
Security is a critical consideration when you're hosting client workloads on VMware Cloud Foundation as a Service (VCFaaS). This section outlines the security requirements for protecting workloads, helping ensure compliance, and maintaining a robust defense against potential threats. From data encryption to identity and access management, these guidelines help you design a secure environment for your applications and data.
Review the following security design requirements:
- Encryption at rest: Protect stored data with provider-managed keys, host-based encryption, and customer-managed keys.
- Data in transit encryption: Use TLS to secure data during transmission.
- Key management: Manage encryption keys with IBM Key Protect or Hyper Protect Crypto Services (HPCS). IBM Cloud Security and Compliance Center Workload Protection is the compliance-monitoring component of the design, not a key store.
- Firewall: Implement capabilities such as intrusion detection and intrusion prevention systems (IDS/IPS), Distributed Denial-of-Service (DDoS) protection, IBM Cloud Internet Services (CIS) features, VPN services, and compliance monitoring with Security and Compliance Center.
Security design considerations
Review the following security design considerations.
Encryption at rest
The web app multizone resiliency pattern uses IBM Cloud data protection services to protect all application data from unauthorized disclosure. Application data includes configuration data, metadata, and all security data, such as logs and credentials to access application or cloud resources.
- Application, database, backup, and log data are encrypted at rest by using storage encryption with provider-managed keys. If stored data must be encrypted with customer-managed keys, host-based encryption inside the guest is required in addition, for example Linux Unified Key Setup (LUKS). The tutorial Protect LUKS encryption keys with Hyper Protect Crypto Services (HPCS) and IBM Key Protect gives step-by-step instructions for protecting the LUKS encryption key from compromise by using either Hyper Protect Crypto Services or IBM Key Protect.
- The web app encrypts data in transit by using Transport Layer Security (TLS) encryption. The IBM Cloud Secrets Manager service is used to store and manage secrets and credentials to access applications, cloud resources, SSL/TLS certificates, and private keys.
- Key Protect is used to support data encryption with customer-provided keys to meet regulatory compliance requirements. Key Protect stores root keys in a shared FIPS 140-2 Level 3 certified hardware security module (HSM); storage services use those root keys for envelope encryption, in which each data encryption key is wrapped by a root key that never leaves the HSM. Key Protect can also be used to offload TLS/SSL keys.
HPCS can also be used as the key management service. HPCS uses a dedicated HSM that is FIPS 140-2 Level 4 certified, the highest level. HPCS supports customer-managed master keys (keep your own key), which give the customer exclusive control of the entire key hierarchy: the provider cannot access the root keys. HPCS is recommended for financial services and other highly regulated industry applications.
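To make the envelope-encryption model behind Key Protect and HPCS concrete, the following Go program is an added example; it is not IBM code and does not call either service. The KMS is simulated in-process (`SimulatedKMS` and every other identifier are hypothetical) so the program runs offline, and it demonstrates the three operations the design above depends on: each volume gets its own data encryption key (DEK), which is wrapped under a root key that never leaves the KMS; rotating the root key re-wraps the DEK without rewriting the data; and deleting the root key makes every volume still wrapped under it unrecoverable, the crypto-shredding property that gives customer-managed keys their compliance value. The sample volume contents are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// WrappedDEK is the only key material persisted beside the ciphertext (for a LUKS volume: beside its header).
type WrappedDEK struct {
	RootKeyID string
	Blob      []byte // nonce || AES-256-GCM(rootKey, DEK, aad = RootKeyID)
}

// SimulatedKMS (hypothetical) stands in for a Key Protect or HPCS instance; root keys never leave it.
type SimulatedKMS struct{ rootKeys map[string][]byte }

// CreateRootKey generates a 256-bit root key (inside the HSM, in the real service).
func (k *SimulatedKMS) CreateRootKey(id string) { k.rootKeys[id] = randomBytes(32) }
// DeleteRootKey: every DEK still wrapped under the key, and so every volume those DEKs protect, becomes unrecoverable.
func (k *SimulatedKMS) DeleteRootKey(id string) { delete(k.rootKeys, id) }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to continue past
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // unreachable: every key here is 32 bytes
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return aead
}

// seal returns nonce || ciphertext under a fresh random 96-bit nonce.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...)
}

// unseal reverses seal; GCM authentication rejects any tampered blob.
func unseal(key, blob, aad []byte) ([]byte, error) {
	aead := gcm(key)
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("blob too short (%d bytes)", len(blob))
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// Wrap encrypts a DEK under the named root key; the AAD binds the blob to that key ID.
func (k *SimulatedKMS) Wrap(rootKeyID string, dek []byte) (WrappedDEK, error) {
	rk, ok := k.rootKeys[rootKeyID]
	if !ok {
		return WrappedDEK{}, fmt.Errorf("root key %q not found", rootKeyID)
	}
	return WrappedDEK{RootKeyID: rootKeyID, Blob: seal(rk, dek, []byte(rootKeyID))}, nil
}

// Unwrap recovers the plaintext DEK, which should exist only in host memory.
func (k *SimulatedKMS) Unwrap(w WrappedDEK) ([]byte, error) {
	rk, ok := k.rootKeys[w.RootKeyID]
	if !ok {
		return nil, fmt.Errorf("root key %q not found", w.RootKeyID)
	}
	return unseal(rk, w.Blob, []byte(w.RootKeyID))
}

// Rewrap rotates the root key inside the KMS; the data and its DEK are untouched.
func (k *SimulatedKMS) Rewrap(w WrappedDEK, newRootKeyID string) (WrappedDEK, error) {
	dek, err := k.Unwrap(w)
	if err != nil {
		return WrappedDEK{}, err
	}
	return k.Wrap(newRootKeyID, dek)
}

func main() {
	kms := &SimulatedKMS{rootKeys: map[string][]byte{}}
	kms.CreateRootKey("rk-old")
	dek := randomBytes(32) // per-volume DEK; lives in host memory only
	ct := seal(dek, []byte("constructed sample volume contents"), nil)
	w, _ := kms.Wrap("rk-old", dek) // persist w beside ct, never dek itself
	kms.CreateRootKey("rk-new")
	w2, _ := kms.Rewrap(w, "rk-new") // root key rotation; ct is not rewritten
	dek2, _ := kms.Unwrap(w2)
	pt, _ := unseal(dek2, ct, nil)
	fmt.Printf("after rotation: %s\n", pt)
	kms.DeleteRootKey("rk-old")
	_, err := kms.Unwrap(w) // the old wrapped DEK is now unrecoverable
	fmt.Println("old wrapped DEK after root key deletion:", err)
}
```

In the LUKS tutorial referenced above, the LUKS key plays the role of the DEK here: it is what Key Protect or HPCS wraps, and only the wrapped form should ever be written to disk or to configuration. The real services perform the rewrap inside the service, so during rotation the plaintext DEK is never returned to the host at all.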
Encryption in transit
The web application is accessed over HTTPS through IBM Cloud Internet Services (CIS), with the TLS connections encrypted and managed by IBM Cloud. HTTPS is terminated at CIS, at the LLB, or at both, depending on the requirement. The termination point is where the minimum protocol version and the permitted cipher suites are enforced, so the same policy must be applied at every point where TLS is terminated.
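Because the protocol floor lives at the termination point, it is worth verifying rather than assuming. The following Go program is an added example, not part of this documentation or of CIS: it starts a TLS server on loopback with TLS 1.2 as the minimum, using a throwaway self-signed certificate for the assumed hostname app.example.test, and shows that a current client negotiates TLS 1.2 or 1.3 while a client that can only speak TLS 1.0/1.1 is refused. Running a client with the same two configurations against the real CIS or LLB endpoint is how the policy on each termination point is checked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ServerName is an assumed hostname for the throwaway demo certificate.
const ServerName = "app.example.test"

// selfSignedCert mints a certificate so the client can verify the server; in the pattern above the real one comes from Secrets Manager or CIS.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{ServerName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// HardenedServerConfig is the termination-point policy: TLS 1.2 is the floor; TLS 1.3 is negotiated whenever the client offers it.
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
}

// ModernClientConfig verifies the server against roots and insists on TLS 1.2 or newer.
func ModernClientConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: ServerName, MinVersion: tls.VersionTLS12}
}

// LegacyClientConfig models an outdated client that can only speak TLS 1.0 or 1.1.
func LegacyClientConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: ServerName, MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS11}
}

// Handshake runs one full handshake over loopback TCP and returns the negotiated version, or the error with which either side refused.
func Handshake(server, client *tls.Config) (uint16, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = tls.Server(c, server).Handshake()
		}
		srvErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client) // Dial completes the handshake
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return conn.ConnectionState().Version, nil
}

func main() {
	cert, roots, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	srv := HardenedServerConfig(cert)
	v, err := Handshake(srv, ModernClientConfig(roots))
	fmt.Printf("modern client: negotiated %#x, err=%v\n", v, err)
	_, err = Handshake(srv, LegacyClientConfig(roots))
	fmt.Printf("legacy TLS 1.0/1.1 client: err=%v\n", err)
}
```

Setting only `MinVersion` is deliberate: Go negotiates the highest version both sides support, so TLS 1.3 is used when available and the floor, not a pinned version, is what the policy expresses. The legacy client is refused by the server with a protocol-version alert; that refusal, rather than a silent downgrade, is the behaviour to confirm on every termination point.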
Security and Compliance Center
IBM Cloud Security and Compliance Center Workload Protection offers functions to protect your Microsoft Windows® and Linux® virtual machines (VMs) that are hosted on your VMware® by Broadcom environment. These functions include compliance, vulnerability scanning, and threat detection. For more information, see Architecture patterns for integrating IBM Cloud Security and Compliance Center Workload Protection with VCF as a Service.
Currently, the threat detection feature is available only for Windows VMs. After you provision an instance of the Security and Compliance Center Workload Protection service, you can deploy the agent on your Windows VMs or you can deploy the agent and host scanner on your Linux VMs. The agent collects data that you can use for intrusion detection, while the host scanner is used for posture management and vulnerability scanning capabilities.
IBM Cloud Internet Services
IBM Cloud Internet Services is a suite of capabilities that are designed to enhance security, performance, and reliability for applications and websites hosted on IBM Cloud. It offers various services to manage traffic, protect against cyber threats, and optimize delivery. Review the following overview of key features:
- Core security services:
  - DDoS protection: Defends against Distributed Denial-of-Service (DDoS) attacks.
  - Web application firewall (WAF): Protects web applications from common vulnerabilities like SQL injection and cross-site scripting.
  - SSL/TLS: Helps ensure secure data transmission by encrypting traffic between users and servers.
- Performance optimization:
  - Content Delivery Network (CDN): Reduces latency and improves load times by caching content on a global network of servers.
  - Caching and acceleration: Improves performance by storing frequently accessed data closer to users.
- Reliability and traffic management:
  - Load balancing: Distributes incoming traffic across multiple servers to help ensure high availability.
  - DNS management: Provides fast and resilient Domain Name System (DNS) services with advanced configurations.