2014-05-07

In the four previous parts, we have covered the cloud computing models, the shared responsibility security model, the responsibilities of the cloud service provider, and those of the client. Today, we cover IBM BLU Acceleration for Cloud as a data security in the cloud use case. So, let’s get started.

The IBM BLU Acceleration for Cloud Use Case

IBM BLU Acceleration for Cloud is a new data warehousing and analytic environment offered exclusively through the cloud. IBM SoftLayer and Amazon Web Services (AWS) are the two cloud service providers where this new offering will initially be available. It is a comprehensive software stack, including a Red Hat Linux operating system, that gets deployed on the cloud provider’s infrastructure.

To tie this back to our cloud computing models of part #2, this is an IaaS use case where BLU Acceleration for Cloud is the workload that gets deployed on the infrastructure. For example, on AWS, BLU Acceleration for Cloud will be available as an Amazon Machine Image (AMI) on the Marketplace. After the client purchases the offering, the AMI is used to instantiate a new virtual machine. On IBM SoftLayer, BLU Acceleration for Cloud will be available as a Flex Image, and the client will have the option to choose between deploying on a virtual machine or on bare metal. The bare metal deployment has additional benefits such as full isolation from other tenants and more predictable performance.

System Architecture

BLU Acceleration for Cloud is a comprehensive software stack, including a Red Hat Linux operating system, that gets deployed on the cloud provider’s infrastructure. Figure 1 describes the overall system architecture. The BLU Acceleration for Cloud system components are the following:

DB2 BLU: This is the IBM DB2 database system with the BLU acceleration feature.

Web Console: This is the system’s overall administrative console.

LDAP Server: This is an embedded OpenLDAP system for managing users and groups.

Cognos: This is the IBM Cognos Business Intelligence (BI) software.

Tools: This is a set of downloadable tools including drivers, InfoSphere Data Architect (IDA), Data Studio, and Cognos Framework Manager (FM).

Warehouse Packs: These are physical data models and sample reports for accelerating data warehousing projects. The packs included are Customer Insight, Supply Chain, and Market & Campaign.

BLU Acceleration for Cloud also integrates with external storage systems. For example, on Amazon Web Services (AWS), it integrates with the AWS Elastic Block Store (EBS) for persisting data. It also integrates with the AWS Simple Storage Service (S3) for storing database backup images. Similarly, BLU Acceleration for Cloud integrates with the IBM SoftLayer SWIFT object store.



Using IBM BLU Acceleration for Cloud

After provisioning BLU Acceleration for Cloud using the cloud provider’s provisioning interfaces, a client would use BLU Acceleration for Cloud in the following manner:

Step #1: The client connects to the BLU Acceleration for Cloud database and creates their warehouse schemas.

Step #2: The client uploads data to their BLU Acceleration for Cloud database. They can do this in several ways. For example, the client first moves their data to the cloud provider’s object store (e.g., IBM SoftLayer SWIFT or AWS S3). Next, they move that data from the object store to their BLU Acceleration for Cloud database. The underlying DB2 database system has been extended to allow clients to back up a database to S3 or SWIFT as well as to load data from S3 or SWIFT into a DB2 database.

Step #3: The client connects their applications to the BLU Acceleration for Cloud database and starts exploring, just as they would with an on-premises database. The client can also log on to the administrative console to add users, assign roles, or perform other administrative tasks.

Built-in Security Capabilities

Recall that BLU Acceleration for Cloud is an IaaS use case. So, the client is responsible for securing their BLU Acceleration for Cloud deployment on the infrastructure they provisioned. To this end, BLU Acceleration for Cloud provides a rich set of built-in security capabilities to help clients meet their security, privacy and compliance needs. They include:

User management: BLU Acceleration for Cloud users are managed in the embedded LDAP server. The internal system components such as DB2, Cognos and the Web Console are configured to perform user authentication through the embedded LDAP server. Single Sign On (SSO) across these components is also supported. User management is performed through the Web Console interfaces.

Role-Based Access Control: When a user is created, they are assigned a specific role determining their level of access to the system. The role is one of Administrator, Developer, or User.

Row level access control: This feature allows clients to enforce stronger security policies by limiting the set of rows a user has access to in a given table. For example, if a table contains employee data, a client can easily set up a rule that limits an employee’s access to their own data or to employees who report to them.

Dynamic data masking: This feature allows clients to enforce stronger security policies by limiting access to sensitive columns in a given table. For example, if a table contains a Social Security Number (SSN) column, a client can easily set up a rule such that when that column is accessed by an unauthorized user, a masked value is returned instead of the actual SSN value.
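The row-level access control and dynamic data masking rules described above map onto DB2 row permissions and column masks. The following is an added example, not code from the original post or the product; it assumes an EMPLOYEE table with USERID, MGR_USERID and SSN columns, LDAP groups named HR and PAYROLL, and a user holding SECADM authority:

```sql
-- Added example (not from the original post). Assumed table:
--   EMPLOYEE (EMPNO CHAR(6), USERID VARCHAR(128), MGR_USERID VARCHAR(128),
--             SSN CHAR(11), ...)
-- USERID values are assumed to match DB2 authorization IDs (upper case).
-- CREATE PERMISSION / CREATE MASK require SECADM authority.

-- Row permission: a user sees their own row, the rows of their direct
-- reports, or every row if they are a member of the HR group.
CREATE PERMISSION EMP_ROW_ACCESS ON EMPLOYEE
  FOR ROWS WHERE
       EMPLOYEE.USERID     = SESSION_USER
    OR EMPLOYEE.MGR_USERID = SESSION_USER
    OR VERIFY_GROUP_FOR_USER(SESSION_USER, 'HR') = 1
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Column mask: only PAYROLL members get the real SSN; everyone else gets
-- the last four digits. The mask expression must return the column's own
-- data type and length, hence the CAST to CHAR(11).
CREATE MASK SSN_MASK ON EMPLOYEE
  FOR COLUMN SSN RETURN
    CASE WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'PAYROLL') = 1
         THEN SSN
         ELSE CAST('XXX-XX-' || SUBSTR(SSN, 8, 4) AS CHAR(11))
    END
  ENABLE;

-- Neither rule is enforced until access control is activated on the table.
-- Activating row access control with no enabled permission denies all rows,
-- so create the permission first, as above.
ALTER TABLE EMPLOYEE
  ACTIVATE ROW ACCESS CONTROL
  ACTIVATE COLUMN ACCESS CONTROL;
```

Once activated, the rules apply to every SQL statement against the table, including those issued by the table owner; only SECADM can alter or drop them.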

Trusted Contexts: This feature allows clients to further restrict when a user can exercise a particular privilege. For example, a client can easily implement a rule that permits connecting to the database only from a given IP address. Additionally, for 3-tier applications, Trusted Contexts allow the mid-tier application to assert the end user identity to the database for access control and auditing purposes.
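The two uses of Trusted Contexts just described (restricting a privilege to a source address and letting a mid-tier assert end-user identity) can be expressed in a single DB2 trusted context definition. This is an added example, not from the original post; the application server address, the APPSRV authorization ID, the APP_ROLE role, the SALES.ORDERS table and the end users ALICE and BOB are all assumed names:

```sql
-- Added example (not from the original post). Requires SECADM authority.
-- Assumed: the mid-tier connects as APPSRV from 10.0.0.25 over SSL.

-- Privileges the application tier receives only while connected through
-- the trusted context (not when APPSRV connects from anywhere else).
CREATE ROLE APP_ROLE;
GRANT SELECT, INSERT ON SALES.ORDERS TO ROLE APP_ROLE;

-- The connection is trusted only when it comes from the listed address
-- AND is SSL-protected (ENCRYPTION 'HIGH'). Within that connection the
-- mid-tier may switch the session user to ALICE (who must re-authenticate)
-- or to BOB (identity asserted without a password), so DB2 evaluates
-- privileges and writes audit records under the end user's ID rather
-- than the shared application ID.
CREATE TRUSTED CONTEXT APPSRV_CTX
  BASED UPON CONNECTION USING SYSTEM AUTHID APPSRV
  ATTRIBUTES (ADDRESS    '10.0.0.25',
              ENCRYPTION 'HIGH')
  DEFAULT ROLE APP_ROLE
  WITH USE FOR ALICE WITH AUTHENTICATION,
               BOB   WITHOUT AUTHENTICATION
  ENABLE;
```

Users listed WITHOUT AUTHENTICATION are trusted on the application's word alone, so that option should be reserved for mid-tiers that authenticate end users themselves.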

Encryption for data at rest: When provisioning a BLU Acceleration for Cloud system, the client has the option to indicate whether or not they want the database to be encrypted. The default is an encrypted database. The encryption uses AES in CBC mode with a 256-bit key. Encryption and key management are totally transparent to applications and schemas. Additionally, the client has the option to indicate, upon provisioning, the master key rotation period. The default is 90 days, but the client may choose a different value. The master key rotation is automatic and transparent. Database and tablespace backup images are automatically compressed and encrypted. As for online data, backup images are encrypted using AES in CBC mode with 256-bit keys. Data is compressed first and then encrypted. The order matters: encryption, by definition, removes the patterns that compression relies on, so compressing an already-encrypted image would yield almost no reduction in size.

Encryption for data in transit: Secure Sockets Layer (SSL) is supported for safeguarding both the database traffic and the Web Console traffic.

Auditing: This feature allows clients to implement audit policies that hold users accountable for their actions and track any malicious activity.

Additionally, strong security and privacy require protection at every level of the stack. This includes:

Linux operating system hardening: BLU Acceleration for Cloud employs a host firewall to protect listening services against port scans and other network security threats. As such, only the required TCP ports are open, specifically those for the DB2 instance, the Web Console, the Cognos BI Web Console, and Secure Shell (SSH). On Amazon Web Services (AWS), BLU Acceleration for Cloud uses AWS Security Groups to implement the host firewall. On IBM SoftLayer, BLU Acceleration for Cloud uses iptables to implement the host firewall.

DB2 database hardening: The DB2 database is automatically hardened upon provisioning. This means that CONNECT authority on the database is revoked from PUBLIC, and SELECT privilege on the catalog tables and views is also revoked from PUBLIC. Additionally, the AUTHENTICATION database manager configuration parameter is set to SERVER_ENCRYPT, which means that user authentication credentials are never sent in clear text between a user application and the database server. These credentials are automatically encrypted with AES-256 when sent over the network, regardless of whether SSL is used or not.
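A hardened state can drift as administrators make changes, so it is worth checking the three settings described above against the catalog. The following queries are an added example, not from the original post; they assume a user with SELECT on the SYSCAT views and on SYSIBMADM.DBMCFG:

```sql
-- Added example (not from the original post): verify the DB2 hardening
-- state described in the text. Each check should return zero rows or the
-- expected value; anything else is drift to remediate.

-- 1. PUBLIC must not hold CONNECT authority on the database.
--    Expected: no rows.
SELECT GRANTEE, CONNECTAUTH
  FROM SYSCAT.DBAUTH
 WHERE GRANTEE = 'PUBLIC'
   AND CONNECTAUTH = 'Y';

-- 2. PUBLIC must not hold SELECT on catalog tables or views.
--    SELECTAUTH is 'N', 'Y' or 'G' (grantable). Expected: no rows.
SELECT TABSCHEMA, TABNAME, SELECTAUTH
  FROM SYSCAT.TABAUTH
 WHERE GRANTEE = 'PUBLIC'
   AND SELECTAUTH <> 'N'
   AND TABSCHEMA IN ('SYSCAT', 'SYSIBM', 'SYSSTAT');

-- 3. The instance must authenticate with SERVER_ENCRYPT so credentials
--    are never sent in clear text. Expected VALUE: SERVER_ENCRYPT.
SELECT NAME, VALUE
  FROM SYSIBMADM.DBMCFG
 WHERE NAME = 'authentication';

-- Remediation if a check fails. The REVOKEs are SQL; the configuration
-- change is a DB2 CLP command (not SQL) and takes effect on the next
-- instance restart:
--   REVOKE CONNECT ON DATABASE FROM PUBLIC;
--   REVOKE SELECT ON SYSCAT.TABLES FROM PUBLIC;   -- repeat per catalog view
--   db2 UPDATE DBM CFG USING AUTHENTICATION SERVER_ENCRYPT
```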

Web Console restrictive interfaces: Non-administrative users have no way of invoking administrative functions because, by design, the Web Console does not show administrative features to users who are not members of the administrative role.

Guardium Database Activity Monitoring

While the built-in security capabilities discussed above are sufficient for many clients, you can add on your own data security solution. For example, Guardium Database Activity Monitoring allows you to take security to the next level. With Guardium, clients can meet even the most stringent of security requirements as demonstrated by the success of Guardium in protecting mission-critical databases for many large enterprises around the world. Some of the key Guardium capabilities include:

Separation of Duties: The Guardium server can be deployed on a separate host with a separate administrator, thus enabling physical separation of duties between security administration and database administration. The Guardium server can be deployed on the cloud or even on premise if so desired.

Real-time Monitoring and Alerting: Guardium continuously monitors all traffic in and out of the database and takes action in real time as per the security policy. This is critical to limiting security exposures by immediately detecting intrusions and misuse. For example, an excessive number of logins might be an indication that someone is trying to brute force the database.

Sensitive Data Discovery: Unknown sensitive data is sometimes the reason behind a data security breach. Guardium is able to detect sensitive data that may reside in the database so that policies can be put around that data to limit security exposures.

Vulnerability Assessment: Even an initially hardened database may go out of compliance if administrators are not careful with the changes they make. Guardium is able to assess the configuration of the database and produce a report describing the security posture of that database, giving the administrator an opportunity to remediate any out-of-compliance issues.

Secure Design Principles

The development of BLU Acceleration for Cloud follows secure development best practices as outlined in the IBM Secure Engineering Framework. This includes the completion of a risk assessment and a threat modeling document. Additionally, the IBM Security AppScan tools are regularly used to conduct static and dynamic code analysis during the development process. Last but not least, the IBM Guardium Vulnerability Assessment tool is used to validate that the BLU Acceleration for Cloud database is properly hardened.

Part #6 will conclude this series and answer the fundamental cloud security question we asked in part #1. Stay tuned! A link to the previous part is here.

The post Data Security in the Cloud – Part #5 appeared first on BLU Acceleration for Cloud.
