Why a data-first approach is critical to designing and building secure cloud services

Share this post:

Privacy and Security Matter

At IBM we take our obligations to data responsibility very seriously. We recognize the importance our customers place on data privacy, data residency and data protection. I’m sure the users you serve have the same concerns.

The aim of this blog is twofold: to share the data-first approach we use in IBM to help you architect and deliver secure data-centric applications; and to answer the data protection questions you may have so you can confidently leverage the innovation of the IBM Cloud to unlock the potential of your most valuable data.

Developers and architects are crucial in ensuring IBM maintains its position as a trusted partner for processing data. Central to their system design and deployment considerations is the need to maintain a data-centric focus and a data-first approach. Our systems are there to support and enhance the work of our clients and central to all business is their data – the heart of a business.

IBM recognizes this and our cloud services take the privacy and security of customer’s data as the highest priority. In support of this we have a comprehensive program in place to secure data and meet customers’ requirements linked to data-centric standards such as PCI, HIPAA and FFIEC.

Secure by Design

Data privacy is our primary consideration when developing all solutions and we are committed to putting the control of this data in the hands of customers. Our access controls are designed to reduce the need for access to customer content and limit the level of access in the rare cases where it is necessary. IBM does this by using strict access controls, privileges, and granular permission systems to help ensure the client both knows and agrees to situations where IBM interacts with their data.

Secure Access to the Data

In IBM, data security is assured through the processes and technical mechanisms shown in the below diagram. This data-centric security model is driven by access controls plus extensive and monitoring/logging. The access approval process includes mechanisms to:

  1. ensure security access approval is routed to the data owner (where possible) or data service owner to validate the need and ensure the concept of ‘need to know’ is maintained.
  2. mandate that access requests for data flow through the data centric security logic.
  3. access requests are properly logged to create a clear audit trail.
  4. ongoing need is audited and use of the rights is monitored.

When an individual needs access to data, they (or their manager) initiates a workflow to request access.

  1. The workflow first notifies the appropriate data owner about the request along with details of the individual, the level of access they require and a justification for the access request. The level of access is limited to the minimum necessary to perform their job function. The systems may allow something as simple as yes/no access or a much more sophisticated set of criteria that is interpreted by the security access guards. Access may be granted to the whole subject area, to business objects or even individual business attributes – depending on how narrow the security control needs to be.
  2. The data owner responds with either an approval or denial. Their response is logged and the data owner is able to see a report of who has access – and remove access as appropriate.
  3. If the person’s access is approved, the workflow sends a request to add the access rights to the individual’s security profile. This may be a manual step or fully automated. The security profile is typically in a user directory such as LDAP.

Data-centric Security Access

There are two types of data-centric guard functions that protect data access: Pre-Access and Post-Access Guards.

  • Pre-Access Guards determine whether the caller is authorized to access the requested data. These guards run at the start of the request.
  • Post-Access Guards adjust the data that is returned to the caller so that it complies with the information protection policies for the service.  These guards should run towards the end of the processing, before the data is returned to the caller. Examples of these post-access guards include masking sensitive data, removing elements that identify individuals, and encrypting data for transmission.

Isolated Repositories

Many types of data platforms are available to developers to store and analyze data. For example, the IBM Cloud catalog includes many choices including SQL and NoSQL databases and application servers.

Each data platform may have its own support mechanisms for securing data, and clients may choose to distribute or replicated their data across multiple platforms depending on the requirements of the business workloads.

The data-centric security access guard functions must provide consistent access control to all copies of the data. The data services are responsible for calling the data-centric security guard functions to validate that the user/system requesting data is authorized to do so.

The stored data can then be isolated from external users and systems so they are
only callable by the data services.  This can be accomplished by using isolated network or access security set up with a restricted set of user accounts that only the data services, authorized processes inside the data service and specific personnel in the data service operation team can access.

Access Monitoring and Logging

All access requests made and granted, plus details of the data retrieved are recorded in the Audit Data repositories which are separate and secure. These repositories are designed for analytical review and investigation by the security team.

Security Analytics and Auditing

The use of workflow for granting and removing access rights provides auditable evidence of who has access to which data.

The access logging reveals:

  • Who extracted a particular type of data.
  • What is the scope of a particular individual’s access to data.

Data Responsibility @ IBM

IBM’s data-centric approach to building and operating the IBM Cloud ensures your data privacy and security is respected.  The technology and processes outlined here ensure we meet these requirements continuously.  However, IBM also gives customers the tools to enable success with their own privacy and security.  Many products and services are available from the robust IBM Cloud catalog that provide the needed functionality to not only secure data, but also meet the stringent requirements present in global standards and regulations.  IBM provides customers with mechanisms to limit access to only those who have a demonstrated need, mechanisms to log and monitor activity, mechanisms to respond to vulnerabilities and risks, and much more.  With the IBM Cloud, clients can focus on what is most important to their business – turning their data into actionable insight.

Our data-first security principles safeguard customer’s data across the world. IBM Cloud in Europe is planning additional capabilities which give clients even more control of their data and more visibility of how IBM processes the data.

IBM is updating its security access procedures for dedicated and shared environments in Europe to ensure client content (including personal data and special personal data) stays in the EU. EU-based IBM employees will play a critical role in IBM’s incident and change management processes, reviewing all changes that could affect client data, and reviewing any data access requests from outside the EU. In addition, for dedicated cloud instances we’re putting the clients in control – clients will review and approve all non-EU access requests to their content if an instance requires support or access from a non-EU based employee.

And rest assured that if data has to be accessed outside the EU, IBM ensures appropriate and transparent transfer mechanism are in place and consistent levels of protection are maintained regardless of location. This allows IBM to securely leverage its global team of experts and augment our support professionals in Europe with the best of our worldwide subject matter experts if needed.

Brandon Beadel and Simon Rogers co-authored this post.



via IBM Cloud Blog https://ibm.co/2pQcNaA

November 8, 2017 at 05:03AM