C1000-174 Manage Security

Manage Security Detailed Explanation

Manage Security is critical for protecting cloud environments. Security management includes safeguarding user access, protecting data, and constantly monitoring for vulnerabilities or threats.

This section focuses on three main areas: Access Control and Identity Management, Data Protection and Privacy, and Vulnerability Management and Security Monitoring. Together, these practices help ensure that only authorized users access resources, data remains secure, and threats are detected and mitigated promptly.

a. Access Control and Identity Management

Controlling who has access to resources and how they can use those resources is fundamental to maintaining security in a cloud environment.

1. IAM (Identity and Access Management)

IAM, or Identity and Access Management, is a system that manages who can access which resources and defines what actions they can perform.

  • Why IAM is important: IAM allows you to limit access based on a user’s role, which reduces security risks. It ensures that users have only the permissions they need to do their job (the principle of least privilege).
  • How IAM works in IBM Cloud:
    • User identities: Each user is assigned a unique identity, allowing IBM Cloud to track and manage individual access.
    • Roles and permissions: IAM allows you to create roles (like “administrator,” “developer,” or “viewer”) and assign permissions to each role. Permissions define what actions users can perform on specific resources.
    • Access policies: Policies specify which users or groups can access resources. For example, a developer might only be able to view resources, while an admin can modify them.
  • Example: If you have a developer who only needs to view resources and not modify them, you can create a “viewer” role that restricts their access to “read-only.” This reduces the risk of accidental or malicious changes to resources.

2. Multi-Factor Authentication (MFA)

MFA, or Multi-Factor Authentication, requires users to provide additional verification beyond just a password when logging in.

  • Why MFA is essential: Passwords alone are vulnerable to various attacks (like phishing). MFA adds an extra layer of security, making it harder for unauthorized users to access the system.
  • How MFA works:
    • After entering their password, users must provide a second form of verification. This could be:
      • A code sent via SMS or email
      • A code generated by an authenticator app
      • A physical token or biometric verification (like a fingerprint)
  • Example: If a user logs in with their password, they’ll be prompted to enter a code sent to their phone. Even if an attacker has the password, they can’t access the system without the additional code.

3. Role-Based Access Control (RBAC)

RBAC, or Role-Based Access Control, organizes access by assigning roles to users based on their job functions. Each role has specific permissions associated with it.

  • Why RBAC is effective: It simplifies permission management and ensures consistency. Instead of assigning permissions individually, you assign roles to users, making it easier to control and adjust access.
  • How RBAC works in IBM Cloud:
    • Role definitions: Each role (e.g., admin, developer, auditor) has defined permissions.
    • Assign roles to users: Once roles are defined, they’re assigned to users or groups. If someone changes positions, you can change their role rather than modify individual permissions.
  • Example: A “developer” role might allow access to development resources, but not to production environments. If a developer is promoted to an admin role, they automatically gain access to additional resources without needing to assign each permission individually.

b. Data Protection and Privacy

Data protection is about securing data wherever it resides, whether stored on disk (at rest) or transferred over the network (in transit). Privacy ensures that data handling complies with regulatory standards.

1. Data Encryption at Rest and in Transit

Data encryption is a process that converts data into a coded format, making it unreadable to unauthorized users.

  • Encryption at rest: Protects data stored on disks or other storage media.
    • IBM Cloud’s storage encryption: IBM Cloud encrypts stored data automatically, so even if unauthorized users gain access, they cannot read the data without the encryption keys.
  • Encryption in transit: Protects data as it travels across networks.
    • TLS/SSL protocols: IBM Cloud uses TLS (Transport Layer Security), the successor to the now-deprecated SSL (Secure Sockets Layer), to encrypt data during transmission, ensuring secure communication between clients and servers.
  • Example: Imagine a customer’s personal information stored in a database. With encryption at rest, even if someone gains unauthorized access to the storage, they won’t be able to read the data without the encryption key.

2. Data Encryption Key Management

Key management involves securely creating, storing, and managing encryption keys. Without proper key management, encryption is ineffective.

  • IBM Key Protect:
    • Key generation: IBM Key Protect generates strong encryption keys and securely stores them.
    • Key rotation: Keys are rotated (changed) periodically to enhance security, minimizing the risk of keys being compromised.
    • Access control for keys: Access to keys is restricted so that only authorized applications or users can use them.
  • Example: If data is encrypted with a specific key, IBM Key Protect will store that key securely and ensure it is rotated regularly, reducing the risk of data exposure if the key were to be compromised.

3. Privacy and Compliance

Privacy and compliance ensure that data is handled according to regulatory standards, protecting user privacy and building trust.

  • Relevant privacy regulations:
    • GDPR (General Data Protection Regulation): Protects the personal data of individuals in the EU. It includes requirements for data handling, storage, and user rights.
    • Industry standards: Other industry-specific regulations (like HIPAA for healthcare) impose additional requirements on data management.
  • IBM Cloud’s compliance:
    • IBM Cloud has built-in tools to help organizations comply with these standards. It provides secure storage, logging, and auditing to support compliance efforts.
  • Example: If your application stores customer data from EU residents, following GDPR means you need to ensure this data is encrypted, handle requests to delete or update data, and keep records of access.

c. Vulnerability Management and Security Monitoring

Regularly scanning for vulnerabilities and monitoring the environment for threats helps to detect and address security risks proactively.

1. Regular Scanning and Patching

Regular scans and patches keep systems secure by identifying and fixing vulnerabilities before they can be exploited.

  • Security scanning: Automated security scans analyze systems for known vulnerabilities.
    • IBM Cloud offers security scan tools that check for weak points, outdated software, or misconfigurations that could be exploited.
  • Patching: When a vulnerability is identified, a patch (a software update) is often released to fix it.
    • IBM Cloud’s patch management tools help apply these patches in a structured, low-impact way to ensure the system remains secure.
  • Example: If a vulnerability is discovered in a cloud application, you would run a security scan to identify the exact issue, apply the patch, and test it to confirm that the vulnerability is resolved.

2. Logging and Analysis

Detailed logging and analysis enable teams to monitor user activity, detect anomalies, and trace events for troubleshooting or security investigations.

  • Logging in IBM Cloud:
    • Activity logs: Track user and system actions within the environment.
    • Error logs: Record any errors or failures that occur in applications or services.
    • IBM Cloud Log Analysis: Provides a centralized place to view, filter, and analyze logs, helping to identify patterns or unusual behavior.
  • Example: If unusual login attempts are detected, log analysis helps security teams see patterns (such as IP addresses, times of access) and determine if these are legitimate or part of an attempted breach.

3. Threat Detection and Incident Response

Detecting threats in real time and responding promptly is crucial for minimizing the impact of security incidents.

  • IBM Security QRadar:
    • QRadar is a security tool that monitors for potential threats, like unusual login patterns, unexpected data access, or suspicious activity.
    • Incident response: When a threat is detected, QRadar can automatically notify security teams and initiate incident response processes, like blocking an IP or revoking access.
  • Example: If a user account suddenly starts accessing sensitive data it doesn’t normally interact with, QRadar could flag this activity as suspicious and alert the team to investigate.

Summary

Effective security management in IBM Cloud includes:

  1. Access Control and Identity Management: Managing user roles, enforcing multi-factor authentication, and using role-based access to ensure only authorized individuals can access resources.

  2. Data Protection and Privacy: Encrypting data at rest and in transit, managing encryption keys securely, and ensuring that data handling complies with privacy regulations.

  3. Vulnerability Management and Security Monitoring: Conducting regular scans and patching, logging and analyzing system activities, and implementing tools for real-time threat detection and response.

Together, these measures help build a secure and compliant cloud environment, protecting both the system and user data.

Manage Security (Additional Content)

WebSphere ND 9.0.5 security management differs significantly from cloud-native security models. Instead of IAM roles and cloud-based encryption, WebSphere ND security is built around authentication mechanisms, SSL/TLS encryption, Java security policies, database security, and logging/auditing. This section provides a comprehensive WebSphere ND-specific security framework.

1. Authentication and Access Control in WebSphere ND

WebSphere ND does not use IBM Cloud IAM but instead relies on LDAP, local registries, federated repositories, and Java-based authentication mechanisms.

1.1 Identity Stores in WebSphere ND

WebSphere ND supports multiple identity storage methods:

Identity store | Description
Local User Registry | Users and passwords stored within WebSphere itself.
LDAP (Lightweight Directory Access Protocol) | External identity management, such as Active Directory.
Federated Repositories | A combination of multiple identity sources, including LDAP and local users.

To check the current identity store:

wsadmin.sh -c "print AdminTask.getUserRegistries()"

1.2 Java Authentication and Authorization Service (JAAS)

  • WebSphere ND uses JAAS for user authentication.
  • Administrators define Login Modules for handling authentication requests.

Example JAAS Configuration for LDAP Authentication:

<!-- Example only: the bind DN should be a read-only service account with the
     minimum directory rights needed for lookups, and the bind password should
     be kept out of plain-text configuration files. -->
<LoginModule class="com.ibm.ws.security.server.lm.LdapLoginModule">
    <option name="bindDN">cn=admin,dc=example,dc=com</option>
    <option name="bindPassword">mypassword</option>
</LoginModule>

1.3 Role-Based Access Control (RBAC)

WebSphere ND implements RBAC using built-in security roles:

Role | Permissions
Administrator | Full control over WebSphere ND.
Operator | Can start/stop servers but cannot modify configurations.
Configurator | Can modify configurations but cannot start/stop servers.
Monitor | Read-only access to system settings.

Example: Assigning a User to the Administrator Role

  1. Open WebSphere Admin Console (https://Dmgr_IP:9043/ibm/console).
  2. Navigate to Security → Global Security → Administrative User Roles.
  3. Add a new user and assign them the Administrator role.

2. Configuring SSL/TLS in WebSphere ND

WebSphere ND does not use automatic cloud-based TLS management; instead, administrators must manually configure SSL certificates.

2.1 Supported SSL/TLS Protocols

Protocol | Recommendation
TLS 1.3 / TLS 1.2 | Recommended for security and compliance.
SSL 3.0 / TLS 1.0 / TLS 1.1 | Deprecated and should be disabled.

To verify the current WebSphere ND SSL configuration:

wsadmin.sh -c "print AdminTask.getSSLConfig()"

2.2 Configuring SSL Certificates in WebSphere ND

Step 1: Generate a Self-Signed Certificate

  1. Open WebSphere Admin Console → Security → SSL Certificate and Key Management.
  2. Click Create a New Self-Signed Certificate.
  3. Set validity, key size, and encryption method.

Step 2: Manage Certificates with ikeyman

  • WebSphere ND includes IBM Key Management Utility (ikeyman) to manage keystores.
  • To list certificates:

    ikeycmd -cert -list -db key.p12 -stashed

  • To import a CA-signed certificate:

    ikeycmd -cert -import -db key.p12 -label mycert -file mycert.cer

Step 3: Enable TLS 1.2 in WebSphere ND

  1. Open WebSphere Admin Console.
  2. Navigate to Security → SSL Certificate and Key Management → SSL Configuration.
  3. Set Protocol to TLS 1.2.
  4. Restart WebSphere ND.

3. Java Security in WebSphere ND

Since WebSphere ND is a Java EE-based server, it incorporates Java 2 Security Policies.

Java 2 Security Manager

  • WebSphere ND can enforce Java security policies to limit access to system resources.
  • Policies are defined in java.policy.

To enable Java 2 Security:

  1. Open WebSphere Admin Console → Security.
  2. Enable Java 2 Security.
  3. Define permissions in java.policy.

Example: Restricting File System Access

// Java 2 Security is deny-by-default: code from the application code base
// receives only the permissions granted here. This grant permits read access
// to a single file and nothing else on the file system.
grant codeBase "file:${application}" {
    permission java.io.FilePermission "/etc/password", "read";
};

4. Database Security in WebSphere ND

WebSphere ND does not rely on cloud-native encryption; instead, it uses JDBC security mechanisms.

4.1 JDBC Authentication

To secure database connections:

  • Use J2C Authentication Data Entries instead of hardcoded credentials.
  • Restrict JDBC access to specific roles.

Example: Configuring a JDBC Data Source with J2C Authentication

  1. Navigate to Resources → JDBC Providers → Data Sources.
  2. Select JAAS - J2C authentication alias.
  3. Enter the database username and password.

4.2 Database Encryption

WebSphere ND supports external database encryption:

Database | Encryption method
IBM DB2 | Native Column-Level Encryption, HADR
Oracle | Transparent Data Encryption (TDE)

To enable DB2 encryption:

db2 "CREATE TABLESPACE encrypted_ts USING STOGROUP IBMSTOGROUP ENCRYPTION YES"

5. Logging & Auditing in WebSphere ND

Unlike cloud-native logging tools, WebSphere ND has built-in logging and security auditing mechanisms.

5.1 WebSphere ND Log Files

Log file | Description
SystemOut.log | Standard application server log.
SystemErr.log | Captures error messages and stack traces.
FFDC logs | First Failure Data Capture logs for troubleshooting.

To monitor logs in real time:

tail -f /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/server1/SystemOut.log
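As an added example (not code from the page or from IBM), the Python below parses SystemOut.log-style lines and flags accounts with a burst of authentication failures inside a short window, the kind of pattern the log-analysis section above describes for unusual login attempts. The log excerpt is constructed; it assumes the standard `[timestamp] thread component level message` layout and that failed authentications appear as the SECJ0118E message.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SystemOut.log excerpt (layout and message ids are assumptions).
SAMPLE_LOG = """\
[2/12/25 10:14:55:020 EST] 0000001f WsServerImpl  A   WSVR0001I: Server server1 open for e-business
[2/12/25 10:15:01:104 EST] 0000004a LTPAServerObj E   SECJ0118E: Authentication error during authentication for user svc_deploy
[2/12/25 10:15:05:311 EST] 0000004a LTPAServerObj E   SECJ0118E: Authentication error during authentication for user svc_deploy
[2/12/25 10:15:09:872 EST] 0000004b LTPAServerObj E   SECJ0118E: Authentication error during authentication for user svc_deploy
[2/12/25 10:15:14:009 EST] 0000004a LTPAServerObj E   SECJ0118E: Authentication error during authentication for user svc_deploy
[2/12/25 10:15:20:450 EST] 0000004c LTPAServerObj E   SECJ0118E: Authentication error during authentication for user svc_deploy
[2/12/25 10:16:30:117 EST] 0000004a LTPAServerObj E   SECJ0118E: Authentication error during authentication for user alice
"""

# [M/D/YY HH:MM:SS:mmm ZONE] threadId component level message
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{1,2}/\d{1,2}/\d{2} \d{2}:\d{2}:\d{2}:\d{3}) \S+\] "
    r"(?P<tid>[0-9a-f]{8}) (?P<comp>\S+)\s+(?P<lvl>[A-Z])\s+(?P<msg>.*)$")
AUTH_FAIL_RE = re.compile(r"SECJ0118E: .*for user (?P<user>\S+)")


def parse_line(line):
    """Split one SystemOut.log line into its fields; None if it is not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S:%f")
    return {"ts": ts, "component": m["comp"], "level": m["lvl"], "msg": m["msg"]}


def find_auth_failure_bursts(text, threshold=5, window=timedelta(seconds=60)):
    """Return {user: {count, first, last}} for users with >= threshold failures
    inside any sliding window of the given length."""
    failures = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        fm = AUTH_FAIL_RE.search(rec["msg"])
        if fm:
            failures[fm["user"]].append(rec["ts"])
    alerts = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide window forward
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(user, {}).get("count", 0):
                alerts[user] = {"count": count, "first": times[start], "last": times[end]}
    return alerts
```

A real pipeline would run this over the forwarded log stream and raise the alert to the team rather than just returning it.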

5.2 Enabling Security Auditing

WebSphere ND can audit:

  • User logins.
  • Administrative changes.
  • Access control violations.

To enable security auditing:

  1. Open WebSphere Admin Console → Security → Security Auditing.
  2. Configure audit events in audit.xml.

Example Security Audit Configuration (audit.xml):

<AuditEvent type="UserLogin" action="SUCCESS">
    <User userID="admin"/>
</AuditEvent>

5.3 Integrating WebSphere ND Logs with IBM QRadar

For threat detection, WebSphere ND logs can be sent to IBM QRadar.

Steps to Integrate WebSphere ND with QRadar:

  1. Configure Log Source in QRadar.
  2. Set up WebSphere ND to forward logs to QRadar.
  3. Define security rules for anomaly detection.

Summary: WebSphere ND 9.0.5 Security Best Practices

Security feature | Best practice
Authentication | Use LDAP or Federated Repositories for user management.
Access Control | Implement RBAC with WebSphere ND roles.
SSL/TLS | Enforce TLS 1.2 / 1.3 and manage certificates with ikeyman.
Java Security | Enable Java 2 Security to restrict application permissions.
Database Security | Use J2C Authentication and encrypted databases.
Logging & Auditing | Enable security audit logs and integrate with IBM QRadar.

Frequently Asked Questions

How does WebSphere integrate with LDAP for user authentication?

Answer:

WebSphere connects to an LDAP directory as a federated user repository for authentication and authorization.

Explanation:

Administrators configure LDAP servers such as Active Directory or IBM Tivoli Directory Server as part of WebSphere’s federated repository configuration. Once configured, WebSphere authenticates users against the LDAP directory when they access administrative or application resources. The LDAP configuration requires settings such as base DN, bind credentials, and search filters. If any of these settings are incorrect, authentication may fail. Proper configuration allows centralized identity management across enterprise systems.

Demand Score: 85

Exam Relevance Score: 90

What is the purpose of SSL configuration in WebSphere Application Server?

Answer:

SSL encrypts communication between WebSphere servers, clients, and other components.

Explanation:

SSL (Secure Sockets Layer) ensures secure communication by encrypting data exchanged between clients and servers. WebSphere uses key stores and trust stores to manage digital certificates. Administrators configure SSL settings through the administrative console or wsadmin scripts. Certificates are used to verify server identity and establish secure channels. Incorrect certificate configuration can lead to SSL handshake failures, preventing secure communication between systems.

Demand Score: 80

Exam Relevance Score: 89

What are multiple security domains in WebSphere?

Answer:

Multiple security domains allow different applications to use different security configurations within the same WebSphere cell.

Explanation:

Security domains provide isolation between applications that require different authentication or authorization configurations. For example, one application may authenticate users through LDAP while another uses a different repository or security policy. By assigning applications to different security domains, administrators can apply separate security settings without affecting other applications in the same environment. This feature provides flexibility for complex enterprise environments.

Demand Score: 70

Exam Relevance Score: 86