Security & encryption
IBM Industry Solutions Workbench operates on the Red Hat OpenShift Container Platform, which means many options are predefined based on this requirement. The IBM Industry Solutions Workbench utilizes a container architecture where pods are isolated from one another. OpenShift can be deployed in both private and public cloud environments, depending on the customer's needs and preferences. Third-party dependencies are not included as part of the product and are not the vendor's responsibility. Configuration is entirely managed by the customer. The scope of the product begins after the installation of OpenShift.
IBM Industry Solutions Workbench adheres to the following principles and guidelines to secure your environment and data:
- Security by Default
- No Unencrypted Communication (only valid certificates allowed)
- Data at Rest Must Be Encrypted
- Authenticated Access Only
- Audit Logs
- No Hardcoded Default Secrets
- Container Security and Best Practices
- Least Privilege SCC Used
- No Root Access (except for the pipeline step to build container images, see k5-build-publish-image)
- No Privileged Usage (except for the pipeline step to build container images, see k5-build-publish-image)
Network Topology
- Network Policies isolate the IBM Industry Solutions Workbench projects (designer/hub and k5project namespaces) from all other Kubernetes namespaces.
- Routes expose the relevant services to be externally reachable via HTTPS, utilizing the configured default cluster certificates.
- Incoming requests are secured with SSL until they reach the designated pods.
- Istio Service Mesh can be enabled for specific k5projects, optionally.
- Inter-pod and inter-namespace communication between ISW components is secured with SSL/HTTPS.
- Third-party dependencies can operate both inside and outside the cluster and can be configured accordingly. SSL is recommended for these connections.
- OpenShift Ingress and Egress are utilized to manage incoming and outgoing traffic. All security-related options (such as IP whitelisting and rate limiting) can be configured on the relevant resources.
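As an added illustration of the namespace isolation described in the first bullet above (this is not a manifest shipped with the product), the following NetworkPolicy denies all ingress into a project namespace except traffic from pods in the same namespace and from the OpenShift ingress controller, so that only the exposed Routes reach the pods. The namespace name k5project-example is an assumed placeholder; the namespace label network.openshift.io/policy-group: ingress is the one OpenShift applies to its ingress controller namespace.

```yaml
# Added example, not part of the product. Namespace name is a placeholder.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: isolate-namespace
  namespace: k5project-example   # assumed placeholder for a k5project namespace
spec:
  # An empty podSelector selects every pod in the namespace.
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    # Allow traffic between pods of the same namespace only.
    - from:
        - podSelector: {}
    # Allow traffic from the OpenShift ingress controller (Routes over HTTPS).
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: ingress
```

Because NetworkPolicy is deny-by-default once a policy selects a pod, any namespace that is not listed in an ingress rule is blocked. A quick check that the isolation is in place is to list the policies of the namespace with oc get networkpolicy -n k5project-example and confirm that the ingress rules do not contain a from entry with an empty namespaceSelector, which would allow every namespace.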
Data Storage and encryption
Sensitive data is stored as follows:
- OpenShift Secret
- Vault (optional)
IBM Industry Solutions Workbench does not provide persistent volumes, except temporarily for the created Tekton pipeline runs, which eliminates the need for encrypted data persistence at rest within the product itself. The database system assumes responsibility for securing communications, ensuring that all data transfers are encrypted using SSL.
We strongly recommend hardening the Red Hat Enterprise Linux CoreOS (RHCOS). This prevents attackers from gaining access to the data of an OpenShift container. See also: