Cloud technology becomes a more critical and essential commodity year after year. Consumers and enterprises around the globe are adopting the cloud to stay ahead of competitors with infrastructure that is highly scalable, dynamic, easy to manage, and yet secure. Adoption can grow only as understanding of, and trust in, the cloud grow. After moving to the cloud, organizations no longer have direct control over their assets; data and operations are handed over to the cloud provider. Organizations therefore want to understand how their data is stored and protected, how it is shielded from security threats, and how security is implemented and managed. With this understanding, they can establish a stronger trust relationship with the cloud service provider.
The security of the IBM cloud solution is based on the IBM security framework. IBM takes a holistic view of security and applies a risk-based approach to security across all its offerings.
In this chapter, we describe how IBM, based on the IBM security framework, addresses security for its cloud offering, IBM SmartCloud for Social Business.
Security governance, risk and compliance
Governance, risk, and compliance are among the major concerns cited by organizations when it comes to security in the cloud. Because control lies with the provider, security governance also lies with the provider. Organizations want to know how compliance requirements are met and how risks are managed.
IBM SmartCloud® for Social Business addresses these concerns across all its offerings. IBM, as the provider, understands the needs of the organization. IBM Online Collaboration Services has a dedicated security organization that understands and evaluates the customer's requirements and designs the security architecture and compliance management technologies.
To support transparency, IBM aligns its approach with recognized industry standards such as FISMA and FIPS. IBM regularly submits its policies, standards, and processes to both internal audits and external certifications, and also maintains a comprehensive Service Organization Controls (SOC) reporting program.
IBM SmartCloud® for Social Business offerings are covered by numerous security assurance activities throughout their entire lifecycle. IBM performs quarterly security reviews of all systems and infrastructure. Rational AppScan testing checks for common web exposures such as cross site scripting, cross site request forgery, and SQL injection. Manual ethical hacking supplements the AppScan tool set and targets the unique application and infrastructure configuration. IBM compliance programs mandate periodic self assessments, production scanning, and reporting of compliance posture. Privacy reviews help to ensure customer data protection. IBM's comprehensive policies on privacy and client data protection can be found at http://www.ibm.com/privacy/us/en/.
People and identity
Organizations must make sure that authorized users in their enterprise and supply chain have access to the data, tools, and applications they need, whenever they need them, while blocking unauthorized access. This is achieved by adopting a least privilege model and strong federated identity management.
IBM SmartCloud® for Social Business ensures that user access privileges are appropriate and that secure access mechanisms are in place by following its user governance model.
Users can be added only by an administrator. When creating a user, the administrator specifies a role, which controls what the user needs to know and can access.
Passwords must follow basic guidelines regarding length, characters, and so on. A requirement to change the password at first login can also be specified.
Users can click Forgot password? to have their password reset. This link resets the organization password, but does not necessarily reset the mail password.
Existing users are managed by the administrator through the user interface (UI), as shown in the figure below. The administrator can resend invitations, reset passwords, delete users, and so on.
Administrators and Administrator assistants can reset passwords by clicking the arrow next to a user listed in User Accounts and selecting Reset Password. Administrator assistants can reset the login password for a user but cannot reset IBM® Lotus Notes® passwords. Administrators can reset both the login passwords and the IBM Notes passwords.
The following figure shows the UI window for managing existing users.
Administrators can enable security settings to enforce password expiration through System Settings > Security. When a user logs in with an expired password, they are prompted to reset it.
The following figure shows the security settings for password window.
Federated identity management
Federated identity management is an important aspect of cloud security. It should be deployed to securely exchange identity information when bridging cloud environments, so that the service provider can have confidence in the asserted identity and identity spoofing is prevented.
Federated identity management is handled by a single sign-on (SSO) service that is available for all cloud-based services in IBM SmartCloud for Social Business. If you enable federated identity management, users who are logged on to your system can use the cloud-based services without having to log on again.
The IBM SmartCloud for Social Business products rely on SAML to provide the SSO services. In this implementation, your organization is the identity provider, and IBM SmartCloud® for Social Business is the service provider. You can use either SAML 1.1 or SAML 2.0.
Before your organization decides to implement a federated identity management system, you need to understand the flow models that exist and the different types of federated identity management.
Models of federated identity management
Two flow models exist in federated identity management:
Identity provider initiated model (IdP-initiated)
Service provider initiated model (SP-initiated)
The SP-initiated flow model is normally not available with SAML 1.1 because SAML 1.1 does not support the Identity Provider Discovery Profile. However, IBM SmartCloud for Social Business uses a hybrid form of the SP-initiated flow that works with both SAML 1.1 and SAML 2.0: the user supplies an email address, and the service provider looks up the organization's identity provider from it. As a result, the Identity Provider Discovery Profile is not required by IBM SmartCloud for Social Business and is not implemented.
IBM SmartCloud® for Social Business implements the Browser/POST profile that is used in SAML 1.1 and is compatible with the Web Browser SSO profile in SAML 2.0. Other profiles are not supported at this time.
The following outlines describe these two flows.
IdP-initiated flow
1. The user gains access to your intranet through your organization's authentication mechanism.
2. The user navigates to a web page on your intranet that contains a link to an IBM SmartCloud for Social Business product such as Engage or IBM Connections.
3. The user clicks the link.
4. The SSO process is initiated. A SAML assertion is sent to the IBM SmartCloud for Social Business endpoint through HTTP POST. If the user has a valid account, access is granted.
5. The user interacts with IBM SmartCloud for Social Business.
SP-initiated flow
1. The user navigates to the IBM SmartCloud for Social Business login page.
2. The user clicks Use My Organization's Login.
3. The user enters the email address that is associated with the user's account.
4. IBM SmartCloud for Social Business looks up the email address and then redirects the user to your organization's authentication mechanism.
5. The flow continues from Step 4 of the IdP-initiated flow.
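The following is an added example, not code from IBM or from the product, that models both flows above end to end: the service provider's email-domain lookup that replaces Identity Provider Discovery in the hybrid SP-initiated flow, the identity provider issuing an assertion, and the checks the service provider must make on the HTTP-POSTed assertion before granting access. Everything in it is hypothetical: the entity IDs, URLs, organization registry, accounts and secret are made up, and the assertion is a JSON document signed with HMAC-SHA256 over a shared secret as a stand-in for the XML Signature and IdP certificate that real SAML uses, so that it runs with the Python standard library alone.

```python
# Added example, not IBM code. Hypothetical SP/IdP model of the SAML flows.
import hashlib
import hmac
import json
import secrets
import time
import urllib.parse

SP_ENTITY_ID = "https://sp.example.invalid/saml"      # hypothetical SP entity ID
SP_ACS_URL = "https://sp.example.invalid/saml/acs"   # hypothetical assertion consumer URL

# Hypothetical organization registry. The hybrid SP-initiated flow maps the
# user's email domain to the organization's IdP here, which is why no
# Identity Provider Discovery Profile is needed.
ORG_REGISTRY = {
    "acme.example": {
        "idp_sso_url": "https://idp.acme.example/sso",
        "key": b"shared-secret-for-acme",   # stand-in for the IdP signing certificate
    },
}
ACCOUNTS = {"alice@acme.example": "alice", "bob@acme.example": "bob"}


def _canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(payload: dict, key: bytes) -> dict:
    return {"assertion": payload,
            "sig": hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()}


def idp_issue(domain: str, subject: str, in_response_to=None, now=None) -> dict:
    """Organization's IdP: build and sign an assertion addressed to the SP.
    in_response_to is None in the IdP-initiated flow (unsolicited response)."""
    now = time.time() if now is None else now
    payload = {"id": "_" + secrets.token_hex(16), "issuer": domain, "subject": subject,
               "audience": SP_ENTITY_ID, "recipient": SP_ACS_URL,
               "not_before": now - 60, "not_on_or_after": now + 300,
               "in_response_to": in_response_to}
    return _sign(payload, ORG_REGISTRY[domain]["key"])


class ServiceProvider:
    def __init__(self):
        self.pending = {}   # request IDs we issued and have not yet seen answered
        self.seen = set()   # assertion IDs already consumed (replay defence)

    def start_sp_initiated(self, email: str) -> str:
        """SP-initiated steps 3-4: look up the email domain, redirect to its IdP."""
        domain = email.rpartition("@")[2].lower()
        org = ORG_REGISTRY.get(domain)
        if org is None:
            raise LookupError("no federated organization for domain " + domain)
        request_id = "_" + secrets.token_hex(16)
        self.pending[request_id] = time.time()
        query = urllib.parse.urlencode({"SAMLRequestID": request_id, "RelayState": "/home"})
        return org["idp_sso_url"] + "?" + query

    def consume(self, posted: dict, now=None) -> str:
        """IdP-initiated step 4: validate the POSTed assertion, map it to an account.
        Each check is one a real SP must make before granting access."""
        now = time.time() if now is None else now
        a = posted["assertion"]
        org = ORG_REGISTRY.get(a.get("issuer"))
        if org is None:
            raise PermissionError("unknown issuer")
        expected = hmac.new(org["key"], _canonical(a), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, posted.get("sig", "")):
            raise PermissionError("bad signature")
        if a.get("audience") != SP_ENTITY_ID or a.get("recipient") != SP_ACS_URL:
            raise PermissionError("assertion not addressed to this SP")
        if not (a["not_before"] <= now < a["not_on_or_after"]):
            raise PermissionError("assertion outside its validity window")
        irt = a.get("in_response_to")
        if irt is not None and self.pending.pop(irt, None) is None:
            raise PermissionError("InResponseTo matches no outstanding request")
        if a["id"] in self.seen:
            raise PermissionError("replayed assertion")
        self.seen.add(a["id"])
        account = ACCOUNTS.get(a["subject"].lower())
        if account is None:
            raise PermissionError("no account for " + a["subject"])
        return account


def sp_initiated_login(sp: ServiceProvider, email: str, now=None) -> str:
    """Drive the whole SP-initiated flow: SP redirect, IdP assertion, SP checks."""
    redirect = sp.start_sp_initiated(email)
    request_id = urllib.parse.parse_qs(urllib.parse.urlsplit(redirect).query)["SAMLRequestID"][0]
    domain = email.rpartition("@")[2].lower()
    posted = idp_issue(domain, email, in_response_to=request_id, now=now)
    return sp.consume(posted, now=now)


if __name__ == "__main__":
    sp = ServiceProvider()
    print(sp_initiated_login(sp, "alice@acme.example"))                # SP-initiated
    print(sp.consume(idp_issue("acme.example", "bob@acme.example")))   # IdP-initiated
```

The order of checks matters: the signature is verified before any field is trusted, the audience and recipient checks stop an assertion issued for a different service from being replayed here, the validity window and the consumed-ID set bound replay, and the InResponseTo check ties an SP-initiated response to a request this SP actually made, while an unsolicited (IdP-initiated) assertion is still accepted, as the page's flows require.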
Types of federated identity management
In IBM SmartCloud for Social Business, four types of federated identity management are available: Non-federated, Federated, Modified, and Partial. By default, all users in your organization are assigned the Non-federated type unless you enable one of the other types.
Non-federated
The login for SmartCloud for Social Business is independent of, and separate from, your organization's login procedure. Users must log on to IBM SmartCloud for Social Business to use the cloud-based services. The Non-federated type is the default type, and is the simplest type to set up because it requires no action on your part.
Federated
Users must authenticate with your organization before they can access the cloud-based services. Users do not have a user name or password on IBM SmartCloud for Social Business. If they go to the IBM SmartCloud for Social Business login page, they must click Use My Organization's Login. The Federated type applies to all users in your organization.
The Federated type is convenient for your users who normally work from the office. They can log on to your system and use IBM SmartCloud for Social Business without needing a separate username and password combination. However, if any of your users work from home or work while traveling, your directory servers must be accessible from the Internet. Also, because your users do not have a separate login for IBM SmartCloud for Social Business, services such as chat and POP/IMAP are not available.
If you choose the Federated type, you must implement the SP-initiated flow model.
Modified
Users have the option of authenticating with your organization before accessing the cloud-based services, or of using their SmartCloud for Social Business user name and password to log on to SmartCloud for Social Business. The Modified type applies to all users in your organization.
The Modified type allows your users to access IBM SmartCloud for Social Business from the Internet, but you do not need to make your directory servers accessible from the Internet. Your users can use the single sign-on services when they are in the office, and the IBM SmartCloud for Social Business login when they are outside the office.
Partial
Each user in your organization is assigned one of the previously listed types: Non-federated, Federated, or Modified. If you do not specify a type for a particular user, the user is assigned the Non-federated type.
Use the Partial type if you have one group of users who normally work in the office, and another group of users who normally work from home or who travel frequently. For example, the office workers can be assigned the Federated type, and the traveling sales team can be assigned the Modified type.
You can also use the Partial type to group users by the services that are available to them. Users with the Federated type do not have access to chat or POP/IMAP, but users of the Modified type do have access to chat and POP/IMAP.
If you choose the Partial type, you must implement the SP-initiated flow model to support users with the Federated type.
After one of the federation types is implemented, you can change to one of the other types by contacting your customer services representative. The customer services representative will advise you on the process. If you are using the Partial type, you can change individual users from one type to another without the need to contact your customer services representative.
Once you understand the flows and the types of federated identity management, assess your organization's needs and contact an IBM services representative to help you prepare and enable federated identity management.
Most organizations cite data as their most important security concern when moving to the cloud. The concerns revolve around data storage, access control, compliance and audit requirements, the business impact of data theft, notification requirements, and damage to brand value.
IBM SmartCloud® for Social Business helps address all these concerns. It runs in several data centers across the globe, and their number grows year after year. With security a top priority for most organizations today, IBM designed the IBM SmartCloud® for Social Business offerings for enterprise-grade operations.
IBM SmartCloud® for Social Business does not mine your content and data, and does not use your user interface to deliver online advertisements. You can download or remove content, data, and files from the service. As a customer, you should know where your data is stored. The service does not fragment customer data across locations, and IBM tells you in which of its data centers your content is stored. Which data center is used depends on the organization's proximity to it.
Data storage for each offering on IBM SmartCloud® for Social Business is defined at the subscription level. See the figure below.
Multitenancy refers to a software architecture in which a single instance of the software runs on a server and serves multiple client organizations (tenants). It contrasts with multi-instance architectures, where separate software instances (or hardware systems) operate on behalf of different client organizations. In a multitenant architecture, the application virtually partitions its data and configuration, and each client organization works with a customized virtual application. In SmartCloud for Social Business, the separation between tenants at the directory level is controlled through policies. By default, members of your organization are not listed in the Organization Directory, which means that they are not visible to members of other organizations.
Administrators can have all users publicly listed in the directory, have only specific users listed publicly, or allow each user to decide whether they want to be publicly listed. If you are not visible to the directory, then you are not listed when searched for by users outside of your organization. If you are listed in the directory then other users external to your organization can find you and add you to their network.
There are three privacy settings:
User Choice: This allows your users to decide whether they are listed in the directory. Listing them makes them searchable to users outside of your organization.
All Private: This is selected by default. All Private prevents your users from being found by users external to your organization.
All Private with Exceptions: Control which users are listed in the directory.
Only the users you list in Exceptions are visible to users external to your organization; any user not listed in Exceptions is treated as private and does not appear in the directory. When you select this option, a list of exceptions is created. The Exceptions field does not show the current list of exceptions; it shows only the users you are adding to the existing list. To see the users who are already exceptions, click View all exceptions. To replace the existing list, select Only allow the users currently listed in Exceptions to be displayed in the directory, which removes any previously selected exceptions from the directory, and then add every user you intend to be public in Exceptions. That list replaces the current list of exceptions.
Data encryption and the management of encryption keys are vitally important whether data is at rest or in transit. IBM SmartCloud for Social Business provides encryption capabilities for each of its offerings. For instance, SmartCloud Notes supports both Notes and S/MIME signatures. SmartCloud Notes can be accessed through various clients: desktop, web browser, and mobile. Email is encrypted irrespective of which Notes client is used. All SMTP and NRPC email is scanned for viruses and spam. Additionally, the Notes client has a strong built-in mechanism, the Execution Control List (ECL), which controls active content in email. When mail is accessed through a web browser, cache control policies ensure that no email information is left behind in the browser cache.
Data retention is also a critical aspect of the cloud. IBM SmartCloud Archive Essentials is a cloud-based solution for archiving, compliance, and e-discovery, integrated with the IBM SmartCloud Notes service. It provides a security-rich environment in which data can be stored and accessed for quick insight, and all access is recorded and available through detailed audit reports.
Data auditing is an essential requirement in the cloud. SmartCloud for Social Business provides a mechanism to share files outside your organization, and allows you to invite guests to view and download your files, attend meetings, and so on. It is therefore important to monitor user activity, both within and outside the organization.
The administrator can monitor user activity in the organization by using the "Journaling" feature. The journal is a record of user activity on your company account. It includes date, time, and user information about events such as logon attempts, password changes, and start times of online meetings. Approximately every 24 hours, the journal service produces several journal files, one for each component of IBM SmartCloud for Social Business. Each file is compressed with gzip and then made available through FTPS on the IBM SmartCloud® for Social Business integration and migration site. After seven days on the site, the files are removed, so retrieve them on a schedule and keep them in your own log retention or monitoring system if you need a longer audit trail. Each compressed file contains a plain text file in a readable format. The format is consistent and regular, so the text files can be parsed programmatically.
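The following is an added example, not IBM code, of what an administrator can do with the journal once it has been retrieved: decompress a gzip file, parse its lines, and flag the pattern that the page's event list (logon attempts, password changes) makes detectable, a burst of failed logons followed by a success and a password change from the same address. The journal lines and their layout are constructed for this example; the real file layout is documented by IBM and is not reproduced here, so the regular expression must be adapted to it.

```python
# Added example, not IBM code. Journal layout below is hypothetical.
import gzip
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample journal in an assumed "timestamp EVENT user=... ip=..." layout.
SAMPLE_JOURNAL = """\
2013-05-14T09:12:03Z LOGIN_FAILED user=alice@acme.example ip=203.0.113.7
2013-05-14T09:12:09Z LOGIN_FAILED user=alice@acme.example ip=203.0.113.7
2013-05-14T09:12:15Z LOGIN_FAILED user=alice@acme.example ip=203.0.113.7
2013-05-14T09:12:21Z LOGIN_FAILED user=alice@acme.example ip=203.0.113.7
2013-05-14T09:12:30Z LOGIN_FAILED user=alice@acme.example ip=203.0.113.7
2013-05-14T09:12:44Z LOGIN_OK user=alice@acme.example ip=203.0.113.7
2013-05-14T09:13:01Z PASSWORD_CHANGED user=alice@acme.example ip=203.0.113.7
2013-05-14T10:02:11Z LOGIN_OK user=bob@acme.example ip=198.51.100.4
2013-05-14T10:40:00Z MEETING_STARTED user=bob@acme.example ip=198.51.100.4
"""
# The journal arrives gzip-compressed; compress the sample so the code path is the same.
SAMPLE_JOURNAL_GZ = gzip.compress(SAMPLE_JOURNAL.encode())

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_journal(gz_bytes: bytes) -> list:
    """Decompress one journal file and return a list of event dicts."""
    events = []
    for line in gzip.decompress(gz_bytes).decode().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_suspicious_logins(events, threshold=5, window=timedelta(minutes=10)) -> list:
    """Flag (user, ip) pairs with at least `threshold` LOGIN_FAILED events inside
    `window`, and record whether a LOGIN_OK and a PASSWORD_CHANGED followed from
    the same address within the window after the last failure."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAILED":
            failures[(e["user"], e["ip"])].append(e["ts"])
    findings = []
    for (user, ip), times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] > window:
                continue
            last_fail = times[i + threshold - 1]
            later = [e for e in events
                     if e["user"] == user and e["ip"] == ip
                     and last_fail < e["ts"] <= last_fail + window]
            findings.append({
                "user": user, "ip": ip, "failures": threshold, "last_failure": last_fail,
                "login_ok_after": any(e["event"] == "LOGIN_OK" for e in later),
                "password_changed_after": any(e["event"] == "PASSWORD_CHANGED" for e in later),
            })
            break  # one finding per (user, ip) is enough
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(parse_journal(SAMPLE_JOURNAL_GZ)):
        print(f)
```

A finding where both `login_ok_after` and `password_changed_after` are true is the one to escalate: it looks like a successful guess followed by the attacker locking the real user out, and the administrator's Reset Password action described earlier is the first response.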
Apart from the detailed journal files for each component of IBM SmartCloud for Social Business, the administrator can generate and view reports of the files downloaded by users outside the organization within a given period by using the "File Download History" option.
Users and administrators can also generate reports for meetings.
IBM SmartCloud Collaboration for Government
Like other organizations, government agencies are under constant pressure to improve the delivery of their services while driving down costs. In addition, a government agency must meet government-grade security and regulatory compliance requirements. IBM provides a dedicated cloud for government agencies, suited to both their collaboration needs and their security needs. It is based on a subscription model, allowing scaling at any time. IBM SmartCloud Social Collaboration for Government is compliant with Federal Information Security Management Act (FISMA) guidelines, is hosted in the IBM Federal Data Center, and is available to all United States government entities at the federal level.
Application development in the cloud is similar to its on-premise counterpart. However, design aspects, and especially the security methodology, must be handled carefully in the cloud. The cloud service is accessible through APIs, and these APIs must be secured by adopting OAuth, the open standard for authorization. When the user accesses the application, the user is redirected to the login page and enters a user name and password. Upon successful login, a token is issued, and the application presents that token on each API call. The token has a validity period, so access lasts only until the token expires.
The administrator controls whether third-party applications can be granted access on behalf of users.
Additionally, IBM uses Rational AppScan to test for common web exposures such as cross site scripting, cross site request forgery, and SQL injection. Manual ethical hacking supplements the AppScan tool set and targets the unique application and infrastructure configuration. The system development lifecycle includes code reviews, code control, and accountability. Processes are in place to ensure application and infrastructure reviews at the corporate level.
All components of IBM SmartCloud® for Social Business enforce access control at the application level. Safe defaults within each component promote user security awareness without being intrusive. For example, in the Upload Files window, sharing is disabled by default in the "Share with" field. See the figure below.