IBM SmartCloud for Social Business has a highly secure infrastructure in place to provide cloud resiliency and data security. It gives customers confidence that their information, whether in active use or at rest, is adequately protected.
In an IBM SmartCloud for Social Business environment, network security is provided by high-performance, state-of-the-art firewalls. The firewalls are arranged in a multi-level topology to provide layered network protection.
Authentication is performed at the Yellow Zone layer. Only when authentication completes successfully at the Yellow Zone layer is access allowed into the Green Zone.
The following figure shows the secure architecture implemented at each layer:
The firewall restricts access between systems that have a direct external connection and systems that contain confidential data or configuration data. It restricts traffic between specified filter ports and addresses, and it does not allow direct access from external interfaces into the restricted network zones. Inbound and outbound traffic is permitted only through specified ports and services. For details, refer to the Cheat Sheet for Firewall settings.
As an IBM SmartCloud for Social Business administrator, you secure user access through user credentials and federated identity. However, user credentials can be stolen or phished. To address this concern, you can add a further layer of access security by restricting the IP addresses from which users may log in. An attacker who has obtained a user's credentials would then also need to connect to IBM SmartCloud for Social Business from within your network before those credentials could be used.
To specify an IP address or a range of IP addresses, as an administrator, perform the following steps.
- Click Admin -> Manage Organization.
- Go to System Settings -> Security.
- Specify the IP address ranges in the section highlighted in the following figure.
This mechanism protects your organization against the use of stolen user credentials. However, it has some restrictions:
- Users who access IBM SmartCloud for Social Business from a mobile device:
For example, BlackBerry users must authenticate through a BlackBerry Enterprise Server (BES), which authenticates both the mobile device and the user. Because the IP address seen for the authenticated user is that of the BES server rather than the device, IP address restrictions can block IBM SmartCloud for Social Business access, depending on whether the BES server's address falls within the range specified. You can, however, use VPN tools on the mobile device to route its traffic through the company network, in which case the source address falls within your range and the IP address restrictions apply as intended.
- SMTP, POP, and IMAP are not supported for IP address restrictions.
If your company uses these protocols to access IBM SmartCloud for Social Business, IP address restrictions are not applied to that access.
IBM SmartCloud for Social Business is a multi-tenant service. Most of the services use network accelerator technology to serve thousands of users distributed all over the world. The network accelerator relies on dynamic IP addresses, so restricting access to the service by IP address on your side is not recommended. If network accelerator technology is used, IBM SmartCloud for Social Business recommends that corporate firewalls filter on DNS names rather than on fixed IP addresses.
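As an added example (not IBM product code), the following Python models the decision described above: credentials are checked first and, for protocols that the restriction covers, the request's source address must fall inside the administrator-configured ranges. It also exercises the two caveats from the list: a mobile device reaching the service through a BES server presents the server's address rather than its own, and SMTP, POP and IMAP access is not restricted. The entry syntax accepted (CIDR, dashed range, single address), the protocol names and all addresses are assumptions for illustration; the addresses are constructed from the RFC 5737 documentation ranges.

```python
"""IP address restriction as a second gate after credential checks.

Added example, not IBM product code. It models the administrator-configured
IP restriction: a login with valid (possibly stolen) credentials is still
refused unless the request's source address lies within the configured
ranges. Entry formats, protocol names and addresses are assumptions.
"""
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Protocols the page says are not covered by IP address restrictions.
UNRESTRICTED_PROTOCOLS = {"smtp", "pop", "imap"}


def parse_entry(entry: str) -> List[Network]:
    """Turn one configured entry into a list of networks.

    Accepts CIDR ("203.0.113.0/24"), a dashed range
    ("198.51.100.10-198.51.100.20") or a single address. A dashed range is
    summarised into the minimal set of CIDR blocks so membership tests stay cheap.
    """
    entry = entry.strip()
    if "-" in entry:
        low_s, high_s = entry.split("-", 1)
        low = ipaddress.ip_address(low_s.strip())
        high = ipaddress.ip_address(high_s.strip())
        if low.version != high.version:
            raise ValueError(f"mixed address families in range: {entry!r}")
        if low > high:
            raise ValueError(f"range start after end: {entry!r}")
        return list(ipaddress.summarize_address_range(low, high))
    # strict=False lets a bare host address through as a /32 or /128 network.
    return [ipaddress.ip_network(entry, strict=False)]


def parse_allowlist(entries: List[str]) -> List[Network]:
    """Parse every configured entry; an invalid entry fails closed at save time."""
    networks: List[Network] = []
    for entry in entries:
        networks.extend(parse_entry(entry))
    return networks


def ip_restriction_applies(protocol: str) -> bool:
    """SMTP, POP and IMAP access is not subject to the restriction."""
    return protocol.lower() not in UNRESTRICTED_PROTOCOLS


def source_allowed(client_ip: str, allowlist: List[Network]) -> bool:
    """True if client_ip is inside any configured network of the same address family."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in allowlist if net.version == ip.version)


def authenticate(credentials_valid: bool, client_ip: str, protocol: str,
                 allowlist: List[Network]) -> str:
    """Two gates: credentials first, then the source address when the protocol is covered.

    An empty allowlist means no restriction has been configured.
    """
    if not credentials_valid:
        return "denied: invalid credentials"
    if allowlist and ip_restriction_applies(protocol) and not source_allowed(client_ip, allowlist):
        return "denied: source address outside permitted ranges"
    return "allowed"


def demo() -> dict:
    """Constructed scenarios using RFC 5737 documentation addresses."""
    allowlist = parse_allowlist(["203.0.113.0/24", "198.51.100.10-198.51.100.20"])
    return {
        # Employee on the corporate network: credentials and address both pass.
        "office_user": authenticate(True, "203.0.113.77", "https", allowlist),
        # Phisher holding valid stolen credentials, connecting from elsewhere.
        "phisher": authenticate(True, "192.0.2.1", "https", allowlist),
        # Same phisher over IMAP: the restriction is not applied to that protocol.
        "phisher_imap": authenticate(True, "192.0.2.1", "imap", allowlist),
        # BlackBerry user: the request carries the BES server's address (assumed
        # 192.0.2.50), not the handset's. Outside the range, the legitimate user is blocked.
        "bes_user": authenticate(True, "192.0.2.50", "https", allowlist),
        # Same user after the handset's VPN routes traffic through the company network.
        "bes_user_vpn": authenticate(True, "198.51.100.15", "https", allowlist),
        # A wrong password is refused before the address is even considered.
        "bad_password": authenticate(False, "203.0.113.77", "https", allowlist),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:14s} {decision}")
```

Running the module prints one decision per scenario. The point to take from the bes_user case is that the address checked is the one the service sees at its network edge, so any proxy or relay between the user and the service substitutes its own address for the user's, and the configured range must account for that.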
In addition to the multi-layer defense approach, IBM provides real-time antivirus protection and on-demand scanning for the SmartCloud for Social Business environment. IBM uses a robust commercial antivirus product that is deployed not only on the system servers but also within the application, providing immediate real-time scanning of stored and shared files.
Vulnerability scanning is performed on the network and servers, and regular independent application and infrastructure reviews are conducted. IBM performs regular testing with IBM Rational AppScan for common web exposures such as cross-site scripting (XSS), cross-site request forgery (CSRF), and SQL injection.
IBM also has a dedicated security organization working across all IBM SmartCloud for Social Business services that performs security management activities for the network, infrastructure, applications, and supporting services. It also has responsibilities within the system development lifecycle, including development of application and service security requirements, code security, security feature development, and security testing. This organization conducts specific security design reviews across IBM SmartCloud for Social Business.

All code updates follow a strict lifecycle from design to deployment. All code is subjected to extensive peer review and is approved by a development architect before being merged into the code base. Each update is associated with an escalated problem report or an approved work item, and every update is tested and verified. Code updates are rolled up into a full system build in preparation for deployment. After internal system verification testing, the development team stages the build for handoff to operations staff on a designated server. Operations staff do not have access to source code, but they do have the ability to deploy the build to staging and test environments for another round of system verification testing. The system update is deployed to production only after those tests succeed.