---
copyright:
lastupdated: "2024-11-17"
subcollection: pattern-sap-on-powervs
keywords:
---
{{site.data.keyword.attribute-definition-list}}
{: #security-decisions}
Architecture decision | Requirement | Decision | Rationale |
---|---|---|---|
Primary Storage | Ability to encrypt data at rest | PowerVS uses IBM FlashSystem storage with AES-256 (Advanced Encryption Standard) hardware-based encryption | Industry-standard AES-256 encryption, provided by the FlashSystem arrays that back PowerVS volumes. The encryption is transparent to the LPAR: it protects against removal or reuse of physical media, not against a user who already has access to the operating system. |
Backup Storage & Archive Storage | Ability to encrypt backups | Provider-managed (IBM Cloud managed key) encryption for IBM Cloud Object Storage and for Block and File Storage | By default, all objects stored in IBM Cloud Object Storage are encrypted with randomly generated keys and an all-or-nothing transform (AONT). \n The file systems associated with any Classic infrastructure are IBM Cloud Block Storage volumes or File Storage; both allow provider-managed encryption (IBM Cloud managed keys), which is configured by default when the storage is set up. \n When file storage is encrypted, backups of it cannot be deduplicated, so more backup storage is required. |
HANA Data Encryption | Ability to encrypt SAP HANA data at rest | HANA Data Volume Encryption (DVE) | DVE encrypts HANA data pages at the persistence layer, so the data volumes on disk cannot be read by someone with operating-system-level access. Redo log and backup encryption are separate HANA settings and must be enabled in addition to DVE. |
Workload | IaaS platform must support data encryption: \n * Client to server \n * Application LPAR to DB LPAR | * HTTPS and FTPS (client to server) \n * In-flight encryption for the HANA DB using TLS, covering application-to-DB traffic | Client-to-server encryption is provided over HTTPS (TLS); file transfer is encrypted with FTPS. SAP supports TLS between the application servers and the HANA database (SQL port), and HANA can be configured to reject unencrypted client connections. |
Identity and Access Management (IAM) | Securely authenticate users for platform services and control access to resources consistently across IBM Cloud | IBM Cloud IAM | Use IAM access policies to assign users, service IDs, and trusted profiles access to resources within the IBM Cloud account, scoped to the resource group and service rather than to the whole account. |
Privileged Identity & Access Management | Privileged access management services for administrative purposes | * BYO bastion host (or Privileged Access Gateway) with PAM software deployed in the VPC Landing Zone \n * 2FA through IBM Security Verify | Remote resources are reached for management purposes only over the private network, through the bastion over SSH. Session recording tracks all activities, successful or not, so that potential threats can be identified. |
Core Network Protection | * Strict separation of duties \n * Isolated security zones between environments \n * Isolated, private cloud environment | * Separate VPCs, subnets, ACLs, and security groups for any non-SAP workloads that exist in the VPC \n * In addition to VPC capabilities, virtual firewalls deployed in the Edge/Transit VPC provide advanced firewall and routing capabilities between the VPC and PowerVS \n * Application and DB separated into different PowerVS LPARs, with production and non-production in separate environments | A design combination of separate VPCs (transit, management, workload) connected through Transit Gateway and edge firewall capabilities; subnets, security groups, and ACLs form the Edge/Transit VPC design, alongside isolated LPARs on PowerVS. |
Threat detection and response | * Boundary protection: highest level of isolation from external network threats \n * IPS/IDS protection at all ingress/egress \n * Unified Threat Management (UTM) firewall | BYO virtual firewall (on a VSI) in the VPC Landing Zone, deployed across availability zones. Client choices: \n * FortiGate \n * Juniper vSRX \n * Check Point CloudGuard \n * Palo Alto | * Boundary protection can be provided by the enterprise network DMZ. \n * In addition, if the client requires it, a virtual firewall on a VSI in the VPC Landing Zone. \n * The choice is the client's; the recommendation is FortiGate or Juniper. \n * FortiGate supports a native HA configuration. \n * FortiGate supports both IPS and IDS. |
Enterprise security and compliance service | Hybrid multicloud risk management | IBM Cloud Security and Compliance Center | Unified security, compliance, and risk visibility across hybrid multicloud environments. |
Secrets Management | Centrally manage secrets | IBM Cloud Secrets Manager | Create, lease, and centrally manage the secrets (API keys, certificates, credentials) that are used in your apps and services. |
Financial Industry | Financial-industry-specific cloud | IBM Cloud for Financial Services | Supported on IBM Power Systems Virtual Server (check region availability). |
{: caption="Architecture decisions for security" caption-side="bottom"}
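The HANA Data Encryption and Workload rows above name two controls, DVE and TLS for application-to-DB traffic, without showing how they are switched on and verified. The SQL below is an added example, not part of the original page or of SAP's documentation. It assumes a SAP HANA 2.0 system, a connection to the system database, and a user holding the ENCRYPTION ROOT KEY ADMIN, DATABASE ADMIN, and INIFILE ADMIN system privileges; a server certificate must already be in place (in the SAPSRV PSE or an in-database certificate collection with the SSL purpose) before TLS is enforced.

```sql
-- Added example (not from the original page): enable HANA encryption at rest
-- and enforce TLS for SQL clients. Assumes HANA 2.0, a SYSTEMDB connection,
-- and a user with the ENCRYPTION ROOT KEY ADMIN, DATABASE ADMIN and
-- INIFILE ADMIN system privileges.

-- 1. Data Volume Encryption (DVE): data pages are encrypted as they are
--    written to the persistence layer, so someone reading the data volumes
--    at operating-system level sees only ciphertext.
ALTER SYSTEM PERSISTENCE ENCRYPTION ON;

-- 2. Redo log and backup encryption are separate scopes. DVE alone leaves
--    the log volumes and backup files in the clear.
ALTER SYSTEM LOG ENCRYPTION ON;
ALTER SYSTEM BACKUP ENCRYPTION ON;

-- 3. Verify: each scope (persistence, log, backup) should report
--    IS_ENCRYPTION_ACTIVE = 'TRUE'.
SELECT * FROM M_ENCRYPTION_OVERVIEW;

-- 4. Enforce TLS between the application LPAR and the HANA LPAR.
--    sslEnforce = true makes the SQL port refuse unencrypted connections,
--    so test with one application server first: a client that is not
--    configured for TLS is simply rejected once this is active.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('communication', 'sslEnforce') = 'true' WITH RECONFIGURE;

-- 5. Confirm the parameter as the running system sees it.
SELECT FILE_NAME, LAYER_NAME, SECTION, KEY, VALUE
  FROM M_INIFILE_CONTENTS
 WHERE FILE_NAME = 'global.ini'
   AND SECTION = 'communication'
   AND KEY IN ('sslEnforce', 'sslCryptoProvider');

-- 6. Detect sessions that are still unencrypted. After sslEnforce is
--    active this should return no rows; run it before enforcing to find
--    the clients that still need TLS configured.
SELECT HOST, PORT, CLIENT_IP, USER_NAME, IS_ENCRYPTED
  FROM M_CONNECTIONS
 WHERE CONNECTION_STATUS = 'RUNNING'
   AND IS_ENCRYPTED = 'FALSE';
```

The encryption root keys live in the instance's secure store in the file system (SSFS), so back them up (for example with `hdbnsutil -backupRootKeys`) and keep that backup separate from the data backups; an encrypted backup cannot be restored on a system that does not have the matching root keys. Step 6 is the useful pre-check: running it before step 4 lists exactly which application servers or admin tools would break once unencrypted connections are refused.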