Showing posts with label compliance.

Thursday, December 12, 2019

asd765 cloud 87ohhlj db2 askh security xbas chatbot

If you came here and wondered about the blog title, then read on. I plan to write about a couple of mixed, seemingly random topics. Why not express that in today's blog title...? :) It is almost the end of the year, and here is some news I wanted to share with you before the holidays.

Monday, August 19, 2019

Track API key usage by combining IBM Cloud IAM and LogDNA search

Which key is still in use...?
Recently, I blogged about tracking account activity from the command line. I showed you how to search IBM Cloud Activity Tracker with LogDNA records using a Python script. Today, I discuss how to combine the IAM Identity Services API with the LogDNA search to track usage of API keys. The goal is to find out whether the API keys of a user or service ID were recently used. Keys that have not been used for a long time are candidates for deletion.

Thursday, January 31, 2019

Enterprise digitalization and cybersecurity: How companies struggle

Cybersecurity Workshop at Zeppelin University
Last Friday, 25.01.2019, I attended the Cybersecurity workshop of the "Bodensee Innovationscluster Digitaler Wandel" (digitalization). The innovation cluster is organized by the Zeppelin University in Friedrichshafen. It tries to bring together companies from the wider Lake Constance region that are impacted by digitalization. The researchers have identified four topics that will be addressed:

Thursday, October 11, 2018

Use a custom domain, manage TLS certificates and apply e2e security to cloud app

End to end security for a cloud app on IBM Cloud
Well, that title is a little bit long and ugly, but it basically describes what I wanted to tell you about today. A while ago, I blogged that my team published a tutorial "Apply end to end security to a cloud application". It demonstrates how to use secure network traffic (data in transit), cloud object storage (data at rest), and the app itself by access control (authentication). The app runs on the IBM Cloud Kubernetes Service (IKS). By default, the app is exposed on an IBM Cloud-supplied hostname and domain. I updated the tutorial to show how to use a custom domain and deploy a TLS certificate managed by the IBM Cloud Certificate Manager.

Friday, April 13, 2018

IBM Cloud and Watson security questionnaires

If you are reading my blog regularly, you are aware of the entries on cloud security. Today, I want to point you to some newer reading material at the Cloud Security Alliance. They now have up-to-date self-assessment security questionnaires for the IBM Cloud.

The three available security documents cover IBM Cloud Infrastructure (IaaS), IBM Cloud Platform (PaaS), and the IBM Watson Services with their cognitive / AI capabilities. Using the provided material, you can learn about application security, audits, compliance, how business continuity and operational resilience are handled, procedures for change control, data and data center security, IAM (identity and access management) and much more. The answers include many links to references, documentation and other valuable information. For that alone it is worth going over the security questionnaires for IBM Cloud.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.


Saturday, November 11, 2017

Latest News on Bluemix and IBM Cloud

IBM Cloud News
Sometimes it's quite hard to keep an overview of what is going on with the IBM Cloud. I had been out on vacation and needed to catch up. Want to learn with me? Here is some of the latest news for Bluemix and IBM Cloud for some weekend reading:

Wednesday, November 8, 2017

EU Cloud: IBM gives client full control over their data

IBM Cloud: Have full control over your data
Today, IBM announced the roll-out, in December, of a new support model and new capabilities for IBM Cloud. According to the announcement, IBM is in the process of adding more EU-based staff to provide 24x7 support from within the EU. It is also providing enhanced encryption capabilities. All of this is done to give clients full control over their data and to be better positioned to meet the requirements of the EU General Data Protection Regulation (GDPR). The IBM Cloud in Frankfurt, Germany, is the first to feature the enhancements. Quite exciting news for me as a German, as a European, and as a cloud user.

In my spare time, I am teaching "Introduction to Data Management" at a cooperative state university. I tell the students that, today, data is the, or at least a, core asset of any business. It is a critical resource that needs to be protected and managed with care. Hence, putting data security at the core of platform design is important. The blog "Why a data-first approach is critical to designing and building secure cloud services" gives a great introduction to what needs to be considered for building a secure cloud platform. It touches everything from the isolation and encryption of resources and access control to monitoring, audit and governance. I covered some of the same aspects in my blog "Securing Workloads on IBM Cloud".


That's all for now. I can't wait to give it a test drive once it is available.

Friday, February 24, 2017

Securing Workloads on IBM Cloud - Some Resources

Security Guides for IBM Cloud
Recently, I provided you with an overview of security and compliance resources for IBM dashDB and Cloudant. Today, I want to take a broader view and point you to some good introductory material on security for cloud-based workloads. It consists of an overview of different cloud deployment models and their components. Then it digs into each of those categories and takes a look at how to secure those components and the data.


Thursday, February 23, 2017

Location and Intent Matter: Data Privacy vs. US Government

Data is locked away from the US authorities
Some data is locked away
Earlier this month and last summer, two interesting cases related to data privacy were decided. Both concern US search warrants for email data stored outside the United States of America. In July 2016 the United States Court of Appeals for the Second Circuit ruled that Microsoft does not need to hand over email data stored in Ireland. This February, the United States District Court for the Eastern District of Pennsylvania decided that Google must produce the emails which were stored outside the USA. The latter case is not finally decided because Google plans to appeal the ruling. Independent of that, what is the take-away from these rulings? Let's take a look.

Friday, February 3, 2017

Security and Compliance for IBM dashDB and Cloudant

Database Security and Compliance
I often get asked about the security features of IBM dashDB and Cloudant. Both are database services ("DBaaS") offered on IBM Bluemix. Once the security topic is dealt with, compliance-related questions are next. A good chunk of questions can be answered by going over the provided product documentation. Here are the links to get you started on database security and compliance.

Tuesday, November 22, 2016

DB2/dashDB Security: Implicit Privileges Through Group Membership

DB2 Data Security
I recently saw an interesting DB2 question on Stack Overflow. Someone asked how it is possible to find out the privileges of a user when the privileges were granted to a group the user is a member of. DB2 does not manage group membership within the database; that is done in the operating system. But DB2 offers functions and views to retrieve that information and to simplify analysis of the security-related metadata. And remember that this applies to IBM dashDB as well.

To look up which groups a specific user belongs to, DB2 offers the table function AUTH_LIST_GROUPS_FOR_AUTHID. The returned groups are not necessarily used within the database and can be any operating system group. The following query returned several of those typical Linux groups:

SELECT * FROM TABLE (SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID('HLOESER')) as T

An administration view that comes in handy is SYSIBMADM.AUTHORIZATIONIDS. It lists all authorization IDs along with their respective type, i.e., groups, users and roles. When combined with another view, SYSIBMADM.PRIVILEGES, which lists all explicit privileges for all authorization IDs (that is, for users, groups and roles), it allows filtering, e.g., for specific group or role privileges. Joining in the groups for a specific user, and not forgetting to factor in PUBLIC privileges, I came up with the following query. It should list all the implicit CREATEIN privileges I have through group membership or PUBLIC.

SELECT DISTINCT p.AUTHID, p.PRIVILEGE, p.OBJECTNAME, p.OBJECTSCHEMA, p.OBJECTTYPE
FROM SYSIBMADM.PRIVILEGES P, SYSIBMADM.AUTHORIZATIONIDS A,
     TABLE (SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID('HLOESER')) AS U
WHERE p.privilege='CREATEIN' AND a.authidtype='G'
      AND a.authid=p.authid
      AND (u.group=a.authid OR a.authid='PUBLIC')



If you want to know all your privileges, just UNION the result above with a query on SYSIBMADM.PRIVILEGES for your authid:

SELECT distinct p.AUTHID, p.PRIVILEGE, p.OBJECTNAME, p.OBJECTSCHEMA, p.OBJECTTYPE
FROM SYSIBMADM.PRIVILEGES P, SYSIBMADM.AUTHORIZATIONIDS A, TABLE (SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID('HLOESER')) as U 
WHERE p.privilege='CREATEIN' and a.authidtype='G' and a.authid=p.authid
AND (u.group=a.authid or a.authid='PUBLIC')
UNION
SELECT distinct p.AUTHID, p.PRIVILEGE, p.OBJECTNAME, p.OBJECTSCHEMA, p.OBJECTTYPE
FROM SYSIBMADM.PRIVILEGES P
WHERE p.authid='HLOESER'
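The queries above mix direct, group and PUBLIC grants into one result, which makes it hard to see why a user holds a privilege. The following query is an added example, not from the original post: it builds on the same SYSIBMADM views and the group table function, adds role membership via SYSPROC.AUTH_LIST_ROLES_FOR_AUTHID (a DB2 table function, used here on the assumption that roles are in play), drops the CREATEIN filter so that every privilege is shown, and tags each row with its source. The user name HLOESER is taken from the post.

```sql
-- Added example (not part of the original post). Lists every privilege the
-- user HLOESER holds, together with the path by which it is obtained:
-- DIRECT (granted to the user), GROUP (OS group membership), ROLE (database
-- role membership) or PUBLIC. Assumes DB2 LUW / dashDB with the SYSIBMADM
-- administrative views and SYSPROC table functions available.
SELECT CAST('DIRECT' AS VARCHAR(6)) AS source, p.authid AS via,
       p.privilege, p.objectschema, p.objectname, p.objecttype
FROM SYSIBMADM.PRIVILEGES p
WHERE p.authid = 'HLOESER' AND p.authidtype = 'U'
UNION
-- privileges granted to an operating-system group the user belongs to
SELECT 'GROUP', p.authid,
       p.privilege, p.objectschema, p.objectname, p.objecttype
FROM SYSIBMADM.PRIVILEGES p,
     TABLE (SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID('HLOESER')) AS g
WHERE p.authidtype = 'G' AND p.authid = g.group
UNION
-- privileges granted to a database role the user is a member of
-- ('U' tells the function that HLOESER is a user, not a group or role)
SELECT 'ROLE', p.authid,
       p.privilege, p.objectschema, p.objectname, p.objecttype
FROM SYSIBMADM.PRIVILEGES p,
     TABLE (SYSPROC.AUTH_LIST_ROLES_FOR_AUTHID('HLOESER', 'U')) AS r
WHERE p.authidtype = 'R' AND p.authid = r.rolename
UNION
-- privileges every authorization ID has, whether intended or not
SELECT 'PUBLIC', p.authid,
       p.privilege, p.objectschema, p.objectname, p.objecttype
FROM SYSIBMADM.PRIVILEGES p
WHERE p.authid = 'PUBLIC'
ORDER BY source, objectschema, objectname, privilege;
```

Reviewing the PUBLIC and GROUP rows separately is the useful part when auditing least privilege: a privilege that appears only there cannot be revoked from the user individually, only from the group, role or PUBLIC.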

Monday, April 11, 2016

Data Protection, Privacy, Security and the Cloud

Protecting your bits

(This is the first post in a planned series on data protection, security, and privacy related to DB2/dashDB in the cloud and IBM Bluemix)

As a data/database guy from Germany, security, data protection and privacy have been high on my list of interests for many, many years. As a banking customer, I would hate it if someone unauthorized accessed my data. I also don't like to go through the hassle of replacing credit cards, changing passwords, taking up a new name (user name only :), or more, because a system my data is or was on had been hacked. With more and more data being processed "in the cloud", it is great to know how much effort has been put into designing secure cloud computing platforms, into operating them according to the highest security standards, and how international and local data protection standards and laws are followed for legal compliance.