IBM UrbanCode Cloud Services Security, Version 3.0 (revised 12/16/2016)


Before you use this information and the product it supports, read the information in the Notices section at the end of this document. Copyright International Business Machines Corporation 2016. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

  Overview of IBM Cloud Services architecture
  On-premises security
    What data is exchanged with IBM Cloud Services?
    Registration of IBM Bluemix DevOps Connect
    Protocol
  Cloud service security
  Mobile device security
    How trust is established
    How mobile access is restricted to authorized users
    How approvals and task activities are secured
  Security of UrbanCode Insights
    How trust is established
    How access is controlled
    How data is secured on UrbanCode Insights
  Notices
  Trademarks

Overview of IBM Cloud Services architecture

The IBM UrbanCode cloud service architecture consists of several parts:

On-premises. Customers typically install IBM UrbanCode Release and IBM UrbanCode Deploy in their data center and often authenticate users through their LDAP system. To make data available to the cloud services, another utility, IBM Bluemix DevOps Connect, is installed in the customer's data center to broker communication between the IBM UrbanCode Release and IBM UrbanCode Deploy servers and the cloud services to which mobile devices and other external services connect.

Cloud Services. An IBM-maintained set of cloud services that receives data from the IBM Bluemix DevOps Connect utility and provides data to other services by using REST APIs and push notifications.

Mobile devices. Users receive deployment data and approval requests on their secured iOS 9 compatible devices.

UrbanCode Insights. An IBM-maintained service that provides metrics about deployments on customers' installations of IBM UrbanCode Deploy.

The following figure illustrates the architecture.

On-premises security

IBM UrbanCode Release and IBM UrbanCode Deploy provide REST APIs that enable external systems to integrate with them. Administrators for those products authorize integrations and configure user access by issuing authorization tokens. Instead of requiring that customers open access through their firewall, IBM provides a synchronization utility, IBM Bluemix DevOps Connect, that pushes data to an IBM-maintained, cloud-hosted service to which mobile devices connect. Data access for mobile devices continues to be controlled by the access controls provided in the IBM UrbanCode Release and IBM UrbanCode Deploy products. No additional administration is required.

What data is exchanged with IBM Cloud Services?

For integration with the mobile app, the following data elements are collected from IBM UrbanCode Release and IBM UrbanCode Deploy and then synchronized to the cloud service:

- Release summary statistics
- Release task names
- Task start times and estimates
- Approval names, descriptions, and assignees
- Task and approval assignees (display names and email addresses)
- Access control data: release and deployment teams and the roles associated with users, as designated by their email addresses

For integration with UrbanCode Insights, the following data elements are collected from IBM UrbanCode Deploy and then synchronized to the cloud service. Not all of this data is currently used.

- Application process requests (including details such as application, environment, and success or failure status)
- Applications
- Environments
- Team and user information (email address and user name, but not passwords)
- Application processes (not used)
- Snapshots (not used)

Apart from the user names, display names, and email addresses listed above, no personally identifiable information (PII) is transmitted, and no artifacts or passwords are transmitted. In each case, IBM Bluemix DevOps Connect authenticates itself to IBM UrbanCode Release and IBM UrbanCode Deploy with tokens that the administrators of those products issue. The tokens are encrypted with customer-side certificates. DevOps Connect then transmits this data by HTTPS to a secure cloud service that IBM maintains. The cloud service does not provide read access to any of this data to any client without identifying the requesting user and determining whether the user is permitted to access the data. The authentication and authorization mechanism is described in greater detail in Cloud service security later in this document.

Registration of IBM Bluemix DevOps Connect

Upon installing IBM Bluemix DevOps Connect, an administrator registers the installation with his or her IBM ID. During registration, DevOps Connect generates a 128-bit universally unique identifier (UUID) that identifies the DevOps Connect installation and receives from the cloud services a randomly generated, Base64-encoded 64-byte token. The ID and token form the DevOps Connect credentials. The credentials are never displayed to users and are always transmitted by HTTPS.

Protocol

All further communication between the customer's network and the cloud services consists of outbound HTTPS connections from the IBM Bluemix DevOps Connect utility, which the cloud services authenticate by the unique ID and token transmitted in the HTTP headers. Tokens never expire. Because of that, the DevOps Connect credentials must be protected like any other long-lived service credential: a copied ID and token remain valid indefinitely. DevOps Connect periodically uses POST requests to send recently changed data from IBM UrbanCode Release and IBM UrbanCode Deploy to the cloud, as described earlier. It also opens an outbound WebSocket connection over HTTPS so that approvals and task status updates from mobile users can be relayed to IBM UrbanCode Release and IBM UrbanCode Deploy.

Cloud service security

Cloud services refers to the IBM-maintained, cloud-hosted REST API services. All communication to and from the cloud services is over HTTPS, and all data at rest is also encrypted. The email service uses opportunistic encryption with Transport Layer Security (TLS); opportunistic TLS falls back to cleartext delivery when the receiving mail server does not offer it, so an invitation email (see Mobile device security) can travel unencrypted, and the one-use, five-day access code it carries is what limits the usefulness of an intercepted invitation. Security source scans and dynamic scans are routinely performed on the cloud services code base and running systems.

Mobile device security

When integrations run, eligible first-time users receive email invitations to download and register the UrbanCode Release and Deploy mobile application. The email contains a link from which users can download the app from the Apple App Store. The invitation contains a unique access code to register the mobile application. The one-use access code expires after five days.
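The registration and protocol described above, together with the invitation code from Mobile device security, as an added example that is not part of the original document or of IBM's code: a cloud-side store that issues and checks the two credential types the page describes, the never-expiring DevOps Connect installation credential (client-generated 128-bit UUID plus a Base64-encoded 64-byte random token carried in request headers) and the one-use mobile invitation code that expires after five days. The header names, the hashed storage, the revocation flag, and the invitation code length are assumptions; the page specifies none of them.

```python
import base64
import hashlib
import hmac
import secrets
import uuid
from typing import Dict, Optional

# Assumed header names: the page says only that the ID and token travel
# "in the HTTP header", not what the headers are called.
ID_HEADER = "X-DevOps-Connect-Id"
TOKEN_HEADER = "X-DevOps-Connect-Token"

INVITE_LIFETIME_SECONDS = 5 * 24 * 60 * 60  # one-use access code expires after five days


def _digest(secret: str) -> str:
    # The server keeps only a SHA-256 digest, so a copied table does not yield
    # usable credentials (assumed hardening; the page does not say how tokens are stored).
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


class CloudCredentialStore:
    """Cloud-side registry of DevOps Connect installations and mobile invitations."""

    def __init__(self) -> None:
        self._installations: Dict[str, dict] = {}  # installation UUID -> record
        self._invites: Dict[str, dict] = {}        # digest(code) -> record

    # ---- DevOps Connect registration (UUID from the client, token from the cloud) ----

    def register_installation(self, installation_id: str, ibm_id: str) -> str:
        """Accept a client-generated 128-bit UUID and return a 64-byte Base64 token."""
        uuid.UUID(installation_id)  # raises ValueError if this is not a well-formed UUID
        token = base64.b64encode(secrets.token_bytes(64)).decode("ascii")  # 88 chars
        self._installations[installation_id] = {
            "owner": ibm_id,
            "token_hash": _digest(token),
            # Tokens never expire, so an explicit revocation flag (assumed) is the
            # only way to retire a leaked credential.
            "revoked": False,
        }
        return token  # sent to the client once, over HTTPS; never stored in clear

    def revoke_installation(self, installation_id: str) -> None:
        record = self._installations.get(installation_id)
        if record is not None:
            record["revoked"] = True

    def authenticate_request(self, headers: Dict[str, str]) -> Optional[str]:
        """Return the registering IBM ID when the ID/token headers check out, else None."""
        record = self._installations.get(headers.get(ID_HEADER, ""))
        if record is None or record["revoked"]:
            return None
        presented = _digest(headers.get(TOKEN_HEADER, ""))
        if not hmac.compare_digest(record["token_hash"], presented):  # constant-time compare
            return None
        return record["owner"]

    # ---- Mobile invitation codes (one use, five-day lifetime) ----

    def issue_invite(self, email: str, now: float) -> str:
        code = secrets.token_urlsafe(24)  # code length is an assumption
        self._invites[_digest(code)] = {
            "email": email,
            "expires_at": now + INVITE_LIFETIME_SECONDS,
            "used": False,
        }
        return code  # goes out in the invitation email

    def redeem_invite(self, code: str, now: float) -> Optional[str]:
        """Return the invited email on the first use within five days, else None."""
        record = self._invites.get(_digest(code))
        if record is None or record["used"] or now >= record["expires_at"]:
            return None
        record["used"] = True  # a replayed or intercepted code is useless from here on
        return record["email"]
```

The token comparison goes through hmac.compare_digest so response timing does not reveal how many digest characters matched, and the invitation methods take the clock as a parameter so the five-day boundary and the one-use rule can be exercised deterministically.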
How trust is established

Trust is established when users register. When users register, their device IDs are sent to the IBM cloud service, and unique tokens are returned. These tokens are stored securely in the devices' keychains. Subsequent communication with IBM Cloud Services uses the token to identify the device. All communication with the mobile API, including registration, is over TLS (SSL). Read-only actions are authenticated by the device token alone. Write actions, such as approving deployment requests or recording that a user is starting or completing a manual deployment activity, additionally require that the user authenticate with the device's passcode or a fingerprint (Touch ID).

How mobile access is restricted to authorized users

Mobile user access is controlled through IBM UrbanCode Release and IBM UrbanCode Deploy. The UrbanCode Release and Deploy mobile app uses the products' team- and role-based security system to determine user eligibility. For IBM UrbanCode Release, users on teams with deployments in the phases selected by the DevOps Connect administrator are eligible to receive deployment data. For IBM UrbanCode Deploy, users on teams with deployments receive deployment data. Users receive data only for deployments that their team or teams own. When a user is removed from a team, the user stops receiving that team's data starting with the next synchronization with the cloud service; until that sync, the cloud service still holds the previous membership. When users are removed from LDAP or other back-end authentication systems, their user accounts are not closed until they are explicitly disabled in IBM UrbanCode Deploy or IBM UrbanCode Release, so offboarding must include disabling the product account and not only the directory entry.

How approvals and task activities are secured

1. Approval requests and tasks are sent to the cloud along with the owning team and role.
2. Eligible users receive approval and task notifications in their app's inbox. Users are eligible if they registered their secured device and they are in the expected role for the owning team.
3. Users must have a device passcode or Touch ID enabled to authenticate any approval response from the mobile app.
4. Cloud services send approvals, task activities, and user credentials to the on-premises products.

Security of UrbanCode Insights

How trust is established

Trust between UrbanCode Insights and IBM Bluemix DevOps Connect is created when you register your installation of DevOps Connect. DevOps Connect receives a token and ID from the IBMid system and uses this token and ID to connect to UrbanCode Insights. All communication between these systems is encrypted by HTTPS.

How access is controlled

Security and trust for UrbanCode Insights are managed through IBMid authentication:

- All users must have an IBMid to access metrics information.
- Each user's IBMid must be registered on the IBM UrbanCode Deploy server. The email address associated with the IBMid must match the email address of the IBM UrbanCode Deploy user.
- Each user that has an IBMid registered on the IBM UrbanCode Deploy server can see all of the metrics on the UrbanCode Insights dashboard for that server. Access is not limited by teams on the IBM UrbanCode Deploy server.
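The two authorization models described above, team- and role-scoped access for the mobile app (with the registered-device requirement and the passcode/Touch ID gate on approvals) and server-wide, IBMid-email-matched access for UrbanCode Insights, as an added example that is not part of the original document or of IBM's code. The data classes, the sample users, teams, deployments and approvals, and the device-token table are constructed for the example; the page describes the rules, not the data layout, and it does not say how the outcome of the device's local authentication prompt reaches the cloud, so that prompt is modelled as a callback the app must satisfy before sending an approval.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Membership:
    email: str  # users are tied to teams and roles by their email address
    team: str
    role: str


@dataclass(frozen=True)
class Deployment:
    request_id: str
    application: str
    environment: str
    owning_team: str
    status: str


@dataclass(frozen=True)
class ApprovalRequest:
    approval_id: str
    owning_team: str  # sent to the cloud together with the required role
    required_role: str


class AccessSnapshot:
    """Access-control data as of the last DevOps Connect synchronization.

    The cloud authorizes only against this snapshot: a membership removed on
    premises stays in force here until the next sync, and a user deleted from
    LDAP stays here until the product account itself is disabled.
    """

    def __init__(self, ucd_user_emails: Iterable[str], memberships: Iterable[Membership],
                 deployments: Iterable[Deployment], approvals: Iterable[ApprovalRequest],
                 registered_devices: Dict[str, str]) -> None:
        self.ucd_user_emails = set(ucd_user_emails)
        self.memberships = list(memberships)
        self.deployments = list(deployments)
        self.approvals = list(approvals)
        self.registered_devices = dict(registered_devices)  # device token -> email

    def _teams(self, email: str) -> Set[str]:
        return {m.team for m in self.memberships if m.email == email}

    def _team_roles(self, email: str) -> Set[Tuple[str, str]]:
        return {(m.team, m.role) for m in self.memberships if m.email == email}

    def mobile_deployments(self, device_token: str) -> List[Deployment]:
        """Read-only action: the device token alone identifies the user; data is team-scoped."""
        email = self.registered_devices.get(device_token)
        if email is None:
            return []  # unregistered device: nothing, whatever the team membership
        teams = self._teams(email)
        return [d for d in self.deployments if d.owning_team in teams]

    def mobile_inbox(self, device_token: str) -> List[ApprovalRequest]:
        """Approvals reach only users with a registered device AND the expected role on the owning team."""
        email = self.registered_devices.get(device_token)
        if email is None:
            return []
        roles = self._team_roles(email)
        return [a for a in self.approvals if (a.owning_team, a.required_role) in roles]

    def approve(self, device_token: str, approval_id: str, local_auth: Callable[[], bool]) -> bool:
        """Write action: an eligible inbox item AND a successful passcode/Touch ID prompt (local_auth)."""
        if approval_id not in {a.approval_id for a in self.mobile_inbox(device_token)}:
            return False
        return bool(local_auth())

    def insights_deployments(self, ibmid_email: str) -> List[Deployment]:
        """UrbanCode Insights: the IBMid email must match a UCD user; access is then server-wide."""
        if ibmid_email not in self.ucd_user_emails:
            return []
        return list(self.deployments)  # deliberately not filtered by team


def sample_snapshot() -> AccessSnapshot:
    """Constructed sample data with invented names; not taken from the page."""
    users = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]
    memberships = [
        Membership("alice@example.com", "payments", "Approver"),
        Membership("bob@example.com", "payments", "Developer"),
        Membership("carol@example.com", "inventory", "Approver"),
    ]  # dave has a UCD account but belongs to no team
    deployments = [
        Deployment("req-1", "payments-api", "PROD", "payments", "SUCCESS"),
        Deployment("req-2", "inventory-svc", "UAT", "inventory", "RUNNING"),
    ]
    approvals = [ApprovalRequest("appr-1", "payments", "Approver")]
    devices = {"tok-alice": "alice@example.com", "tok-bob": "bob@example.com"}  # carol never registered
    return AccessSnapshot(users, memberships, deployments, approvals, devices)
```

With the sample data, alice (Approver on payments, registered device) sees req-1 and gets appr-1 in her inbox but can only approve it when the local prompt succeeds; bob holds the wrong role and gets an empty inbox; dave, who is on no team at all, still sees every deployment through Insights because that path checks only that his IBMid email matches a UCD user.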

How data is secured on UrbanCode Insights

All data for UrbanCode Insights is stored in databases that are hosted by Compose (www.compose.com), which provides the security for that information. All traffic between UrbanCode Insights and Compose is encrypted by HTTPS. Email addresses of users are encrypted in the database, and no other user information is stored.

Notices

This information was developed for products and services offered in the US. This material might be available from IBM in other languages. However, you may be required to own a copy of the product or product version in that language in order to access it. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drive, MD-NC119 Armonk, NY 10504-1785 US For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: Intellectual Property Licensing Legal and Intellectual Property Law IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku Tokyo 103-8510, Japan The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication.

IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk. Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: IBM Director of Licensing IBM Corporation North Castle Drive, MD-NC119 Armonk, NY 10504-1785 US Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us. The performance data and examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. Statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at Copyright and trademark information at www.ibm.com/legal/copytrade.shtml.