Watson Developer Cloud Security Overview

Introduction

This document provides a high-level overview of the measures and safeguards that IBM implements to protect and separate data between customers for implementations of IBM Watson Services. While data that is subject to regulation must not be used with Watson Services, IBM recognizes that other types of customer data must be appropriately protected and segregated. Additionally, users might submit Personally Identifiable Information (PII) and regulated data through a Watson query. Procedures and governance are used to handle these unintended submissions in addition to maintaining the security of the Watson environment.

Deployment and Security Overview

Watson services may be deployed in a variety of ways, such as the IBM Watson public cloud, premium plans which provide additional data isolation within the public cloud, or a dedicated cloud environment for when clients need infrastructure that only supports them. In each case the service remains the same and IBM ensures that the security architecture remains consistent.

Data: Watson services manage data in a variety of ways. Many of the Watson services are designed to be stateless in nature, meaning that while they may process data, they do not store it; the data is only used to complete the transaction, and when that call to the service is completed the data is not retained. Some of the services allow customization, which enables customers to help bring specific context to the data being submitted for processing. This configuration information, when stored, is isolated and encrypted. By default, transaction logs for each service are stored, but users can opt out if so desired.

Authentication & Authorization: The services are instantiated within Bluemix. Once a service has been requested for use, credentials are generated and managed through Bluemix. When a call to a Watson service is made by an application, the credentials are transmitted via HTTPS for authentication and authorization. This allows only authorized users access to their content. Once this step is completed, a temporary token is generated that is good for 60 minutes.

Encryption: Watson services only accept and send client data over the Internet using HTTPS via TLS connections with support for TLS version 1.2. Any client data stored is encrypted per IBM policy.

Base Security: IBM Watson security policy requires that all services include network and storage encryption, circuit and application level firewalls, security information and event management, intrusion detection, application source code scanning, 3rd party penetration testing, and regular vulnerability scanning. Figure 1 shows how these standards are used together.

Backup & Redundancy: Watson services leverage replication and snapshots to support these requirements. Implementation may vary depending on the service. Generally, data is replicated securely across multiple instances or data store locations where daily snapshots are taken and stored using encrypted storage. Note: IBM may use outside vendors to assist with backup requirements.

Figure 1. Watson Services Environment Security
[Diagram not reproduced. Labels recovered from the figure:
- Zones: Customer Network or End Users; Internet; IBM SoftLayer DataCenter; IBM Watson Developer Cloud; Bluemix
- Encryption: End-to-End Encryption between Customer and Watson via TLS 1.2; Storage Encryption AES 256 bit
- Entry point: Firewall; Proxy Server, Router, Authenticator, Application Firewall (IBM DataPower). IBM DataPower will: authorize user ID for destination instance, get routing info, access config info using URL, route with user information
- Services: WEA as a Service, Natural Language Classifier, Tooling, Dialog, Retrieve & Rank, Speech Services
- Monitoring: Logs, Security Information & Event Management, Vulnerability Scanning
- Physical controls: Slab to Slab Barriers, Scheduled Inspections, ManTraps, Visitor Logs, Tested Audible Alarms, Video Surveillance, Proximity Card Access & Biometrics, Controlled Perimeter
- Key: Green Lines & Borders: Security Measures and Flows; Purple Arrows: End User Flows; Blue Lines & Borders: Informational]

Watson Deployment Options

Watson works to satisfy a broad set of enterprise security and compliance requirements. Three cloud deployment models are available to meet various data requirements and business needs. All of our deployments reside within hardened enterprise class IBM SoftLayer data centers that are ISO27001 and SOC2 certified*.

1. Public - The Public Cloud is the most cost effective and provides a shared tenancy model which allows users to embrace the power of Watson services while sharing the infrastructure cost needed to run Watson. Each service provides unique credentials, API Opt-out capability (should users not want to share their data with Watson for service improvement), encryption of data in motion and at rest, and all of the enterprise security controls you expect from IBM. Public plans are a great option for companies not looking to include regulated or personally identifiable data (PII) into their Watson Services.

2. Premium Plans - Provide all of the features above with the added benefits of data isolation and service SLAs. Enterprise plans provide customers a unique instance of a Watson service that is dedicated for their use, leveraging containers and dedicated database instances to isolate client data. This option still leverages the advantage of shared hardware within the Watson Cloud environment. Enterprise plans are suggested for customers looking to use Watson services with non-regulated PII data or that may have other data isolation requirements.

3. Dedicated Deployments - Allow customers full data isolation by implementing a dedicated Watson Cloud for each customer. Customers get a dedicated instance of Bluemix and Watson services, which allows for integration with most enterprise single sign on solutions, tenant unique encryption keys, and added logging and monitoring capabilities, including detailed access logs. This not only allows customers to see who accessed their environment and when it was accessed, but it also provides the added benefit of knowing the complete solution is running on hardware dedicated for them in the geography of their choice. Dedicated deployments are appealing to enterprises with workloads that include sensitive data and have a need for additional transparency into where and how their data is managed.

Conclusions and Recommendations

Being aware of the features and benefits of Public, Premium, and Dedicated Cloud is key to designing the right transformation to the Cloud. The added transparency provided by extended security controls in Dedicated Cloud deployments can boost Cloud initiatives. It is important to uncover security and compliance requirements up front and to tackle the hard questions early by including all internal stakeholders into Cloud initiatives. Making sure to include the security and compliance and risk teams early in the process will help ensure that the Cloud adoption program remains on track.

Additional information on SoftLayer security certifications can be found here: http://www.softlayer.com/compliance
Additional information on Bluemix security certifications can be found here: http://www.ibm.com/cloud-computing/bluemix/trust/
Additional information on Watson security certifications can be found here: http://www.ibm.com/watson/watson-security.html

Governance, Risk, and Compliance

The Watson data compliance strategy is built upon widely accepted Governance, Risk, and Compliance (GRC) principles as shown in Figure 2.

Figure 2. Watson Governance, Risk & Compliance

Security Policy

The Watson Cloud Security Policy is established by the IBM Corporate Directives that are defined at the highest level of IBM. The Watson Security Policy maps to the ISO27002 structure. Watson security controls are designed to meet industry standard controls and are intended to assist with compliance to external regulations in the healthcare and financial sectors such as HIPAA, HITECH, and FFIEC when and where applicable.

Audits and Self-Assessment

IBM assesses and audits compliance with HIPAA, FFIEC, and IBM internal security policies. Assessments can include:
- Self-assessment of security controls.
- Independent internal audits that are performed by using the security principle of separation of duties.
- 3rd party auditors (SSAE16, ISO27001, and government regulatory agencies).

External Audit

Watson Cloud Technology and Support has a team of professionals that are prepared to respond to external audits that are required under applicable law or regulation.

Risk Assessment

IBM recognizes risk assessment to be an important factor in security and has established a periodic risk assessment process that is applicable to the systems that host Watson as a Service. Assessments are entered into the IBM Governance, Risk, and Compliance program to determine and manage the current risk posture.

Physical security

Physical security of IBM property is defined at the global level and includes a layered approach that includes site, building, data center, and data center partitions. Employees have limited physical access based on their job requirements to systems that host Watson as a Service offerings. Physical building security is maintained at various levels that are based on a categorization of security requirements for any physically partitioned area. The security includes but is not limited to gates, badge locks, cipher locks, key locks and biometrics, video monitoring and access logs. Data centers do not have first floor windows. Data center emergency doors are alarmed.

Logical security

Logical security consists primarily of technical means as specified by the IBM CIO and other security authorities within IBM. Watson as a Service logical security uses the following safeguards:
- Activity logging that includes suspicious activity monitoring of protected logs.
- End-to-end encryption of data.
- Isolation of customer data.
- Procedures for an emergency shutdown to prevent data leakage.
- Technical specifications that detail allowable configurations for devices.
- Application of security patches.
- Network configuration that includes zoned security layering that is enforced by mandatory firewall and router rule sets.
- Security for user devices.
- Antivirus and anti-malware protection with automated workstation compliance tools.
- Vulnerability scanning and intrusion detection.
- Change management process and information systems maintenance.
- DDoS protection of inbound circuits to data centers.
- Ongoing internal and external penetration testing/ethical hacking program.
- Regular application source code reviews, threat modeling, and application scanning.

Human Resource security

IBM Human Resource policies determine the required background checks and monitoring for employees. These policies are based on applicable local laws. Employees with elevated system privileges are subject to more stringent requirements. All IBM employees are required to take annual security education and to read and certify annually that they comply with established IBM Business Conduct Guidelines (BCGs). For more information about the BCGs, see http://www.ibm.com/investor/governance/business-conductguidelines.wss.

Secure Engineering

The IBM Watson Development teams institute the IBM Secure Engineering Framework, which reflects best practices from across the company and directs our development teams to give proper attention to security during the development lifecycle. These practices are intended to help enhance product security, protect IBM and customer intellectual property, and support the terms of warranty of IBM products.

Access control

Watson as a Service uses a provisioning system with robust security attributes that is used to manage access for IBM administrators and to retain audit trails of access control workflow. Secondary controls are used to enforce periodic revalidation of users that are based on continued business need and employment verification. Access to systems that host the Watson as a Service offering is granted by management and is based on role requirements. Access is decided by using the principle of least privilege as a guide.

Cryptography

IBM employs the latest cryptographic technologies when available and technically feasible to protect customer data while at rest and in motion. Examples include TLS/SSL, IPSEC, Third Party CAs, Encrypted File Systems, Encrypted Storage Systems, Key Management Systems, etc.

Deviations

On occasion, deviations from the written security practice might be discovered through an audit or other means. When conditions warrant, systems might be taken offline for a deviation until remedial actions are taken. Deviations must be applied for by using a defined process, tracked to closure, and remediated with approved interim measures until a final remediation is completed.

IBM Vendor Partners

Different companies can have different security practices while still conforming to prudent security principles. Watson vendor partners are carefully vetted and required to provide equally robust security practices in the area for which they provide their services.

Security incident management

A global management process for security incidents is employed and is applicable to the systems that host the Watson as a Service offering. This process is communicated to IBM employees and management, and is monitored 24x7x365 by trained IBM employees.

Notes Section

1. Natural Language Classifier: The database used in this solution is backed up at regular intervals and is protected while in transit and at rest. Backup copies are encrypted in transit via SSL and then written on encrypted disk using a unique key. The current backup location utilizes Amazon Simple Storage Service.

   NLC Tooling stores the following information:
   1. Questions used to train instances of Natural Language Classifiers (NLC)
   2. Corresponding Classes / Intents
   3. Training data for untrained classifiers
   4. Test data from executed tests