Network security
Cloud Pak for Data as a Service provides network security mechanisms to protect infrastructure, data, and applications from potential threats and unauthorized access. Network security mechanisms provide secure connections to data sources and control traffic across both the public internet and internal networks.
| Mechanism | Purpose | Responsibility | Configured on |
|---|---|---|---|
| Private network service endpoints | Access services through secure private network endpoints | Customer | IBM Cloud |
| Access to private data sources | Connect to data sources that are protected by a firewall | Customer | Cloud Pak for Data as a Service |
| Integrations | Secure connections to Third-party clouds through a firewall | Customer and Third-party clouds | Cloud Pak for Data as a Service |
| Connections | Secure connections to data sources | Customer | Cloud Pak for Data as a Service |
| Connections to data behind a firewall | The Satellite Connector and Satellite location provide secure connections to data sources in a hybrid environment | Customer | IBM Cloud and Cloud Pak for Data as a Service |
| VPNs | Share data securely across public networks | Customer | IBM Cloud |
| Allow specific IP addresses | Protect from access by unknown IP addresses | Customer | IBM Cloud |
| Allow third party URLs | Allow third party URLs on an internal network | Customer | Customer firewall |
| Multi-tenancy | Provide isolation in a SaaS environment | IBM and Third-party clouds | IBM Cloud, Cloud providers |
Private network service endpoints
Use private network service endpoints to securely connect to endpoints over IBM private cloud, rather than connecting to resources over the public network. With Private network service endpoints, services are no longer served on an internet routable IP address and thus are more secure. Service endpoints require virtual routing and forwarding (VRF) to be enabled on your account. VRF is automatically enabled for Virtual Private Clouds (VPCs).
For more information about service endpoints, see:
- Securing connections to services with private service endpoints
- Blog: Introducing Private Service Endpoints in IBM Cloud Databases
- IBM Cloud docs: Secure access to services using service endpoints
- IBM Cloud docs: Enabling VRF and service endpoints
- IBM Cloud docs: Public and private network endpoints
Access to private data sources
Private data sources are on-premises data sources that are protected by a firewall. Cloud Pak for Data as a Service requires access through the firewall to reach the data sources. To provide secure access, you create inbound firewall rules to allow access for the IP address ranges for Cloud Pak for Data as a Service. The inbound rules are created in the configuration tool for your firewall.
Integrations
You can configure integrations with third-party cloud platforms to allow Cloud Pak for Data as a Service users to access data sources hosted on those clouds. The following security mechanisms apply to integrations with third-party clouds:
- An authorized account on the third-party cloud, with appropriate permissions to view account credentials
- Permissions to allow secure connections through the firewall of the cloud provider (for specific IP ranges)
For example, you have a data source on AWS that you are running notebooks on. You need to integrate with AWS and then generate a connection to the database. The integration and connection are secure. After you configure firewall access, you can grant appropriate permissions to users and provide them with credentials to access data.
Connections
Connections require valid credentials to access data. The account owner or administrator configures the type of credentials that are required, either shared or personal, at the account level. Shared credentials make the data source and its credentials accessible to all collaborators in the project. Personal credentials require each collaborator to provide their own credentials to use the data source.
Connections require valid credentials to access data. The account owner or administrator configures the type of credentials that are required at the account level. The connection creator enters a valid credential. The options are:
- Either shared or personal allows users to specify personal or shared credentials when creating a new connection by selecting a radio button and entering the correct credential.
- Personal credentials require each collaborator to provide their own credentials to use the data source.
- Shared credentials make the data source and its credentials accessible to all collaborators in the project. Users enter a common credential which was created by the creator of the connection.
For more information about connections, see:
Connections to data behind a firewall
Secure connections provide secure communication among resources in a hybrid cloud deployment, some of which might reside behind a firewall. You have the following options for secure connections between your environment and the cloud:
Satellite Connector
A Satellite Connector uses a lightweight Docker-based communication that creates secure and auditable communications from your on-prem, cloud, or Edge environment back to IBM Cloud. Your infrastructure needs only a container host, such as Docker. For more information, see Satellite Connector overview.
See Connecting to data behind a firewall for instructions on configuring a Satellite Connector.
Satellite Connector is the replacement for the deprecated Secure Gateway. For the Secure Gateway deprecation announcement, see IBM Cloud docs: Secure Gateway Deprecation Overview
Satellite location
A Satellite location provides the same secure communications to IBM Cloud as a Satellite Connector but adds high availability access by default plus the ability to communicate from IBM Cloud to your on-prem location. A Satellite location requires at least three x86 hosts in your infrastructure for the HA control plane. A Satellite location is a superset of the capabilities of the Satellite Connector. If you need only client data communication, set up a Satellite Connector.
See Connecting to data behind a firewall for instructions on configuring a Satellite location.
VPNs
Virtual Private Networks (VPNs) create virtual point-to-point connections by using tunneling protocols, and encryption and dedicated connections. They provide a secure method for sharing data across public networks.
Following are the VPN technologies on IBM Cloud:
-
IPSec VPN: The VPN facilitates connectivity from your secure network to IBM IaaS platform’s private network. Any user on the account can be given VPN access.
-
VPN for VPC: With Virtual Private Cloud (VPC), you can provision generation 2 virtual server instances for VPC with high network performance.
-
The Secure Gateway deprecation announcement provides information and scenarios for using VPNs as an alternative. See IBM Cloud docs: Migration options.
Allow specific IP addresses
Use this mechanism to control access to the IBM cloud console and to Cloud Pak for Data as a Service. Access is allowed from the specified IP addresses only; access from all other IP addresses is denied. You can specify the allowed IP addresses for an individual user or for an account.
When allowing specific IP addresses for Watson Studio, you must include the CIDR ranges for the Watson Studio nodes in each region (as well as the individual client system IPs that are allowed). You can include the CIDR ranges in Cloud Pak for Data as a Service by following these steps:
- From the main menu, choose Administration > Cloud integrations.
- Click Firewall configuration to display the IP addresses for the current region. Use CIDR notation.
- Copy each CIDR range into the IP address restrictions for either a user or an account. Be sure to enter the allowed individual client IP addresses as well. Enter the IP addresses as a comma-separated list. Then, click Apply.
- Repeat for each region to allow access for Watson Studio.
For step-by-step instructions for both user and account restrictions, see IBM Cloud docs: Allowing specific IP addresses
Allow third party URLs on an internal network
If you are running Cloud Pak for Data as a Service behind a firewall, you must allowlist third party URLs to provide outbound browser access. The URLs include resources from IBM Cloud and other domains. Cloud Pak for Data as a Service requires access to these domains for outbound browser traffic through the firewall.
This list provides access only for core Cloud Pak for Data as a Service functions. Specific services might require additional URLs. The list does not cover URLs required by the IBM Cloud console and its outbound requests.
| Domain | Description |
|---|---|
| *.bluemix.net | IBM legacy Cloud domain - still used in some flows |
| *.appdomain.cloud | IBM Cloud app domain |
| cloud.ibm.com | IBM Cloud global domain |
| *.cloud.ibm.com | Various IBM Cloud subdomains |
| dataplatform.cloud.ibm.com | Cloud Pak for Data as a Service Dallas region |
| *.dataplatform.cloud.ibm.com | CCloud Pak for Data as a Service subdomains |
| eum.instana.io | Instana client side instrumentation |
| eum-orange-saas.instana.io | Instana client side instrumentation |
| cdnjs.cloudflare.com | Cloudflare CDN for some static resources |
| nebula-cdn.kampyle.com | Medallia NPS |
| resources.digital-cloud-ibm.medallia.eu | Medallia NPS |
| udc-neb.kampyle.com | Medallia NPS |
| ubt.digital-cloud-ibm.medallia.eu | Medallia NPS |
| cdn.segment.com | Segment JS |
| api.segment.io | Segment API |
| cdn.walkme.com | WalkMe static resources |
| papi.walkme.com | WalkMe API |
| ec.walkme.com | WalkMe API |
| playerserver.walkme.com | WalkMe player server |
| s3.walkmeusercontent.com | WalkMe static resources |
Multi-tenancy
Cloud Pak for Data as a Service is hosted as a secure and compliant multi-tenant solution on IBM Cloud. See Multi-Tenant
Parent topic: Security