Applying governance capability of IBM Cloud Pak for Multicloud Management to operate hybrid clouds for enterprise standards

Jaya Ramanathan
Published in IBM Cloud, Nov 22, 2019

Authors: Jaya Ramanathan, Ali Kanso, Yu Cao, Yanni Zhang

Overview

IBM Cloud Pak for Multicloud Management manages the cluster, application, and security lifecycle of your hybrid cloud environments. Enterprises must meet internal standards for software engineering, secure engineering, resiliency, security, and regulatory compliance for workloads hosted on hybrid clouds. Teams that provide enterprise cloud platforms, as well as application business units that run their business applications on those platforms, can use the IBM Cloud Pak for Multicloud Management governance capability to gain visibility into, and drive remediation of, various security and configuration issues to help meet such enterprise standards.

IBM Cloud Pak for Multicloud Management Governance Architecture

You can use the following capabilities available in the IBM Cloud Pak for Multicloud Management governance feature:

  • Add new policies without updating the IBM Cloud Pak for Multicloud Management policy framework.
  • Apply policies created using out of the box policy templates.
  • Incorporate various policy languages easily, for example Open Policy Agent (OPA).
IBM Cloud Pak for Multicloud Manager Governance Architecture

The governance architecture is composed of the following components:

  • Dashboard: Provides a summary of your cloud governance and risk details, including policy violations and security findings from the Findings API.
  • Policy UI: Allows policies to be created and deployed to various managed clusters based on attributes associated with clusters such as geographical region, Continuous Integration/Continuous Deployment (CI/CD) environment (Dev, Prod), cloud provider, etc. Displays policy violation details.
  • Policy Store: Uses Kubernetes etcd to store policies as custom resource (CR) objects defined by CustomResourceDefinitions (CRDs).
  • Controls: Security and configuration controls for various enterprise standards.
  • Policy Controller: Evaluates one or more policies on the managed cluster against your specified control, and generates Kubernetes events for violations. The violations are automatically propagated to the hub cluster.
  • Cloud Event Manager: Collects events related to policy lifecycle (create, delete, update) and policy violations, and routes them to enterprise incident management tools.
  • Findings API: Provides an interface to query and submit findings. Enables integration with SIEM tools used by enterprise Security Operations Center, and governance, risk, and compliance tools used by enterprise risk and compliance teams. Policy violations are automatically mapped to findings.
  • Findings UI: Displays details of various findings, both findings for policy violations, and those for controls that directly integrate with Findings API.

Policy Elements

You can specify checks on managed clusters with the IBM Cloud Pak for Multicloud Management governance framework to verify whether a given control (security or configuration) is operating to enterprise standards. Your enterprise standards are typically based on industry best practices, such as the NIST Cybersecurity Framework (CSF), or on compliance standards, such as Payment Card Industry (PCI).

As you verify your controls, you might need multiple policies and policy controllers to verify different aspects. The IBM Cloud Pak for Multicloud Management governance framework can aggregate multiple embedded policies into one global policy that gets propagated to a list of managed clusters scoped by placement rules. IBM Cloud Pak for Multicloud Management aggregates policy violations of all the clusters it manages and displays a centralized global view of the overall governance and risk posture. View the diagram of the IBM Cloud Pak for Multicloud Management Governance and risk dashboard:

Newly defined policies can be embedded into the IBM Cloud Pak for Multicloud Management governance framework and propagated to managed clusters, where they are processed by policy controllers. Violations are reported back to the IBM Cloud Pak for Multicloud Management hub cluster. You must create a policy controller that handles the newly added policy on the managed cluster, and ensure that your controller adheres to the IBM Cloud Pak for Multicloud Management policy controller framework. For more information, see Configuration policy controller in the IBM Cloud Pak for Multicloud Management documentation.

The defined policies are categorized by standard, control category, and control. Examples of standards are the NIST Cybersecurity Framework and PCI. A control category represents a grouping of controls within a standard, and controls are the individual elements within a control category. You can incorporate policies written in other languages, such as OPA, into the IBM Cloud Pak for Multicloud Management governance framework. For more information, see the blog Integrate Open Policy Agent with IBM Multicloud Manager policy framework for Kubernetes resource admission control. View the following diagram for an example of how a CIS policy can be created with one of the out-of-the-box IBM Cloud Pak for Multicloud Management policy templates by selecting a pre-defined policy template from the Specification field:

Policy YAML template

Policy violations are reported to the IBM Cloud Pak for Multicloud Management hub cluster by the policy controllers. You can view your policy violations on the Policies tab from the IBM Cloud Pak for Multicloud Management user interface. View the diagram for an example violation for the CIS policy:

Example violation for the CIS policy

Remediation Actions

Policies contain the option to specify a remediation action: enforce or inform. When the remediation action is set to inform, the IBM Cloud Pak for Multicloud Management policy controller does not take any action to fix the violations; it only reports the status to the IBM Cloud Pak for Multicloud Management hub cluster. The enforce action lets the controllers take remediation actions to remove the violations. Examples of remediation actions include the following:

  • Creating missing resources, such as Kubernetes pod security policies.
  • Restarting a container that mutated into an undesirable state.
  • Patching a role-based access control (RBAC) role that grants permissions that are no longer deemed necessary.
  • Updating configuration to ensure that audit logs are generated for targeted services.

In both action modes, alerts and escalation mechanisms, such as sending email or Slack notifications with Cloud Event Manager and forwarding audit logs to the Security Operations Center, can be enabled when violations are detected. For details about deploying multicloud applications with Cloud Event Manager, see Deploying and Managing Multicloud Applications with IBM Multicloud Manager and Cloud Event Management.
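As an added example (not from the original post or the product documentation), the following hub-cluster Policy ties together the standard/category/control classification and the remediation action described above: it reports, in inform mode, any ClusterRoleBinding on clusters labelled environment=Dev that grants cluster-admin to the system:authenticated group. The API groups, field names, annotation keys and cluster label are assumptions based on the open-cluster-management policy format; verify them against your release's documentation before use.

```yaml
# Added example, not from the original post. API groups, field names and
# the cluster label "environment" are assumptions; check them against your release.
apiVersion: policy.mcm.ibm.com/v1alpha1
kind: Policy
metadata:
  name: policy-no-broad-cluster-admin
  namespace: mcm
  annotations:
    policy.mcm.ibm.com/standards: NIST-CSF
    policy.mcm.ibm.com/categories: PR.AC Identity Management and Access Control
    policy.mcm.ibm.com/controls: PR.AC-4 Access Control
spec:
  # inform only reports the violation to the hub; enforce would let the
  # controller remove the offending binding on the managed cluster
  remediationAction: inform
  object-templates:
    - complianceType: mustnothave   # any binding matching this is a violation
      objectDefinition:
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: ClusterRole
          name: cluster-admin
        subjects:
          - apiGroup: rbac.authorization.k8s.io
            kind: Group
            name: system:authenticated
---
apiVersion: mcm.ibm.com/v1alpha1
kind: PlacementPolicy
metadata:
  name: placement-dev-clusters
  namespace: mcm
spec:
  clusterLabels:
    matchLabels:
      environment: Dev
---
apiVersion: mcm.ibm.com/v1alpha1
kind: PlacementBinding
metadata:
  name: binding-policy-no-broad-cluster-admin
  namespace: mcm
placementRef:
  name: placement-dev-clusters
  kind: PlacementPolicy
  apiGroup: mcm.ibm.com
subjects:
  - name: policy-no-broad-cluster-admin
    kind: Policy
    apiGroup: policy.mcm.ibm.com
```

Switching remediationAction to enforce changes the controller from reporting the binding to deleting it, so keep inform until the violation report has been reviewed on the hub.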

Policy Templates

After installation, IBM Cloud Pak for Multicloud Management provides the following out-of-the-box policy templates:

  • Audit Logging — checks whether audit logs are being collected for a specified set of services, for example authentication and authorization.
  • Identity and Access Management (IAM) — checks whether RBAC policies match what is deployed at the Kubernetes level, and whether an excessive number of users have cluster-wide administrator access.
  • Certificate expiration — checks whether certificates expire within a configurable period of time.
  • Encryption — checks whether Kubernetes secret encryption is enabled and whether the specified encryption provider is being used.
  • Container security hardening — checks whether your cluster is hardened according to the CIS standard.
  • Container vulnerability scanning — checks whether security vulnerabilities exist in images in image repositories or in running containers.
  • Container integrity monitoring — checks whether file and/or process mutations have occurred in containers.

Integrating with the governance capability

Third-party controls can be integrated into the IBM Cloud Pak for Multicloud Management governance capability with one of the following options:

Advanced Integration

  • Integrate with policy framework by providing policies and policy controllers.
  • Propagate policy state to the IBM Cloud Pak for Multicloud Management hub cluster.
  • IBM Cloud Pak for Multicloud Management hub cluster maps policy violations to security findings.

For more information, visit the Developing your own policy controller blog.

Basic Integration

  • Submit your findings data with the IBM Cloud Pak for Multicloud Management hub Findings API. View an example of the basic integration by visiting the IBM and Sysdig team up blog.

Applying the governance capability

IBM Cloud Pak for Multicloud Management governance architecture can be applied by completing the following steps:

  1. Define the standards and requirements that must be met for each cluster.
  2. Use the out-of-the-box policy templates to create, customize, and apply policies to various managed clusters.
  3. Develop additional policy templates and controllers.
  4. Integrate controls with the Findings API.
  5. Integrate findings with SIEM and governance, risk, and compliance tools.
  6. Integrate events with incident management tools.
  7. Implement remediation actions to resolve policy violations and findings for your managed clusters.
  8. Automate remediation whenever possible.

For more details, refer to IBM Cloud Pak for Multicloud Management Governance and risk documentation.

Jaya Ramanathan
IBM Cloud

Red Hat Distinguished Engineer, Chief Security and Governance Architect. Opinions are my own.