IBM DataPower Operations Dashboard considerations for GDPR readiness
...
For PID(s): IBM DataPower Operations Dashboard
- 5725-T06 IBM DataPower Gateway
Notice:
This document is intended to help you in your preparations for GDPR readiness. It provides information about features of IBM DataPower Operations Dashboard that you can configure, and aspects of the product’s use, that you should consider to help your organization with GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.
...
The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
...
Table of Contents
- GDPR
- Product Configuration for GDPR
- Data Life Cycle
- Data Storage
- Data Access
- Data Processing
- Data Deletion
- Data Monitoring
- Capability for restricting Use of Personal Data
Note: The links to the DataPower Gateway Knowledge Center in this document are for version 7.6. If you are using a different version, use the "Change version" option in IBM Knowledge Center to change to the appropriate version of the topic.
...
GDPR
General Data Protection Regulation (GDPR) has been adopted by the European Union (“EU”) and applies from May 25, 2018.
Why is GDPR important?
GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:
- New and enhanced rights for individuals
- Widened definition of personal data
- New obligations for processors
- Potential for significant financial penalties for non-compliance
- Compulsory data breach notification
Read more about GDPR
...
Product Configuration for GDPR
How to configure our offering such that it could be used in a GDPR environment?
User configuration
After deployment and installation of DataPower Operations Dashboard you will need to become familiar with its role-based access control. By default, DataPower Operations Dashboard uses internal users and group registries to facilitate the user administration for nonproduction scenarios.
...
Review the recommended post-installation tasks for hardening the installation and improving product security, such as replacing self-signed certificates, implementing SSL Client Authentication with the gateway, and so forth. This list is updated in each version, so review this documentation after an upgrade.
Management services configuration
After the installation of DataPower Operations Dashboard is complete, you will need to modify and enable the following:
- Replace self-signed certificates as they are used for the web console and the REST management service.
- Implement SSL Client Authentication with the Gateway Management services (SOAP/REST) to secure data.
- If you suspect that the syslog payload data contains private information, encrypt your drives and file systems.
- If you plan to expose DataPower Operations Dashboard web console to API developers that are located on other network segments than your gateways, use the External Web console to avoid granting access through firewalls to the DataPower Gateway network segments.
- You should consider separating your DataPower Operations Dashboard installation into production and nonproduction environments and bind only the production gateways to the production DataPower Operations Dashboard installation to minimize access to personal data.
- You should consider using masked data in nonproduction environments in case you execute transactions based on data originated from production environments.
Transaction services configuration
After the installation of DataPower Operations Dashboard is complete, you will need to configure each gateway (known as a monitored device) from the DataPower Operations Dashboard web console. The configuration requires that you provide a privileged user to access and configure the gateway.
...
If you offload any data from DataPower Operations Dashboard, encrypt it, as it might contain personal data.
...
Data Life Cycle
What is the end-to-end process that personal data goes through when using our offering?
User Accounts
DataPower Operations Dashboard provides access to the management of Users, Groups and Role-Based managed security mechanism via its Manage and Security options. This can be done when managing users using DataPower Operations Dashboard internal database registry. It is not available when LDAP is the selected option for managing those users.
Avoid using the local user registry; use LDAP repositories instead to manage your users.
System Logs
Personal data, including IP addresses, session IDs, user IDs, webpage URLs, and cookie names, can exist in system logs. DataPower Operations Dashboard collects and logs IP addresses, user and system names, and other unstructured data.
...
The data is stored in the DataPower Operations Dashboard database until the database is full; old entries are purged automatically.
...
Data Storage
How can the client control the storage of personal data?
Storage of account data
You can back up DataPower Operations Dashboard software, static configuration, and user configuration data in the DataPower Operations Dashboard database by using internal scripts. When you provide the destination for the backup file, make sure that it is located in a protected area. For more information please refer to the documentation here.
...
Data Access
How can the client control access to personal data?
Security Roles
Security roles are used to provide a way for the administrator to filter the view that users have of the system. Administrators can use the roles to filter out data from user's view by devices, domains, services, client IP addresses, payload, and more. Filtering provides users with insights to only the parts of the system that they are allowed to access.
...
- The web console that is controlled by DataPower Operations Dashboard access control.
- Directly by the system administrator to files, which should be controlled by the client by using proper policies for credential keeping, firewall access, and physical access to the offering servers. The administrator has the following access: read_access, write_access, update_access.
Separation of duties
Separation of duties can be applied by using the security roles that are both built-in and custom.
Privileged Administrators
Administrator access can be filtered by IPs, but the client should enforce network access management such as firewalls and network segment separation. Customers should pay attention to the ability to access the CLI level using SSH.
Activity logs
Access logs to the web console are generated by the offering. However, system admins with CLI access can delete these files.
...
Data Processing
How can the client control processing of personal data?
DataPower Operations Dashboard cannot anticipate which data is personal data and which data is generated from the processing of the transactions. If transactions contain personal data, the client must properly identify this type of data and protect it if it is transferred off DataPower Operations Dashboard.
...
Data Deletion
How can the client control the deletion of personal data?
DataPower Operations Dashboard cannot anticipate which data is personal data and which data is generated from the processing of the transactions. If transactions contain personal data, the client must properly identify this type of data in order to delete it. Once the data has been identified, the client should perform the following steps to ensure complete removal of the data from DataPower Operations Dashboard:
- Locate and replace or delete system log files that contain information that is identified as personal data.
- Locate transactions that contain personal data using the Raw Messages dashboard and delete all transactions with personal data.
- Delete all exported data such as Backups, Reports, and all other offloaded data that might contain personal data.
- Delete all data according to its type (syslogs, payloads, etc.).
...
Data Monitoring
How could the client monitor the processing of personal data?
- DataPower Operations Dashboard does not monitor log files.
...
DataPower Operations Dashboard cannot specifically monitor the processing of personal data beyond the overall health monitoring of the offering. DataPower Operations Dashboard contains internal health monitoring and alerts to monitor its component health. However, this monitoring does not cover the DataPower Operations Dashboard system logs.
...
Capability for restricting Use of Personal Data
Will your customers be able to address Data Subject requests from their customers?
DataPower Operations Dashboard meets the following data subject rights: the right to access, the right to modify, the right to be forgotten, and the right to portability.
...