Cloud
March 15, 2023 By Josephine Justin
Norton Samuel Stanley
5 min read

Context-based restrictions (CBRs) in IBM Cloud can be used to enhance security and protect sensitive data.

By leveraging these features, organizations can ensure that their cloud resources are accessed only by authorized users and comply with various security and regulatory requirements.

What are context-based restrictions?

IBM Cloud context-based restrictions (CBRs) help to ensure that only authorized users can access sensitive resources. They grant access based on the user’s role, location or other contextual factors. This helps to protect customer data and minimize the risk of unauthorized access or breaches. See the IBM Cloud documentation to learn more about how context-based restrictions work. 

When to use context-based restrictions

The following are some specific scenarios where IBM Cloud context-based restrictions can be used:

  • Role-based access control (RBAC): With RBAC in IBM Cloud, the organization can grant different levels of access and permissions to users based on their roles and responsibilities. For example, developers may have access to development resources, while operations personnel may have access to production resources. RBAC can help ensure that only authorized personnel have access to the resources they need to do their jobs.
  • IP address allow-listing: An organization wants to restrict access to its cloud resources to specific IP addresses. With IP address allow-listing in IBM Cloud, the organization can specify which IP addresses are allowed to access its resources. For example, the organization may whitelist the IP addresses of its headquarters and branch offices, while blocking access from other locations.
  • Geolocation restrictions: An organization needs to comply with local data privacy regulations that require data to be stored within a specific region. With geolocation restrictions, the organization can restrict access to resources in a specific region to users located within that region. This can help ensure that sensitive data is protected and only accessible to authorized personnel within the specified region.
  • Resource-based access control (ReBAC): An organization wants to restrict access to its most sensitive data and resources. With ReBAC, access can be granted to specific resources based on the user’s role and permissions. For example, the organization may restrict access to its financial data to only authorized personnel with specific roles and permissions. Additionally, IBM Cloud can audit access to these resources to ensure that only authorized users are accessing them.

Context-based restriction use cases

Here are few use cases for context-based restrictions:

  • Regulatory compliance: Many industries—including finance, healthcare and government—have strict regulatory requirements around data protection and access control. IBM Cloud’s context-based restrictions can help organizations comply with these regulations by ensuring that only authorized personnel have access to sensitive data. For example, an organization in the healthcare industry may use geolocation restrictions to ensure that patient data is only accessible to healthcare professionals within a specific region.
  • Application development and testing: In application development and testing environments, context-based restrictions can help ensure that developers and testers have access to the resources they need without exposing sensitive data or resources to unauthorized users.
  • Disaster recovery and business continuity: In disaster recovery and business continuity scenarios, IBM Cloud’s context-based restrictions can help ensure that critical resources and data are protected and available to authorized personnel. IBM Cloud can use geolocation restrictions to ensure that backup and recovery resources are only accessible from authorized locations.

Rule implementations

1. Enforce a rule

Context-based restriction rules can be enforced upon creation and updated at any time. Rule enforcement can be of three types:

  • Enabled: Enforces the rule and restricts the access to services based on the rule definition.
  • Disabled: No restrictions are applied to the resources. 
  • Report-only: Allows you to monitor how the rule affects you without enforcing it. All access attempts are logged in Activity Tracker. It is recommended to enable a rule in Report-only mode for 30 days before enforcing the rule. Some of the services do not support this mode (e.g., IBM Cloud Databases resources).

Rules created in report-only mode can be listed using the CLI with the following command:

ic cbr rules --enforcement-mode report

2. Scope a rule

You can narrow the scope of the rule to specific APIs as part of the restrictions to achieve fine-grained security in your system. Only some services support the ability to scope a rule by API. To know the API scopes for specific service, first get to know the list of services supported by using the CLI:

For example, you can use the CLI to view the possible scopes of the IBM Cloud Kubernetes Service:

To create rules with a restricted scope, use the API-types attribute:

3. Restrict access using tags

You can create rules to restrict access to specific instance(s) based on access tags. IBM Cloud resources can be created and accessed with IAM access tags, and these tags can be used to restrict access using context-based restrictions.  To restrict specific VPCs to access IBM Cloud Object Storage service instances that are assigned with tag “env:test”, you can create the rules rule-create command:

ibmcloud cbr rule-create --context-attributes  "networkZoneId=ca1c2bb48b40ed7c595a6ff3ed49f055" --service-name cloud-object-storage --enforcement-mode report --tags "env=test"

Note: You must create the zone before you can create the rules. To create the zone, refer to Creating network zone from the CLI.

4. Restrict using IP addresses

Restrict IP addresses of authorized personnel to access the IBM Cloud resources using context-based restrictions. Create zones for the IP address and create a rule with that zone:

Additionally, you can allow different IP addresses for public and private endpoints of a service. 

5. Create specific geolocation-based restrictions

Access to a service can be restricted in specific locations to impose data residency requirements: 

6. Monitor the rules

To monitor the rules behavior in enabled or report-only mode, refer to Monitoring context-based restrictions.

Conclusion

IBM Cloud’s context-based restrictions can help organizations ensure that their cloud resources are protected, compliant and accessible only to authorized personnel. By leveraging these features, organizations can mitigate security risks, enhance compliance and improve operational efficiency.

Resources

Was this article helpful?
YesNo
Josephine Justin
Architect
Norton Samuel Stanley
Lead Software Engineer - IBM Cloud Storage

More from Cloud
July 19, 2024

IBM Cloud Virtual Servers and Intel launch new custom cloud sandbox

4 min read - A new sandbox that use IBM Cloud Virtual Servers for VPC invites customers into a nonproduction environment to test the performance of 2nd Gen and 4th Gen Intel® Xeon® processors across various applications. Addressing performance concerns in a test environment Performance testing is crucial to understanding the efficiency of complex applications inside your cloud hosting environment. Yes, even in managed enterprise environments like IBM Cloud®. Although we can deliver the latest hardware and software across global data centers designed for…

July 18, 2024

10 industries that use distributed computing

6 min read - Distributed computing is a process that uses numerous computing resources in different operating locations to mimic the processes of a single computer. Distributed computing assembles different computers, servers and computer networks to accomplish computing tasks of widely varying sizes and purposes. Distributed computing even works in the cloud. And while it’s true that distributed cloud computing and cloud computing are essentially the same in theory, in practice, they differ in their global reach, with distributed cloud computing able to extend…

July 16, 2024

How a US bank modernized its mainframe applications with IBM Consulting and Microsoft Azure

9 min read - As organizations strive to stay ahead of the curve in today's fast-paced digital landscape, mainframe application modernization has emerged as a critical component of any digital transformation strategy. In this blog, we'll discuss the example of a US bank which embarked on a journey to modernize its mainframe applications. This strategic project has helped it to transform into a more modern, flexible and agile business. In looking at the ways in which it approached the problem, you’ll gain insights into…

IBM Newsletters

 Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters