
Security

Client Security Concerns

Should a customer suspect a cyber security issue with their system, the client should open a Severity 1 case containing as much detail as possible.

Client Security Questionnaires

Before submitting questionnaires, IBMers and clients should first refer to the security information, links and certifications that are available on this page. Existing customers who need a security questionnaire or assessment completed should submit a case to the IBM Support Community Portal and attach the document or link. This will be routed to the proper SRE security resource for review / completion. Please note there is a 2-3 week turnaround time required for the SRE security team to respond to client provided security forms or questionnaires; additional time may also be required for Watson IoT Security team review.

Although IBM will complete security questionnaires as described above, client-led audits of the MAS SaaS offering are not supported or allowed. This includes onsite audit visits and performing validation tasks for individual clients. IBM will provide only the certifications listed below.

Security Management

IBM maintains and follows standard mandatory employment verification requirements for all hires. In accordance with IBM internal process and procedures, these requirements are periodically reviewed and include, but may not be limited to, criminal background check, proof of identity validation, and additional checks as deemed necessary by IBM.

  • All IBMers are required to complete mandatory Cyber Security & Privacy training annually

  • All IBMers are required to complete GDPR training annually

  • All IBMers are required to complete mandatory Business Conduct Guidelines training annually

  • Only IBM Maximo Application Suite SaaS personnel are permitted access to customer systems

  • IBM Maximo Application Suite SaaS SRE personnel are required to use privileged access workstations to connect to and work with our customers' IBM systems. These workstations meet IBM's highest and most stringent security guidelines.

IBM Maximo Application Suite SaaS SRE personnel who are granted ROSA level access to customer environments are required to use the AWS Client VPN. Details on this VPN can be found here:

https://aws.amazon.com/vpn/

IBM Maximo Application Suite SaaS SRE personnel access credentials are role based and managed using an IBM internal access management system.

Access is based on job duties (principle of least privilege) in accordance with IBM IT Security Policy. The IBM Cloud Delivery Services security team performs the following processes to ensure that only those individuals who require access to systems have it, and that the right privileges are in place:

  • A separation of duties review is performed by the IBM Maximo Application Suite SaaS SRE management team to ensure no one individual has a conflict of roles without adequate safeguards being in place

  • A review of user access is performed to ensure existing users and privileges are still required

  • A defined process is in place to ensure individuals who leave the IBM SRE team, even if to other areas within IBM, have their UserID and privileges revoked

The IBM Maximo Application Suite SaaS SRE team performs proactive management and deployment of patches, updates and fixes to the Application, Middleware, Database and O/S layers via a planned Maintenance & Outage Calendar.

IBM SRE employs a defense in depth strategy (DiD) for boundary protection that includes firewalls and encrypted communications for remote connectivity to access the environment. All communications that cross this boundary are controlled and monitored.

All IBM Maximo environments are configured for Anti-Malware (Anti-Virus) protection and Endpoint Detection and Response (EDR) technology with associated telemetry. Status and alerts are monitored continuously.

IBM Trust Center - Enterprise IT Security and Trust:

https://www.ibm.com/trust/security

Physical Security for AWS Cloud:

https://aws.amazon.com/compliance/data-center/controls/

Customer Access

IBM Maximo Application Suite as a Service is a public internet-based offering. Customers connect to AWS using HTTPS encryption over the internet.

There is no direct link, peering or private cloud option available for the IBM Maximo Application Suite SaaS offering.

Every IBM Maximo Application Suite SaaS customer environment is delivered in a single tenant instance of the application, running on the Openshift platform.

All IBM Maximo Application Suite SaaS customers use HTTPS (SSL) encryption (256 bit) at the browser level to access IBM hosted applications. Connections are SHA-2 and TLS v1.2 compatible.

IBM obtains and implements externally facing SSL certificates from a trusted Certificate Authority (CA).
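A client-side check of the browser-facing TLS posture described above, added here as an example and not IBM's own code: it validates the certificate chain against the local trust store (a CA the client trusts), refuses anything older than TLS 1.2, and reports what was negotiated against the 256-bit strength stated on this page. HOST is a placeholder to replace with your tenant's hostname.

```python
import socket
import ssl
import time

HOST = "mas.example.invalid"  # placeholder, not a real MAS SaaS hostname
PORT = 443
STATED_BITS = 256             # encryption strength stated for the offering


def build_context() -> ssl.SSLContext:
    """Default context: chain validated against the local trust store,
    hostname checked, and nothing older than TLS 1.2 accepted."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def assess(version: str, cipher_bits: int, not_after: int, now: int) -> list:
    """Compare what was negotiated with the stated posture (times are epoch
    seconds). Returns a list of findings, empty when everything matches."""
    findings = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"negotiated {version}, expected TLS 1.2 or newer")
    if cipher_bits < STATED_BITS:
        findings.append(f"cipher strength {cipher_bits} bits is below the stated {STATED_BITS}")
    if not_after <= now:
        findings.append("certificate has expired")
    elif not_after - now < 30 * 86400:
        findings.append("certificate expires within 30 days")
    return findings


def check_endpoint(host: str = HOST, port: int = PORT) -> dict:
    """Handshake with the endpoint and report the negotiated parameters.
    A chain that does not lead to a CA in the local trust store raises
    ssl.SSLCertVerificationError, which is itself the finding."""
    ctx = build_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher_name, _proto, bits = tls.cipher()
            version = tls.version()
            # getpeercert() returns the parsed leaf; notAfter is a GMT string
            not_after = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
    findings = assess(version, bits, not_after, int(time.time()))
    return {"version": version, "cipher": cipher_name, "bits": bits,
            "not_after": not_after, "findings": findings}


if __name__ == "__main__":
    print(check_endpoint())
```

An SSLCertVerificationError on connect means the presented chain is not trusted by this client, which is the first thing to report if it happens against a production hostname.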

All databases use native AES-256 encryption (data is encrypted at rest).

Customers will not have direct access to the operating system, cluster, file system or web application server. Changes need to be requested through a Support ticket.

Single Sign On

IBM Maximo Application Suite SaaS supports Single Sign On (SSO). Details can be found here:

https://www.ibm.com/docs/en/mas-cd/continuous-delivery?topic=configuring-users-identity

LDAP and SAML (2.0) are supported.

IBM does not certify any specific tool a client has implemented within their environment. If the tool supports SAML 2.0 then it will work within the MAS-SaaS environment.

Customers will be responsible to ensure the appropriate user setup and mapping is correct and configured.

Penetration and Vulnerability Testing

IBM’s Product Transformation Center (PTC) conducts penetration testing on the IBM Maximo Application Suite as a Service offering annually.

IBM performs vulnerability scanning and subsequent remediation in all IBM Maximo Application Suite SaaS environments on a regular basis aligned with IBM IT Security Standards (ITSS). This includes Operating System, Middleware, Application and TCP/IP vulnerability scanning.

Vulnerabilities are assigned individual vulnerability ratings and exploitation categories (Critical, High, Medium or Low). These ratings are used to determine an IBM mandated time requirement to remediate and resolve the vulnerability.

Vulnerability scanning results and logs are considered IBM Confidential Information and are not disclosed to customers or prospects.

IBM does not permit external penetration tests on MAS offerings for security and compliance reasons. However, IBM can provide comprehensive penetration test reports conducted by IBM’s Product Transformation Center (PTC). These reports are thorough and should address the objectives and concerns of external parties, ensuring they have a clear understanding of IBM MAS system security posture and the measures we have in place to safeguard our offerings.

SQL Injection

Please see FAQ link below regarding how Maximo protects against SQL injection:

https://www-01.ibm.com/support/docview.wss?uid=swg21419049

Security Services

The IBM Maximo Application Suite SaaS team provides the following security and system access services. These services are included as part of the IBM Maximo Application Suite as a Service:

  • Setup of SSL certificates and DNS registration. This is standard by default and allows secure browser-based HTTPS (encrypted) access for IBM Maximo Application Suite SaaS end users.

  • Setup of IPsec Virtual Private Network (VPN) between client locations and IBM Cloud data center(s). VPN setup is optional, and is used to provide the following:

      • Direct read-only access to IBM on Cloud databases

      • LDAP authentication

      • Other uses are not currently available using VPN.

  • Setup and configuration of SSO including OIDC (default), SAML and LDAP user authentication for IBM Maximo Application Suite applications. SSO configuration is optional but is included as part of the IBM on Cloud subscription.

Compliance - AWS (Infrastructure)

All IBM Maximo Application Suite SaaS customer environments are managed to IBM IT Security Standards (ITSS) defined by IBM’s Chief Information Security Officer (CISO). This includes vulnerability scanning and subsequent remediation.

AWS holds ISO-27001 certification and can provide SOC 1, 2 and 3 reports to customers.

AWS (IaaS) ISO information:

https://aws.amazon.com/compliance/iso-27001-faqs/

AWS SOC information:

https://aws.amazon.com/compliance/soc-faqs/

Industry and Regulatory Compliance

AWS Security Controls:

https://aws.amazon.com/compliance/data-center/controls/

IBM Maximo Application Suite SaaS environments are ISO-27001 certified. This certificate is publicly available and can be viewed / downloaded via the link below.

ISO-27001:

https://www.ibm.com/downloads/cas/EEO0NVLK

Details regarding specific Industry and Regulatory compliance can be found in the IBM Enterprise & Technology Security Community (this is accessible to IBMers only).

IBM Maximo Application Suite SaaS adopts and follows CIS Benchmarks as provided through the AWS Security Hub.

IBM Maximo development follows IBM Secure Engineering practices for application development. IBM Secure Engineering is outlined publicly at the following link:

https://www.ibm.com/security/secure-engineering/index.html

IBM Maximo developers are required to follow secure coding practices, and to complete education in the SANS Top 25 and OWASP Top 10. In addition, static (source) and web application scanning using the IBM (HCL) AppScan product suite must be performed. These products check for SANS Top 25 and OWASP Top 10 issues. Any vulnerabilities found by these scans must be resolved before product release or submitted through IBM's Product Security Incident Response Team (PSIRT) process for resolution via defect (IBM Authorized Program Analysis Report or APAR).

IBM Maximo development uses Rational Team Concert for development (management of tasks, stories, epics, version control, test management, etc.), Selenium and TestNG for test automation, Jenkins for deployment automation, and Rational Performance Tester (RPT) for performance load testing.

IBM Maximo Software Development Life Cycle (SDLC):

https://www.ibm.com/support/pages/ibm-maximo-software-development-life-cycle

Data Security & Privacy (DS&P)

Manage application logging, when configured with certain verbose options, can gather extensive information. This logging could include Personally Identifiable Information (PII) or Sensitive Personal Information (SPI). This information is generated and stored in plain text files on the application server. These logs are often made available to the customer upon request via SFTP. Application administration, including the logging configuration, is the responsibility of the customer, and it is highly recommended that logging of PII/SPI not be configured unless absolutely required. The following document describes how to configure logs to exclude any data classified as PII or SPI:

https://www.ibm.com/support/pages/node/2801463

IBM Data Security and Privacy Principles for IBM Cloud services can be found at the link below:

https://www.ibm.com/support/customer/csol/terms/?cat=data-security

IBM Privacy Shield Privacy Policy for Certified IBM Cloud Services can be found below. This is applicable to EU-US and Swiss-US customers:

https://www.ibm.com/privacy/details/us/en/privacy_shield.html

Data Responsibility at IBM

https://www.ibm.com/blogs/policy/dataresponsibility-at-ibm/

If a government wants access to data held by IBM on behalf of a SaaS client, IBM would expect that government to deal directly with that client.

Data Processing Addendum (GDPR)

https://www.ibm.com/support/customer/csol/terms/?id=Z126-7870&lc=en#detail-document

Data Privacy and Subject Rights

IBM Privacy Statement

IBM's Privacy Statement describes IBM's general privacy practices and subject rights that apply to personal information. For complete statement details click on the link below.

https://www.ibm.com/privacy/us/en/

Right to Lodge a Complaint

In the event a client or customer considers our processing of personal information not to be compliant with applicable data protection laws, a complaint can be submitted directly with IBM by using the form in the link below.

https://www.ibm.com/scripts/contact/contact/us/en/privacy/

NIST

IBM Maximo Application Suite Manage Servers (commercial public offerings) follow NIST guidelines and assess against NIST controls, but claim no specific NIST compliance(s).

Data Leakage Prevention / Data Loss Prevention (DLP)

IBM Cloud Delivery Services does not use DLP monitoring. Access controls are implemented on all databases, restricted to privileged users only. Customers configure and manage the data their users can view, update and export within the Maximo Application Suite applications, as well as determine which of their users is permitted direct read-only access to their database(s).

IBM purchases Professional Errors and Omissions including cyber risk insurance (see below) for IBM's liability arising out of actual or alleged breach of duty, neglect, error, misstatement, misleading statements or omission committed in the conduct of IBM’s professional services. This includes coverage for loss of intangible property, such as customer data, due to IBM’s negligence. This coverage is global in scope.

Media Sanitization

AWS securely sanitizes physical media intended for reuse prior to such reuse, and destroys physical media not intended for reuse, consistent with National Institute of Standards and Technology, United States Department of Commerce (NIST) guidelines for media sanitization (see link below).

Cyber Insurance

IBM carries standard cyber risk insurance under its Professional Errors & Omissions policy. PE&O insurance provides coverage for actual or alleged breach of duty, neglect, error, misstatement, misleading statements or omission, solely for acts or omissions committed by IBM in providing professional services to our client(s). Coverage includes network security, unauthorized access, unauthorized use, receipt or transmission of a malicious code, denial of service attack, unauthorized disclosure or misappropriation of private information, privacy liability, notification costs, credit card monitoring, and fine & penalties incurred by the customer. The PE&O Policy itself is IBM Confidential information.

Regulated Content

IBM Maximo Application Suite offerings are not intended to host government regulated content. Please see the Cloud Services Agreement (link below), Section 2c, for details.

Clock synchronization

All customer Maximo servers leverage IBM Cloud's internal NTP service as the single reference time source for information system processing clocks and security domains.

Customers are responsible for synchronizing their local environments (workstations, on-premise servers) with an authoritative time source.