Cloud Infra and Security Questionnaire

This document discusses migrating an existing banking solution from AWS to IBM Cloud. It outlines several areas to consider for the migration including account management, user access management, centralized logging, and security services. Over 40 questions are posed about how specific IBM Cloud capabilities compare to analogous AWS services to help frame discussions around migrating to a well-architected cloud environment on IBM Cloud. The goal is for IBM to aid in the migration by defining best practices for their environment.


Table of contents

Introduction

Account Management
Multi-Account Management
Multi-Account User and Access Management

Centralized Logging

Security Services
Managed Services
Network Services
Additional Controls

Cloud Networking

DevOps Tooling

Kubernetes Dependencies

Introduction
The current Encore solution is designed and implemented to run within the AWS
environment. The AWS solution architecture is based on best practices as defined by both AWS
and the Cloud Security Alliance (CSA). This document outlines a discussion of what is
currently implemented and how it may be migrated into the IBM Public Cloud and the IBM VMZR
Solution for North America environments.

However, this document does not define the overall discussion between Bank of the West, its
supporting vendors (Finxact, Savana), and IBM. Nor does this document define a complete
set of requirements to migrate Encore onto either of the IBM Cloud environments.

Therefore, the ultimate intent of this document is to frame the discussion around various
aspects of the system so that IBM can aid Bank of the West and its vendors in migrating onto
the IBM Cloud. The tenets of a well-architected cloud environment have been followed using
the AWS precepts. We (Bank of the West, vendors, Levvel) seek the aid of IBM Cloud to define
the best practices in its environment.

Account Management
Multi-Account Management
The current Encore solution leverages AWS Organizations for consolidated billing and centralized
management of security policies. IBM Public Cloud offers Enterprise accounts to support a similar
multi-account approach.

Questions related to the IBM VMZR Solution for North America:

1. Will the IBM VMZR solution support Enterprise functionality?

2. How will consolidated billing be supported?

3. Will billing reporting support billing breakdown by:

a. Tagged resources across accounts?
b. Per-account basis?
c. Resource type?

4. Will administrators be capable of requiring multi-factor authentication for all users of the
BOTW VMZR cloud presence? How will this be supported - through IBM ID, Enterprise
security policies, or other mechanism?

5. Organizational Units (OUs) provide a means to group similar accounts. They are similar
to a group, but for accounts, and can be used to apply service control policies, group
costs, or retrieve details of related accounts. What are the equivalent constructs in
Enterprise?

6. Service control policies (SCPs) are policy-like documents applied to OUs or directly to
accounts; they determine which API calls can be executed in a member account, including
by the root user. How are service control policies implemented in the IBM VMZR Enterprise
offering?

Multi-Account User and Access Management

The Encore solution on AWS follows best practices as outlined by AWS and the Cloud Security
Alliance. The following questions are related to the VMZR solution for North America to gain
insight into migration paths and best-practice support.

1. In AWS, the root user of an account has unrestricted access to all resources within the
account regardless of any IAM policy, and its use is typically restricted to account
creation or break-glass activities. Will the VMZR solution have the concept of a root
account user as in AWS, or are administrative accounts the highest level of account
access?

2. The authorization scheme implemented by the Encore solution leverages IAM policies,
roles, and groups. Groups are generally used statically to enforce general requirements
across a user population. Roles are leveraged across accounts to allow for role-based
authorization. All user accounts are created in an 'identity' account, and groups in that
account enforce general security policies (i.e. all users must have MFA enabled), while
roles are used for cross-account access.

a. Users assume a role (sts:AssumeRole) between accounts to perform some action in
the target account. How will the IBM VMZR solution support cross-account role-based
access?

b. Policies are assigned to roles to control the level of access that a user has when
assuming that role. What are the equivalent policies constructs in the IBM VMZR
solution?

c. Policies may also be assigned to resources. Resource policies control access to the
resource: which principals may access it, which actions they may perform, and which
accounts are granted access. Will the IBM VMZR solution support resource-level policies?

3. AWS SSO is used in the Encore solution to allow cross-account access via the console
and to extend BOTW corporate identities into the cloud.

a. How will the IBM VMZR solution support integration with BOTW Active Directory?
b. How will single-sign on be supported between BOTW business applications and
the IBM VMZR supported services? (which IBM Cloud service?)

c. Which IBM VMZR service supports single-sign on across accounts?

4. For multi-account access, how is MFA supported when using IBM Cloud VMZR
command line tooling?
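The SCP question above (Multi-Account Management, question 6) and the cross-account role questions in this section describe three policy layers that AWS evaluates together: the SCP on the OU, the identity policy on the user's group in the identity account, and the trust policy on the role in the target account. The following added example is illustrative code, not part of the Encore solution or of any AWS SDK: it embeds three real-format policy documents with made-up account IDs and role names and runs a deliberately simplified evaluator over them (only Effect, Action/Resource wildcards and Bool/StringEquals conditions are modelled; principal matching is assumed to have passed). It shows that an SCP Deny on CloudTrail tampering overrides even a full-administrator identity policy, and that the cross-account AssumeRole succeeds only when both the group policy and the trust policy see aws:MultiFactorAuthPresent set.

```python
"""Simplified model of SCP + identity policy + role trust policy evaluation.
Added illustration, not Encore or AWS code; account IDs and names are made up.
"""
import fnmatch
import json
from typing import Optional

IDENTITY_ACCOUNT = "111111111111"   # assumed
TARGET_ACCOUNT = "222222222222"     # assumed
ROLE_ARN = f"arn:aws:iam::{TARGET_ACCOUNT}:role/EncoreReadOnly"
TRAIL_ARN = f"arn:aws:cloudtrail:us-east-1:{IDENTITY_ACCOUNT}:trail/org-trail"

# SCP on the OU: allow everything except tampering with CloudTrail. An SCP Deny
# binds every principal in a member account, the root user included.
SCP_PROTECT_AUDIT = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"],
     "Resource": "*"}
  ]
}""")

# Identity policy on the administrators group in the identity account.
ADMIN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")

# Identity policy on an ordinary group: may only hop to one target role, with MFA.
GROUP_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::222222222222:role/EncoreReadOnly",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}""")

# Trust policy on the role in the target account; it also insists on MFA.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}""")

MFA_CTX = {"aws:MultiFactorAuthPresent": "true"}
NO_MFA_CTX = {"aws:MultiFactorAuthPresent": "false"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx) -> bool:
    """Evaluate a Condition block; only Bool and StringEquals are modelled."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator}")
    return True


def _statement_applies(stmt, action, resource, ctx) -> bool:
    acts = _as_list(stmt.get("Action", []))
    res = _as_list(stmt.get("Resource", "*"))      # trust policies carry no Resource
    return (any(fnmatch.fnmatchcase(action, a) for a in acts)
            and any(fnmatch.fnmatchcase(resource, r) for r in res)
            and _condition_holds(stmt.get("Condition"), ctx))


def evaluate(policy, action, resource, ctx) -> Optional[str]:
    """Return 'Deny', 'Allow' or None (implicit deny) for a single policy."""
    decision = None
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"                      # an explicit Deny always wins
            decision = "Allow"
    return decision


def decide(action, resource, ctx, scp, identity_policy, trust_policy=None) -> bool:
    """Cross-account decision: every layer present must Allow and none may Deny."""
    layers = [scp, identity_policy] + ([trust_policy] if trust_policy else [])
    results = [evaluate(p, action, resource, ctx) for p in layers]
    return "Deny" not in results and all(r == "Allow" for r in results)


if __name__ == "__main__":
    print("admin stops CloudTrail:", decide("cloudtrail:StopLogging", TRAIL_ARN, MFA_CTX, SCP_PROTECT_AUDIT, ADMIN_POLICY))
    print("assume role with MFA:  ", decide("sts:AssumeRole", ROLE_ARN, MFA_CTX, SCP_PROTECT_AUDIT, GROUP_POLICY, TRUST_POLICY))
    print("assume role, no MFA:   ", decide("sts:AssumeRole", ROLE_ARN, NO_MFA_CTX, SCP_PROTECT_AUDIT, GROUP_POLICY, TRUST_POLICY))
```

The point to carry into the IBM discussion is that the same three questions have to be answerable in the target platform: is there a layer that can deny an action to every principal in an account (the SCP), is there a per-identity policy that can condition access on MFA, and is there a policy on the target side that must also consent before cross-account access is granted.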

Centralized Logging
Centralized logging of application, audit, and system resource logs is a critical element of a
strong information security approach and a Cloud Security Alliance best practice. Access to
the centralized logging facility is generally limited to information security staff, with controls in
place to prevent log file manipulation. The AWS-based Encore solution uses an isolated account
and S3, with sufficient resource and role policies to limit the ability to manipulate logs.

1. Does the IBM VMZR solution support cross-account logging of audit, application, and
resource logs into an object store in a centralized account?

2. CloudTrail is used in AWS to capture audit-level events. Which IBM Cloud service on
VMZR will support logging of audit-level events?

3. AWS Organizations supports creating an organization-level CloudTrail trail that applies
across all accounts. This allows administrators to set up audit-level logging
across the entire enterprise and capture those logs into a central logging store. Does
Enterprise support similar functionality?

4. One security control to prevent deletion of log files is requiring an MFA token to
validate the deletion (S3 MFA Delete). Does IBM Object Storage support MFA-on-delete
functionality?

5. CloudWatch is another AWS logging utility leveraged by the Encore solution to capture
application, service, and resource logging events.

a. One use of CloudWatch is for notification and remediation. This is accomplished
through serverless computing functions subscribed to log groups. Log groups are
CloudWatch groupings of event types: an application, a resource, etc. Does the IBM
VMZR solution for North America support serverless computing subscriptions to
logging events?

b. While CloudWatch is a logging utility, it is more generic, and logging events are
captured within log groups. Dumping the events to a central logging facility typically
incorporates serverless computing functions, queues, and real-time event processing
streams (Kinesis). How are general logging events captured and dumped into a
centralized logging facility across accounts?

6. AWS Config is a service that captures the current state of the cloud environment and is
a critical tool for cloud asset management. Periodically, Config dumps the cloud
environment asset snapshot into the Encore centralized logging environment. Which
service within the IBM VMZR will provide centralized logging of cloud assets?

7. VPC Flow Logs is a service that logs the time of a flow, the source and destination
addresses and ports, the protocol, whether the traffic was accepted or rejected, and the
number of packets and bytes transmitted. These logs are also captured and stored in the
central logging account of the Encore solution. Does the IBM VMZR solution support
logging of VPC network traffic?

8. Centralized logging is stored in AWS S3. IBM provides Object Storage as the
equivalent service.

a. Does Object Storage support lifecycle schedules to migrate data to lower-cost
storage tiers after a defined amount of time?

b. Does Object Storage support disposition schedules to remove data after a
configurable time?

9. Integration with third-party tools, such as SIEM and IDS/IPS solutions, often requires
access to centralized logs. Many third-party integrations with AWS leverage the
sts:AssumeRole functionality. How will IBM VMZR support third-party integrations
and access to the centrally stored logs?

Security Services
Managed Services
The Encore solution leverages several AWS managed security services to provide base level
security insight into the cloud solution.

1. AWS Config is leveraged to understand and monitor cloud assets. Cloud asset
management is an important aspect of regulatory and corporate compliance efforts.
Additionally, being able to detect shifts in cloud asset configuration aids in detecting
unauthorized asset creation and deletion. In the IBM VMZR solution for North America,
which service will provide asset management discovery and reporting?

2. GuardDuty performs continuous threat and anomaly detection across CloudTrail, VPC
Flow Logs and DNS logs. For example, a brute force attack or anomalous AssumeRole
activity will be detected and reported by GuardDuty. Which service will support similar
security monitoring and reporting functionality in the IBM VMZR solution?

3. AWS Macie inspects the contents of S3 buckets for sensitive data. This includes
common personally identifiable information (PII), regulatory documents, API keys and
secret key material. Which service in the IBM VMZR solution will provide similar
capabilities to detect PII and other sensitive information in Object Storage?

4. AWS Inspector combines network configuration analysis with an agent-based
vulnerability assessor. For example, an agent may report Common Vulnerabilities and
Exposures (CVEs) detected on an EC2 instance (virtual server). Which services on the
IBM VMZR solution will provide the capability to monitor virtual servers for
vulnerabilities?

5. The AWS Security Hub presents diverse security related findings across an entire
Organization. Additionally, it aggregates findings from Inspector, GuardDuty, and Macie.
Security Hub also provides integration points for third-party tools to extend its security
monitoring and reporting capabilities. What is the equivalent service in the IBM VMZR
solution that provides aggregate security monitoring?

6. AWS Trusted Advisor is a service that delivers a weekly email digest of cost savings,
performance, and fault tolerance opportunities as well as any security or service limit
concerns. What is the equivalent service in the IBM VMZR solution that provides an
automated report for security concerns and cost savings opportunities?

7. Distributed Denial of Service attacks against AWS resources are mitigated through the
AWS Shield service (layer 3 and 4 attacks). Basic DDoS protection through AWS Shield
Standard is free of charge.

a. Which IBM VMZR solution service will provide Layer 3 and 4 DDoS protection?

b. Will the IBM VMZR solution provide similar services free of charge?
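Question 2 above (GuardDuty) names two detections the Encore team relies on: a brute-force attack and anomalous AssumeRole activity, both derived from CloudTrail. Whatever service IBM proposes, the same logic has to be expressible over its audit events, so the following added example shows that logic in plain code. It is illustrative, not Encore or GuardDuty code: the events are constructed in the shape of CloudTrail records (eventTime, eventName, sourceIPAddress, responseElements, errorCode), the IP addresses are documentation ranges, and the threshold and window are arbitrary choices.

```python
"""Detect console-login brute force and AssumeRole probing from CloudTrail-style
events. Added illustration; the sample events below are constructed, not real.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(value: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 with a trailing Z (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(event: dict):
    """Map one CloudTrail record to a suspicious-activity kind, or None."""
    name = event.get("eventName")
    if name == "ConsoleLogin" and event.get("responseElements", {}).get("ConsoleLogin") == "Failure":
        return "console_login_failure"
    if name == "AssumeRole" and event.get("errorCode") == "AccessDenied":
        return "assume_role_denied"
    return None


def find_findings(events, threshold=5, window=timedelta(minutes=5)):
    """Return one finding per (source IP, kind) whose event count within any
    sliding `window` reaches `threshold`. Events may arrive in any order."""
    buckets = defaultdict(list)
    for ev in events:
        kind = classify(ev)
        if kind:
            buckets[(ev["sourceIPAddress"], kind)].append(_ts(ev["eventTime"]))
    findings = []
    for (ip, kind), times in buckets.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"sourceIPAddress": ip, "kind": kind,
                                 "count": end - start + 1,
                                 "first": times[start].isoformat(),
                                 "last": t.isoformat()})
                break                             # one finding per source/kind
    return findings


def _event(time, name, ip, **extra):
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip, **extra}


# Constructed sample: six failed logins then a success from one address, five
# denied role assumptions from the same address, and two stray failures elsewhere.
SAMPLE_EVENTS = (
    [_event(f"2021-01-15T10:0{i}:00Z", "ConsoleLogin", "203.0.113.7",
            responseElements={"ConsoleLogin": "Failure"},
            errorMessage="Failed authentication") for i in range(6)]
    + [_event("2021-01-15T10:07:00Z", "ConsoleLogin", "203.0.113.7",
              responseElements={"ConsoleLogin": "Success"})]
    + [_event(f"2021-01-15T11:00:{i:02d}Z", "AssumeRole", "203.0.113.7",
              errorCode="AccessDenied",
              requestParameters={"roleArn": f"arn:aws:iam::222222222222:role/Probe{i}"})
       for i in range(5)]
    + [_event("2021-01-15T12:00:00Z", "ConsoleLogin", "198.51.100.4",
              responseElements={"ConsoleLogin": "Failure"}),
       _event("2021-01-15T12:01:00Z", "ConsoleLogin", "198.51.100.4",
              responseElements={"ConsoleLogin": "Failure"})]
)

if __name__ == "__main__":
    for finding in find_findings(SAMPLE_EVENTS):
        print(finding)
```

Note the detection sequence in the sample: the successful login after six failures is exactly the pattern an analyst wants surfaced, and the AssumeRole probing is only visible because AccessDenied errors are logged, which is why the centralized logging questions above ask for the audit trail to include denied calls and not only successful ones.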

Network Services
Both the IBM and AWS cloud solutions offer Virtual Private Cloud (VPC) constructs that are broadly
similar. VPCs define an isolated network environment for hosting services and solutions.

1. To control traffic at the subnet level within a VPC, AWS offers Network Access Control Lists
(NACLs). NACLs provide the ability to allow or deny inbound and outbound network traffic. They
are 'stateless', meaning that allowing inbound traffic on port 8080 does not automatically allow
the corresponding return traffic outbound; return traffic on the ephemeral port range must be
permitted explicitly in the opposite direction. What equivalent service will the
IBM VMZR solution provide for NACLs?

2. Security Groups (SGs) are essentially virtual firewalls that may be attached to resources
running within a VPC. A single resource may have many SGs assigned to it. SGs are
considered 'stateful', meaning that return traffic for a connection allowed in one direction is
automatically allowed in the other direction, regardless of the rules for that direction. What
equivalent service is provided by the IBM VMZR solution?

3. In AWS, VPC Endpoints expose services at the VPC level as a method of consolidating
traffic to AWS or third-party hosted services onto the AWS network. This prevents
service-to-service traffic from traversing the public Internet. VPC endpoints allow secure
communication from applications to AWS services, and VPC endpoints (via PrivateLink) may be
defined to allow AWS-to-AWS communication between separate accounts, for example where a
third party hosts a SaaS or PaaS solution. Will the IBM VMZR solution offer capabilities similar
to the VPC Endpoint construct in AWS?
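The stateless/stateful distinction in questions 1 and 2 above is the one most often got wrong when network rules are ported between clouds, so here is an added toy model that makes it concrete. It is illustrative code, not AWS or Encore configuration: a stateless filter judges each packet on its own against numbered rules with an implicit deny, while a stateful filter keeps a flow table and lets the reply to an allowed connection through even though no rule covers that direction. The addresses, ports and rules are made up, and only TCP destination-port matching is modelled.

```python
"""Stateless (NACL-like) versus stateful (security-group-like) filtering.
Added illustration, not AWS code; addresses and rules are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (towards the instance) or "out"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    direction: str
    port_from: int
    port_to: int
    action: str = "allow"   # NACLs may also "deny"; security groups only allow
    number: int = 100       # NACL rule number; lowest matching number wins
    proto: str = "tcp"

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.proto in (pkt.proto, "all")
                and self.port_from <= pkt.dst_port <= self.port_to)


class StatelessFilter:
    """NACL-like: every packet is judged on its own against numbered rules."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def permits(self, pkt: Packet) -> bool:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action == "allow"
        return False            # implicit deny (the trailing '*' rule)


class StatefulFilter:
    """Security-group-like: allow-only rules plus a flow table, so the reply to
    an allowed connection is permitted even with no rule in that direction."""

    def __init__(self, rules):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups have no deny rules")
        self.rules = list(rules)
        self.flows = set()

    def permits(self, pkt: Packet) -> bool:
        reverse = ("out" if pkt.direction == "in" else "in",
                   pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self.flows:
            return True          # return traffic of a tracked connection
        if any(r.matches(pkt) for r in self.rules):
            self.flows.add((pkt.direction, pkt.src_ip, pkt.src_port,
                            pkt.dst_ip, pkt.dst_port, pkt.proto))
            return True
        return False


CLIENT, SERVER = "198.51.100.10", "10.0.1.5"     # made-up addresses


def run_scenario():
    """A client opens TCP 8080 to the server; the server replies to the
    client's ephemeral port. Returns the (request, reply[, unrelated]) verdicts."""
    request = Packet("in", CLIENT, 51234, SERVER, 8080)
    reply = Packet("out", SERVER, 8080, CLIENT, 51234)
    callout = Packet("out", SERVER, 40000, "192.0.2.9", 443)   # new outbound connection
    web_in = Rule("in", 8080, 8080)
    nacl_naive = StatelessFilter([web_in, Rule("out", 8080, 8080)])     # mirrors the port
    nacl_fixed = StatelessFilter([web_in, Rule("out", 1024, 65535)])    # ephemeral range
    sg = StatefulFilter([web_in])
    return {
        "nacl_no_ephemeral": (nacl_naive.permits(request), nacl_naive.permits(reply)),
        "nacl_with_ephemeral": (nacl_fixed.permits(request), nacl_fixed.permits(reply)),
        "sg": (sg.permits(request), sg.permits(reply), sg.permits(callout)),
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:20s} {verdicts}")
```

The naive NACL lets the request in and then drops the server's reply, which is the classic symptom of copying a security group rule set into a stateless ACL; the fix is an outbound allow on the ephemeral port range, at the cost of a much wider outbound opening than the stateful filter needs. Whatever IBM offers in place of NACLs and security groups, the questionnaire should establish which of the two behaviours each construct has.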

Additional Controls
Additional controls are those security controls used and supported by AWS to provide additional
hardening of the Encore solution. Understanding how these security controls might be
implemented in the IBM VMZR solution is critical.

1. Virtual server hardening. As part of the DevOps pipeline, selecting and hardening a
virtual image is necessary to provide a secure cloud platform. Encore leverages CIS
hardened AMIs available via the AWS Marketplace.

a. Are similar hardened virtual server images available in the IBM Cloud
Marketplace and available on the VMZR solution?

b. May virtual server images be hardened through separate processes before use?

c. What are the IBM VMZR DevOps tooling capabilities for modifying and building
BOTW templates from VMZR-provided virtual server images?

2. Key management. The AWS Encore solution currently leverages KMS as its key
management solution. IBM Public Cloud has an equivalent service, Key Protect.

a. How will IBM VMZR integrate with an on-premises HSM to allow HSM-controlled
keys in Key Protect?
b. If customer HSM keys are leveraged, will Key Protect allow automated key rotation,
or is the key rotation procedure delegated to BOTW?

Cloud Networking
The AWS-based Encore service leverages several AWS services to provide secure access to the
enterprise, between multiple accounts, and to administrative resources.

1. The AWS Direct Connect service establishes a direct connection between on-premises
enterprise networks and an AWS data center. Benefits of Direct Connect include network
isolation (no public Internet) and better network performance and throughput between
AWS and on-premises applications. The IBM Public Cloud offers the equivalent service,
IBM Cloud Direct Link. Will the IBM Cloud Direct Link service be available in 1Q2021 on
the VMZR Solution for North America?

2. The AWS Transit Gateway service eliminates the need to create n-to-n peering
connections between the enterprise and its cloud-hosted VPCs and, similarly,
eliminates the need to create direct VPC-to-VPC peerings in a multi-account
environment. The Transit Gateway provides easier administration and connectivity. Will
IBM VMZR provide similar functionality, or will BOTW be required to manage n-to-n
connections between accounts and the enterprise?

3. AWS VPN is leveraged initially instead of Direct Connect, and later as a secondary
transmission line in case of Direct Connect failure. Will the IBM VMZR solution support
VPN connectivity in a primary and secondary (failover) role? Is failover automated?

DevOps Tooling
BOTW intends to leverage on-premises GitLab DevOps tooling to manage the build, testing, and
deployment to the IBM VMZR solution. The following questions assume on-premises GitLab
integrating with IBM VMZR services that are similar to the IBM Public Cloud offerings.

1. Kubernetes is the container orchestration platform for BOTW Encore solution
components. The current Encore process uses Helm to package its container-based
solution for deployment. The IBM Public Cloud supports Helm-based deployments.
According to publicly available documentation (https://cloud.ibm.com/docs/containers?topic=containers-helm),
Tiller is a required prerequisite. Helm v3 is the latest version of Helm and has removed
Tiller. Does IBM have a product release plan under which Helm v3 will be supported? Will
this product release plan be applicable to the IBM VMZR solution?

2. The ability to provide timely hardened virtual server templates for deployment is a
cornerstone of an organization's ability to respond to vulnerabilities at the operating
system and utility levels. The Encore solution intends to start with CIS hardened
images (or the equivalent in the IBM Cloud ecosystem) and requires the capability to
address threats and vulnerabilities (CVEs, etc.) in a short timeframe. Ideally, the DevOps
toolchain will support automated virtual server template production.

a. What are the DevOps toolchains and APIs that support selecting and building a
hardened image template?

b. Is Ansible a supported platform to modify and build a virtual server image?

c. Existing IBM Cloud supplied tutorials focus on bare metal servers being used for
the customer operating system. Is it possible to use a virtual server template in a
VPC as a virtual server?

3. Terraform is an essential tool for building out the infrastructure as code (IaC) approach
used by the Encore DevOps team. How well supported is the IBM Cloud and IBM VMZR
solution by Terraform? Will IBM Terraform tooling also support the IBM VMZR solution?

Kubernetes Dependencies
1. IAM Roles for Service Accounts (IRSA). The AWS-based Encore solution leverages
EKS and IRSA to associate an IAM role with a Kubernetes service account. By virtue of
mapping service accounts to IAM roles, containers may then use the AWS SDK or CLI
tools to access services.

a. Do IBM Public Cloud and the VMZR solution support similar functionality to
map IBM IAM roles to Kubernetes service accounts?

b. Will containers hosted on the IBM Kubernetes service be capable of accessing
other IBM services via SDK or CLI using IBM IAM roles?

2. Kubernetes Logging and Monitoring. Amazon EKS is integrated with AWS CloudTrail, a
service that provides a record of actions taken by a user, role, or an AWS service in
Amazon EKS. CloudTrail captures all API calls for Amazon EKS as events. The calls
captured include calls from the Amazon EKS console and code calls to the Amazon EKS
API operations.
a. How is logging and monitoring implemented in the IBM VMZR solution?

b. How are audit trails for compliance purposes implemented in the IBM VMZR
solution?

3. etcd migration. Will IBM provide an etcd migration path from EKS clusters to clusters
hosted on IBM VMZR?

4. External-DNS plugin. To manage DNS entries, the AWS-based Encore solution
leverages the external-dns (https://github.com/kubernetes-sigs/external-dns) plugin.
Currently, the IBM Cloud DNS solution (and perhaps VMZR) is not listed as a supported
DNS provider.

a. Will IBM contribute to the open source project to add IBM Cloud DNS integration
capabilities?

b. Will the IBM VMZR solution include a DNS service? Or will DNS be handled by
the IBM Public Cloud? Or will DNS be delegated to BOTW?
