© Copyright International Business Machines Corporation 2021
Securing IBM Netezza Performance Server (NPS) in an Enterprise Ecosystem
For On-premises deployments with CPDS v1.x
By
Prasada Reddy Puttur, CISSP
Security Architect, Netezza Performance Server, Persistent Systems Inc
Rajesh Naicken
Security Programme Lead & Senior Architect, Netezza Performance Server, IBM
Table of Contents
1. INTRODUCTION
2. PHYSICAL SECURITY
3. SECURITY ASSESSMENT AND VULNERABILITY MANAGEMENT
4. DATA-AT-REST PROTECTION
4.1. ENCRYPTING AND LOCKING THE DATA STORAGE
4.2. DATABASE FIELD LEVEL ENCRYPTION
4.3. ENCRYPTING LOCAL USER PASSWORDS
4.4. STORAGE BACKUP MANAGEMENT
4.4.1. Encryption during nzbackup
4.4.2. Encryption during TSM backup
4.5. ENCRYPTING LOCAL USER PASSWORDS
5. DATA-IN TRANSIT PROTECTION
5.1. SECURED USER AUTHENTICATION
5.2. SECURED DATABASE CONNECTIONS
6. SECURE INSTALLATION
6.1. THE SECURE SOFTWARE REPO MANAGEMENT
6.2. THIRD PARTY SOFTWARE INSTALLATION
7. AUTHENTICATION AND AUTHORIZATION
7.1. ROLES AND ACCESS RIGHTS
7.2. SEPARATION OF DUTIES
7.3. DATABASE ADMINISTRATORS
7.4. PRIVILEGED ADMINISTRATORS
7.5. USER MANAGEMENT VIA EXTERNAL ENTERPRISE MICROSOFT WINDOWS ACTIVE DIRECTORY / LDAP SERVER
7.6. NETEZZA PERFORMANCE SERVER ACCESS
7.7. LOCAL USER PASSWORD POLICY
8. NETWORK ACCESS CONTROL
8.1. NETEZZA CLIENTS AUTHENTICATION
8.2. NETWORK SETUP AND DNS UPDATE
9. SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) SUPPORT
9.1. ACTIVITY LOGS
9.2. PRIVACY AND COMPLIANCE MANAGEMENT
9.2.1. GDPR
9.2.2. DISA-STIG
10. REFERENCES
11. NOTICES
1. Introduction
In today's digital world, data is a critical component of the success of any business. With
emerging trends and wider use of technology, it is very important to secure that data.
Enterprise data is typically managed using some form of data warehousing technology, so it
is critical to protect data warehousing solutions from internal and external security threats.
IBM Netezza Performance Server (NPS) is an enterprise-grade data warehousing solution from
IBM, which is deployed on IBM Cloud Pak for Data System (1). IBM Cloud Pak® for Data
System is a complete hybrid cloud on-premises platform-in-a-box.
This white paper highlights various security aspects of NPS and describes the security best
practices that can be applied to secure NPS in an enterprise ecosystem.
2. Physical Security
• Restrict access to the data warehouse appliance by applying appropriate access control to
the data center, using smart-card-based or biometric-based access.
• Define security policy rules and ensure they are followed in the physical lab
premises.
• The deployment layout should not be exposed to unauthorized parties.
• Hardware and storage replacement components should follow an authorized
replacement and disposal mechanism as per NIST standards (3).
3. Security Assessment and Vulnerability Management
It is essential to assess the security of a data warehousing solution using industry-specific
security scanners. NPS supports Nessus scanning for vulnerability assessment of the software
and networking environment. Vulnerability management is a proactive approach to finding
vulnerabilities in systems and applications so that they can be fixed before they are exploited
by attackers. Vulnerability scanning and assessment is done in a continuous periodic cycle. The
product is scanned with the Nessus Enterprise scanner during development, and updates are
recommended to the customer to address the discovered vulnerabilities.
The Cloud Pak for Data System platform, on which the NPS database runs, includes the OSCAP
tool. Using the tool, you can scan the system periodically to identify any known vulnerabilities.
IBM periodically releases critical security patches for the Cloud Pak for Data System platform. It
is critical to apply patches for software packages detected during vulnerability scanning to ensure
pre-emptive protection.
4. Data-at-Rest Protection
Data stored in persistent storage, internal and/or external, needs to be protected against
accidental removal or theft of the storage media. NPS provides the following functionalities to
protect the storage media:
• Encrypting and locking the storage disks
• Protecting the database backup
4.1. Encrypting and Locking the Data Storage
NPS uses SSD disks as the main storage medium. These disk drives are self-encrypting drives
(SEDs), which provide improved security and protection of the data stored on the system.
Self-encrypting drives encrypt data as it is written to the disk. Each disk has a disk encryption
key (DEK) that is set at the factory and stored on the disk. The disk uses the DEK to encrypt data
as it writes, and then to decrypt the data as it is read from disk. The operation of the disk, and its
encryption and decryption, is transparent to the users who are reading and writing data.
For the optimal security of the data stored on the disks, SEDs have a mode referred to as auto-
lock mode. In auto-lock mode, the disk uses an authentication encryption key (AEK) to protect
its DEK. When powered off, the disks are automatically locked. When the disk is powered on,
the SED requires a valid AEK to read the DEK and unlock the disk to proceed with read and
write operations. If the SED does not receive a valid authentication key, the data on the disk
cannot be read. The auto-lock mode helps to protect the data when disks are accidentally or
intentionally removed from the system.
In auto-lock mode, the authentication encryption key (AEK) can be stored locally in the control
nodes' storage area. For better security, you can also store it on a remote key management tool
like IBM Software Key Life Cycle Manager (ISKLM).
NPS provides a set of utilities and services for life cycle management of the
authentication encryption key (AEK).
By default, auto-lock mode is not enabled in NPS.
4.2. Database Field level encryption
Netezza supports field-level encryption in database tables. The necessary software
functionality is provided to encrypt and decrypt application-specific data at a granular level.
Encryption and decryption are managed by using a key generated by the application, which
secures the confidentiality and integrity of the application data.
The encryption supports industry standard security algorithms such as RC4, AES-128/192/256.
Dynamic data masking can be implemented using the encryption and decryption functions to
prevent unauthorized access to sensitive data in database objects.
4.3. Encrypting Local User passwords
When you create local NPS database users, the account passwords are stored in the database in
encrypted form. The NPS system has a default encryption process. For more security, you can
create and specify a host key for encrypting passwords.
4.4. Storage Backup Management
NPS has the capability to back up the data externally and secure that backup using a standard
encryption process.
4.4.1. Encryption during nzbackup
The backup process stores an encrypted host key by using the default encryption process, or you
can use the nzbackup -secret option to encrypt the host key by using a user-supplied string. To
restore that backup set, an administrator must specify the same string in the nzrestore -secret
option. To protect the string, it is not captured in the backup and restore log files.
When you back up the local user and group information, the backup set saves information about
the password encryption. If you use a custom host key, the host key is included in the backup set
to process the account passwords during a restore.
4.4.2. Encryption during TSM backup
If you are using Tivoli Storage Manager (TSM) encrypted backup support, you can configure
NPS backups to use encrypted backups. To configure encrypted backups, you must specify some
settings in the TSM configuration files in the backup archive and API clients. For each TSM
server in your environment, you can specify that the Tivoli backup connector use encrypted
backups to store the files sent by the NPS backup utilities.
Refer to the following document for detailed information about configuring the system for
encrypted backup using TSM.
• Tivoli Storage Manager encrypted backup support
4.5. Encrypting Local User passwords
When you create local NPS database users, the account passwords are stored in the database in
encrypted form. The NPS system has a default encryption process. For more security, you can
create and specify a host key for encrypting passwords.
5. Data-in Transit Protection
It is essential to secure data while it travels between components within the product or across an external network.
5.1. Secured User Authentication
• When users are integrated with an external user directory such as an LDAP server or a
Windows Active Directory, it is recommended to use SSL/TLS communication between the external client and the LDAP authentication server.
• NPS supports the SSLv3.0 and TLS1.2 protocols for communication with the
external Enterprise LDAP server. Using the built-in SSSD mechanism, this ensures that the
password is always encrypted during the authentication process. NPS expects SSL or TLS
to be enabled and CA certificates to be configured on the Enterprise LDAP server before it
is used for authentication.
• The identity of the components in client/server communication is also ensured by using
the Public Key Infrastructure (PKI) certificate management process.
5.2. Secured Database Connections
• By default, the Netezza Performance Server system is configured to accept either
secure SSL connections or plain connections from Netezza clients. As a security best practice, it is recommended to use secured SSL connections for external clients.
• If your users are located within the secure firewall of your network or they use a protocol
such as ssh to securely connect to the Netezza system, you might require them to use
unsecured communications, which avoids the performance overhead of secured
communications. If you have one or more clients who are outside that firewall, you might
require them to use secured connections.
• If enabled for SSL connections, NPS uses the TLSv1.2 protocol by default.
• Refer to the following documents on how to create different database connection types in
NPS.
• Configure the Netezza host authentication for clients
• Netezza client encryption and security
6. Secure Installation
6.1. The Secure Software Repo Management
The Netezza Performance Server software packages and fix packs are stored in a secure software
repository called IBM Fix Central (https://www.ibm.com/support/fixcentral/).
Authentication and access to the software repository for downloading the software are managed
by the IBM Certified authentication process.
6.2. Third Party software installation
Third-party software installation is not allowed by default, in order to preserve the
integrity of the overall Netezza software stack on the appliance environment. Any forced
third-party software installation can hamper the overall functioning and performance of the product.
7. Authentication and Authorization
Authentication and authorization are key components of NPS that support user access and
execution of product services.
Database Administrators need to manage access for different users by granting them only the
roles or privileges required to access a particular database object, and System
Administrators should manage the overall access to the Cloud Pak for Data System.
7.1. Roles and access rights
• You can control access to NPS by placing the system in a secured location such as a data
center.
• You control the access to the NPS database, objects, and tasks on the system by
managing the NPS database user accounts that can establish SQL connections to the
system. By default, the database user who creates an object is the owner of the object
unless the person who creates the object specifies a different database user.
• Linux accounts allow users to log in to the NPS server at the operating system level, but
they cannot access the NPS database using SQL.
• You can control access to the Cloud Pak for Data System where NPS is deployed by
following the guidelines recommended for Cloud Pak for Data System usage.
7.2. Separation of duties
NPS recommends that you develop an access model for your NPS system. An access model is a
profile of the users who require access to the NPS and the permissions or tasks that they will
need.
7.3. Database Administrators
As the database admin user, you can create other database users and groups to grant and manage
access to the objects (such as databases, tables, and views) and administration tasks (such as
creating or dropping tables, deleting rows, and creating users).
For more information, see: Performance Server database users, groups, and roles.
7.4. Privileged administrators
The default admin user account is a powerful database super-user account. Use the admin
account only when necessary; IBM recommends that you create an administration group that
reflects an appropriate set of permissions and capabilities (See: Creating an administrative user
group).
The NPS security model is a combination of administrator privileges granted to users and/or
groups, object privileges associated with specific objects (for example: table xyz) and classes of
objects (for example: all tables). You need administrative privileges to take data outside of NPS.
For more about Netezza Performance Server administration, see: Administration overview.
7.5. User Management via external enterprise Microsoft Windows Active Directory / LDAP server
The default local user management feature is for getting started quickly and may not be suitable
for meeting all the compliance requirements for user management. Hence, after the initial setup
of NPS, it is strongly recommended to use an enterprise-level LDAP provider for user management.
The NPS system supports LDAP authentication for container authentication and database user
authentication. The authentication process is described in IBM documentation: LDAP
authentication.
The NPS system also supports Kerberos authentication for database users, as described in IBM
Documentation.
7.6. Netezza Performance Server access
• It is recommended to use the NPS web console via the https protocol for more secure operation,
and to reduce usage of the CLI.
• Container access via port 51022 should be restricted to specific administrative users.
• As a best practice, avoid using the root user for ssh into the NPS host container.
Always use nz or an equivalent user for host access via ssh.
7.7. Local User Password Policy
A password policy sets certain standards for passwords, such as password complexity and the
rules for changing passwords. A password policy minimizes the inherent risk of using passwords
by ensuring that they meet adequate complexity standards to thwart brute force attacks.
When LDAP authentication is enabled, the LDAP user's password is managed by the LDAP
administrator as per enterprise policy standards.
For local user authentication, password changes are applied as described in the Password
expiration settings.
On the client side, encryption of the password using nzpassword can be applied as explained in
local user password encryption.
It is recommended to change the default passwords for default users such as nz, admin, and root
using the standard Netezza password change procedure.
8. Network Access Control
8.1. Netezza Clients Authentication
Netezza Performance Server supports restricting communication to a specific host/IP
address or subnet: when a connection is added for a specific IP or subnet, the NPS server can be
accessed only from the defined connections, as explained in the section Configure the Netezza host for client authentication.
It is highly recommended to use the connection functionality to allow or deny access to the
specific hosts from which the database applications are executed.
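An added example, not part of the original white paper and not IBM code: a Python audit of connection records against the guidance in sections 5.2 and 8.1 (external clients use SSL; access is limited to specific hosts or subnets). The record layout, the sample rows, the trusted networks, the function names and the assumed meaning of the record types (host = SSL or plain, hostssl = SSL only, hostnossl = plain only) are all assumptions made for the illustration.

```python
import ipaddress

# Constructed sample, not taken from a real system. The pipe-delimited layout
# (id, type, database, address, mask, auth method) is an assumption about how
# the connection records are listed.
SAMPLE_RECORDS = """\
CONNID | CONNTYPE  | CONNDB | CONNIPADDR   | CONNIPMASK      | CONNAUTH
1      | local     | all    |              |                 | trust
2      | host      | all    | 127.0.0.1    | 255.255.255.255 | md5
3      | host      | all    | 0.0.0.0      | 0.0.0.0         | md5
4      | hostssl   | sales  | 203.0.113.0  | 255.255.255.0   | sha256
5      | hostnossl | all    | 10.20.0.0    | 255.255.0.0     | sha256
6      | hostnossl | etl    | 198.51.100.7 | 255.255.255.255 | sha256
7      | hostssl   | all    | 0.0.0.0      | 0.0.0.0         | sha256
"""

# Hypothetical address ranges treated as "inside the firewall".
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Assumed record types that permit an unencrypted session.
PLAINTEXT_CAPABLE = {"host", "hostnossl"}


def parse_records(text):
    """Turn the pipe-delimited listing into a list of dicts keyed by header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip().lower() for h in lines[0].split("|")]
    records = []
    for ln in lines[1:]:
        cells = [c.strip() for c in ln.split("|")]
        if len(cells) != len(header):
            raise ValueError(f"malformed record: {ln!r}")
        records.append(dict(zip(header, cells)))
    return records


def record_network(rec):
    """Return the source network a record matches, or None for local records."""
    if rec["conntype"].lower() == "local" or not rec["connipaddr"]:
        return None
    # strict=False tolerates an address with host bits set under the mask.
    return ipaddress.ip_network(
        f"{rec['connipaddr']}/{rec['connipmask']}", strict=False)


def is_internal(net):
    """True when every address the record matches lies in a trusted network."""
    return any(net.subnet_of(trusted) for trusted in TRUSTED_NETWORKS)


def audit(records):
    """Return (connid, finding) pairs for records that break the guidance."""
    findings = []
    for rec in records:
        net = record_network(rec)
        if net is None:
            continue
        # Section 8.1: access should be limited to specific hosts or subnets.
        if net.prefixlen == 0:
            findings.append((rec["connid"], "unrestricted-source"))
        # Section 5.2: clients outside the firewall should use SSL.
        if rec["conntype"].lower() in PLAINTEXT_CAPABLE and not is_internal(net):
            findings.append((rec["connid"], "plaintext-allowed-external"))
    return findings


if __name__ == "__main__":
    for connid, finding in audit(parse_records(SAMPLE_RECORDS)):
        print(f"record {connid}: {finding}")
```

Record 3 is flagged twice because it both matches any source address and accepts plain connections; record 7 is SSL-only but still open to any source.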
8.2. Network setup and DNS update
Network setup and DNS setup should follow the Installation Guide, or you can
contact the IBM Support team for updates.
9. Security information and event management (SIEM) support
At a high level, audit logging provides accountability, traceability, and regulatory compliance
regarding access to and modification of data. Enterprises are often subject to industry
requirements for regulatory auditing compliance. NPS, along with the Cloud Pak for Data
System platform, has functionality to integrate with an external enterprise log server such as
IBM QRadar.
9.1. Activity logs
All major software components that run on the host machine have an associated log. In addition,
query history captures user activity information on the system, such as the queries that are run,
query plans, table access, column access, session creation, and failed authentication requests.
For more information, see:
• System logs
• Advanced query history
9.2. Privacy and Compliance management
Data privacy is generally focused on the use and governance of personal data and personally
identifiable information. It might include putting policies in place to ensure that personal
information is being collected, shared, and used in appropriate ways.
Compliance is a systematic approach to governance designed to ensure that an institution meets
its obligations under applicable laws, regulations, best practices and standards, contractual
obligations, and institutional policies.
Clients are responsible for ensuring their own readiness for the laws and regulations that apply.
Clients are solely responsible for obtaining advice of competent legal counsel as to the
identification and interpretation of any relevant laws and regulations that may affect the
clients' business, and any actions the clients might need to take to comply with such laws and
regulations.
The products, services, and other capabilities described herein are not suitable for all client
situations and might have restricted availability. IBM does not provide legal, accounting, or
auditing advice or represent or warrant that its services or products will ensure that clients are
ready for any law or regulation.
Netezza Performance Server supports the following security and privacy compliance assessments:
• The General Data Protection Regulation (GDPR)
• Defence Information Systems Agency (DISA) - Security Technical Implementation
Guide – (DISA-STIG)
9.2.1. GDPR
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and
privacy in the European Union and the European Economic Area. GDPR establishes a stronger
data protection regulatory framework for processing of personal data of individuals.
Clients are responsible for ensuring their own readiness for the laws and regulations, including the
European Union General Data Protection Regulation. See NPS Data consideration for GDPR
readiness.
9.2.2. DISA-STIG
The Defense Information Systems Agency (DISA) Security Technical Implementation Guide
(STIG) provides technical guidance to 'lock down' information systems/software that might
otherwise be vulnerable to a malicious computer attack. Federal and financial
customers would be required to meet STIG compliance in an enterprise operation.
The Netezza Performance Server and the Cloud Pak for Data System platform on which NPS
runs support enabling STIG compliance. It is recommended that customers enable STIG
compliance for both NPS and the platform and scan with the Nessus scanner for compliance.
For more details regarding enabling STIG compliance, see the following:
• STIG compliance for NPS
• STIG compliance for Cloud Pak for Data System
10. References
1. Cloud Pak for Data System v1.0 Security Insights
https://community.ibm.com/community/user/cloudpakfordata/viewdocument/security-whitepaper-on-cloud-pak-fo?CommunityKey=c0c16ff2-10ef-4b50-ae4c-57d769937235&tab=librarydocuments
2. IBM Redbooks: Security in Development - The IBM Secure Engineering Framework
https://www.redbooks.ibm.com/redpapers/pdfs/redp4641.pdf
3. Security Guidelines for Storage Infrastructure and media sanitization.
https://csrc.nist.gov/publications/detail/sp/800-209/final
https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
4. Best Practices for Ensuring Impenetrable Data Warehouse Security
https://datawarehouseinfo.com/data-warehouse-security/
11. Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products,
services, or features discussed in this document in other countries. Consult your local IBM representative for
information on the products and services currently available in your area. Any reference to an IBM product,
program, or service is not intended to state or imply that only that IBM product, program, or service may be used.
Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right
may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM
product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The
furnishing of this document does not give you any license to these patents. You can send license inquiries, in
writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are
inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS"
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.
Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore this
statement might not apply to you. This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be incorporated in new editions of the
publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any
manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials
for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual
use of the information which has been exchanged, should contact:
IBM Corporation 2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases payment
of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM
under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent
agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results
obtained in other operating environments may vary significantly. Some measurements may have been made on
development-level systems and there is no guarantee that these measurements will be the same on generally
available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results
may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm the
accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the
capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice and
represent goals and objectives only. All IBM prices shown are IBM's suggested retail prices, are current and are
subject to change without notice. Dealer prices may vary. This information is for planning purposes only. The
information herein is subject to change before the products described become available. This information contains
examples of data and reports used in daily business operations. To illustrate them as completely as possible, the
examples include the names of individuals, companies, brands, and products. All of these names are fictitious and
any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
COPYRIGHT LICENSE
This information contains sample application programs in source language, which illustrate programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any
form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the sample
programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot
guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute
these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or
distributing application programs conforming to IBM's application programming interfaces.
Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as
follows:
© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright
IBM Corp. _enter the year or years_. All rights reserved.
If you are viewing this information in softcopy form, the photographs and color illustrations might not be
displayed.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM
or other companies. A current list of IBM trademarks is available on the Web at Copyright and trademark
information at ibm.com/legal/copytrade.shtml.
Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of
Adobe Systems Incorporated in the United States, other countries, or both. IT Infrastructure Library is a registered
trademark of the Central Computer and Telecommunications Agency which is now part of the Office of
Government Commerce. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo,
Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel
Corporation or its subsidiaries in the United States and other countries. Linux is a trademark of Linus Torvalds in
the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are
trademarks of Microsoft Corporation in the United States, other countries, or both. ITIL is a registered trademark,
and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent
and Trademark Office. UNIX is a registered trademark of The Open Group in the United States and other
countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or
its affiliates. Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States,
other countries, or both and is used under license therefrom. Linear Tape-Open, LTO, the LTO Logo, Ultrium, and
the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.
Statement of Good Security Practices
IT system security involves protecting systems and information through prevention, detection and response to
improper access from within and outside your enterprise. Improper access can result in information being altered,
destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in
attacks on others. No IT system or product should be considered completely secure and no single product, service
or security measure can be completely effective in preventing improper use or access. IBM systems, products and
services are designed to be part of a comprehensive security approach, which will necessarily involve additional
operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT
WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE
YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
© International Business Machines Corporation 2021
International Business Machines Corporation
New Orchard Road
Armonk, NY 10504
Produced in the United States 06-20
All Rights Reserved
References in this publication to IBM products and services do not imply that IBM intends to make them available in all countries in which
IBM operates.