Showing posts with label security. Show all posts

Friday, March 15, 2024

Authentication for your IBM Cloud Code Engine functions

Protect your Code Engine functions
How can we protect an API function implemented as an IBM Cloud Code Engine function? This was one of the questions I recently answered. It is a common question when migrating from IBM Cloud Functions to Code Engine. Cloud Functions offer some basic security to protect against unauthorized calls. Code Engine and its functions are designed for greater flexibility, and hence you have to deal with authentication yourself. Here is a simple solution.
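One way to do this, as an added example that is not the post's own solution: the function checks a shared secret sent as a bearer token before doing any work. The example assumes (from the Code Engine documentation) that a Python function receives the request headers in params["__ce_headers"], and it hard-codes a demo secret so it runs offline; in a real deployment the secret comes from a Code Engine secret mounted as an environment variable.

```python
import hmac
import os

# Assumption for this example: the shared secret is injected via a Code Engine
# secret as an environment variable. The fallback value exists only so the
# example runs offline; never ship a default secret in real code.
FUNCTION_SECRET = os.environ.get("FUNCTION_SECRET", "s3cr3t-demo-token")


def extract_bearer(headers):
    """Return the token from an 'Authorization: Bearer <token>' header, or None.

    Header names are matched case-insensitively; any other scheme is rejected.
    """
    auth = None
    for name, value in headers.items():
        if name.lower() == "authorization":
            auth = value
            break
    if not auth:
        return None
    scheme, _, token = auth.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def is_authorized(headers, secret=None):
    """Compare the presented token with the secret in constant time."""
    secret = FUNCTION_SECRET if secret is None else secret
    token = extract_bearer(headers)
    if token is None:
        return False
    # hmac.compare_digest does not short-circuit on the first differing byte,
    # so the comparison time leaks nothing about how much of the token matched.
    return hmac.compare_digest(token.encode("utf-8"), secret.encode("utf-8"))


def main(params):
    """Code Engine function entry point.

    Assumption: Code Engine passes the HTTP request headers as a dict in
    params['__ce_headers'] (name taken from the Code Engine function docs).
    """
    headers = params.get("__ce_headers") or {}
    if not is_authorized(headers):
        # Fail closed: no details about why the check failed.
        return {
            "statusCode": 401,
            "headers": {"WWW-Authenticate": "Bearer"},
            "body": "unauthorized",
        }
    return {"statusCode": 200, "body": {"message": "hello, authorized caller"}}


if __name__ == "__main__":
    print(main({"__ce_headers": {"Authorization": "Bearer " + FUNCTION_SECRET}}))
    print(main({"__ce_headers": {"Authorization": "Bearer nope"}}))
```

A shared secret is the simplest scheme; the same entry-point structure works for validating an IAM token instead, with is_authorized swapped for a token check.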

Thursday, January 25, 2024

Tutorial on cloud end-to-end security - an overview

Cloud solution architecture

Recently, my team updated our tutorial on applying end-to-end security to a cloud application. The tutorial features a typical app with an attached NoSQL database and object storage. Moreover, it leverages other services for increased security and to provide observability. Even better, all components can be automatically deployed, including a Tekton-based delivery pipeline. In this blog post, I am going to provide an overview and discuss some implementation details.

Wednesday, October 4, 2023

Blog series on cloud security and account cleanup

Cleaning up unused cloud privileges

Regular account cleanup is part of account administration and security best practices, not just for cloud environments. So it is great when your cloud provider offers functionality to analyse the security setup and to detect unused (inactive) identities and privileges in your account. Over the past year, I looked at those features and thereby created a mini series on cloud security and account cleanup. Here is an overview.

Wednesday, July 5, 2023

Trusted Contexts for enhanced security: Both in Db2 and IBM Cloud

Security feature in action: Trusted Profile

I trust you to know my old blog post about trusted contexts. Some years ago, I explained how to secure your Db2 database using trusted contexts. By establishing a trusted relationship based on specified attributes, the Db2 feature of a trusted context allows you to switch to another user ID or role, typically with more associated privileges. It is a great security tool to limit direct user privileges and still allow a user to perform tasks requiring more privileges.

Tuesday, May 9, 2023

Decode JWTs in bash

Today, it is once again time for one of those "let's document it" blog posts. Lately, I looked into one of the IBM Cloud security features, trusted profiles based on compute resources. I described how to turn your container into a trusted identity. For developing code locally, I needed to copy over files from the Kubernetes pods to my local machine, then decode JWT access tokens, all using the command line. Here is what I did.
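The decoding step, as an added example in Python rather than the post's bash one-liners (this is not the post's own code): a JWT is three base64url segments separated by dots, and base64url drops the "=" padding, so the padding has to be restored before decoding. Decoding only reveals the claims; it does not verify them, so the example also includes an HS256 verification that pins the algorithm instead of trusting the token's "alg" header. The sample token is the well-known jwt.io example, embedded here as constructed input; the minting helper exists only to build offline test inputs.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample (the jwt.io example token): header {"alg":"HS256","typ":"JWT"},
# payload {"sub":"1234567890","name":"John Doe","iat":1516239022}.
SAMPLE_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_decode(segment):
    """JWT segments are base64url without '=' padding; restore it, then decode."""
    data = segment.encode("ascii")
    data += b"=" * (-len(data) % 4)
    return base64.urlsafe_b64decode(data)


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token):
    """Return (header, payload) as dicts.

    This only decodes. The signature is NOT checked here, so treat the
    claims as untrusted input until verify_hs256 (or the issuer's JWKS) says otherwise.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def verify_hs256(token, key):
    """Recompute HMAC-SHA256 over 'header.payload' and compare in constant time.

    The expected algorithm is fixed by the verifier, never taken from the token,
    which closes the classic 'alg: none' / algorithm-confusion hole.
    """
    head_b64, body_b64, sig_b64 = token.split(".")
    header, _ = decode_jwt(token)
    if header.get("alg") != "HS256":
        return False
    signing_input = f"{head_b64}.{body_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def encode_hs256(payload, key):
    """Mint an HS256 token. Used here only to construct offline test inputs."""
    header = {"alg": "HS256", "typ": "JWT"}
    head_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{head_b64}.{body_b64}.{b64url_encode(sig)}"


def is_expired(token, now=None, leeway=0):
    """True if the 'exp' claim (seconds since epoch) lies in the past.

    'leeway' absorbs small clock skew between issuer and consumer.
    """
    _, payload = decode_jwt(token)
    if "exp" not in payload:
        return False
    now = time.time() if now is None else now
    return now > payload["exp"] + leeway


if __name__ == "__main__":
    hdr, body = decode_jwt(SAMPLE_JWT)
    print(json.dumps(hdr, indent=2))
    print(json.dumps(body, indent=2))
```

For tokens signed with RS256 (the usual case for IAM access tokens) the same decode step applies, but verification needs the issuer's public key, not a shared secret.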

Friday, March 24, 2023

Analyze your IBM Cloud access management setup

ER diagram for cloud security data
Recently, I looked into how to analyze the access management setup of my IBM Cloud account. I wanted to better understand what kind of access policies exist, what service instances are covered by rules and policies, etc. In the past, I have shared with you how to get insights into IBM Cloud account privileges or how to improve security by identifying inactive identities. This time, I looked across the existing APIs to obtain identity and access management (IAM) and resource data. I retrieved, then analyzed that security data. With these insights, it is possible to improve security for your IBM Cloud account and its resources.
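The analysis step on a small constructed data set, as an added example that is not the post's own code: the input is shaped like the IAM Policy Management API "list policies" response (policies with subjects, roles and resource attributes), which in practice comes from GET https://iam.cloud.ibm.com/v1/policies?account_id=... with an IAM token; the identifiers and CRNs below are invented for the example. It flattens each policy and flags the ones that grant Administrator with no resource scoping beyond the account.

```python
# Constructed sample shaped like the IAM Policy Management API v1 response.
# All ids, IAM ids and CRN values are made up for this example.
SAMPLE_POLICIES = {
    "policies": [
        {
            "id": "pol-001", "type": "access",
            "subjects": [{"attributes": [{"name": "iam_id", "value": "IBMid-demo-alice"}]}],
            "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Administrator"}],
            "resources": [{"attributes": [{"name": "accountId", "value": "acct-demo"}]}],
        },
        {
            "id": "pol-002", "type": "access",
            "subjects": [{"attributes": [{"name": "access_group_id",
                                          "value": "AccessGroupId-demo-devs"}]}],
            "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Viewer"},
                      {"role_id": "crn:v1:bluemix:public:codeengine::::serviceRole:Writer"}],
            "resources": [{"attributes": [{"name": "accountId", "value": "acct-demo"},
                                          {"name": "serviceName", "value": "codeengine"}]}],
        },
        {
            "id": "pol-003", "type": "access",
            "subjects": [{"attributes": [{"name": "iam_id", "value": "iam-ServiceId-demo-ci"}]}],
            "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Administrator"}],
            "resources": [{"attributes": [{"name": "accountId", "value": "acct-demo"},
                                          {"name": "resourceGroupId", "value": "rg-demo"}]}],
        },
    ]
}

# Resource attributes other than the account id narrow a policy's scope.
SCOPING_ATTRIBUTES = {"serviceName", "serviceInstance", "resourceGroupId",
                      "resourceType", "resource", "region"}


def attrs(attr_list):
    """Turn [{'name': n, 'value': v}, ...] into a plain dict."""
    return {a["name"]: a["value"] for a in attr_list}


def role_name(role_id):
    """'crn:...:role:Administrator' -> 'Administrator'."""
    return role_id.rsplit(":", 1)[-1]


def summarize_policy(policy):
    """Flatten one policy into the fields the analysis needs."""
    subject = attrs(policy["subjects"][0]["attributes"])
    resource = attrs(policy["resources"][0]["attributes"])
    return {
        "id": policy["id"],
        "subject": subject.get("iam_id") or subject.get("access_group_id"),
        "subject_kind": "access_group" if "access_group_id" in subject else "identity",
        "roles": sorted(role_name(r["role_id"]) for r in policy["roles"]),
        "service": resource.get("serviceName", "*"),   # no serviceName = all services
        "account_wide": not (SCOPING_ATTRIBUTES & resource.keys()),
    }


def find_broad_admin(policies):
    """Ids of policies granting Administrator on the whole account."""
    return [s["id"] for s in map(summarize_policy, policies["policies"])
            if "Administrator" in s["roles"] and s["account_wide"]]


def policies_by_subject(policies):
    """subject -> list of (service, roles), for a per-identity privilege overview."""
    out = {}
    for s in map(summarize_policy, policies["policies"]):
        out.setdefault(s["subject"], []).append((s["service"], s["roles"]))
    return out


if __name__ == "__main__":
    print("account-wide Administrator:", find_broad_admin(SAMPLE_POLICIES))
    for subject, grants in policies_by_subject(SAMPLE_POLICIES).items():
        print(subject, grants)
```

The same flattening is the natural first step before loading the data into a relational model (the ER diagram above) and joining it against resource and identity data.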

Tuesday, October 25, 2022

Things I learned at IDUG on JSON Web Token support in Db2

JSON Web Token support in Db2
Right now, I am at the IDUG 2022 EMEA Db2 Tech Conference in Edinburgh, Scotland. It's great to have an in-person event again, to network and to discuss. This year, there are many sessions covering Db2 security and they are well-attended. Database security seems to be (more) popular, now. In the past, I have blogged about JSON Web Tokens (JWT) and Db2. They allow a Single Sign-On (SSO) integration of Db2.

Tuesday, September 6, 2022

New IBM Cloud security features you should know

Custom role for operating Code Engine
Cybersecurity is always in a state of change. There are new security features and new attack methods - or was it the other way? Over the past months, several new security features were added to IBM Cloud. In this blog post, I want to quickly describe them and point you to IBM Cloud blog posts where I discuss them in greater detail.

Wednesday, April 6, 2022

Required IAM privileges for a service ID to update Code Engine app

Remember the steps
This blog post today is one of those written for me. In the past I have stated a couple of times that I use this blog to remember things. Today, it is about setting up IBM Cloud IAM privileges for a service ID. That service ID needs to build a new container image, then update an existing Code Engine app.

Wednesday, February 23, 2022

Get certified for IBM Cloud, new certifications available

This week, I completed another certification: I passed the IBM Cloud Security Engineer exam. It is a natural step when you consider that many of my IBM Cloud blog posts are about security-related topics.

In this blog post, I want to give you a quick overview of IBM Cloud certifications and which topics are covered by the IBM Cloud Security Engineer certification.

Monday, January 31, 2022

Simple, quick and secure cloud onboarding for workshops and hackathons

Create an external Identity Provider
Short-lived projects like hackathons or workshops often have the following characteristics:

  • similar privileges for everyone on the project,
  • only few IAM (Identity and Access Management) roles,
  • simple administration (setup, running it, cleanup) preferred over the tightest security.

Additionally, such projects often are repeated with similar setup, but other participants. So, how do you onboard them efficiently and securely?

With that question in mind, I published two blog posts on the IBM side along with code on GitHub:

The articles utilize features and services like access groups and trusted profiles, external identity providers based on IBM Cloud App ID. The code is in Terraform and Python for full automation where possible. Enjoy.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.

Wednesday, July 28, 2021

Password expiration and vacation planning

Ready for vacation: Passwords
The months of July and August are typical vacation times. Many people work with an (at least mental) packing list to prepare for some time off. On my list are passwords. I can relax knowing that no password will expire while I am away. The reason is that for some systems it is a big hassle to reset expired passwords or accounts. Thus, I prepare my accounts for vacation.

Monday, July 26, 2021

How to connect from Python to Db2


One of the recurring questions I have seen is "how to connect from Python to Db2". I have blogged about Python and Db2 a couple times before. Recently, the question has been popping up again more frequently. From my view, the increased security with mandatory SSL/TLS encryption and the use of Python-based Jupyter notebooks for data science and AI / ML projects are the drivers behind that increase. Moreover, there is Db2 on-premises and the Db2 on Cloud / Db2 Warehouse on Cloud plus container-based offerings. Today, I am trying to sort this out and answer that question. Again.... :)

Tuesday, July 20, 2021

Cloud Security: BYOK vs. KYOK explained

Keep and bring your own key
When talking about cloud security and key management systems (KMS) for data encryption, we often hear the terms BYOK and KYOK. But what do they mean and what is the difference? Let me try to explain in this quick write-up. BYOK stands for "bring your own key" and refers to the ability to import an existing - your own - encryption root key into a (cloud-based) key management system.

Monday, July 12, 2021

Cloud-based HSM with PKCS #11 for Db2 Native Encryption

Manage your encryption keys
When using Db2 databases, there are different ways to encrypt the stored data (data at rest). One of them is to use the built-in feature, Db2 native encryption. It supports three kinds of keystores: a local keystore file, or a centralized key management system (KMS) based on either the KMIP or the PKCS #11 protocol.

Today, I want to point you to a tutorial in the IBM Cloud documentation. It discusses using Hyper Protect Crypto Services PKCS #11 for Db2 native encryption.

Friday, May 28, 2021

IBM Cloud: Send out alert emails using SMTP

Last year, I blogged about how to use Slack or email notifications for IBM Cloud security issues. Now I have added another code sample, showing how to send out notification emails using any SMTP server. The code is written in Python and Node.js and deployed as an IBM Cloud Functions-based webhook. The core part in charge of connecting to an SMTP email server and sending the email is isolated as a dedicated action. Thus, it is possible to use it on its own, e.g., to send out emails unrelated to the IBM Cloud Security & Compliance Center.

Thursday, May 13, 2021

Wireshark with Lua on RHEL / CentOS

Wireshark with Lua-based dissector

What do you do on a rainy public holiday with COVID19 restrictions in place? Finally get Wireshark to work with Lua support to have custom dissectors. Dissectors are useful to turn binary garbage into readable TCP or UDP packet content. Lua is a scripting language and a supported way of adding dissectors to Wireshark. Unfortunately, the install package for Red Hat Enterprise Linux does not include Lua support. Compiling Wireshark on my RHEL 8.3 system does not simply work either, because my scripts require Lua version 5.2, and RHEL ships either version 5.3 or 5.1, both of which are incompatible (long story). So, let's get going.

Friday, March 5, 2021

Pseudo-decorators for my Python Flask app

Secured Python Flask app on Code Engine
Recently, I migrated an existing Python app from a Cloud Foundry to an IBM Cloud Code Engine deployment. The Flask app uses decorators for the routes and for OIDC-based authentication. For usability, the app should start up even when nothing is configured yet and the OIDC decorators are therefore invalid. It required some, IMHO, tricky coding.
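The pattern behind that trick, as an added example that is not the post's own code: the route is decorated at import time with a placeholder that defers to the real authentication decorator only when the route is actually called, so the module loads (and the app can serve a setup page) before OIDC is configured. Flask and flask_oidc are left out so the example runs offline; the "require_login" stand-in below is constructed and checks a token in a plain dict instead of a session cookie.

```python
import functools


class DeferredDecorator:
    """Placeholder for a decorator whose real implementation arrives later.

    Decorating with it never fails at import time. Until configure() is
    called, decorated functions fail closed with a 503-style response
    instead of raising or, worse, running unprotected.
    """

    def __init__(self, name):
        self.name = name
        self._real = None      # the real decorator, e.g. oidc.require_login
        self._wrapped = {}     # func -> func wrapped by the real decorator

    def configure(self, real_decorator):
        self._real = real_decorator
        self._wrapped.clear()  # re-wrap everything with the new implementation

    def __call__(self, func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            if self._real is None:
                return 503, f"{self.name} is not configured"
            if func not in self._wrapped:
                self._wrapped[func] = self._real(func)
            return self._wrapped[func](*args, **kwargs)
        return wrapper


# Declared once at import time; configured later, after the app reads its settings.
require_login = DeferredDecorator("OIDC login")


@require_login
def profile(session):
    """Stand-in for a Flask route: returns (status, body) instead of a Response."""
    return 200, f"hello {session['user']}"


def make_login_decorator(valid_tokens):
    """Constructed stand-in for flask_oidc's require_login (assumption: it only
    has to reject requests whose session token is unknown)."""
    def require(func):
        @functools.wraps(func)
        def inner(session, *args, **kwargs):
            if session.get("token") not in valid_tokens:
                return 401, "login required"
            return func(session, *args, **kwargs)
        return inner
    return require


if __name__ == "__main__":
    print(profile({"user": "alice", "token": "t1"}))       # (503, ...) before configuration
    require_login.configure(make_login_decorator({"t1"}))
    print(profile({"user": "alice", "token": "bad"}))      # (401, 'login required')
    print(profile({"user": "alice", "token": "t1"}))       # (200, 'hello alice')
```

The important property is that the unconfigured state denies access rather than skipping the check; a placeholder that simply passes the call through would turn a missing configuration into an open endpoint.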

Monday, March 1, 2021

JWT token authentication in Db2 runtimes like Python or Node.js

Python script connecting to Db2 with JWT
Some weeks ago I discussed how to configure JWT-based token authentication in Db2. I set up Db2 to accept JWS identity tokens and then connected to my test database using the command line. But how do you connect from a programming language like Python or Node.js? Here is what I needed.

Monday, January 18, 2021

Follow-up to Db2 and JWT: What is JOSE...?

JWT: Encoded or decoded security claims
Last week, I wrote about Db2 support for JSON Web Tokens (JWT). Today, I have a small follow-up with some reading material on JWT and related topics like JOSE, JWS, JWK as well as OAuth and OpenID Connect.

Some JWT history and standards

The first draft for JSON Web Tokens, JWTs, is already 10 years old. It is from December 2010. The early draft states: