Secure environment practices

These practices can help ensure a secure IBM Security Identity Manager environment.

| Given sensitive data in these areas | Ensure that these practices occur |
|---|---|
| Database data | Restrict operating system access to database files. Limit the privileges of the operating system accounts (administrative, root-privileged, or DBA) to the least privileges needed. Change the default passwords. Enforce periodic password changes. |
| Database logs | Restrict operating system access to log and trace files. Limit the privileges of the operating system accounts (administrative, root-privileged, or DBA) to the least privileges needed. Change the default passwords. Enforce periodic password changes. |
| Database backups | Store database backups at safe and secure locations. Guard against leaks or exposure of sensitive and confidential information. |
| LDAP data | Securely handle any LDAP data that contains sensitive information. Secure handling includes disabling anonymous read, enabling SSL, and restricting access to privileged and authorized operating system and application users. |
| LDAP logs | Restrict access to log files in the log directory of the directory server to privileged and authorized operating system and application users. This restriction is especially important if you enable audit logging for the directory server. |
| LDAP backups | If LDIF files contain sensitive information, store them safely and handle them securely. |
| IBM Security Identity Manager logs | If Security Identity Manager logs in the path/ibm/tivo../../common/CTGIM directory contain sensitive information, restrict access to them. |
| Directories under ISIM_HOME | If the data, configuration, and installation logs contain sensitive information, restrict access to the directories in ISIM_HOME. |
| Network traffic | Restrict network traffic to what is required by the deployment. If you write your own application and use an ISIM API to retrieve sensitive data, encrypt the data before you send it over the network. |
| WebSphere Application Server security | Enable security on WebSphere Application Server and disallow running WebSphere Application Server with a non-root account. |
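
The file-system rows above (database files, log and trace files, backups, LDIF files, the directories under ISIM_HOME) share one check: no account other than the owning one should have access. The following shell script is an added example, not IBM code; the owner account and the paths are supplied by the operator as arguments, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not IBM code): audit directories that hold database files,
# LDAP/ISIM logs, LDIF exports or backups for access beyond the owning account.
# Usage (account and paths are yours to supply): sh audit.sh OWNER PATH...

# Entries under $1 that grant any permission bit to "other".
# Symbolic links are skipped: their own mode is always rwxrwxrwx.
world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null
}

# Entries under $1 not owned by account $2 (a user name or numeric UID).
wrong_owner() {
    find "$1" ! -type l ! -user "$2" -print 2>/dev/null
}

# Print each entry read from stdin with the finding text in $1.
report() {
    while IFS= read -r entry; do printf 'FAIL  %s: %s\n' "$1" "$entry"; done
}

# Audit $1 for owner $2. Returns 0 = clean, 1 = findings, 2 = not scanned.
audit_location() {
    if [ ! -e "$1" ]; then
        printf 'SKIP  %s does not exist\n' "$1"; return 2
    fi
    # A failed find (unknown owner, unreadable subdirectory) must not look clean.
    if ! open=$(world_accessible "$1") || ! foreign=$(wrong_owner "$1" "$2"); then
        printf 'ERROR %s could not be scanned completely\n' "$1"; return 2
    fi
    status=0
    if [ -n "$open" ]; then
        printf '%s\n' "$open" | report 'accessible to other users'; status=1
    fi
    if [ -n "$foreign" ]; then
        printf '%s\n' "$foreign" | report "not owned by $2"; status=1
    fi
    [ "$status" -ne 0 ] || printf 'OK    %s\n' "$1"
    return "$status"
}

# Run the audit only when an owner and at least one path are given.
if [ "$#" -ge 2 ]; then
    owner=$1; shift; rc=0
    for dir in "$@"; do audit_location "$dir" "$owner" || rc=1; done
    exit "$rc"
fi
```

The script exits non-zero when any location has findings or could not be scanned, so it can run from a scheduled job that alerts on failure.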
