Secure deployment considerations

When you deploy the ISAM appliance, consider the following points.

• The Security Verify Access embedded user registry should only be used in the following scenarios:
  • Proof of Technology deployments

  • Deployments with a low number ISAM users (< 5000)
  • When using federated directories with the ISAM basic user feature

• Choose the suitable Security Verify Access user authentication mode for the environment.
  • Use basic user for all scenarios unless GSO lock-box, user based ACLs, or account-valid/password-valid features are required.

  • Only use the full user model if basic user is not suitable. Basic user only supports minimal mode.

• The appliance has management and application interfaces. Network separation between the management and application interfaces must be maintained.
• Any Security Verify Access web reverse proxies that are hosted in the corporate DMZ network zone should be configured as restricted nodes.
• The ISAM appliance that hosts the Policy Server component should be hosted in a secure network zone and not exposed to the internet.

• If the embedded user registry is used, it should be hosted on the same appliance as the Security Verify Access Policy Server in a secure network zone. The embedded user registry port (636) should not be routable from the internet.
• Security Verify Access clustering is recommended to provide a highly available solution. Two ISAM appliances performing the primary and secondary roles respectively should be used. These should be hosted in the secure network zone with ISAM runtime replication enabled.

• If advanced authentication/authorization is required, the ISAM authentication service in the Advanced Access Control (AAC) component should be used. This should be hosted on the ISAM primary and secondary appliances in the secure network zone. This service should not be routable from the internet.
• Second factor or multi-factor authentication should be considered to increase assurance of user identity.
• Enable Network Time Protocol (NTP) on all appliances to synchronize the time correctly. This is to ensure the appliance works correctly with distributed components.
• Do not use self-signed certificates for any public facing services. Always obtain certificates issued by an appropriate certificate authority.
• All non-TLS communication should be disabled:

  • Only use port 636 for LDAP communication.

  • Only use HTTPS 443 application interfaces.

  • Only use TLS for junction communication.

• Enable the ISAM Web Application Firewall (WAF) feature on all appliances hosting the ISAM reverse proxy.
• Session affinity should be enabled between all Security Verify Access components for performance and scalability reasons.
• The Security Verify Access Distributed Session Cache (DSC) or failover cookie should be used to provide a highly available solution across multiple reverse proxy instances.

• If the DSC is deployed, it should be hosted in the secure network zone.
• Configure the reverse proxy cookie jar feature to prevent application cookies from being returned to clients unnecessarily.
• Connection pooling for junctions should be enabled to optimize performance of the solution. This capability is disabled by default.
• FIPS should be enabled if appropriate.
• Enable these security headers in the reverse proxy configuration:
  • strict-transport-security
  • content-security-policy

• Minimize access to unauthenticated resources using standard Security Verify Access ACL policy.
• Host the ISAM runtime database on an external Database. This database is used for federation and/or AAC features. The runtime database should be hosted in a secure network zone and should not be routable from the internet.
• Use a highly available solution for the external Security Verify Access runtime database. This service is critical to ISAM operation.
• Best practice is to use the ISAM REST APIs for automated deployment to allow:
  • Rapid recovery
  • Consistent and repeatable deployment configuration

• Don’t use Basic Authentication (BA) for authentication to ISAM REST APIs when automating deployment and management of the ISAM appliance. Certificate authentication should be used.
• Standard network security guidelines should be applied. Network access and administrative credentials to the appliance should only be available to authorized administrators on appropriate networks.
• Minimize on-board storage of logs by configuring remote syslog to store log and audit archives in a protected network zone. A separate logging server/service should be used to store logs.
• An appropriate patch process should be implemented to:
  • Subscribe to, and monitor IBM support site for ISAM appliance patches
  • Apply all patches promptly when released

• Set the sps.setCookiesAsSecure parameter to Secure to flag the cookies set by ISAM.

Parent topic: Product overview