IBM App Connect Professional (software) Considerations for GDPR Readiness
Information about features of IBM® App Connect Professional that you can configure, and aspects of the product's use, that you should consider to help your organization with GDPR readiness.
Notice:
This document is intended to help you in your preparations for GDPR readiness. It provides information about features of IBM Integration Bus that you can configure, and aspects of the product's use, that you should consider to help your organization with GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients' business and any actions the clients may need to take to comply with such laws and regulations.
The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Table of Contents
- GDPR
- Product Configuration for GDPR
- Data Life Cycle
- Data Collection
- Data Storage
- Data Access
- Data Processing
- Data Deletion
- Data Monitoring
- Capability for Restricting Use of Personal Data
GDPR
General Data Protection Regulation (GDPR) has been adopted by the European Union ("EU") and applies from May 25, 2018.
Why is GDPR important?
GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:
- New and enhanced rights for individuals
- Widened definition of personal data
- New obligations for processors
- Potential for significant financial penalties for non-compliance
- Compulsory data breach notification
Read more about GDPR
- [EU GDPR Information Portal](https://www.eugdpr.org/)
- [ibm.com/GDPR website](http://ibm.com/GDPR)
Product Configuration for GDPR
The following sections provide considerations for configuring IBM App Connect Professional to help your organization with GDPR readiness.
Data Life Cycle
IBM App Connect Professional (ACP) is a general-purpose integration engine which enables users to route and transform data as it is passed between third-party applications. ACP supports a large range of protocols and data formats for the purpose of connecting to bespoke applications, and provides pre-built components that are capable of communicating with popular packaged applications. As such, ACP touches many forms of data, some of which could potentially be subject to GDPR. Most frequently, data passes through the ACP architecture in real time, with ACP making synchronous connections to online endpoints. However, ACP also interacts with persistent forms of data such as messaging systems (including traditional on-premises message systems such as IBM MQ), databases (relational databases and NoSQL databases), data held on local or remote file systems, email systems, and other CRM and ERP systems.
There are several third-party products with which ACP might exchange data. Some of these are IBM-owned, but many others are provided by other technology suppliers. For organizations considering a third-party product to support their GDPR readiness, consult that product's documentation.
ACP users control the way in which ACP interacts with data passing through it, by the definition of orchestrations (data flows). An orchestration is commonly constructed by a user acting in the role of "ACP developer", working with the ACP Studio. An orchestration is composed from a set of discrete building blocks (known as connectors) that are wired together in an ordered fashion by the ACP developer. Connectors are configured graphically.
What types of data flow through ACP?
As a general-purpose integration engine, there is no one definitive answer to this question because use cases vary from user to user. However, it is entirely possible that customers of ACP use it to interact with data that relates to the following categories:
- Employees of the customer (for example, ACP might be used to connect the customer's payroll or HR systems)
- The customer's own clients' personal data (for example, ACP might be used by a customer to transform data related to their clients, such as taking sales leads and storing data inside their CRM system)
- The customer's own clients' sensitive personal data (for example, ACP might be used within industry contexts that require personal data to be transmitted through ACP, such as HL7-based healthcare records when integrating clinical applications)
Personal data used for online contact with IBM
ACP clients can submit online comments/feedback/requests to contact IBM about ACP subjects in a variety of ways, primarily:
- Public comments area on pages in the IBM Integration community on IBM developerWorks
- Public comments area on pages of ACP product documentation in IBM Knowledge Center
- Public comments in the Integration Bus space of dWAnswers
- Feedback forms in the IBM Integration community
Typically, only the client name and email address are used, to enable personal replies for the subject of the contact, and the use of personal data conforms to the IBM Online Privacy Statement.
Data Collection
ACP can be used to collect personal data. When assessing your use of ACP and your needs to meet with the demands of GDPR, you should consider the types of personal data which in your circumstances are passing through ACP. You may wish to consider aspects such as:
How does data arrive into your ACP orchestrations? (Synchronously or asynchronously? Across which protocols? Is the data encrypted? Is the data signed?)
How is data sent out from your ACP orchestrations? (Synchronously or asynchronously? Across which protocols? Is the data encrypted? Is the data signed?)
How is data stored as it passes through your ACP orchestrations? (Do you use any of the product features highlighted in the Data Life Cycle section of this document? If so, are you aware of how those features could potentially expose aspects of the data passing through the product?)
How are credentials collected and stored where needed by ACP to access third-party applications?
ACP typically needs to communicate with third-party applications and systems, such as DB2 and SAP, and many such systems require ACP to authenticate. Where needed, authentication data (userids, passwords, and API keys) is collected and stored by ACP for its use in such communication.
Wherever possible, you should avoid using personal credentials for ACP authentication, to limit the chance of your personal credentials being used by orchestrations you did not intend. In any case, consider the protection of the storage used for authentication data.
Data Storage
When data travels through an ACP orchestration as part of normal operation, ACP does not mandatorily persist that data directly to stateful media. However, users of ACP can configure "persistence=enabled" or "logging level=all", which can cause some sensitive data to be persisted in the logs or in databases. So, although ACP does not directly persist data to stateful stores, by association ACP users may want to consider securing data at rest that is written to logs or databases.
To mitigate the risk of unencrypted data at rest, the customer should in all cases avoid setting the logging level to INFO or FINEST; it should be set only to CRITICAL.
When designing orchestrations in App Connect Professional, customers can set the persistence setting to DISABLED in order not to allow storing of any in-flight data variables if a failure occurs that causes an orchestration job to stop. However, disabling persistence prevents the original job completing when the orchestration is restarted. Also, persistence is required by some activities in some use cases.
Data Access
ACP-owned data can be accessed through the following defined set of product interfaces, some of which are designed for access through a remote connection, and others for access through a local connection.
- Web Management Console [Only remote, browser based]
- Command line interface
The Web Management Console (WMC) is a browser-based application hosted by the Integration Appliance.
The WMC can configure and monitor hardware, orchestration, and network status of an Integration Appliance, using a Web browser. System Administrators can use the WMC for the following monitoring tasks:
- Obtaining Integration Appliance status information, such as memory-usage statistics, disk-space statistics, CPU status, fan status, and power-supply status.
- Obtaining overall processing information at a glance, then drilling down on specific orchestrations to obtain comprehensive information about specific messages, activities, errors, and other details.
- Viewing logs and error notifications.
In addition to the WMC, you can also use the Command Line Interface (CLI) to perform many administrative and monitoring tasks. For more information on the CLI, see the Command Line Interface reference.
Authentication:
The Web Management Console (WMC) is a web-based management tool that allows you to:
- Manage the Integration Appliance
- Manage integration projects
- Monitor integration projects
You can access the same Integration Appliance from multiple WMCs. However, each WMC can only monitor and manage one Integration Appliance at a time. The tasks you can complete in the WMC depend on the user account you log in with. The WMC has built-in groups, which you can use to further control access to the Integration Appliance. Alternatively, you can specify an LDAP server to manage user and group authentication and authorization.
Role mapping:
Please see the Authorization section for various roles that can be assigned to any user.
Authorization:
In ACP there are various authorization levels available for each tenant and environment. Each user of ACP should be assigned only the level of authorization that they require for each environment.
The following list defines the permissions granted to each of the built-in groups:
- Tenant Administrator Group. Provides privileges to all environments, users, groups, and projects in a specific tenant. Permits users to create, edit, and delete users and custom groups in the tenant. Users in this group can add and delete users to and from any built-in or custom group in the tenant. Users in this group can view, edit, and delete permissions for all source projects in the tenant.
Users in this group can view all the environments in the tenant and have all the permissions of an environment administrator in each of the tenant environments.
- Environment Administrator Group. Provides privileges to all users, groups, and projects in a specific environment. Permits users to create, edit, and delete users and custom groups in a specific environment. Users in this group can add and delete users to and from any built-in or custom group in the environment.
Environment Administrators can also create and deploy project configurations for any project that an environment publisher publishes, and view orchestration job details for any project configuration in the environment. With environment administrator group privileges you can edit permissions that publishers for the same environment set for their individual project configurations.
Even though members of the Environment Administrator group have Environment Publisher group and Environment User group privileges, the members of the Environment Administrator Group are not displayed in other groups in the same environment until you explicitly add the user.
- Environment Publisher Group. Provides project privileges in a specific environment. Permits users to create, deploy, or delete project configurations for any project that they publish in the environment. Users in this group can also start and stop orchestrations and view orchestration job details for project configurations they deployed in the environment. As an environment publisher, you can grant permissions for individual project configurations you create to another user with environment publisher privileges for the same environment.
The members of the Environment Publisher Group do not appear in the Environment User Group, until you explicitly add the user.
- Environment User Group. Permits users to monitor alerts and orchestrations in a specific environment. Users in this group can create and edit projects; however, they cannot publish the project to an environment. You must have Publisher privileges for the specific environment to which you want to publish a project. All users are automatically members of the Environment User group.
In a multi-environment tenant, users in this group only see the environment tab for environments of which they are a member. For example, a tenant has a Development, a Staging, and a Production environment. The tenant administrator or administrator of the Development environment adds a user to the User [Development] group. When the user logs in to the tenant, the user can only see the Development environment, even though the tenant has two other environments.
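The group model above (tenant administrators inheriting environment-administrator rights everywhere, environment-scoped groups, and users seeing only the environments they belong to) is easy to get wrong when reviewing who holds what. The following is an added example, not ACP's own authorization code or API: it models the built-in groups as permission sets, computes a user's effective permissions per environment, and reports where a user holds more than they are documented as needing. The permission strings, the `Tenant` class and the sample users (alice, bob, carol) are constructed for this illustration; the group names and their relative privileges follow the descriptions on this page.

```python
"""Illustrative model of ACP's built-in groups (added example, not ACP code)."""
from dataclasses import dataclass, field

# Permission names are paraphrased from the group descriptions above;
# the strings themselves are constructed for this example.
ENV_USER = {"monitor_alerts", "monitor_orchestrations", "create_edit_projects"}
ENV_PUBLISHER = ENV_USER | {
    "publish_project", "deploy_project_config", "delete_project_config",
    "start_stop_orchestrations", "view_job_details_own",
}
ENV_ADMIN = ENV_PUBLISHER | {
    "manage_env_users", "manage_env_groups", "view_job_details_all",
    "edit_publisher_permissions",
}
TENANT_ADMIN_EXTRA = {"manage_tenant_users", "manage_tenant_groups",
                      "manage_source_project_permissions"}
GROUP_PERMS = {"User": ENV_USER, "Publisher": ENV_PUBLISHER, "Administrator": ENV_ADMIN}


@dataclass
class Tenant:
    environments: set
    tenant_admins: set = field(default_factory=set)
    # (environment, group name) -> set of user ids
    memberships: dict = field(default_factory=dict)

    def add_member(self, user, env, group):
        if env not in self.environments or group not in GROUP_PERMS:
            raise ValueError(f"unknown environment or group: {env}/{group}")
        self.memberships.setdefault((env, group), set()).add(user)


def effective_permissions(tenant, user, env):
    """Union of everything the user's memberships grant in one environment."""
    if env not in tenant.environments:
        raise ValueError(f"unknown environment: {env}")
    perms = set()
    if user in tenant.tenant_admins:
        # A tenant administrator has environment-administrator rights in every environment.
        perms |= ENV_ADMIN | TENANT_ADMIN_EXTRA
    for (e, group), users in tenant.memberships.items():
        if e == env and user in users:
            perms |= GROUP_PERMS[group]
    return perms


def visible_environments(tenant, user):
    """Tenant admins see every environment; others only those they belong to."""
    if user in tenant.tenant_admins:
        return set(tenant.environments)
    return {e for (e, _), users in tenant.memberships.items() if user in users}


def least_privilege_findings(tenant, required):
    """required: {(user, env): permissions actually needed}. Returns excess grants."""
    findings = []
    for (user, env), needed in required.items():
        excess = effective_permissions(tenant, user, env) - needed
        if excess:
            findings.append((user, env, sorted(excess)))
    return findings


def sample_tenant():
    # Constructed sample: three environments, one tenant admin, two ordinary users.
    t = Tenant(environments={"Development", "Staging", "Production"},
               tenant_admins={"carol"})
    t.add_member("alice", "Development", "User")
    t.add_member("bob", "Development", "Publisher")
    t.add_member("bob", "Production", "Administrator")  # wider than bob needs
    return t


if __name__ == "__main__":
    t = sample_tenant()
    print("alice sees:", sorted(visible_environments(t, "alice")))
    required = {("bob", "Production"): {"monitor_alerts", "monitor_orchestrations"}}
    for user, env, excess in least_privilege_findings(t, required):
        print(f"{user}@{env} holds more than needed: {excess}")
```

Feeding `least_privilege_findings` a list of what each account is actually expected to do per environment gives a repeatable check that membership in the Administrator or Publisher groups has not crept beyond what the role requires.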
Logging administration activity:
Administration activities are logged in the system logs.
Data Processing
Users of IBM App Connect Professional (ACP) can control the way in which ACP processes personal data, through the definition and configuration of the orchestrations that are deployed to the ACP runtime. Orchestrations begin processing when input data arrives in ACP through a starter activity, and they complete when data is sent out from an ACP end activity or request node. A large range of protocols are supported, some of which include provision for the data to be encrypted when it is passed into and sent out from ACP. Encryption converts the data from a readable form to an encoded version that can only be decoded by a program that has access to the decryption key.
Encryption:
App Connect Professional administrators have the authority to use any of the encryption activities supported to encrypt any data as needed. The admin owns the encryption key.
Read more:
- https://www.ibm.com/support/knowledgecenter/en/SS3LC4_7.5.2.0/com.ibm.wci.doc/toc_cryptoserviceactivities.html
- https://www.ibm.com/support/knowledgecenter/en/SS3LC4_7.5.2.0/com.ibm.wci.doc/AES_Encrypt_function.html
To mitigate the risk of unencrypted data at rest, the customer should in all cases avoid setting the logging level to INFO or FINEST; it should be set only to CRITICAL.
Data Deletion
By default, an App Connect Professional appliance purges orchestration monitoring logs older than 30 days when any of the following conditions occurs on the appliance:
- The amount of available disk space falls below 50%.
- One day has passed since the last purge.
- More than 5,000 orchestration jobs have completed.
- More than 1,000 orchestration jobs have contained an error.
Using the WMC, you can configure the job log purging parameters on the appliance that determine:
- Trigger Conditions - What conditions trigger the appliance to purge orchestration monitoring data.
- Frequency - How often to purge orchestration monitoring data.
- Job Scope - What type of orchestration monitoring data to purge.
Business data is stored in Job Logs, and Administrators have access to purge the logs: https://www.ibm.com/support/knowledgecenter/en/SS3LC4_7.5.2.0/com.ibm.wci.appliance.doc/Working_with_Logs/purgingJobLogs.html
Data Monitoring
App Connect Professional provides its administrators with tools such as System logs, Job Logs, and Orchestration logs to monitor access to the system and any changes applied to the system. Details about the usage of the various levels of logging can be found in Logging. If administrators do not want any business data logged, they need to set the logging level to Fatal rather than INFO/ALL.
App Connect Professional provides a feature to enable Data Monitoring in Job logs to debug any failed executions. If a customer does not want business data recorded in Job logs, they need to set the logging level to Fatal.
Capability for Restricting Use of Personal Data
App Connect Professional provides its administrators with access to purge logs based on any specific criteria like a schedule, trigger conditions, to remove specific information stored in the job logs as requested by their end customers - https://www.ibm.com/support/knowledgecenter/en/SS3LC4_7.5.2.0/com.ibm.wci.appliance.doc/Working_with_Logs/purgingJobLogs.html
Using the facilities summarized in this document, App Connect Professional enables an end-user to restrict usage of their personal data. Under GDPR, users have rights to Access, Modify and Restrict Processing. Refer to other sections of this document to control the following:
- Right to Access
- App Connect Professional administrators can use its features to provide individuals access to their data.
- App Connect Professional administrators can use its features to provide individuals information about what data App Connect Professional holds about the individual.
- Right to Modify
- App Connect Professional administrators can use its features to allow an individual to modify or correct their data.
- App Connect Professional administrators can use its features to correct an individual's data for them.
- Right to Restrict Processing
- App Connect Professional administrators can use its features to stop processing an individual's data.