Monthly Archives: August 2014

Anatomy of a BlueMix App

This entry is part 2 of 2 in the series Start here

When you start out to create a cloud-based app it helps to understand the environment that it will run including the components that are external to it as well as the framework and runtime components that are integral to it.

An app runs both on the device (client) and in the cloud (server) and invokes services on both platforms.


Much of the logic that you build into an app is in the form of JavaScript.  On the server this might be application logic in the form of JavaScript running in the node.js runtime.

On the client side the JavaScript might be Dynamic HTML client-side scripting running in a browser or a mobile app.

JavaScript developers typically use standardized JavaScript code written by other developers in the form of libraries such as jQuery (on the client).

If I had time on my hands…

This entry is part 1 of 2 in the series Start here

I dream of having time on my hands.  Ah, what would I do to occupy myself if I was a high-school kid dreaming to get a start in software development?

Knowing what I know now about how complicated developing software can get, I would try to do something very simple.  In fact, I would want to make it as simple as possible.

First, I would avoid one of the least productive and most complicated parts of software development — setting up my development and test environments.   I would look at developing in the cloud using a Platform as a Service (PaaS) such as IBM’s Bluemix.

Secondly, I would do it for free as much as possible.  In luck…IBM provides a free DevOps and PaaS services!

Sign up for free IBM DevOps Services and free trial for Bluemix.

Create a DevOps project.  I created a Git repository (

Copy the sample project as described here, fork it, and build & deploy it as instructed.  Run a test!






Reading List: Addressing Emerging Threats and Targeted Attacks with IBM Security Network Protection

This post covers the IBM Red Paper:  Addressing Emerging Threats and Targeted Attacks with IBM Security Network Protection (redp4826).

The book is about addressing new kinds of network threats such as advanced persistent threats (APTs), stealth bots, targeted application attacks, and designer malware.  For an up-to-date understanding of the threat landscape the reader is referred to the IBM X-Force Trend and Risk Report.   These new threats are being addressed by incorporating best-of-breed intrusion prevention, application visibility and control, IP reputation, and SSL inspection into one solution, and integrating this solution with security intelligence.

The protocol-aware Protocol Analysis Module (PAM) engine provides in-depth security and protection by analyzing every packet that traverses the IBM Security Network Protection solution.  The engine can process low-level protocols, such as the Internet Protocol (IP), to detect and block attacks at this level (such as denial of service attacks). PAM can perform a deep analysis of data that is transferred by high-level protocols, such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Remote Procedure Calls (RPCs).

The following core components are features of the PAM:

  • IBM Virtual Patch® technology: Shields vulnerabilities from exploitation, independent of a software patch.
  • Client-side application protection: Protects users against attacks that target applications that are used everyday, such as attacks that are embedded in Microsoft Office files, Adobe PDF files, and multimedia files.
  • Web application protection: Provides protection against sophisticated web application attacks, such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
  • Advanced threat detection and prevention: Provides advanced intrusion prevention,including protection against potential zero-day attacks.
  • Data security: Provides monitoring and identification of personally identifiable information (PII) and other confidential data over both unencrypted traffic and SSL encrypted traffic if SSL inspection is enabled.


Reading List: Using the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security

This post covers the IBM Redbook: Using the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security published in April 2013.

This book provides an introduction to the IBM security framework and blueprint.  I do not cover this here because I previously covered it in my post Managing Security and Compliance in Cloud or Virtualized Data Centers.

Business Context

From the red book: “Business and IT drivers influence security.  Business drivers measure value, risk, and economic costs that influence an organization’s approach to IT security. Value drivers determine the worth of assets of the system to the business and of the business itself. Risk drivers involve compliance, corporate structure, corporate image, and the risk tolerance of the company. Economic drivers determine productivity impact, competitive advantage, and system cost.

IT drivers represent operational constraints in the general IT environment. For example, the complexity of a system, including its environment, that is exposed to internal and external threats presents risks that the organization must address. The IT drivers represent technical considerations that can affect the trustworthiness of the IT environment and the managed business systems as a whole. IT drivers are universal and must be considered within the context of the business drivers in all efforts. The combination of business and IT drivers represents the key initiatives for security management.

The following business drivers are covered:

  • Correct and reliable operation
  • Service level agreements
  • IT asset value
  • Protection of the business asset value or brand image
  • Legal or regulatory compliance
  • Contractual obligation
  • Financial loss and liability
  • Critical infrastructure
  • Safety and survival.

The following IT drivers are covered:

  • Internal threats
  • External threats
  • IT service management commitments
  • IT environment complexity
  • Business environment complexity
  • Audit and traceability
  • IT vulnerabilities.

IBM Security Framework

The IBM security framework covers the breadth of security.  I show applications and infrastructure here.

IBM security framework applications

For infrastructure, and important point is the decision to use virtualization.  “Organizations are increasingly using virtualization technology to support their goals of delivering services in less time, with greater agility, and at lower cost. By building a structure of security controls within this environment, organizations can reap the goals of virtualization, such as improved physical resource utilization, improved hardware efficiency, and reduction of power costs, while they ensure that the virtual systems are secured with the same rigor as the physical systems.

IBM security framework infrastructure

 Security Maturity Model

IBM security MM

 Security Blueprint

The Security Blueprint has the following foundational components:

  • Command and Control Management
  • Security Policy Management
  • Risk and Compliance Assessment
  • Identity, Access, and Entitlement Management
  • Data and Information Protection Management
  • Software, System, and Service Assurance
  • Threat and Vulnerability Management
  • IT Service Management
  • Physical Asset Management.

IBM security blueprint

 Architecture Principles

The following architecture principles are covered:

  • Openness
  • Security by default
  • Design for accountability
  • Design for regulations
  • Design for privacy
  • Design for extensibility
  • Design for sharing
  • Design for consumability
  • Multiple levels of protection
  • Separation of security management, enforcement, and accountability
  • Security-critical resources and awareness of their security context
  • Model-drive security
  • Consistency in approaches, mechanisms, and software components.

Foundational Security Management

IBM foundation security management loop

 Security Frameworks and Standards

Frameworks include:

Standards in the Industry information security and privacy standards profile model:

Info security and privacy standards profile model 1

Info security and privacy standards profile model 2


SABSA looks at the following business requirements:

  • Low-cost development
  • Fast time to market
  • Scalability of cost
  • Scalability of platforms
  • Scalability of security level
  • Scalability of use
  • Reusability
  • Operations costs
  • Administration costs
  • Usability
  • Interoperability
  • Integration
  • Supportability
  • Risk-based cost and benefit effectiveness
  • Enabling business.

SABSA matrix

 ISO/IEC 27002:20xx

ISO/IEC 27002:2005 contains 12 categories, or domains, that must be
considered when you apply an overall enterprise security approach. The
categories are:

  •  Risk assessment
  •  Security policy
  •  Organization of information security
  •  Asset management
  •  Human resources security
  •  Physical and environmental security
  •  Communications and operations management
  •  Access control
  •  Information systems acquisition, development, and maintenance
  •  Information security incident management
  •  Business continuity management
  •  Compliance.


The red book describes how to use the Open Enterprise Security Architecture (O-ESA) from the Open Group to build an over-arching Enterprise Security Architecture (ESA).

O-ESA rings

O-ESA flow

Policy Enforcement Points (PEPs) are included in the conceptual architecture:

O-ESA conceptual architecture PEPs

Example security domains are suggested:

  •  Uncontrolled
  •  Controlled (DMZ)
  •  Restricted
  •  Secured
  •  External Controlled (3rd party).

sample security domains

A process is provided to develop the technology architecture:

O-ESA dev ESA tech arch

Setting up security zones is summarized and the reader is referred to another red book for details: Enterprise Security Architecture Using IBM Tivoli Security Solutions, SG24-6014.  However, this document was written back in 2007.  I would take a look at Addressing Emerging Threats and Targeted Attacks
with IBM Security Network Protection (redp4826) first.

An example is provided for healthcare mobile security where an example set of security policies are provided:

example security policies

Example allocation of security services to zones is provided:

example security services

example security services zones

example security services LCM

The red book introduces SIEM technology:

Centralized log collection, analysis, and reporting on compliance for the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Act (SOX), and ISO/IEC 27002:2005 is enforced by using Security Information and Event Management (SIEM) technology. This technology integrates the Web Security Server infrastructure. It also offers operating system-level monitoring that can collect logs from critical UNIX, Linux, and Windows servers. The SIEM solution is also able to monitor the network traffic flows between the components for abnormalities (unusual behavior) and identify data structures that are moving across the wire.

An operation model is provided for the example:

example security services OM

An SIEM operational view is provided:

SIEM operational view

Reading List: Managing Security and Compliance in Cloud or Virtualized Data Centers

In this post I cover the IBM Red Book SG248082:  Managing Security and Compliance in Cloud or Virtualized Data Centers.

The IBM Security Framework provides a top-level view on security:

IBM security framework

At the second level of detail IBM provides Security Blueprint.

IBM security blueprint

The Security Blueprint categorizes and defines security capabilities and services that are required to answer the business concerns in the IBM Security Framework such as infrastructure.

IBM security blueprint infrastructure

The Security Blueprint emphasizes control (knowing where you are in and out of compliance, why, and having action plans) in addition to compliance.  There is also a focus on visibility into and managing the security of virtual machines.

I cover the IBM Security Blueprint in more detail in my post Using the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security.

The functions of the PowerSC products are described and these provide a good example.  Regulatory compliance to industry standards such as Payment Card Industry Data Security Standard v1.2 (PCI-DSS) and Control Objectives for Information and related Technology (COBIT), typically adopted subject to the US Sarbanes-Oxley Act, can be automated.  Automated compliance helps address the huge effort of staying in compliance with multiple regulations.  Trusted Boot is a virtual implementation of the Trusted Platform Module (TPM) from the Trusted Computing Group.  Trusted Firewall filters traffic between VLANs.  Trusted Logs prevents modification of log files.  Trusted Surveyor provides consolidated security reporting.

A Top-Down Summary of Cloud Computing Reference Architectures

In this post I want to provide a brief top-down summary of reference architectures that are applicable to banks embarking on a cloud computing journey.  I will provide links to other posts where my more detailed views can be found.


Starting at the top we find the IBM Cloud Computing Reference Architecture (CCRA).  The CCRA includes the Cloud Computing Management Platform (CCMP), which includes Operational Support Systems (OSS) and Business Support Systems (BSS).











IBM Infrastructure as a Service (IaaS) patterns drill down on the IaaS block in the CCRA.

IaaS macropatterns

IBM Security Framework

The IBM Security Framework provides a business oriented point of view on IT security and can be applied to cloud computing, virtualized or traditional environments.

IBM security framework

IBM Security Blueprint

The IBM Security Blueprint provides a technical view covering areas of the framework such as infrastructure.

IBM security blueprint IBM security blueprint infrastructure

Frameworks and standards are summarized:

Also see:  Federal Financial Institution Examination Council (FFIEC).


O-ESA delves into the process and substance of details such as the development of security domains.  An example is provided in an IBM red book.

sample security domains example security services zones

example security services OM SIEM operational view

What are IBM CCRA and CCMP?

This entry is part 30 of 31 in the series Defining words

The IBM Cloud Computing Reference Architecture (CCRA) and Common Cloud Management Platform (CCMP) are useful to understanding the IBM Private Modular Cloud (CMP).

CCMP includes Operational Support Systems (OSS) and Business Support Systems (BSS).

At the highest level the IBM point of view can be summarized as follows:

CCRA summary

For an expanded view of the CCRA and CCMP IBM provides the following diagram.



Reading List: IBM SmartCloud: Building a Cloud Enabled Data Center

For banks wanting to increase IT agility and decrease IT costs via a cloud-enabled data center, this IBM Redguide is a must read.

The words “increase agility and decrease costs” are used a lot and my brain tends to filter out words that it hears a lot.  However, every major delay to a critical project that I have witnessed in the past few years has been due to delays in specifying or provisioning development or test environments.

The book builds on the IBM Cloud Computing Reference Architecture (CCRA) to address the Cloud Enabled Data Center adoption pattern.  This pattern is key to banks who want to build a private cloud to “combine the major advantages of the public cloud, such as strong standardization, self-service automation, scalability, and metering, with the advantages of on-premise data centers.  On-premise data centers provide advantages such as strong security, increased customization capabilities, and increased control over QoS.

As banks build out a private cloud, IaaS is the logical place to start.  The book provides a maturity model for IaaS.


The book provides macro patterns aligned to the maturity levels that prescribe architectures for each level.

Macro patterns are broken down into micro patterns and use cases.  Micro patterns are essentially functional clusters of use cases.

IaaS micro patterns and use cases

The macro pattern view shows provides a simplified view of the IaaS macro patterns.

IaaS macropatterns

They provide a macro patterns view overlaid with a logical software architecture.

IaaS logical swa

The product mappings in the book will need some critical thinking on the bank’s part as they are a bit dated.

IaaS IBM SmartCloud SW

IBM is generally proposing PaaS with its Private Modular Cloud (PMC) solution.  After seeing the degree to which banks struggle to provide test environments for projects and the kinds of problems that bog them down, I do believe that PaaS is where the banks that I am working with need to go.