Securing applications and data on Bluemix

IBM Bluemix Cloud Foundry applications have built-in security for accessing bound services: the credentials for those services are supplied through the VCAP_SERVICES environment variable. The credentials for externally managed services can also be added to VCAP_SERVICES by creating a Cloud Foundry user-provided service and then binding that service to the application.

Safe management of API keys also covers how you implement REST APIs that accept keys. Do not accept API keys in URL strings; accept them in request headers or POST body arguments, which are encrypted when using SSL.
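The two points above (credentials read from VCAP_SERVICES, API keys accepted only outside the URL) can be combined in one server-side check. This is an added example, not code from the original page or from IBM; the service instance name `partner-api`, the `api_key` credential field, the `X-API-Key` header and the query parameter names are assumptions.

```python
import hmac
import json
import os
from urllib.parse import urlsplit, parse_qs

# Constructed sample of the JSON Cloud Foundry injects; user-provided
# services are grouped under the "user-provided" label.
SAMPLE_VCAP = json.dumps({
    "user-provided": [{
        "name": "partner-api",  # hypothetical service instance name
        "label": "user-provided",
        "credentials": {"api_key": "constructed-key-123"},  # constructed value
    }]
})

def service_credentials(instance_name, environ=os.environ):
    """Return the credentials dict of the bound service instance with this name."""
    vcap = json.loads(environ.get("VCAP_SERVICES", "{}"))
    for instances in vcap.values():  # top-level keys are service labels
        for inst in instances:
            if inst.get("name") == instance_name:
                return inst.get("credentials", {})
    raise KeyError(f"service {instance_name!r} is not bound to this application")

def check_request(url, headers, expected_key, header_name="x-api-key"):
    """Return (status, reason); a key placed in the URL is refused outright."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # Assumed parameter names a client might wrongly use to pass a key.
    if any(name.lower() in ("api_key", "apikey", "key") for name in query):
        return 400, "API key must not be sent in the URL"
    supplied = {k.lower(): v for k, v in headers.items()}.get(header_name, "")
    if not supplied:
        return 401, "missing API key header"
    # Constant-time comparison avoids leaking key prefixes through timing.
    if not hmac.compare_digest(supplied.encode(), expected_key.encode()):
        return 403, "invalid API key"
    return 200, "ok"

if __name__ == "__main__":
    env = {"VCAP_SERVICES": SAMPLE_VCAP}
    key = service_credentials("partner-api", env)["api_key"]
    print(check_request("https://app.example/v1/items", {"X-API-Key": key}, key))
    print(check_request("https://app.example/v1/items?api_key=" + key, {}, key))
```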

The Bluemix Key Protect service provides a secure cloud-based encryption key management solution for select Bluemix services and developer-created applications. API calls to the Key Protect service are available for audit through the Access Trail (also known as Activity Tracker) service.

Bluemix data services include security features. The dashDB sensitive data reporting feature provides information on table columns that contain sensitive data, such as US social security numbers and credit card numbers, as well as on activities that access the data. The IBM DB2 on Cloud service supports native encryption, which encrypts all database data before it is stored. To create an encrypted database in the default instance using the default keystore, issue the CREATE DATABASE command specifying the ENCRYPT parameter.