Compliance? We’ve got you covered!

Ensuring the compliance of your business is crucial to establishing a trusted relationship between a provider and their customers. Nowadays, every company has different policies that define how to comply with laws and business regulations. Maintaining and protecting data, remediating problems and timely reporting are essential actions in ensuring compliance regardless of the internal or external policies to which you need to adhere.

The HCL/IBM Workload Automation represents the software stack’s foundation layer in scenarios where data is managed, for example in ETL processing, so it must comply with the company’s policies.

In this article you’ll learn how HCL/IBM Workload Automation 9.5 ensures compliance by:

1. Regulating user access
2. Providing secure services
3. Complying with security standards
4. Securely tracking changes
5. Managing secure code deployment

 
 User accesses regulation
 
HCL/IBM Workload Automation can be configured to authenticate users through your company’s directory, typically LDAP or AD, and give access to the Dynamic Workload Console (the GUI) following a role-based authorization scheme.

A user or a group of users may be assigned to one or more of these roles and be able to perform the role’s specific actions:

1. Administrator - Has all access available, including system & security configuration
2. Developer - Can design workload objects but has no access to administration functions
3. Operator - Is able to monitor and manage planned workload including ad hoc job submission
4. Analyst - Creates and runs report tasks only

 
Within the scope of allowed actions, a user can be limited to operate with a certain set of privileges over a set of objects, this workload security is based on the following principles:

1. Role – a profile made up of a combination of privileges
2. Security domain – a set of data identified by a naming convention
3. Workload folder – a set of data partitioned by the category (virtual location) where they are saved
4. ACL – the assignment of a role on a security domain, a folder to a user or group of users.

 
 Secure service provisioning
 
Using HCL/IBM Workload Automation you can provide to either internal or external customers orchestration capabilities as a service. In this case, it is very important to adopt a multitenancy model to govern different lines of business from a single central server infrastructure.

• The security model described above ensures that each LoB is segregated and isolated from one another.
• Installing agents as gateways ensures that the network is segmented into different network zones (at least one per LoB is recommended).
• Assuming that each LoB is assigned to a workload folder space, it is possible to delegate the security administration of a folder and its sub-folders to a LoB administrator. This simplifies LoB administration and provides administration redundancy. 

 
Security standards compliance
 
HCL/IBM Workload Automation is currently used by many Financial and Government institutions where compliance with security regulations is a high priority.

• All network communications are encrypted with TLSv1.2
• Default certificates can be hardened even using an external Certification Authority
• All operations can be audited (this topic is discussed in the next section)
• HCL/IBM Workload Automation is GDPR enabled and all sensitive data can be vaulted in a local encrypted file and resolved at runtime when a job requires them, and no sensitive information is sent across the network
• HCL/IBM Workload Automation has been certified internally by customers for the PCI DSS standard for credit card management
• HCL/IBM Workload Automation is FIPS and FISMA compliant
• HCL/IBM Workload Automation is highly available by design, and no OS or HW configuration is required to set up high-availability or disaster recovery
• Vulnerability scans are performed before releasing a new version, and no high severity exposures (OWASP definitions) are present when a version is released.

 
Auditing and tracking changes
 
All operations done from any interface are audited, and these actions can be stored in the database, in a file, or both.
The audited information includes; the action taken; the object changed; and the user who performed the change. It is recommended that the GUI interface be configured for Single Sign On (SSO) in order to properly track the user performing the operation.
 
It is also possible to enable the business justification feature. When the business justification is enabled and a change or action is performed, the user is requested to insert a reason, a description and a ticket number associated with the change. All of these parameters are configured by the administrator and can either be optional or mandatory to collect the information necessary to meet your audit requirements. These fields are inserted into the audit record and stored in the configured destination. 
 
Secure code deployment
 
The job-as-a-code approach and DevOps processes require compliance with standards such as:

• Version control and change management
• Artifact controlled promotion

 
In HCL/IBM Workload Automation artifacts are versioned when created or modified. Through the Workload Designer page, it is possible to compare different versions of the same object and if necessary, restore an object to a previous version.
 
A big challenge in promoting workload from development/test environments to UAT or Production environments is ensuring that the workload is complete and consistent, with no anomalies. To accomplish this, HWA/IBM Workload Automation provides a standardized process of promotion across environments to meet this need. This process uses a feature called Workload Application Templates. A workload application template is a selection of job streams (applications) that are pulled into a package complete with all the artifact definitions and relationships required to make them work as an auto-consistent unit. Once defined, the workload application template can be exported as a zip file, this zip package constitutes the unit of code that can be stored in a SCM (source code management) tool. The import process is guided, and the interface allows you to create a mapping between the source objects and the destination objects where you can control any name changes, workstation assignments, variables and variable table remapping etc. Export and import operations can be done simply by using the GUI or it can be done programmatically using the CLI or by calling the RESTful APIs available to fully automate the promotion process even if it’s driven by an external DevOps product.
 
 
In conclusion.
​HCL/IBM Workload Automation meets and exceeds the most up to date security standards, regulations and internal business policies to make sure your business stays compliant.

PHILLIP GAYLE

North American Sales Director for HCL Workload Automation. Phillip has over 10+ valuable experience in Sales, IT Operations, Security & Privacy, and Marketing. Phillip has worked with both Global and Local companies from various industries across all of North America.

RICCARDO PIZZUTILO

Technical Sales Specialist in the Workload Automation team. He first worked as a Test Engineer and later moved to Technical Sales for HCL Workload Automation. He has a degree in Telecommunication Engineering and loves interacting with customers, traveling and baking cakes. As a Technical Sales and Solution Architect he helps customers find the right workload automation solution for their needs. He is currently based in HCL Software laboratory in Rome.

BRUCE WHITEHEAD

Bruce has 23+ years of Workload Automation experience. He started working in the Workload Automation arena at Best Buy, a leading US electronics retailer. After 12 years there he spent 10 years at United Health (Optum) and helped them deploy one of the largest workload automation environments in the world. Currently he is a Tech Sales Specialist and Architect working for HCL Software.