IBM Event Streams and IBM Event Automation


Kafka Security Nightmare: Are Your Events Leaking? (Don't Panic!)

By Giovanni Vuolo posted 8 days ago

  

Imagine your booming e-commerce platform thrives on a constant stream of payment events. Every transaction carries data that powers fraud detection, order fulfillment, and analytics. But here's the rub: that data often includes sensitive customer information such as credit card numbers. Now picture an unauthorized consumer reading those very events: a security nightmare and an attacker's dream!

Don't panic! This scenario, while frightening, is entirely preventable. Keep reading to discover how to lock down your events, keep your customer data secure, and give consumers access only to what they need. We'll explore approval controls and data redaction to keep your event flow leak-proof.

Event Endpoint Management Controls

IBM's Event Endpoint Management (EEM) can be a valuable tool in addressing these leaks: it lets you expose Kafka topics with access controls, approvals, and data redaction, which matters particularly for payment events containing sensitive information such as credit card numbers. The main EEM capabilities for controlling how events are exposed are controls and options: an option is a published view of a topic, and controls are attached to that option. Combining the two, you can:

  • Define approval policies on a topic: an external party cannot consume the topic until the topic owner has approved their request.
  • Data redaction:

o   Within EEM: EEM offers message transformation capabilities. You can redact sensitive fields of a payment event before it is delivered to consumers of the option, either replacing the field content with a fixed value or with a hash of it. The messages stored on the Kafka topic itself are left unchanged; the redaction is applied on the way out to the consumer.

o   Integrating with API Connect (APIC): EEM supports the AsyncAPI specification, a standard for describing event-driven APIs. A topic can be exported as an AsyncAPI document and imported into APIC, where further redaction can be applied.

This brings additional benefits for secure payment processing:

  • Self-Service Access: EEM allows authorized users to discover and subscribe to event streams through a self-service portal. This streamlines access for developers working on applications that require payment event data, while access controls ensure only authorized users can see the data.
  • Documentation and Governance: EEM helps document event sources according to the AsyncAPI specification, making it easier for developers to understand the format and content of payment events. This promotes better governance and reduces the risk of misuse.

Overall, IBM's EEM complements Kafka by providing a centralized place to manage access controls, approvals, and data redaction for event streams. This simplifies secure exposure of payment events while ensuring sensitive data remains protected.

Step-by-Step Configuration

Connect to Cluster

After logging in to the Event Endpoint Management UI, the topics are listed on the left-hand side. The topic list and the catalog are both empty until a Kafka cluster is connected.

A cluster is added via “add topic” and then “add new cluster”.

The first required information is a name for the cluster, followed by the bootstrap URL or URLs of the desired cluster.

To accept the cluster's TLS certificates, tick the box in the middle-right of the screen. Before ticking it, confirm that the presented certificate is the one your Kafka administrators expect (for example by comparing its fingerprint); accepting an unknown certificate here removes the protection that TLS verification gives this connection.

After clicking Next, all topics found on the added Kafka cluster are shown and can be selected for import into EEM. Further topics can be added later as well.

Topics

Once topics are imported, they are visible under the Topics tab on the left side. Each topic has an overview page showing its schema, its options, and the management settings.

Add Schema

In the topic editor several attributes can be set: the name under which the topic will appear in the catalog, a description, the encoding type, tags, and a contact e-mail for the topic.

On the left-hand side, under “event information”, are the schema settings. Here a schema, message descriptions, or sample messages can be added.

In this example a schema was uploaded, which lets EEM validate the fields a message provides and lets you pick fields by name when configuring controls.

Options

A schema is not required to add options, because a redaction can target a field with a JSONPath expression such as ‘$.myfield’, but a schema makes field selection easier.

First, in the option editor a name and a unique alias must be defined; a description is optional. Afterwards a control can be added.

Approval and Redaction are the controls explained below.

Approval

If Approval is chosen, the control is added automatically.

Requesting Access to a Topic (Option)

For a specific topic in the catalog, access can be requested via the button at the top right.

To be accepted, the requester must specify a contact and a justification for the access.

The request is then pending (only one request per topic can be open at a time).

Accepting requests

The topic owner can see pending requests on the Requests tab and decide whether to accept or deny each one.

If the request is approved, it appears in the requester's catalog screen for that topic. Along with the connection details, access credentials can be generated (“generate access credentials”) and downloaded at the top right. Treat the downloaded credentials as secrets: they are what ties a consumer to the approved option.

Redaction

If Redaction is chosen, the following screen appears. On the right-hand side the schema defined for that topic is shown. (If no schema is defined for the topic, the only way to select a field is via its JSONPath.)

Selecting the field to redact lets you choose how the field should look after redaction: either replace the content of the field, or hash its value. In this example the PIN was replaced by “xxxx” and the credit card number was hashed. A caveat on hashing: a hash only protects a value whose input space cannot be enumerated. A 16-digit PAN with a known six-digit BIN and a Luhn check digit leaves roughly a billion candidates, so an unkeyed hash of it can be brute-forced offline. Check whether the hash EEM applies is keyed (PCI DSS v4.0 requirement 3.5.1.1 calls for keyed cryptographic hashes of PAN), and prefer replacement whenever consumers do not need a stable pseudonym of the card number.

Additionally, schema filtering (which drops messages that do not match the schema) and an approval control were added to the topic before publishing. After adding the options, the views of the topic can be published to the catalogue.

When the published option is consumed, for example from Event Processing, the overwritten PIN and the hashed credit card number can be verified in the delivered messages.
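The following is an added example written for this post; it is not code from EEM or from the authors. It simulates what the option's controls do to a message on its way to a consumer (schema filter first, then replace and hash redactions addressed by dotted JSONPath selectors) so that the expected consumer-side result can be checked against what the gateway actually delivers. The rule format, the dotted-path subset of JSONPath, the sample events (synthetic test card numbers) and the demo key are all assumptions of this example; whether EEM's own hash is keyed must be confirmed in the product documentation.

```python
"""Simulate EEM-style schema filtering and redaction on constructed payment events."""
import hashlib
import hmac
import json
import re

# Constructed sample payment events (synthetic test PANs, not real cards).
# The second event has a non-numeric amount, so the schema filter should drop it.
SAMPLE_EVENTS = [
    '{"orderId": "A100", "amount": 42.5, "card": {"number": "4111111111111111", "pin": "1234"}}',
    '{"orderId": "A101", "amount": "n/a", "card": {"number": "5500000000000004", "pin": "9876"}}',
    '{"orderId": "A102", "amount": 9.99, "card": {"number": "4012888888881881", "pin": "0000"}}',
]

# Stand-in for the topic schema: required top-level fields and their accepted types.
PAYMENT_SCHEMA = {"orderId": str, "amount": (int, float), "card": dict}

# Redaction rules in the shape of the EEM option: a JSONPath-style selector plus either
# a replacement value or a hash action. (Hypothetical rule format, assumed for this example.)
RULES = [
    {"path": "$.card.pin", "action": "replace", "value": "xxxx"},
    {"path": "$.card.number", "action": "hash"},
]

# 13 to 19 consecutive digits on word boundaries: the shape of a raw PAN.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def matches_schema(event, schema=PAYMENT_SCHEMA):
    """Schema filter: True only if every required field exists with an accepted type."""
    if not isinstance(event, dict):
        return False
    return all(isinstance(event.get(field), typ) for field, typ in schema.items())


def split_path(path):
    """Support only simple dotted JSONPath such as '$.card.number' (no wildcards or filters)."""
    if not path.startswith("$.") or len(path) < 3:
        raise ValueError("unsupported JSONPath: %r" % path)
    return path[2:].split(".")


def hash_value(value, key=None):
    """Keyed HMAC-SHA256 when a key is given; otherwise a plain (enumerable) SHA-256 digest."""
    data = str(value).encode()
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def redact(event, rules, key=None):
    """Return a redacted deep copy; the input (like the message on the Kafka topic) is untouched."""
    out = json.loads(json.dumps(event))
    for rule in rules:
        parts = split_path(rule["path"])
        parent = out
        for part in parts[:-1]:
            parent = parent.get(part) if isinstance(parent, dict) else None
            if not isinstance(parent, dict):
                break
        else:
            leaf = parts[-1]
            if leaf in parent:  # a missing field is simply left alone
                if rule["action"] == "replace":
                    parent[leaf] = rule["value"]
                elif rule["action"] == "hash":
                    parent[leaf] = hash_value(parent[leaf], key)
                else:
                    raise ValueError("unknown action %r" % rule["action"])
    return out


def apply_controls(raw_messages, rules=RULES, key=None):
    """Gateway-style pipeline: parse, drop schema-invalid messages, then redact the rest."""
    delivered = []
    for raw in raw_messages:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # unparsable input is filtered like any other invalid message
        if not matches_schema(event):
            continue
        delivered.append(redact(event, rules, key))
    return delivered


def leaks_pan(events):
    """Consumer-side check: does any delivered message still carry a raw PAN-shaped number?"""
    return any(PAN_RE.search(json.dumps(e)) for e in events)


if __name__ == "__main__":
    delivered = apply_controls(SAMPLE_EVENTS, key=b"demo-redaction-key")  # assumed demo key
    for event in delivered:
        print(json.dumps(event))
    print("raw PAN leaked:", leaks_pan(delivered))
```

Run the consumer you get credentials for against the published option and compare its output with `apply_controls` on the same input: the PIN must read “xxxx”, the card number must be a digest, the invalid event must be absent, and `leaks_pan` must be False. The `key` parameter exists because an unkeyed hash of a PAN is only a thin disguise; if EEM's hash turns out to be unkeyed, use replacement for the PAN instead.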

Additional tips & tricks

-        IBM Event Streams has a toolbox with Starter Applications and Data Generator applications, which are quite useful for sending a stream of test messages.

-        There is also a good demo/tutorial at https://ibm.github.io/event-automation/tutorials/guided/tutorial-0. We used this as a starting point and enriched the events with payment information using an Event Processing flow.

Benefits

Don't let your Kafka events become a security nightmare!

By implementing access controls and data redaction within IBM's Event Endpoint Management, you can expose your Kafka event streams in a secure and reliable way. Remember, securing your sensitive data is not just about compliance: it's about building trust with your customers. Take control of your event streams today, and ensure your customer data remains leak-proof!

  • Enhanced Security: Restricting access and redacting sensitive data significantly reduces the attack surface and protects customer privacy.
  • Improved Compliance: Adherence to regulations like PCI DSS (Payment Card Industry Data Security Standard) becomes easier by demonstrating control over sensitive financial data.
  • Streamlined Data Flow: Authorized applications can still efficiently access the necessary data from the event stream for critical business processes.

Useful links

Documentation:

This blog was written using IBM Event Endpoint Management version 11.1, which offers a small number of controls. New versions are adding further controls; to find out more, check the What's New page.

Authors

  • Kevin Ross - kross@ibm.com
  • Raji Thomas - raji.thomas@ibm.com
  • Giovanni Vuolo - giovanni.rafael.vuolo@ibm.com
