2023-12-20 13:42:28+0000 (0537db1d525dd64706aa58747990bd04127fe456)
autobuild committed Dec 20, 2023
1 parent 35a0611 commit c5e3de9
Showing 4 changed files with 34 additions and 37 deletions.
10 changes: 5 additions & 5 deletions cbr-enhanced-security.md
Expand Up @@ -2,8 +2,8 @@
subcollection: solution-tutorials
copyright:
years: 2023
lastupdated: "2023-12-13"
lasttested: "2023-12-13"
lastupdated: "2023-12-20"
lasttested: "2023-12-20"

content-type: tutorial
services: containers, cloud-object-storage, activity-tracker, Registry, secrets-manager, appid, Cloudant, key-protect, log-analysis
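Review bot: `lasttested` moves to "2023-12-20" here, but every other change to this file in the commit is a link-target update (the Cost Estimator link and two entries in the related-content list). In cloud-e2e-security.md the same commit bumps only `lastupdated` and leaves `lasttested` at "2023-12-13". If the tutorial steps were not re-run on 2023-12-20, keep `lasttested` at "2023-12-13" so readers can tell when the described security controls were last verified end to end.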
Expand All @@ -19,7 +19,7 @@ use-case: Cybersecurity
{: toc-services="containers, cloud-object-storage, activity-tracker, Registry, secrets-manager, appid, Cloudant, key-protect, log-analysis"}
{: toc-completion-time="2h"}

This tutorial may incur costs. Use the [Cost Estimator](/estimator/review) to generate a cost estimate based on your projected usage.
This tutorial may incur costs. Use the [Cost Estimator](/estimator) to generate a cost estimate based on your projected usage.
{: tip}


Expand Down Expand Up @@ -335,6 +335,6 @@ To remove the resource, use the browser and navigate to the [{{site.data.keyword
{: related}

* Blog post [Towards Zero Trust with Context-Based Restrictions](https://www.ibm.com/blog/towards-zero-trust-with-context-based-restrictions){: external}
* Blog post [Introducing Context-Based Restrictions](https://www.ibm.com/blog/announcements/introducing-context-based-restrictions){: external}
* Blog post [Introducing Context-Based Restrictions](https://www.ibm.com/blog/announcement/introducing-context-based-restrictions/){: external}
* [What is Zero Trust?](https://www.ibm.com/topics/zero-trust){: external}
* Tutorial: [Best practices for organizing users, teams, applications](/docs/solution-tutorials?topic=solution-tutorials-users-teams-applications#users-teams-applications)
* [Best practices for organizing users, teams, applications](/docs/account?topic=account-account_setup)
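Review bot: in the last list item the target now points to `/docs/account?topic=account-account_setup`, but the link text is still the old tutorial title "Best practices for organizing users, teams, applications" and the "Tutorial:" prefix was dropped. Change the link text to the title of the account setup page so readers are not led to expect the solution tutorial. Separately, the "Introducing Context-Based Restrictions" URL now ends in a trailing slash while the neighbouring blog link does not; confirm both resolve without a redirect.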
16 changes: 8 additions & 8 deletions cloud-e2e-security.md
Expand Up @@ -2,7 +2,7 @@
subcollection: solution-tutorials
copyright:
years: 2023
lastupdated: "2023-12-14"
lastupdated: "2023-12-20"
lasttested: "2023-12-13"

content-type: tutorial
Expand All @@ -20,7 +20,7 @@ use-case: Cybersecurity
{: toc-services="containers, cloud-object-storage, activity-tracker, Registry, secrets-manager, appid, Cloudant, key-protect, log-analysis, cis"}
{: toc-completion-time="2h"}

This tutorial may incur costs. Use the [Cost Estimator](/estimator/review){: external} to generate a cost estimate based on your projected usage.
This tutorial may incur costs. Use the [Cost Estimator](/estimator){: external} to generate a cost estimate based on your projected usage.
{: tip}


Expand Down Expand Up @@ -133,7 +133,7 @@ While the cluster is being provisioned, you will create the other services requi
### Use your own encryption keys
{: #cloud-e2e-security-7}

{{site.data.keyword.keymanagementserviceshort}} helps you provision encrypted keys for apps across {{site.data.keyword.Bluemix_notm}} services. {{site.data.keyword.keymanagementserviceshort}} and {{site.data.keyword.cos_full_notm}} [work together to protect your data at rest](/docs/key-protect/integrations?topic=key-protect-integrate-cos#integrate-cos). In this section, you will create one root key for the storage bucket.
{{site.data.keyword.keymanagementserviceshort}} helps you provision encrypted keys for apps across {{site.data.keyword.Bluemix_notm}} services. {{site.data.keyword.keymanagementserviceshort}} and {{site.data.keyword.cos_full_notm}} [work together to protect your data at rest](/docs/key-protect/integrations?topic=key-protect-integrate-cos). In this section, you will create one root key for the storage bucket.

1. Create an instance of [{{site.data.keyword.keymanagementserviceshort}}](/catalog/services/kms){: external}.
1. Select a **location**.
Expand All @@ -156,7 +156,7 @@ The file sharing application saves files to a {{site.data.keyword.cos_short}} bu
#### A bucket for the content
{: #cloud-e2e-security-9}

1. Create an instance of [{{site.data.keyword.cos_short}}](/catalog/services/cloud-object-storage){: external}.
1. Create an instance of [{{site.data.keyword.cos_short}}](/objectstorage/create){: external}.
1. Select a **Standard** plan and Set the **name** to `secure-file-storage-cos`.
2. Use the same **resource group** as for the previous services and click **Create**.
2. Under **Service credentials**, create a *New credential*.
Expand Down Expand Up @@ -222,7 +222,7 @@ The {{site.data.keyword.cloudant_short_notm}} database will contain metadata for
### Authenticate users
{: #cloud-e2e-security-11}

With {{site.data.keyword.appid_short}}, you can secure resources and add authentication to your applications. As an alternative not used in this tutorial, {{site.data.keyword.appid_short}} can [integrate](/docs/containers?topic=containers-comm-ingress-annotations#app-id) with {{site.data.keyword.containershort_notm}} to authenticate users accessing applications deployed in the cluster.
With {{site.data.keyword.appid_short}}, you can secure resources and add authentication to your applications. As an alternative not used in this tutorial, {{site.data.keyword.appid_short}} can [integrate](/docs/containers?topic=containers-comm-ingress-annotations#app-id-authentication) with {{site.data.keyword.containershort_notm}} to authenticate users accessing applications deployed in the cluster.

Before creating the {{site.data.keyword.appid_short}} service, grant service access to {{site.data.keyword.keymanagementserviceshort}} service. You must be the account owner or an administrator for the instance of {{site.data.keyword.keymanagementserviceshort}} that you're working with. You must also have at least Viewer access for the {{site.data.keyword.appid_short}} service.

Expand Down Expand Up @@ -438,7 +438,7 @@ By default, the application is accessible on a generic subdomain of `containers.
### Provision a {{site.data.keyword.cis_short_notm}} and {{site.data.keyword.secrets-manager_short}} instance
{: #cloud-e2e-security-cis-instance}
- A [{{site.data.keyword.cis_full_notm}}](/catalog/services/internet-services) instance is required. Use an existing instance or create one from this [catalog entry](/catalog/services/internet-services). A number of pricing plans are available, including a free trial. The provisioning process of a new {{site.data.keyword.cis_short_notm}} will explain how to configure your existing DNS registrar (perhaps not in {{site.data.keyword.cloud_notm}}) to use the CIS-provided domain name servers. Export the custom domain in the shell window:
- A [{{site.data.keyword.cis_full_notm}}](/catalog/services/internet-services){: external} instance is required. Use an existing instance or create one from this [catalog entry](/catalog/services/internet-services){: external}. A number of pricing plans are available, including a free trial. The provisioning process of a new {{site.data.keyword.cis_short_notm}} will explain how to configure your existing DNS registrar (perhaps not in {{site.data.keyword.cloud_notm}}) to use the CIS-provided domain name servers. Export the custom domain in the shell window:
```sh
export MYDOMAIN=example.com
```
Expand Down Expand Up @@ -630,13 +630,13 @@ Security is never done. Try the below suggestions to enhance the security of you
If you want to work with others on resources of this solution tutorial, you can share all or only some of the components. [{{site.data.keyword.cloud_notm}} Identity and Access Management (IAM)](/docs/account?topic=account-iamoverview) enables the authentication of users and service IDs and the access control to cloud resources. For granting access to a resource, you can assign [predefined access roles](/docs/account?topic=account-userroles) to either a user, a service ID, or to an [access group](/docs/account?topic=account-groups). An access group can be created to organize a set of users and service IDs into a single entity. It makes it easy for you to assign access. You can assign a single policy to the group instead of assigning the same access multiple times per individual user or service ID. Thus, you can organize groups for roles on your development project and align security and project management.
You can find information on the individual services and their available IAM access roles here:
* [{{site.data.keyword.containershort_notm}}](/docs/containers?topic=containers-access_reference#service). Note that this service also provides examples for [mapping service roles to typical project roles](/docs/containers?topic=containers-users).
* [{{site.data.keyword.containershort_notm}}](/docs/containers?topic=containers-access_reference). Note that this service also provides examples for [mapping service roles to typical project roles](/docs/containers?topic=containers-users).
* [{{site.data.keyword.registryshort_notm}}](/docs/Registry?topic=Registry-iam#iam)
* [{{site.data.keyword.appid_short}}](/docs/appid?topic=appid-service-access-management)
* [{{site.data.keyword.cloudant_short_notm}}](/docs/Cloudant?topic=Cloudant-managing-access-for-cloudant)
* [{{site.data.keyword.cos_short}}](/docs/cloud-object-storage?topic=cloud-object-storage-iam)
* [{{site.data.keyword.at_short}}](/docs/activity-tracker?topic=activity-tracker-iam)
* [{{site.data.keyword.keymanagementserviceshort}}](/docs/key-protect?topic=key-protect-manage-access#service-access-roles)
* [{{site.data.keyword.keymanagementserviceshort}}](/docs/key-protect?topic=key-protect-manage-access)
* [{{site.data.keyword.secrets-manager_short}}](/docs/secrets-manager?topic=secrets-manager-iam)
To get started, check out the [best practices for access management and how to define access groups](/docs/account?topic=account-account_setup#resource-group-strategy).
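Review bot: the `#service` and `#service-access-roles` anchors are removed from the {{site.data.keyword.containershort_notm}} and {{site.data.keyword.keymanagementserviceshort}} links, so both now land on the page as a whole rather than on a section of it, although the list is introduced as pointing to the services' "available IAM access roles". If those anchors no longer exist, link to whichever heading now holds the role tables, since that is what a reader assigning roles needs. The same list still has `Registry-iam#iam`, and the closing sentence still has `account-account_setup#resource-group-strategy`; check those anchors in the same pass.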
39 changes: 18 additions & 21 deletions create-deploy-retrain-machine-learning-model.md
Expand Up @@ -2,8 +2,8 @@
subcollection: solution-tutorials
copyright:
years: 2023
lastupdated: "2023-09-22"
lasttested: "2022-09-12"
lastupdated: "2023-12-18"
lasttested: "2022-12-18"

content-type: tutorial
services: cloud-object-storage, ai-openscale
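Review bot: `lasttested` is changed to "2022-12-18" while `lastupdated` on the line above becomes "2023-12-18" and `copyright.years` is 2023. The year looks like a typo; if the tutorial was tested as part of this update it should read `lasttested: "2023-12-18"`.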
Expand Down Expand Up @@ -64,21 +64,15 @@ You can create a project to add data and open a data asset in the data refiner f
### Create a project
{: #create-deploy-retrain-machine-learning-model-create_project}

1. If you do not have an existing {{site.data.keyword.cos_short}} service, go to the [{{site.data.keyword.Bluemix_short}} catalog](/catalog) and create an instance of [{{site.data.keyword.cos_short}}](/objectstorage/create).

Insure the {{site.data.keyword.cos_short}} **One Rate** plan is not selected. The **One Rate** plan is not currently supported for model deployment.
{: note}

1. From the [catalog](/catalog), create [{{site.data.keyword.DSX_short}}](/catalog/services/data-science-experience?taxonomyNavigation=app-services)
1. Select a **region**
2. Select a **Lite** pricing plan
3. Change the **Service name** to **watson-studio-tutorial**
4. Select a **resource group** and click **Create**
2. Click on the **Launch in** twisty and select **IBM watsonx**.
3. Create a **project** by clicking on the upper left hamburger menu and selecting **Projects > Vew all projects** then **New project**.
3. In the subsequent page click **Create an empty project**.
3. Create a **project** by clicking **+ Create a new project** in the **Projects** section.
4. Provide **iris_project** as the project name.
5. Under **Storage**, choose an **existing** {{site.data.keyword.cos_short}} service verified to exist a few steps earlier.
5. In the **Define storage**, **Add** a new instance of a {{site.data.keyword.cos_short}} service.
6. Click **Create**. Your new project opens and you can start adding resources to it.

### Import data
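Review bot: the note that the {{site.data.keyword.cos_short}} **One Rate** plan is not supported for model deployment is removed without a replacement, yet the new step 5 has the reader add a new {{site.data.keyword.cos_short}} instance from the project dialog. If the restriction still applies, move the note under step 5 so the reader does not pick an unsupported plan. Step 5 also reads "In the **Define storage**, **Add** a new instance" and is missing a noun such as "section" after **Define storage**.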
Expand Down Expand Up @@ -113,18 +107,18 @@ As mentioned earlier, you will be using the **Iris data set**. The Iris dataset
{: #create-deploy-retrain-machine-learning-model-build_model}
{: step}

1. In the top navigation menu, click on `iris-project`, click on **Assets** in the top bar.
1. Click on **New task +** and search for **auto**.
1. In the top navigation menu, click **Assets**.
1. Click on **New asset +** and search for **auto**.
1. Click on the **Build machine models automatically** tile.
2. Set the name to **iris_auto**.
3. Under **{{site.data.keyword.watson}} {{site.data.keyword.pm_short}} service instance**, notice the service previously associated.
2. Click **Create**.

Once the model is created,
1. Add training data by clicking **Select data from project**.
1. Choose the **iris_initial.csv** file under **Data asset**.
1. Choose the **Data asset** under **Categories** and check **iris_initial.csv**.
2. Click **Select asset**.
1. If prompted, answer **No** to **Create a time series forecast?**.
1. If prompted, answer **No** to **Create a time series analysis?**.
2. Select **Species** as your **What do you want to predict?**.
3. Click **Experiment settings**.
1. Select **Data source**.
Expand Down Expand Up @@ -154,8 +148,8 @@ Once the experiment completes running,

In this section, you will deploy the saved model and test the deployed model,

1. Under the created model, click on **Promote to deployment space**.
1. Under **Target Space**, select **Create a new deployment space**. _You use deployment spaces to deploy models and manage your deployments._
1. In the **Assets** tab open **Models** on the left.
1. In the **Modes** table locate the model and click on the hamburger menu and choose **Promote to space**. _You use deployment spaces to deploy models and manage your deployments._
1. Set the **Name** to **iris_deployment_space**.
2. Select the {{site.data.keyword.cos_short}} storage service used in previous steps in the corresponding drop down.
3. Select the `machine-learning-tutorial` service in the corresponding drop down.
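Review bot: the new second step says "In the **Modes** table", which looks like a typo for **Models**, the entry opened in the step before it. The old sub-step "Under **Target Space**, select **Create a new deployment space**" is gone, but the sub-steps that follow still set a name, a storage service and a machine learning service for a new space, so the reader is never told to choose to create one. Add that instruction back in the new wording and keep the italic explanation of deployment spaces next to it.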
Expand Down Expand Up @@ -195,7 +189,7 @@ In the **Deployments > iris_deployment_space**:
Along with the UI, you can also do predictions using the API scoring endpoint by exposing the deployed model as an API to be accessed from your applications.

1. Under **API reference** tab of the deployment, you can see the _Endpoint_ under Direct link and code snippets in various programming languages.
2. **Copy** the _Endpoint_ in a notepad for future reference.
2. **Copy** the _Public endpoint_ in a notepad for future reference.
3. In a browser, launch the [{{site.data.keyword.Bluemix_notm}} Shell](/shell) and export the scoring End-point to be used in subsequent requests. **_Make sure you don't close this window/tab_**..
```sh
export SCORING_ENDPOINT='<SCORING_ENDPOINT_FROM_ABOVE_STEP>'
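Review bot: step 2 now names the value _Public endpoint_, but step 1 directly above still tells the reader to look for the _Endpoint_ under Direct link. Use the same label in both steps so it is clear which URL goes into `SCORING_ENDPOINT`.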
Expand Down Expand Up @@ -245,21 +239,24 @@ For ease of understanding, the tutorial concentrates only on improving the quali

In this section, you will create a {{site.data.keyword.aios_short}} service to monitor the health, performance, accuracy and quality metrics of your deployed machine learning model.

1. Create a [{{site.data.keyword.aios_full_notm}} service](/catalog/services/watson-openscale)
1. Create a watsonx.governance [{{site.data.keyword.aios_full_notm}} service](/catalog/services/watsonxgovernance)
1. Select a region preferably Dallas. Create the service in the same region where you created the {{site.data.keyword.pm_short}} service.
2. Choose **Lite** plan.
3. Set the service name to **watson-openscale-tutorial**.
1. Select a resource group.
4. Click **Create**.
2. Once the service is provisioned, Click **Manage** on the left pane and click **Launch Application**.
2. Once the service is provisioned, Click **Manage** on the left pane and click **Launch Watson OpenScale**.
3. Click on **Manual setup** to manually setup the monitors.

### Selecting a deployment
### System setup
{: #create-deploy-retrain-machine-learning-model-12}

In this section, as part of preparing your model for monitoring you will set up and enable monitors for each deployment that you are tracking with {{site.data.keyword.aios_full_notm}}.

1. By clicking on the **Edit** icon on the **Database** tile, choose **Free lite plan database** as your Database type and click **Save**. _This is to store your model transactions and model evaluation results._
1. Click on **Database**. _This is to store your model transactions and model evaluation results._ (it may already be selected)
1. Click the **Edit** icon on the **Database** tile
1. Choose **Free lite plan database** as your Database type
1. Click **Save**.
2. Click on **Machine learning providers**
1. Click on **Add machine learning provider** and click the edit icon on the **Connection** tile.
2. Select **{{site.data.keyword.watson}} {{site.data.keyword.pm_short}}(V2)** as your service provider type.
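Review bot: the catalog link now targets `/catalog/services/watsonxgovernance` and the sentence says "watsonx.governance", but step 3 still sets the service name to **watson-openscale-tutorial** and the launch button is named **Launch Watson OpenScale**; confirm this mix of names matches what the reader sees in the console. The added `1. Select a resource group.` sits between the items numbered 3 and 4 and should be renumbered. The new Database sub-steps mix items with and without a closing period, and "(it may already be selected)" follows the italic explanation instead of the instruction it qualifies.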
6 changes: 3 additions & 3 deletions resource-sharing.md
Expand Up @@ -2,8 +2,8 @@
subcollection: solution-tutorials
copyright:
years: 2023
lastupdated: "2023-09-04"
lasttested: "2023-09-04"
lastupdated: "2023-12-18"
lasttested: "2023-12-18"

# services is a comma-separated list of doc repo names as taken from https://github.ibm.com/cloud-docs/
content-type: tutorial
Expand Down Expand Up @@ -196,7 +196,7 @@ You can find more examples in the GitHub repository [cross-account-resource-shar
A dependency on a key management service (KMS) like [{{site.data.keyword.keymanagementserviceshort}}](/docs/key-protect?topic=key-protect-getting-started-tutorial) and [{{site.data.keyword.hscrypto}}](/docs/hs-crypto?topic=hs-crypto-get-started) is typical for cloud-based solutions. A KMS instance holds the root keys for customer-managed encryption. Most services support customer-controlled encryption keys. Instead of **cloud-object-storage** ({{site.data.keyword.cos_short}}) in the example above, many other services can use a KMS instance shared across accounts.

Other typical (target) services for service-to-service authorization and candidates for resource sharing include:
- [{{site.data.keyword.cos_short}}](/docs/cloud-object-storage?topic=cloud-object-storage-getting-started-cloud-object-storage): Several services require or are able to store data and log files in a storage bucket. This includes the archiving of access logs and monitoring data. Other services like {{site.data.keyword.sqlquery_short}} need to access buckets to perform data analysis. And yet another category of services need access to subscribe to change notifications to trigger the execution of actions.
- [{{site.data.keyword.cos_short}}](/docs/cloud-object-storage?topic=cloud-object-storage-getting-started-cloud-object-storage): Several services require or are able to store data and log files in a storage bucket. This includes the archiving of access logs and monitoring data. Other services need to access buckets to perform data analysis. And yet another category of services need access to subscribe to change notifications to trigger the execution of actions.
- [{{site.data.keyword.en_short}}](/docs/event-notifications?topic=event-notifications-getting-started): To push out information about events to subscribers, service instances need to access an {{site.data.keyword.en_short}} instance.
- [{{site.data.keyword.secrets-manager_short}}](/docs/secrets-manager?topic=secrets-manager-getting-started): This service stores and provides to other services IAM API keys, SSL/TLS certificates, and other secrets. Hence, the dependent (source) services need to access {{site.data.keyword.secrets-manager_short}}.
- [{{site.data.keyword.cis_short}}](/docs/cis?topic=cis-getting-started): It manages domain names and other network data and, therefore, can be used for, e.g., certificate validation.
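Review bot: with the {{site.data.keyword.sqlquery_short}} reference removed, the sentence "Other services need to access buckets to perform data analysis." in the {{site.data.keyword.cos_short}} bullet no longer names any service, so it gives no example of which source service would need the service-to-service authorization. Either name a current service or fold the sentence into the previous one.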