Prerequisites and Challenges: PAW installation

[mincharug.shulft]

Hi Experts,
kindly assist me with the below:

we have installed the PAW component; Docker is a prerequisite installed in a development environment. IBM suggested excluding running the antivirus (Symantec) in PAW & Docker applications/Folder which we did. but as we need to get security team approval on the exclusion, the security team is requesting to get the Vendor's evidence about what is the integrity of excluding these PAW&Docker applications & folder. As Vendor (IBM) mentioned "we can not provide the statement that excluding the folder is security issue free"
Has anyone experienced this scenario and how did you implement any suggestions, please?

[declanr]

This is one of those rock and a hard place requirements.

It would be impossible for IBM or anyone to say that it is impossible to get viruses or issues in a certain place.
Now to run on windows you should exclude it (depending on virus software used) to guarantee a good service level.

So then if an IT department absolutely refuses to exclude it without a guarantee (which they absolutely won’t get) it means you can’t really use PAW on windows.

So that leaves you with the options of PAW on Linux, no PAW at all… or potentially taking the risk and running windows/docker with the virus software still running (with the knowledge you are probably going to have a lot of issues which IBM support will not be able to help with.)

[gtonkin]

Unfortunately going Linux may not mean you are in the clear wrt antivirus.
One of my clients had Defender running creating all sorts of havoc requiring dispensations to exclude to container folders and related programs.

May be worthwhile checking what the stack would look like and if you are likely to run into the same issues, just on a different operating system.

[mincharug.shulft]

Thank you all for your quick response. Is there any way to monitor the excluded directory to see if any files/folders are modified for malicious activity? something like that? to prevent those excluded files/folders from safe. please suggest if these are feasible options.

[mincharug.shulft]

any suggestions please we are in the middle of the decision-making to with PAW or stay with TM1 Web.

[Steve Rowe]

Is there any way to monitor the excluded directory to see if any files/folders are modified for malicious activity? something like that? to prevent those excluded files/folders from safe. please suggest if these are feasible options.

I think this is a virus scanner so you're getting circular now....

It's been a fundamental pre-req of Planning Analytics for many years that the working directories should be free of scanning activity irrespective if we are talking the DB or PAW and Docker. I assume this is the same for great many other products.

Docker is a challenging space for IT security I think, having been in your position it goes kind of like this in the windows world
1. Docker is a black box we can't see what's going on in it.
2. We need a to be able to monitor it and see what's going.
3. All the windows based monitoring tools are too invasive and break docker.
4. We can't monitor it so you can't have it.

At the end of the day it's going to come down to the businesses desire for the product vs ITs desire to protect itself.

The best protection is just to turn everything off!

[Steve Rowe]

any suggestions please we are in the middle of the decision-making to with PAW or stay with TM1 Web.

Go RHEL for PAW.
PAW is massively better than TM1Web, assuming you want to use dashboards of course. Much better dev and admin tools as well.
You get to use Pafe too, baring in mind that Excel 365 and the legacy client is not supported this can be a big deal. Plus access to the new reporting types and hierarchies.

There's really no good reason to stay in the legacy world now and many plus points for moving.

If the only barrier is virus scanning of docker containers then this is a politics problem not a technology problem.