Cloud-Native Security Practices in IBM Cloud: White Paper
This paper lists fundamental cloud-native security practices, with a focus on how to use them in IBM
Cloud. It incorporates common practices from across IBM’s global client base and industry best
practices. The scope spans cloud security strategy, operations, management, shared responsibilities, and
controls to meet compliance requirements. Cloud security is accomplished in layers, with particular
attention on data and workloads in a cloud-native world.
This paper is designed for security and technology professionals who are evaluating or deploying
workloads in the IBM Cloud. It covers the scope of concerns from deployment of a single application to
complex, hybrid or multi-cloud environments. If you are starting out, the information here will set you on
the path to cloud-native best practices; if you are transforming your enterprise, the topics defined here will
let you more easily identify gaps and opportunities to improve your security profile.
Consider an example where IBM is the provider that sets up the home security system, but a business is
the tenant who sets up the access code. Who is responsible for ensuring that the alarm is active when the
homeowner is away? It is a shared responsibility: the client must activate the alarm, and the
provider must ensure that it is actively monitored.
In the model that follows, the tenant is responsible for all aspects of security in light blue, while the
provider has obligations for enabling security for the components in dark blue.
For IBM Cloud generally, IBM as the provider is responsible for the security of the data center, hosting
the servers, and the connectivity and uptime of the data center for the tenant’s use.
IBM Cloud comprises a set of trusted facilities and systems. All locations adhere to the same
standards and controls. Tenants can achieve compliance with controls and certifications by
combining their responsibilities with IBM’s responsibilities.
• Securing the entire workload: servers, operating system updates and patching, the applications
and data, access management, monitoring, and threat management.
• While IBM Cloud provides the VPN for VPC service that encrypts traffic by using IKE/IPsec
from the client’s premises to within the client's VPC, if a client requires true end-to-end
encryption of traffic from their premises endpoint to their IBM Cloud VM, establishing that
end-to-end encryption is the client's responsibility. If the application can be updated, TLS v1.2
or later should be used to establish layer 4 encryption end-to-end. Where the application
cannot be updated, an IPsec tunnel should be used between the endpoint and the VM to
establish layer 3 encryption.
• Using IBM’s tools or its own tools to manage and secure workloads and data,
independent of IBM.
• Hiring IBM service teams or other third-party teams to provide services, such as any security
management and administrative tasks. These services are done upon request. When IBM
fulfills such requests, it acts as an extension of the tenant.
• Maintaining the security of the applications and data that it installs or runs on the
platform.
• Monitoring, threat detection, and responses on the application and data.
• Using IBM’s tools or its own tools to manage and secure applications and data,
independent of IBM.
• The tenant might hire IBM service teams to provide security management and assist with
defined regulatory compliance and reporting requirements. In such cases, IBM acts as an
extension of the tenant, who is still responsible for the security of its applications and data.
• Maintaining the security of any data that is processed and that it introduces into the
service at any level in the stack.
• Proactive data protection, encryption, key management, access control, data and IP theft
detection, and responses on data incidents.
• Using IBM’s tools or its own tools to manage and secure workloads, independent of IBM.
• Possibly hiring IBM service teams to provide security management and assist with defined
regulatory compliance and reporting requirements. In such cases, IBM acts as an extension of
the tenant, who is still responsible for the security of its data.
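The encryption-in-transit bullet above separates what the VPN for VPC service covers (the IKE/IPsec tunnel from the premises into the VPC) from what the tenant must still do to reach the VM itself. The following Python, added here as an example and not code from the paper or from IBM, shows the client side of the "TLS 1.2 or later" policy: an `ssl` context that refuses older protocol versions and requires certificate verification, plus a check that reports whether a negotiated version meets the policy. The helper names and the `MIN_TLS` constant are this example's own.

```python
import ssl

# Policy from the shared-responsibility bullet: TLS 1.2 or later for layer 4
# encryption between the premises endpoint and the IBM Cloud VM.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def make_client_context(cafile=None):
    """Build a client SSLContext that enforces the policy.

    cafile=None uses the platform trust store; a PEM bundle can be passed to
    pin a private CA instead (an assumption of this example, no real path given).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = MIN_TLS          # rejects SSLv3, TLS 1.0 and TLS 1.1
    ctx.check_hostname = True              # certificate must match the server name
    ctx.verify_mode = ssl.CERT_REQUIRED    # no anonymous or unverified peers
    return ctx


def version_meets_policy(negotiated):
    """True if a negotiated protocol string (the value ssl.SSLSocket.version()
    returns, e.g. 'TLSv1.3') satisfies MIN_TLS. Unknown input fails closed."""
    if not negotiated or not negotiated.startswith("TLSv"):
        return False                       # SSLv2/SSLv3 or unparseable
    major, _, minor = negotiated[len("TLSv"):].partition(".")
    try:
        version = (int(major), int(minor or 0))
    except ValueError:
        return False
    return version >= (1, 2)


def checked_socket(ctx, sock, server_hostname):
    """Wrap a connected TCP socket and fail closed if the negotiated version is
    below policy (belt and braces: the context already prevents this)."""
    tls = ctx.wrap_socket(sock, server_hostname=server_hostname)
    if not version_meets_policy(tls.version()):
        tls.close()
        raise ssl.SSLError("negotiated %s is below policy" % tls.version())
    return tls
```

`checked_socket` needs a live peer, so it is shown for completeness only. Where the application cannot be updated to use such a context, the paper's alternative applies: an IPsec tunnel between the endpoint and the VM protects all traffic at layer 3 without any application change.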
Clients that are adopting cloud need to enhance the skills of their staff or acquire skilled members and
integrate them into their current teams in a programmatic way. The teams must be trained to maintain
the corporate-defined standards while they use a specific cloud service provider. Deep expertise in the
cloud service provider's environment is required when building cloud configurations that leverage the
provider's native security features.
IBM Security and the IBM Garage Methodology bring extensive expertise and offerings to advise and
support clients on their journeys to cloud adoption. Advisory and managed security services can be
provided by using a combination of IBM Security and the IBM Garage Methodology based on the
client’s scenario and requirements. Advisory and managed services offerings include Governance, Risk
& Compliance, Security Operations (SIOC), X-Force Threat Management (XFTM), X-Force Offensive
Testing (XF RED), X-Force Intel & Response (XF IRIS), and others.
New cloud development and operations models have an overall effect on an organization’s security
culture. Continuous development is one of the most valuable features of the cloud-native model, and
security cannot lag releases. The goal of the cloud-native organization is to maintain continuous
development and achieve continuous security. To keep pace, application teams must take on more security
responsibility and accountability, and developers must be enabled to embed security into the DevOps
process. When security is baked into your DevOps process and culture from the beginning, you have achieved
DevSecOps.
A thoughtful approach to aligning security practices begins with an overall consideration of your
organization’s cloud security strategy and approach:
• Take a risk-based view: You need to know what kinds of workload and data you are able to
move to the cloud and which need transformation. Starting with a risk-based assessment
gives you visibility, and a high-level roadmap for phasing your cloud adoption.
• Understand the shared responsibility model: Review the provider’s cloud terms of service
and your organization’s existing security policies and requirements, including regulatory
compliance. Identify if responsibilities have shifted from you to the provider, or if there are
gaps in your existing policies or responsibilities matrix.
Clients require an end-to-end approach to security that helps them achieve the three core
objectives shown in the figure below. These include structured security practices like:
• Consistent use of network protection and identity and access management (IAM) tools
to control access
• Increased client control and fortified workloads to protect data
• Continuous security and compliance through clearly communicated controls,
monitoring, and both broad and targeted threat management, which add efficiency and
visibility to how risk and compliance requirements are monitored and managed.
Access to applications requires the same attention as access to cloud resources. Business applications are
the gateway to your business’ or your customer’s data. It is your responsibility to add authentication to the
applications that are built on IBM Cloud. IBM Cloud App ID allows developers to add enhanced
authentication to their web and mobile applications and better secure their cloud-native applications and
services on IBM Cloud. Developers can extend this authentication with IBM Security Cloud Identity for
advanced capabilities such as device verification and drive toward the goal of adaptive risk-based
authentication.
The approach to cloud-native network security must also consider the service types in use. Isolation,
segmentation, and micro-segmentation can be used to safeguard the network from an application located on
a public cloud. For customers using IaaS, isolation can be achieved by using a virtual
private cloud (VPC). Additionally, security groups can add instance-level security to manage inbound
and outbound traffic on both public and private network interfaces. Containers require additional
attention when it comes to network security. When building cloud-native applications with a Kubernetes
service, limit the worker nodes or applications that can be accessed externally and use network policies
to manage cluster isolation.
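The paragraph above describes security groups as instance-level filters for inbound and outbound traffic; the same default-deny principle carries over to Kubernetes network policies. The Python below is an added example, not code from the paper or from IBM: it models a security group as an allow-list with implicit deny (the way VPC security groups behave), evaluates sample flows against it, and includes the kind of posture check that flags rules exposing administrative ports to the whole internet. The rule and flow types, the sample addresses (RFC 5737 documentation ranges and private subnets) and the `WEB_TIER` rule set are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One security group rule. Security groups are allow-lists: there are no
    deny rules, so any flow that no rule matches is dropped."""
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_min: int    # ignored for icmp/all
    port_max: int
    remote: str      # CIDR the traffic comes from (inbound) or goes to (outbound)


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    port: int
    remote_ip: str


def rule_matches(rule, flow):
    if rule.direction != flow.direction:
        return False
    if rule.protocol != "all" and rule.protocol != flow.protocol:
        return False
    if rule.protocol in ("tcp", "udp") and not (rule.port_min <= flow.port <= rule.port_max):
        return False
    return ipaddress.ip_address(flow.remote_ip) in ipaddress.ip_network(rule.remote, strict=False)


def is_allowed(rules, flow):
    """Implicit deny: a flow passes only if at least one rule matches it."""
    return any(rule_matches(r, flow) for r in rules)


ANY_V4 = "0.0.0.0/0"
ADMIN_PORTS = {22, 3389}


def overly_broad(rules):
    """Flag inbound rules that open every port, or an administrative port, to
    the whole internet; the kind of finding a posture check should raise."""
    findings = []
    for r in rules:
        if r.direction != "inbound" or r.remote != ANY_V4:
            continue
        wide_open = r.protocol == "all" or (r.port_min == 1 and r.port_max == 65535)
        admin_exposed = r.protocol == "tcp" and any(r.port_min <= p <= r.port_max for p in ADMIN_PORTS)
        if wide_open or admin_exposed:
            findings.append(r)
    return findings


# Constructed sample: a web tier that serves HTTPS publicly, accepts SSH only
# from a corporate range, and may only reach the database subnet on 5432 and a
# resolver on 53. All addresses are made up for this example.
CORP_NET = "203.0.113.0/24"
DB_SUBNET = "10.240.0.0/24"
WEB_TIER = [
    Rule("inbound", "tcp", 443, 443, ANY_V4),
    Rule("inbound", "tcp", 22, 22, CORP_NET),
    Rule("outbound", "tcp", 5432, 5432, DB_SUBNET),
    Rule("outbound", "udp", 53, 53, "10.240.0.2/32"),
]

if __name__ == "__main__":
    for f in [Flow("inbound", "tcp", 443, "198.51.100.7"),
              Flow("inbound", "tcp", 22, "198.51.100.7"),
              Flow("inbound", "tcp", 22, "203.0.113.40"),
              Flow("outbound", "tcp", 5432, "10.241.0.9")]:
        print(f, "ALLOW" if is_allowed(WEB_TIER, f) else "DENY")
    print("overly broad rules:", overly_broad(WEB_TIER))
```

Because the model is allow-only, micro-segmentation means writing the smallest set of rules the workload needs and reviewing any rule whose remote is `0.0.0.0/0`; the `overly_broad` check is the automated form of that review.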
As you look ahead to the next era of computing, there are many predictions and assumptions about what
the next great innovation might be, but one thing is indisputable: data and securing that data is and will
remain important to companies and consumers. The protection of data and the management of encryption
keys are standard items in security policies and controls. IBM Cloud encrypts the data in database and
storage services with built-in encryption. For higher levels of data protection, you can manage the
encryption keys that encrypt the data at rest. For sensitive data, gain control of encryption keys by using
Bring Your Own Key (BYOK) with IBM Cloud Key Protect. Clients can hyper-protect data and keep
their own keys with exclusive control of the keys and the hardware security modules (HSM) by using
Keep Your Own Key (KYOK) with IBM Cloud Hyper Protect Crypto Services. For highly sensitive data,
clients can consider encrypting the data at the application level before they store it in a cloud data service.
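The paragraph above moves through three levels of key control: provider-managed encryption, BYOK and KYOK with a root key the tenant controls, and application-level encryption before data reaches a cloud data service. The common pattern behind BYOK and KYOK is envelope encryption: each record is encrypted with its own data key, the data key is wrapped by a root key that never leaves the key-management service, and only the wrapped form is stored beside the ciphertext. The Python below is an added example, not code from the paper, from IBM Cloud Key Protect or from Hyper Protect Crypto Services; it uses only the standard library, so the AES-GCM a real deployment would use is replaced by a labelled stand-in (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag), and the `RootKeyService` class is a stand-in for the key-management side. It also shows what the paper's "exclusive control of the keys" buys: revoking the root key crypto-shreds every record wrapped under it.

```python
import hashlib
import hmac
import os
import secrets


def _stream(key, nonce, length):
    """Keystream from HMAC-SHA256 in counter mode. Stand-in for AES so the
    example needs only the standard library; use AES-GCM in real code."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def aead_encrypt(key, plaintext, aad=b""):
    """Encrypt-then-MAC with separately derived keys; output is nonce||ct||tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _stream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key, blob, aad=b""):
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")   # tampered, or wrong key/aad
    return bytes(c ^ k for c, k in zip(ct, _stream(enc_key, nonce, len(ct))))


class RootKeyService:
    """Stand-in for the key-management side (constructed for this example).
    Root keys never leave this object; callers only get wrap/unwrap. That is
    the BYOK/KYOK split: the tenant controls the root key's lifecycle, the
    data service only ever holds wrapped data keys."""

    def __init__(self):
        self._roots = {}

    def create_root_key(self):
        key_id = "root-" + secrets.token_hex(4)
        self._roots[key_id] = os.urandom(32)
        return key_id

    def wrap(self, key_id, dek):
        return aead_encrypt(self._roots[key_id], dek, aad=key_id.encode())

    def unwrap(self, key_id, wrapped):
        if key_id not in self._roots:
            raise PermissionError("root key %s is revoked or unknown" % key_id)
        return aead_decrypt(self._roots[key_id], wrapped, aad=key_id.encode())

    def revoke(self, key_id):
        """Deleting the root key crypto-shreds every record wrapped under it."""
        self._roots.pop(key_id, None)


def encrypt_record(kms, key_id, plaintext):
    dek = os.urandom(32)                       # fresh data key per record
    return {
        "key_id": key_id,
        "wrapped_dek": kms.wrap(key_id, dek),  # only the wrapped DEK is stored
        "ciphertext": aead_encrypt(dek, plaintext, aad=key_id.encode()),
    }


def decrypt_record(kms, record):
    dek = kms.unwrap(record["key_id"], record["wrapped_dek"])
    return aead_decrypt(dek, record["ciphertext"], aad=record["key_id"].encode())
```

Binding the key identifier into the authenticated data means a wrapped DEK or ciphertext cannot be silently re-pointed at a different root key, and because the record carries no plaintext key material, losing the storage layer alone does not expose the data.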
As the reliance on data grows in the era of hybrid cloud, the need for data privacy becomes even more
critical for everyone, and for businesses, it’s imperative. Confidential Computing protects data in use by
performing computation in a hardware-based Trusted Execution Environment. That secure and isolated
environment prevents unauthorized access or modification of applications and data while in use, thereby
increasing the security assurances for organizations that manage sensitive and regulated data.
IBM has been investing in Confidential Computing technologies for over a decade and is on its fourth
generation of the technology, delivering on end-to-end Confidential Computing for its clients’ cloud
computing for more than two years. From IBM’s point of view, data protection is only as strong as the
weakest link in end-to-end defense, which means that data protection must be holistic. Companies of all
sizes require a dynamic and evolving approach to security that is focused on the long-term protection of
data. Solutions that might rely on operational assurance alone don’t meet IBM’s standards.
IBM first announced generally available confidential cloud computing capabilities in 2018 with the release
of IBM Cloud Hyper Protect Services and IBM Cloud Data Shield. The family of IBM Hyper Protect Cloud
Services is built with secured enclave technology that integrates hardware and software and leverages
the industry’s first and only FIPS 140-2 Level 4 certified cloud hardware security module (HSM) to provide
end-to-end protection for clients’ entire business processes. IBM Cloud Data Shield provides technology
that helps developers to seamlessly protect containerized cloud native applications without needing any
code change.
Data classification and data activity monitoring are two effective methods to help secure critical
information. Before a client can adequately protect sensitive data, the client must identify and classify it.
Automating the discovery and classification process is a critical component of a data protection strategy
to prevent a breach of sensitive data. IBM Security Guardium provides integrated data classification
capabilities and a seamless approach to finding, classifying, and protecting the most critical data, whether
in the cloud or in the data center. Activity monitoring provides visibility into who is accessing sensitive
information and what information is being accessed, creating alerts when certain conditions are met, and
even blocking or quarantining connections where warranted.
As enterprises move regulated workloads to public cloud, it is essential to prove that security and
compliance concerns are handled better, faster, and more easily than their status quo. IBM recognizes the
magnitude of these issues for all types of clients who are moving workloads to public cloud. The sheer
complexity they have to endure to achieve a security or compliance standard is exhausting.
At the heart of the solution to achieve continuous security and compliance is the IBM Cloud Security and
Compliance Center. The Center is a new security and compliance management platform on IBM Cloud
where customers can define controls, assess posture, monitor security and compliance, remediate issues, and
collect audit evidence. For example, an enterprise might define a collection of controls, such as a sensitive
workload profile, to address the security and compliance requirements for a cloud-native application that
handles sensitive data. These controls can cut across data security, network protection, identity and access
management, application security, and audit logging. From the enterprise policy framework, the controls are
then standardized based on the NIST 800-53 control set. By adopting DevSecOps methodology, clients can
also shift left to enforce appropriate guardrails as part of their CI/CD pipelines, where security gates can be
defined. In addition to posture management, the Center brings together capabilities to define configuration
rules to enable governance and integrates with the capabilities of IBM Cloud Security Advisor that provide
insights about vulnerabilities and threats.
© Copyright IBM Corporation 2019, 2020
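The paragraph above describes a profile of controls, standardized against NIST 800-53, that is assessed against the deployed configuration and enforced as a gate in the CI/CD pipeline. The Python below is an added example of that mechanism, not code from the paper or from the IBM Cloud Security and Compliance Center: a small "sensitive workload profile" of checks, each tagged with the NIST SP 800-53 control it supports, run over constructed resource records, with a gate function a pipeline can call. The resource field names (`encryption`, `public_access`, `activity_tracking`, `scope`) and the sample resources are this example's own, not any real API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    control: str    # NIST SP 800-53 control identifier
    resource: str
    detail: str


DATA_TYPES = ("bucket", "database")


def check_at_rest_encryption(res):
    """SC-28 (protection of information at rest): data services must use a
    customer-managed (BYOK/KYOK) root key, not provider-managed encryption."""
    if res["type"] in DATA_TYPES and res.get("encryption") != "customer-managed":
        return Finding("SC-28", res["name"], "not encrypted with a customer-managed root key")


def check_no_public_access(res):
    """AC-3 (access enforcement): no data service may be publicly reachable."""
    if res["type"] in DATA_TYPES and res.get("public_access"):
        return Finding("AC-3", res["name"], "resource is publicly accessible")


def check_audit_enabled(res):
    """AU-12 (audit record generation): activity tracking must be on."""
    if res["type"] in DATA_TYPES and not res.get("activity_tracking"):
        return Finding("AU-12", res["name"], "activity tracking is disabled")


def check_least_privilege(res):
    """AC-6 (least privilege): no Administrator grant scoped to everything."""
    if res["type"] == "iam_policy" and res.get("role") == "Administrator" and res.get("scope") == "*":
        return Finding("AC-6", res["name"], "Administrator role granted on all resources")


SENSITIVE_WORKLOAD_PROFILE = [
    check_at_rest_encryption,
    check_no_public_access,
    check_audit_enabled,
    check_least_privilege,
]


def assess(resources, profile=SENSITIVE_WORKLOAD_PROFILE):
    """Run every check in the profile over every resource; return findings."""
    findings = []
    for res in resources:
        for check in profile:
            finding = check(res)
            if finding is not None:
                findings.append(finding)
    return findings


def pipeline_gate(findings, blocking=("SC-28", "AC-3", "AC-6")):
    """Security gate for CI/CD: returns (passed, blocking_findings). Controls
    outside `blocking` are reported as posture drift but do not fail the build."""
    blockers = [f for f in findings if f.control in blocking]
    return (len(blockers) == 0, blockers)


# Constructed sample resources for this example.
SAMPLE_RESOURCES = [
    {"type": "bucket", "name": "customer-records", "encryption": "customer-managed",
     "public_access": False, "activity_tracking": True},
    {"type": "bucket", "name": "marketing-assets", "encryption": "provider-managed",
     "public_access": True, "activity_tracking": False},
    {"type": "database", "name": "ledger-db", "encryption": "customer-managed",
     "public_access": False, "activity_tracking": False},
    {"type": "iam_policy", "name": "ci-runner-policy", "role": "Administrator", "scope": "*"},
]

if __name__ == "__main__":
    results = assess(SAMPLE_RESOURCES)
    for f in results:
        print("%-6s %-18s %s" % (f.control, f.resource, f.detail))
    passed, blockers = pipeline_gate(results)
    print("gate:", "PASS" if passed else "FAIL (%d blocking)" % len(blockers))
```

Keeping each check tagged with its control identifier is what lets the same run produce both a build verdict for developers and audit evidence mapped to the framework for the compliance team.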
With capabilities from IBM Cloud Security and Compliance Center and by aligning with IBM Cloud
Satellite to enable enterprises to take advantage of their distributed cloud environment, clients can assess the
security and compliance posture of their workloads in a hybrid cloud deployment.
Cloud governance, security and risk policies, and industry compliance standards all rely on some level of
monitoring, reporting and audit. Guaranteeing an audit trail means tracking user access activities. IBM
Cloud Activity Tracker provides aggregated activity logs of administrative and developer
actions completed on IBM Cloud resources. These logs are needed by DevSecOps and other security
teams to carry out their duties. Security teams can also instrument applications so that user or transaction logs
can be sent to a logging store or other security system. IBM Cloud Log Analysis with LogDNA can be
used as that log service.
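The paragraph above says activity logs of administrative and developer actions are what DevSecOps teams work from; the value is in reviewing them, not in collecting them. The Python below is an added example, not code from the paper or from IBM Cloud Activity Tracker: it parses a handful of constructed audit events and applies two detection rules, one for successful high-impact administrative changes (key deletion, IAM policy changes, new credentials, network exposure changes) and one for repeated failures by a single initiator. The event shape (`action`, `initiator`, `target`, `outcome`, `severity`) is a simplified CADF-style record modelled on what activity tracking services emit; the action strings, names and timestamps are constructed for this example and are not taken from any real event catalogue.

```python
import json
from collections import Counter

# Actions whose success should always be reviewed, with the reason (constructed
# action names, illustrative only).
HIGH_IMPACT_ACTIONS = {
    "kms.secrets.delete": "encryption key deleted; data wrapped under it is unrecoverable",
    "iam-access-management.policy.update": "IAM policy changed",
    "iam-identity.apikey.create": "new long-lived credential created",
    "is.security-group-rule.create": "network exposure changed",
}

# Constructed sample events for this example (one line is deliberately malformed).
SAMPLE_EVENTS = [
    '{"eventTime":"2020-06-01T08:02:11Z","action":"kms.secrets.delete","initiator":{"name":"svc-deploy@example.com"},"target":{"name":"root-key-7"},"outcome":"success","severity":"critical"}',
    '{"eventTime":"2020-06-01T08:05:40Z","action":"iam-access-management.policy.update","initiator":{"name":"alice@example.com"},"target":{"name":"policy-ci-runner"},"outcome":"success","severity":"warning"}',
    '{"eventTime":"2020-06-01T08:06:02Z","action":"kms.secrets.read","initiator":{"name":"bob@example.com"},"target":{"name":"root-key-7"},"outcome":"failure","severity":"warning"}',
    '{"eventTime":"2020-06-01T08:06:09Z","action":"kms.secrets.read","initiator":{"name":"bob@example.com"},"target":{"name":"root-key-8"},"outcome":"failure","severity":"warning"}',
    '{"eventTime":"2020-06-01T08:06:15Z","action":"kms.secrets.read","initiator":{"name":"bob@example.com"},"target":{"name":"root-key-9"},"outcome":"failure","severity":"warning"}',
    '{"eventTime":"2020-06-01T08:10:00Z","action":"cloud-object-storage.bucket.read","initiator":{"name":"alice@example.com"},"target":{"name":"customer-records"},"outcome":"success","severity":"normal"}',
    'this line is not JSON and must not abort the review',
]


def parse_events(lines):
    """Parse one JSON event per line; skip malformed lines rather than stopping."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect(lines, failure_threshold=3):
    """Return a list of finding dicts from the audit lines."""
    findings = []
    failures = Counter()
    for ev in parse_events(lines):
        action = ev.get("action", "")
        who = ev.get("initiator", {}).get("name", "?")
        what = ev.get("target", {}).get("name", "?")
        outcome = ev.get("outcome")
        if outcome == "failure":
            failures[who] += 1
        if action in HIGH_IMPACT_ACTIONS and outcome == "success":
            findings.append({"rule": "high-impact-change", "initiator": who, "action": action,
                             "target": what, "time": ev.get("eventTime"),
                             "why": HIGH_IMPACT_ACTIONS[action]})
    for who, count in failures.items():
        if count >= failure_threshold:
            findings.append({"rule": "repeated-failures", "initiator": who, "count": count,
                             "why": "%d denied actions by one initiator; check for misuse or "
                                    "a broken automation identity" % count})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

In practice the threshold and the action list are tuned per environment, and the findings are forwarded to the SIEM rather than printed; the point is that the audit trail is only a control when something reads it and raises an alert.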
Vulnerability and patch management processes and solutions need to be established according to the tasks
and accountabilities associated with a shared responsibility model. During your planning phase, assess
risks and identify threats that need to be handled, such as malware, for endpoints, virtual machines and
bare-metal servers. The IBM Cloud marketplace has catalogs of trusted vendors for these kinds of
solutions.
An organization’s cloud threat management approach needs to be defined and integrated in the context of
its overall threat management and security operations. Cloud threat management planning begins
with the risk assessment of your cloud workloads and what kind of monitoring and reporting is necessary.
To get an integrated view of security information and event management, integrate cloud platform logs and
flows into IBM Security QRadar. With this view, security analysts can manage incidents appropriately
through IBM Resilient. Use the security and cyber expertise of IBM Security Managed Security Services
to better manage the security of the enterprise and cloud platform. The IBM Security Managed Security
Services teams can provide a range of capabilities, from “a single pane of glass” for hybrid multi-cloud to
specific solutions for container security.
Compliance
IBM Cloud is designed for organizations that want a cloud environment that’s security-rich, open,
hybrid, multicloud, and manageable. IBM Cloud compliance and trust certifications reaffirm IBM's
commitment to protection of customer data and applications. Designed with secure engineering
practices, the IBM Cloud platform features layered security controls across network and infrastructure.
For more information, see IBM Cloud compliance programs.
To achieve compliance for the workloads and applications that run on IBM Cloud, clients are
responsible for ensuring security controls and managing those for their part of the shared responsibility
model, as described earlier.
Data privacy
IBM is committed to protecting the privacy and confidentiality of personal information about its
employees, clients, Business Partners (including contacts within clients and Business Partners), and other
identifiable individuals. Uniform practices for collecting, using, disclosing, storing, accessing, transferring,
or otherwise processing such information assist IBM in processing personal information fairly and
appropriately, disclosing it or transferring it only under appropriate circumstances.
With nearly 60 data centers across six continents, IBM offers a cloud architecture that enables clients to
know exactly where their data and applications are running in the IBM global data center network. IBM
is fully committed to protecting the privacy of clients’ data. While there is no single approach to privacy,
IBM complies with applicable data privacy laws in all countries and territories in which it operates. IBM
supports global cooperation to strengthen privacy protections.
Data centers
IBM’s data centers are built with multiple deployment options for clients’ unique workload needs.
Clients can choose where to deploy from nearly 60 locations in 19 countries. IBM also offers 13 TBps
of connectivity between data centers and network points of presence and three separate networks: a
public, private, and internal management network in each data center around the globe.
All IBM data centers have industry certifications to better help clients build compliance into a complete
cloud solution. Compliance is a critical decision point for organizations that are adopting a cloud
platform. Moving internal workloads to the cloud can provide key business and technical benefits, such
as elasticity, flexibility, and op-ex model. But moving to the cloud also means that the cloud must
demonstrate a secure and compliant infrastructure that meets all the regulations and standards that the
customer needs to build their application layers. IBM Cloud adheres to many stringent governmental and
industry-specific standards. For more information and a list of all compliance certifications and
regulations that are adhered to by IBM Cloud, see IBM Cloud compliance programs.
For instance, when it comes to cloud vendor management, vendor oversight is essential to ensure that the
cloud, or any service provider, is fulfilling the obligations as set forth in the contracts.
Engage in business only with parties who have the required expertise and are trusted. Insist on
transparency and the disclosure of any subsuppliers, their locations, and their workforce.
For more information, see Security to safeguard and monitor your cloud apps.
Use a risk assessment methodology such as NIST 800-30, ISO 31000, or OCTAVE to create a
prioritized risk register of assets, threats, and vulnerabilities based on assessing the current
environment. Revalidate and reprioritize this risk register at least every six months.
Analyze each of those controls to set a target maturity level according to a risk maturity model such as
NIST or ISO 27001, and assess to determine the current maturity. Prioritize the resulting maturity gaps to
drive cybersecurity operational and investment plans.
It’s important to consider the responsibility for designing, implementing, and monitoring the controls in
the context of the specific cloud services that are being consumed. Enumerate those responsibilities
explicitly in the contract of service. For instance, core controls such as privileged identity management,
vulnerability management, logging and monitoring, network security, and data security must be
integrated in the context of the client’s security practices and processes, including incident response,
secure engineering practices, physical security, background screening of the workforce, and data security
controls to secure cloud workloads.
The set of IBM Cloud security capabilities is outlined in the following image. For more
information, see Security in the IBM Cloud.
Further information
This paper discussed cloud-native security practices from across IBM’s global client base, spanning
cloud security strategy, operations, management, shared responsibilities, and compliance. For more
information, see the links that are included throughout this document.