Five security services every cloud platform should provide

Here are summaries of the five security services and enterprise security management a cloud platform should offer. Download the Guide to Securing Cloud Platforms for the details.

1: Identity and access management (IAM)

Any interaction with a cloud platform should start with establishing who or what is doing the interacting—an administrator, a user, or even a service. Look for providers offering a consistent way to identify and authenticate anyone accessing cloud applications, as part of their package of security services.

Similarly, cloud platform vendors should offer a way for developers to build authentication into their mobile and web apps to control end user access. For example, IBM® Cloud offers the security service App ID to developers.

Organizations that have an existing identity and access management (IAM) system should expect a cloud provider to integrate it into the cloud platform for them—after all, IAM is extremely important to knowing who did what and when.

Finally, as part of IAM, a provider should automatically log all access requests and transactions and make them available for auditing purposes.

2: Networking security and host security

These three technologies are crucial for maintaining the integrity of your network and hosts, and they belong in any cloud platform's set of security services:

  • Security groups and firewalls—Network firewalls are essential for protecting perimeters (virtual private cloud/subnet-level network access) and creating network security groups for instance-level access. Make sure your cloud providers offer these protections.
  • Micro-segmentation—Developing applications cloud-natively as a set of small services provides a security advantage: you can isolate them using network segments. Look for a cloud platform that implements and automates micro-segmentation through network configuration.
  • Trusted compute hosts—Cloud platform providers that offer hardware with load-verify-launch protocols can give you highly secure hosts for running your workloads. Using a trusted platform module (TPM) together with Intel Trusted Execution Technology (Intel TXT) in compute hosts is an example of how a provider might secure its platform at the hardware level.
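The first two items above, perimeter filtering plus instance-level security groups and deny-by-default micro-segmentation between services, can be made concrete with a small policy evaluator. The following Python is an added example written for this page, not IBM Cloud code or the platform's actual security-group implementation; the three services, their subnets, the allowed call graph and the test flows are all constructed for illustration.

```python
"""Deny-by-default network filtering: a subnet-level perimeter ACL evaluated
first, then an instance-level security group on the destination service.
Micro-segmentation is expressed as a call graph: one security group per
service, with inbound rules generated only for declared caller->callee edges."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One allow rule: source CIDR, destination port (None = any), protocol."""
    source: str
    port: Optional[int] = None
    proto: str = "tcp"

    def matches(self, src_ip: str, port: int, proto: str) -> bool:
        return (proto == self.proto
                and (self.port is None or port == self.port)
                and ip_address(src_ip) in ip_network(self.source))


@dataclass
class SecurityGroup:
    """Instance-level group: only explicitly allowed inbound traffic passes."""
    name: str
    inbound: list = field(default_factory=list)

    def allows(self, src_ip: str, port: int, proto: str) -> bool:
        return any(r.matches(src_ip, port, proto) for r in self.inbound)


def flow_allowed(acl, groups, dst_service, src_ip, port, proto="tcp"):
    """A flow must pass the perimeter ACL and the destination's group (both deny by default)."""
    if not any(r.matches(src_ip, port, proto) for r in acl):
        return False
    return groups[dst_service].allows(src_ip, port, proto)


# Constructed topology: three cloud-native services, each in its own subnet
# (the "network segment" the text refers to). Not a real deployment.
SERVICES = {
    "frontend": "10.0.1.0/24",
    "api": "10.0.2.0/24",
    "db": "10.0.3.0/24",
}

# Allowed call graph (caller, callee, port). Anything not listed is denied.
ALLOWED_EDGES = [
    ("frontend", "api", 8080),
    ("api", "db", 5432),
]

# Internet-facing entry points (service, source CIDR, port).
INGRESS = [("frontend", "0.0.0.0/0", 443)]


def segment(services, edges, ingress):
    """Generate one security group per service from the call graph (micro-segmentation)."""
    groups = {name: SecurityGroup(name) for name in services}
    for caller, callee, port in edges:
        groups[callee].inbound.append(Rule(services[caller], port))
    for service, source, port in ingress:
        groups[service].inbound.append(Rule(source, port))
    return groups


# Perimeter (VPC/subnet-level) ACL: HTTPS from anywhere, any port inside the VPC.
# The per-service groups then tighten intra-VPC traffic to the declared edges.
PERIMETER_ACL = [Rule("0.0.0.0/0", 443), Rule("10.0.0.0/16")]
GROUPS = segment(SERVICES, ALLOWED_EDGES, INGRESS)


def evaluate(flows):
    """Evaluate (dst_service, src_ip, port) tuples against the policy."""
    return {f: flow_allowed(PERIMETER_ACL, GROUPS, *f) for f in flows}


if __name__ == "__main__":
    sample = [("frontend", "203.0.113.5", 443), ("api", "10.0.1.7", 8080),
              ("db", "10.0.1.7", 5432), ("api", "203.0.113.5", 8080)]
    for flow, ok in evaluate(sample).items():
        print(f"{flow}: {'ALLOW' if ok else 'DENY'}")
```

The point of `segment()` is that the database accepts connections only from the api subnet, so a compromised frontend instance cannot reach it directly even though both sit inside the same VPC; the perimeter ACL alone would not give you that.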
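The third item, a load-verify-launch host, rests on measured boot: every component in the boot chain is hashed and folded into a TPM platform configuration register (PCR) before control passes to it, and a verifier compares the final register value with a known-good value before trusting the host. The Python below is an added simulation of that extend-and-compare logic, not TPM or Intel TXT code and not anything from IBM Cloud; the component names, the blobs standing in for firmware and kernel images, and the "golden" values are all constructed.

```python
"""Simulated measured launch: SHA-256 PCR extend over a boot chain, an event
log a verifier can replay, and a gate that admits a workload only when the
measured value matches the known-good (golden) value."""
import hashlib
import hmac


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA-256(PCR_old || measurement). Order matters."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(components):
    """Measure each (name, blob) in boot order; return the final PCR and the event log."""
    pcr = bytes(32)          # PCRs start zeroed at power-on
    log = []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, log


def replay_log(log):
    """Recompute the PCR from an event log, as a remote verifier would."""
    pcr = bytes(32)
    for _name, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


# Constructed boot chain; the byte strings stand in for real firmware/kernel images.
GOOD_CHAIN = [
    ("firmware", b"fw-1.2"),
    ("bootloader", b"grub-2.06"),
    ("kernel", b"linux-5.15"),
    ("hypervisor", b"kvm-ok"),
]
GOLDEN_PCR, GOLDEN_LOG = measure_boot(GOOD_CHAIN)

# Same chain with one component altered (constructed for the demonstration).
TAMPERED_CHAIN = [
    ("firmware", b"fw-1.2"),
    ("bootloader", b"grub-2.06"),
    ("kernel", b"linux-5.15-modified"),
    ("hypervisor", b"kvm-ok"),
]


def admit_workload(components, golden_pcr=GOLDEN_PCR, golden_log=GOLDEN_LOG):
    """Return (admitted, first_divergent_component)."""
    pcr, log = measure_boot(components)
    if hmac.compare_digest(pcr, golden_pcr):
        return True, None
    # Walk the log against the golden log so the operator sees which stage changed.
    for (name, digest), (_gname, gdigest) in zip(log, golden_log):
        if digest != gdigest:
            return False, name
    return False, "chain length"


if __name__ == "__main__":
    print("good host:", admit_workload(GOOD_CHAIN))
    print("tampered host:", admit_workload(TAMPERED_CHAIN))
```

Because extend is a hash chain, reordering components or inserting one produces a different final value even when every individual digest is valid; that is what lets a single register value vouch for the whole launch sequence.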

3: Data security: encryption and key management

It’s a bootstrap dilemma of cloud platforms that encryption, to be useful, depends on keeping encryption keys from being accessed without authorization. How do you prevent administrators on a platform you don’t control from accessing your keys? Bring your own keys.

A bring-your-own-keys (BYOK) model protects cloud workloads that require encryption. In this approach, your key management system generates a key on premises and passes it to the provider’s key management service. The root keys never leave the boundaries of the key management system, and you’re able to audit all key management activities. Any platform provider serious about protecting client data should offer BYOK key management for encryption of data at rest, data in motion and container images.
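The BYOK flow described above is envelope encryption: the customer's key manager holds the root key, hands out per-object data keys wrapped under that root, and the provider stores only ciphertext plus the wrapped key, so decryption always requires a call back into the customer's key manager, which is also where the audit record accumulates. The Python below is an added illustration of that control flow, not IBM Key Protect or any provider's key service; the `CustomerKMS` and `ProviderStorage` classes are hypothetical, and the HMAC-SHA256-based cipher is a stdlib-only stand-in (a real system would use AES-GCM and AES key wrap).

```python
"""Envelope encryption with a customer-held root key (BYOK pattern).
Root key: generated and kept inside CustomerKMS, never returned.
Data key (DEK): generated per object, wrapped under the root key, stored with the
ciphertext on the provider side. Every key operation is recorded for audit."""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for AES-CTR)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed (wrong key or tampered data)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class CustomerKMS:
    """Hypothetical on-premises key manager. The root key never leaves this object."""

    def __init__(self):
        self._root = secrets.token_bytes(32)
        self.audit = []                     # (operation, caller) records

    def generate_data_key(self, caller: str):
        """Return (plaintext DEK, DEK wrapped under the root key)."""
        dek = secrets.token_bytes(32)
        self.audit.append(("generate_data_key", caller))
        return dek, _seal(self._root, dek)

    def unwrap(self, wrapped: bytes, caller: str) -> bytes:
        self.audit.append(("unwrap", caller))
        return _open(self._root, wrapped)


class ProviderStorage:
    """Hypothetical cloud-side store: holds ciphertext and wrapped DEKs only."""

    def __init__(self, kms: CustomerKMS):
        self.kms = kms
        self.objects = {}

    def put(self, name: str, data: bytes) -> None:
        dek, wrapped = self.kms.generate_data_key(caller="provider-storage")
        self.objects[name] = (wrapped, _seal(dek, data))
        del dek                             # plaintext DEK is not retained

    def get(self, name: str) -> bytes:
        wrapped, ct = self.objects[name]
        dek = self.kms.unwrap(wrapped, caller="provider-storage")
        return _open(dek, ct)

    def raw(self, name: str):
        """What a provider administrator could read from disk."""
        return self.objects[name]


def unwrap_fails_without_root(wrapped: bytes) -> bool:
    """A party without the customer's root key cannot recover the DEK."""
    try:
        CustomerKMS().unwrap(wrapped, caller="unauthorized-caller")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    kms, store = CustomerKMS(), ProviderStorage(kms)
    store.put("report", b"quarterly numbers")
    print(store.get("report"), kms.audit)
```

Two properties to check in any BYOK offering map directly onto this sketch: the provider's stored record (`raw()`) must contain neither the plaintext nor an unwrapped key, and every unwrap must appear in the customer-side audit log, since that log is what tells you who touched your keys and when.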

4: Application security and DevSecOps

As your DevOps team members build cloud-native apps and work with container technologies, they need a way to integrate security checks without stalling business outcomes. Therefore, they should use an automated scanning system to search for potential vulnerabilities in your container images before you start running them using

Because simply scanning registry images can miss problems like drift from static image to deployed containers, look for a cloud vendor that also scans running containers for anomalies. For example, IBM Cloud Container Service offers a Vulnerability Advisor to provide both static and live container security through image scanning.
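The two checks described above, a static scan of the image's package set against a vulnerability feed and a live comparison of what is actually running against that image, are small enough to show end to end. The Python below is an added example and is not the IBM Cloud Vulnerability Advisor or its data; the package lists, the feed with placeholder advisory identifiers and the "first fixed version" comparison are all constructed.

```python
"""Static image scan plus runtime drift detection.
Static: compare the image's packages with a feed of (advisory, first fixed version).
Live: diff the running container's packages against the scanned image and
re-scan, so a runtime downgrade or an added package is not missed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    version: str


def _ver(v: str):
    """Dotted numeric version to a comparable tuple (constructed data uses this form)."""
    return tuple(int(x) for x in v.split("."))


# Constructed vulnerability feed: package -> [(advisory id placeholder, first fixed version)]
VULN_FEED = {
    "openssl": [("ADVISORY-PLACEHOLDER-1", "3.0.2")],
    "curl": [("ADVISORY-PLACEHOLDER-2", "7.80.0")],
}


def scan(packages):
    """Return (name, version, advisory) for every package below its fixed version."""
    findings = []
    for p in packages:
        for advisory, fixed_in in VULN_FEED.get(p.name, []):
            if _ver(p.version) < _ver(fixed_in):
                findings.append((p.name, p.version, advisory))
    return findings


def detect_drift(image_packages, running_packages):
    """Return (added, removed, changed) package names relative to the scanned image."""
    img = {p.name: p.version for p in image_packages}
    run = {p.name: p.version for p in running_packages}
    added = sorted(set(run) - set(img))
    removed = sorted(set(img) - set(run))
    changed = sorted(n for n in set(img) & set(run) if img[n] != run[n])
    return added, removed, changed


def assess(image_packages, running_packages):
    """Combine the static scan with a live scan of the running container."""
    static = scan(image_packages)
    added, removed, changed = detect_drift(image_packages, running_packages)
    live = scan(running_packages)
    return {
        "static_findings": static,
        "drift": {"added": added, "removed": removed, "changed": changed},
        # findings present at runtime that the image scan could not have reported
        "live_only_findings": [f for f in live if f not in static],
    }


# Constructed inputs: the image was built clean, but the running container has a
# downgraded openssl and an extra package, which only a live scan reveals.
IMAGE = [Package("openssl", "3.0.2"), Package("curl", "7.80.0"), Package("bash", "5.1.16")]
RUNNING = [Package("openssl", "3.0.1"), Package("curl", "7.80.0"),
           Package("bash", "5.1.16"), Package("netcat", "1.10")]

if __name__ == "__main__":
    import json
    print(json.dumps(assess(IMAGE, RUNNING), indent=2))
```

In the constructed case the registry scan reports nothing, which is exactly the blind spot the text describes: the finding exists only in the running container.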

5: Visibility and intelligence

Expect full visibility into your cloud-based workloads, APIs, microservices—everything. Ask cloud providers if they have a built-in cloud activity tracker that can create a trail of all access, including web and mobile, to the platform, services, and applications. Your organization should be able to consume logs and integrate them into your enterprise security information and event management (SIEM) system.

Some cloud service providers also offer security monitoring with incident management, reporting and real-time analysis of security alerts. IBM QRadar® is a comprehensive SIEM offering that provides a set of AI-empowered security intelligence solutions that can grow with your organization’s needs.
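Sections 1 and 5 both come down to the same pipeline: the platform records every access request and transaction, the record answers who did what and when, and the events are consumed by detection logic or forwarded to a SIEM. The Python below is an added example of that consumer side, not IBM Cloud Activity Tracker or QRadar code; the event lines, their simplified field names, the list of privileged actions and the two detection rules are all constructed for the illustration.

```python
"""Consume activity-tracker-style access events, build an audit trail, run two
simple detections, and emit alerts as JSON lines for SIEM ingestion."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in a simplified schema (not a real provider's format):
# initiator = who, action = did what, target = to which resource, time = when.
RAW_EVENTS = """
{"time":"2024-05-01T08:00:00Z","initiator":"alice","action":"iam.login","target":"console","outcome":"success"}
{"time":"2024-05-01T08:01:10Z","initiator":"svc-build","action":"registry.image.push","target":"registry/app:1.4","outcome":"success"}
{"time":"2024-05-01T08:02:00Z","initiator":"bob","action":"iam.login","target":"console","outcome":"failure"}
{"time":"2024-05-01T08:02:30Z","initiator":"bob","action":"iam.login","target":"console","outcome":"failure"}
{"time":"2024-05-01T08:03:05Z","initiator":"bob","action":"iam.login","target":"console","outcome":"failure"}
{"time":"2024-05-01T08:05:00Z","initiator":"alice","action":"kms.key.delete","target":"kms/root-key-1","outcome":"success"}
{"time":"2024-05-01T09:00:00Z","initiator":"carol","action":"iam.login","target":"console","outcome":"failure"}
"""

# Constructed list of actions that always merit an alert when they succeed.
PRIVILEGED_ACTIONS = {"kms.key.delete", "iam.policy.update"}


def parse_events(text: str):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def audit_trail(events):
    """Who did what, to which resource, when (chronological)."""
    return [(e["initiator"], e["action"], e["target"], e["time"])
            for e in sorted(events, key=lambda e: e["time"])]


def failed_auth_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when one initiator accumulates `threshold` failed logins inside `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "iam.login" and e["outcome"] == "failure":
            by_user[e["initiator"]].append(_ts(e["time"]))
    alerts = []
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                alerts.append({"rule": "failed-auth-burst", "initiator": user,
                               "count": j - i + 1, "first": times[i].isoformat()})
                break
    return alerts


def privileged_actions(events):
    """Alert on every successful action in PRIVILEGED_ACTIONS."""
    return [{"rule": "privileged-action", "initiator": e["initiator"], "action": e["action"],
             "target": e["target"], "time": e["time"]}
            for e in events if e["action"] in PRIVILEGED_ACTIONS and e["outcome"] == "success"]


def to_siem(alerts) -> str:
    """Serialize alerts as JSON lines, one per line, for SIEM ingestion."""
    return "\n".join(json.dumps(a, sort_keys=True) for a in alerts)


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    for row in audit_trail(evs):
        print(row)
    print(to_siem(failed_auth_bursts(evs) + privileged_actions(evs)))
```

The audit trail is only as good as the log's coverage: the second rule can fire only because the key-deletion event was recorded with its initiator and target, which is why the text asks that the provider log all transactions automatically rather than leaving it to the tenant.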

Business success on cloud platforms requires trust in security services

As organizations address the specialized security needs of cloud platforms, they need and expect their providers to become trusted technology partners. Use the security guide to find a well-defended platform environment supporting fast application development without sacrificing security.
