The State of IBM Cloud Security: Think 2019

While many enterprises are adopting cloud services to achieve enhancements in scalability and efficiency, the CISO organizations in those enterprises are still looking for an effective strategy and tools for protection of data on the cloud. According to the IBM Institute for Business Value, 57 percent of all multicloud managers surveyed worry about security and compliance.[1]

The cloud development and operations model is also bringing about culture and organizational changes in enterprises, which means that application teams are taking on more security responsibility and accountability. Enabling developers to embed security into the DevOps process—thus positioning for an effective Dev-Sec-Ops—is important in achieving continuous security.

Traditional security products do not seem to address the challenges of dynamic, virtual, and distributed cloud environments. IBM’s view is that enterprises today require an end-to-end approach to security that helps them achieve three core objectives in managing their risk and compliance through structured security practices:

  • Manage user access and network protection across multicloud deployments
  • Fortify data protection with increased customer control and encryption of data at rest and in use
  • Gain actionable security insights using built-in capabilities and open integration

Manage user access and network protection across multicloud deployments

Surveys from the IBM Institute for Business Value show that larger organizations are adopting a multicloud strategy.[2] That means IBM’s clients need seamless management of security policies across their various clouds. In order to facilitate secured integration in a multicloud environment, we’ve built two key capabilities:

  • IBM Cloud App ID: App ID is designed to enable organizations to deliver a single, seamless experience for identity and access management for cloud applications, regardless of the combination of public cloud, dedicated, or private cloud. This offering can empower developers to easily integrate identity into their apps. Recently delivered capabilities for App ID include multi-factor authentication, a prescriptive approach to access control, and policy management across multiple clouds.
  • IBM Cloud Internet Services: This offering, which went live in 2018, is designed to provide a uniform platform to configure and manage the Domain Name System (DNS), Global Load Balancing (GLB), Web Application Firewall (WAF), and protection against Distributed Denial of Service (DDoS). With IBM Cloud Internet Services Enterprise Edition, organizations can get edge protection for multiple domains running in different cloud environments.

Fortify data protection with increased customer control and encryption of data at rest and in use

IBM Cloud security offerings and capabilities are designed to enable customers to gain more control of their data by using extended encryption and key-management capabilities.

  • IBM Cloud Hyper Protect Crypto Services: IBM Cloud Hyper Protect Crypto Services will be available in March and is designed to provide encryption key management with a dedicated cloud hardware security module (HSM) built on the only FIPS 140-2 level 4-based technology offered by a public cloud provider. Through this, enterprises can fully manage their encryption keys on the cloud and have exclusive control of the HSMs that protect those keys, thus enabling a “Keep Your Own Key” (KYOK) functionality to help achieve more authority over their data.
  • IBM Cloud Data Shield: Built on Intel SGX and Fortanix® Runtime Encryption®, this offering is designed to enable application developers to enhance their applications (with no code change) to help protect sensitive data within protected areas of execution, known as enclaves. Data processed in an enclave is only visible to the application and not visible to the OS, Hypervisor, or any entities not authorized by the application. New (beta) capabilities in Data Shield include the following:
    • Runtime protection for Python applications, with no code changes required
    • A new Enclave Manager user interface that provides a role-based management console, a converter to get shielded images, and attestation reports
    • An integrated experience with the IBM Cloud platform
  • IBM Cloud Key Protect: IBM Cloud Key Protect, the key management service that is designed to enable Bring Your Own Key (BYOK), has delivered several capabilities, such as key rotation, secured upload of Customer Root Keys, and Private Network Access. IBM Cloud offers an expanded set of services supporting data-at-rest encryption with BYOK. With this new release, Key Protect now integrates with IBM Cloud for VMware Solutions, Databases, IBM Cloud Kubernetes Service, and Virtual Servers.
  • IBM Cloud Hyper Protect DBaaS (beta): IBM Cloud Hyper Protect DBaaS, which is available in beta, is designed to protect against threats of data breach and data manipulation, leveraging the strengths of IBM LinuxONE pervasive encryption and IBM Secure Service Container technology. It enables clients to use a fully encrypted database without the need for specialized skills.

Gain actionable security insights using built-in capabilities and open integration

You can’t manage what you can’t see. We hear from our enterprise clients that having appropriate security visibility is important in order to build confidence to move workloads to the cloud.

IBM Cloud Security Advisor provides a simple, unified dashboard with built-in monitoring capabilities and integration with third-party security providers. We continue to build and enhance our Security Advisor offering, and we’re excited to share the availability of its new functionalities:

  • Network Insights (Beta) provides actionable insights about potential threats and suspicious behavior by monitoring network traffic to and from Kubernetes clusters. It uses integrated threat intelligence and anomaly detection to identify reconnaissance attacks or potentially compromised assets.
  • Integration with container security providers Twistlock® and NeuVector.

End-to-end security: An example use case

To better understand how the pieces of the security portfolio work together to address the security needs of your company, we can explain how a hypothetical company would take advantage of all of them. This company helps organizations raise funds to serve people in need or in times of disaster. They deal with sensitive data about donors and their credit cards, and they also maintain donation records to help with necessary tax documents.

All access to the company’s systems should be protected, so they’d use Cloud Internet Services to protect against network attacks and App ID to authenticate their users. Credit card and other sensitive information would be protected in memory using Data Shield and would be encrypted and stored in a database. The keys to that encryption would then be securely stored in Hyper Protect Crypto Services. To manage and monitor the security posture of the application, their team would leverage Security Advisor to view their access logs and address potential vulnerabilities.

In conclusion

Founded on the principle that the cloud offers a unique opportunity to “do security right,” IBM Cloud is continuing to address these enterprise needs by delivering new security product offerings and capabilities to help enable enterprises to adopt cloud with confidence. We will continue investing in improvements like the ones we’ve announced above so our enterprise customers can have peace of mind as they bring more and more of their sensitive workloads to the cloud.

[1] [2] IBM Institute for Business Value: Assembling Your Cloud Orchestra (October 2018)

Distinguished Engineer, CTO & Director, Cloud Security
