Security compliance protocols on the IBM hybrid cloud platform
Security compliance management

The IBM internal hybrid cloud platform was created to host the thousands of internal applications that run IBM's businesses. The IBM Cloud® catalog contains hundreds of ready-to-use services, so application teams consume fully managed cloud services instead of hosting their own. IBM Cloud databases, for example, provide backup, restore and version upgrades on demand or on an automated schedule.

But using cloud services did not simplify the tracking of corporate compliance requirements. Do the cloud service instances created by the application teams meet security compliance requirements? Are the services configured to corporate security guidelines? Are the consumed software versions at the required security patch levels? These are the same problems that are managed in the IBM on-premises data centers.

52% improvement in security compliance.

"Cloud resources must meet corporate and division cyber security standards. Compliance results must be communicated to the compliance organizations." Pimmi Malhotra, Leader, CIO Hyperscaler Cloud Center of Excellence, IBM
Automated controls extended to meet IBM requirements

The IBM hybrid cloud provides a platform for diverse application development teams, and the platform and application teams share the operational load. Application compliance was initially defined using a written checklist, meetings and emails, so the feedback and help available to application teams were extremely limited.

The IBM Cloud Security and Compliance Center (SCC) provided automated controls collected into profiles. The CIO Hybrid Cloud Platform team selected a profile that closely matched its requirements, turned on scans, and opened its real-time compliance controls dashboard. The controls are designed such that the team could visualize its security compliance posture as soon as the first scan completed.

Over time, the CIO Hybrid Cloud Platform team created a custom profile that matched its unique business requirements. The compliance results are recorded in "scans" and made available to application teams. All CIO Hybrid Cloud Platform team accounts were configured with the appropriate SCC configuration and automated scans.

It is informative to compare compliance processes before and after SCC:

  • Before: Documentation and handwritten requirements
    After: Detailed controls that accurately encode requirements
  • Before: Manual inspection of account environment and resources
    After: Automated scans reporting results that support audit readiness
  • Before: Feedback meetings, email and handwritten documents
    After: Machine-generated, unambiguous scan results with clear explanations of problems and often with remediation steps

"Centrally defining security compliance controls with global visibility of scan results was crucial." Pimmi Malhotra, Leader, CIO Hyperscaler Cloud Center of Excellence, IBM
Security compliance improved

The SCC provides a dashboard where security compliance results are reported. The controls displayed are clear and concise, helping application teams identify failing controls and make the necessary changes to their application resources to resolve the issues. Recurring scans automatically produce updated reports, which lets application teams observe the impact of their changes and eliminated the need for central enforcement email notifications and status meetings. In July 2024, a review of the established SCC controls for the CIO Hybrid Cloud Platform team showed an SCC dashboard reading of 91% passing – a 52% improvement in corporate application compliance over the previous 60% SCC dashboard reading in June 2023.[1]

The CIO Hybrid Cloud Platform team reviews the list of controls regularly against industry and corporate compliance standards, because compliance requirements are constantly changing. Defining policy as code with automated auditing positions the team to address changing security compliance standards.

[1] The security compliance performance data for the CIO Hybrid Cloud Platform team was obtained from the IBM Security and Compliance Center dashboard on June 19, 2023 and July 26, 2024.

"SCC provides a system that has helped us meet our current cloud compliance requirements and is adaptable to help cover new threats as they arise." Pimmi Malhotra, Leader, CIO Hyperscaler Cloud Center of Excellence, IBM
About the IBM CIO organization

The Chief Information Officer (CIO) organization leads IBM’s internal IT strategy and is responsible for delivering, securing, modernizing and supporting the IT solutions that IBM employees, clients and partners use to do their jobs every day. The CIO organization’s strategy encompasses creating an adaptive IT platform that makes IT easier to access across the enterprise, accelerates problem-solving and serves as an innovation engine for IBM, catalyzing business growth.

Legal

© Copyright IBM Corporation 2024. IBM, the IBM logo, and IBM Cloud are trademarks or registered trademarks of IBM Corp., in the U.S. and/or other countries. This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

Client examples are presented as illustrations of how those clients have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.