The IBM internal hybrid cloud platform was created to host thousands of internal applications that run the businesses of IBM. The IBM Cloud® catalog contains hundreds of ready-to-use services, and application teams consume these fully managed cloud services instead of hosting their own. IBM Cloud databases, for example, provide backup, restore and version upgrades on demand or on an automated schedule.
But the use of cloud services did not simplify the tracking of corporate compliance requirements. Do the cloud service instances created by the application teams meet security compliance requirements? Are the services configured according to corporate security guidelines? Are the software versions in use at the required security patch levels? These are the same problems that had to be managed in the IBM on-premises data centers.
The IBM hybrid cloud provides a platform for diverse application development teams, and the platform team and the application teams share the operational load. Application compliance was initially defined using a written checklist, meetings and emails, so the feedback and help available to application teams were extremely limited.
The IBM Cloud Security and Compliance Center (SCC) provides automated controls collected into profiles. The CIO Hybrid Cloud Platform team selected a profile that closely matched its requirements, turned on scans, and opened its real-time compliance controls dashboard. Because the controls are evaluated automatically, the team was able to visualize its security compliance posture as soon as the first scan completed.
Over time, the CIO Hybrid Cloud Platform team created a custom profile that matched its unique business requirements. The compliance results are recorded in "scans" and made available to the application teams. All CIO Hybrid Cloud Platform team accounts were configured with the appropriate SCC settings and automated scans.
It is informative to compare the compliance processes before and after SCC.
The SCC provides a dashboard where security compliance results are reported. The controls displayed are clear and concise, helping the application teams identify failing controls and make the necessary changes to their application resources to resolve the issues. Recurring scans automatically produce updated reports, so the application teams can observe the effect of their changes in the next scan. This eliminated the need for central enforcement email notifications and status meetings. In July 2024, a review of the established SCC controls for the CIO Hybrid Cloud Platform team showed an SCC dashboard reading of 91% passing, a 52% relative improvement (31 percentage points) in corporate application compliance over the 60% SCC dashboard reading recorded in June 2023.¹
The list of controls is reviewed regularly by the CIO Hybrid Cloud Platform team against industry and corporate compliance standards, because compliance requirements are constantly changing. Defining policy as code with automated auditing positions the CIO Hybrid Cloud Platform team to adapt to changing security compliance standards by updating the profile rather than the process.
¹ The security compliance performance data for the CIO Hybrid Cloud Platform team was obtained from the IBM Security and Compliance Center dashboard on June 19, 2023 and July 26, 2024.
The Chief Information Officer (CIO) organization leads IBM’s internal IT strategy and is responsible for delivering, securing, modernizing and supporting the IT solutions that IBM employees, clients and partners use to do their jobs every day. The CIO organization’s strategy encompasses creating an adaptive IT platform that makes IT easier to access across the enterprise, accelerates problem-solving and serves as an innovation engine for IBM, catalyzing business growth.
© Copyright IBM Corporation 2024. IBM, the IBM logo, and IBM Cloud are trademarks or registered trademarks of IBM Corp., in the U.S. and/or other countries. This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.
Client examples are presented as illustrations of how those clients have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.