Enterprises are embracing cloud technologies to drive innovation, modernize their IT infrastructure, and ultimately, digitize their business.
When it comes to hosting sensitive and regulated workloads on the public cloud, enterprises (particularly those in highly regulated industries) are being forced to take a hard look at their approach to managing security and compliance—consistently and continuously.
According to a recent Gartner study, the challenge is not whether the cloud is secure, but whether it is being used securely. The study points out that “99 percent of cloud security failures” will be based on how customers use the cloud. When it comes to hosting regulated workloads, meeting regulatory compliance requirements is essential. A Boston Consulting Group (BCG) report—Global Risk 2017: Staying the Course in Banking—indicates that between 2009 and 2017, banks paid an estimated $321B in penalties for not meeting regulations. To manage their risk and compliance effectively, enterprises need to define the set of cloud native security controls that they want their teams to implement. More importantly, they have to ensure that those controls are in place and that their workloads are configured to meet them.
While enterprises are aware of this problem, the challenge is often the effort required to consistently verify and ensure that the right configurations and controls are in place—particularly in an IT environment that is rapidly growing and continuously changing. Manual audits and checks simply do not scale for this, making it imperative that enterprises adopt automation to consistently apply security controls and continuously monitor their security and compliance posture.
From regulatory compliance objectives to continuous monitoring
We have taken an end-to-end view of managing security and compliance—all the way from factoring in regulatory requirements and enterprise risk controls, to achieving those control objectives for workloads on IBM public cloud.
IBM’s approach to managing security and compliance has two parts:
- Central to the delivery of the IBM Cloud for Financial Services, IBM collaborated with Bank of America and Promontory—an IBM business unit and global leader in financial services regulatory compliance consulting—to develop the set of cloud security and compliance control requirements that forms the basis of its policy framework, allowing financial institutions to confidently host key applications and workloads. The IBM Cloud Policy Framework for Financial Services is now available and aims to deliver the industry-informed IBM public cloud controls required to operate securely with bank-sensitive data in the public cloud.
- At the heart of the solution for achieving continuous security and compliance is the IBM Cloud Security and Compliance Center, a new security and compliance management platform on IBM Cloud where customers can define controls, assess posture, monitor security and compliance, remediate issues, and collect audit evidence. For example, an enterprise may define a collection of controls (e.g., a ‘sensitive workload profile’) to address the security and compliance requirements of a cloud native application that handles sensitive data. These controls can cut across data security, network protection, identity and access management, application security, and audit logging. From the enterprise policy framework, the controls are then standardized against the NIST 800-53 control set. Adopting a DevSecOps methodology, clients can also shift left by enforcing appropriate guardrails as security gates in their CI/CD pipelines. In addition to posture management, the Center will bring together capabilities to define configuration rules for governance and will integrate with IBM Cloud Security Advisor, which provides insights about vulnerabilities and threats.
Enabling enterprises to manage security and compliance for their hybrid cloud
By combining capabilities from IBM Cloud Security and Compliance Center with IBM Cloud Satellite, which lets enterprises take advantage of a distributed cloud environment, clients will be able to assess the security and compliance posture of their workloads in a hybrid cloud deployment.
Recently acquired by IBM, the Spanugo solution will form part of the IBM Cloud Security and Compliance Center. The Spanugo solution was designed to deliver automated security assurance for the distributed hybrid cloud—a single dashboard covering the cloud infrastructure and traditional on-premises network, database, and compute servers.
Clients will be able to define multiple collections of resources in their infrastructure and apply either pre-defined or custom control sets (called profiles) to them. The solution continuously gathers the configuration data of those resources and verifies whether each collection meets its target control set. The resulting report can be stored as evidence, used to automatically trigger a service management workflow, or serve as the basis for automated remediation within the platform.
Clients can gain insights into vulnerabilities, the status of expiring SSL certificates, and security threats detected from network or access behavior. Clients can also set up configuration governance rules: preventive controls that define guardrails for how resources may be configured.
An integrated developer experience to achieve security and compliance
As discussed in the IBM Cloud security blog, the cloud development and operations model is driving culture and organizational changes in enterprises, with application teams having to take on more ownership for the security of the overall solution. But this requires the right toolset to help developers. According to the DevSecOps Insights study by Snyk, 48 percent of survey respondents see ensuring security as a major constraint on the ability to deliver software quickly.
Enabling developers to build and deliver secure applications is a key part of IBM Cloud strategy and capabilities. In particular, as enterprises move their regulated workloads to the cloud, embedding security and compliance into the DevOps process—thus positioning for an effective Dev-Sec-(Comp)-Ops—is key to achieving continuous security and compliance. IBM Cloud Security and Compliance Center will enable enterprise security teams and developers to collaborate effectively in achieving that goal.
Security teams can define control sets (profiles) that encapsulate the controls they want enforced based on the sensitivity of the workload, and developers and application teams can easily apply those profiles. IBM also provides toolchain templates as part of its OpenShift platform that cover best practices in CI/CD processes. Along with configuration governance rules, these toolchain templates and control sets act as guardrails that can be continuously monitored for compliance with those controls. The IBM platform can detect any failure or deviation, send alerts, and/or trigger remediation, keeping the workloads in a safe state.
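To make the assessment loop described earlier (collections of resources, a profile of controls, continuous verification with a report kept as evidence) and the guardrail monitoring in this section concrete, here is an added Python illustration. It is not IBM's code and does not call the IBM Cloud API: the inventory is a constructed sample of what a configuration-gathering step might return, the `Control`, `Profile` and `Finding` types and the `assess`, `summarize` and `diff_runs` functions are my own, and the NIST SP 800-53 identifiers used (SC-28, AC-3, SC-8, AU-12) are real control names whose mapping to these particular checks is illustrative rather than IBM's profile definition.

```python
"""Minimal posture-assessment loop: profile of controls -> findings -> evidence/deviation.

Added illustration only; not IBM Cloud Security and Compliance Center code.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class Control:
    """One control: an identifier, what it requires, and a check over a resource's configuration."""
    control_id: str                        # NIST SP 800-53 control name (mapping here is illustrative)
    description: str
    applies_to: str                        # resource kind this control is evaluated against
    check: Callable[[Dict[str, Any]], bool]


@dataclass
class Profile:
    """A control set ("profile") that a security team wants enforced for a class of workload."""
    name: str
    controls: List[Control]


@dataclass
class Finding:
    """Result of evaluating one control against one resource, with the configuration as evidence."""
    control_id: str
    resource: str
    passed: bool
    evidence: Dict[str, Any]


# Constructed sample inventory (hypothetical resources), standing in for gathered configuration data.
SAMPLE_INVENTORY = [
    {"kind": "bucket", "name": "customer-docs", "encryption_at_rest": True,
     "kms_key": "kyok-key-1", "public_access": False},
    {"kind": "bucket", "name": "marketing-assets", "encryption_at_rest": False,
     "kms_key": None, "public_access": True},
    {"kind": "database", "name": "ledger-db", "encryption_at_rest": True,
     "tls_required": True, "audit_logging": True},
    {"kind": "database", "name": "scratch-db", "encryption_at_rest": True,
     "tls_required": False, "audit_logging": False},
]

# Illustrative "sensitive workload profile" cutting across data security, access and audit logging.
SENSITIVE_WORKLOAD_PROFILE = Profile("sensitive workload profile", [
    Control("SC-28", "Object storage encrypted at rest with a customer-controlled key", "bucket",
            lambda r: r["encryption_at_rest"] and r.get("kms_key") is not None),
    Control("SC-28", "Database encrypted at rest", "database",
            lambda r: r["encryption_at_rest"]),
    Control("AC-3", "No public access to object storage", "bucket",
            lambda r: not r["public_access"]),
    Control("SC-8", "Database connections require TLS", "database",
            lambda r: r["tls_required"]),
    Control("AU-12", "Database audit logging enabled", "database",
            lambda r: r["audit_logging"]),
])


def assess(inventory: List[Dict[str, Any]], profile: Profile) -> List[Finding]:
    """Evaluate every resource in a collection against every control that applies to its kind."""
    findings = []
    for resource in inventory:
        for control in profile.controls:
            if control.applies_to != resource["kind"]:
                continue
            passed = bool(control.check(resource))
            evidence = {k: v for k, v in resource.items() if k != "name"}
            findings.append(Finding(control.control_id, resource["name"], passed, evidence))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, Any]:
    """Collection-level verdict plus the failures to alert on or hand to remediation."""
    failures = [f for f in findings if not f.passed]
    return {
        "compliant": not failures,
        "checked": len(findings),
        "failed": [(f.control_id, f.resource) for f in failures],
    }


def diff_runs(previous: List[Finding], current: List[Finding]) -> List[tuple]:
    """Deviation detection between two runs: controls that passed before and fail now."""
    previously_ok = {(f.control_id, f.resource) for f in previous if f.passed}
    return sorted((f.control_id, f.resource) for f in current
                  if not f.passed and (f.control_id, f.resource) in previously_ok)


if __name__ == "__main__":
    baseline = assess(SAMPLE_INVENTORY, SENSITIVE_WORKLOAD_PROFILE)
    print(summarize(baseline))
    # Simulate configuration drift: a compliant bucket is later opened to public access.
    drifted = [dict(r) for r in SAMPLE_INVENTORY]
    drifted[0]["public_access"] = True
    print("newly failing:", diff_runs(baseline, assess(drifted, SENSITIVE_WORKLOAD_PROFILE)))
```

Each `Finding` carries the configuration it was judged on, which is what makes the report usable as audit evidence rather than just a pass/fail count; `diff_runs` is the piece a continuous monitor would run between gathering cycles to raise an alert only on new deviations instead of re-alerting on known gaps.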
Risk-based approach to protecting sensitive data
Data security is top of mind when moving regulated workloads and sensitive data to the cloud, and it is a critical part of achieving continuous security based on a targeted risk and compliance posture. When it comes to encrypting data at rest, IBM is the only cloud provider that offers the industry’s strongest commercially available, state-of-the-art cryptographic technology, IBM Cloud Hyper Protect Crypto Services. The service provides the unique “keep your own key” (KYOK) capability, giving clients the ability to retain control of their own encryption keys and of the hardware security modules (HSMs), certified to FIPS 140-2 Level 4, that protect them.
Pushing the boundary of data security to protecting data in use, IBM first announced its answer to confidential computing in 2018 with the release of IBM Cloud Data Shield and IBM Cloud Hyper Protect Services. These offerings protect data in use by performing computation in a hardware-based Trusted Execution Environment. Neither offering requires application code changes, and IBM was the first cloud provider to offer these capabilities.
These built-in capabilities from IBM Cloud can be further strengthened for enterprise security teams by integrating security findings from the Center into enterprise threat management tools such as IBM Security QRadar and into incident response processes. Security Advisor has been integrated with IBM Cloud Pak for Security so that, based on security findings from IBM Cloud, enterprise teams can investigate threats and respond with IBM Resilient.
With this new capability and integrated experience from IBM Cloud Security and Compliance Center—along with industry-leading data security capabilities—IBM is ensuring that enterprises don’t have to choose between IT agility and security—they can get both. The speed and flexibility that make cloud apps so appealing to the enterprise can now be matched with sophisticated security and compliance controls, which can be easily defined, managed, assessed, and remediated.
Learn more about the IBM Cloud for Financial Services.