About cookies on this site Our websites require some cookies to function properly (required). In addition, other cookies may be used with your consent to analyze site usage, improve the user experience and for advertising. For more information, please review your options. By visiting our website, you agree to our processing of information as described in IBM’sprivacy statement. To provide a smooth navigation, your cookie preferences will be shared across the IBM web domains listed here.
IBM Cloud® compliance: SOC 2
What is SOC 2?
Service Organization Control (SOC) reports are independent, third-party reports issued by assessors certified by the American Institute of Certified Public Accountants (AICPA) addressing the risk associated with an outsourced service. The AICPA has established Trust Services Criteria (TSC) for security, availability, processing integrity, confidentiality and privacy, against which service organizations may be assessed.
A SOC 2 report evaluates the internal controls that an organization has put in place to protect customer-owned data and provides details about the nature of those internal controls.
Contact an IBM representative to request SOC 2 reports.
A SOC 2 report may be provided for IBM services that have implemented controls in accordance with their selected Trust Service Principles. The SOC 2 report demonstrates that IBM designed controls for the selected Trust Service Principles appropriately and that the controls operated effectively for the report period.
The services listed below have a SOC 2 Type 2 report available, representing a period of time during which controls were assessed. As such reports represent an assessment period in the past, a bridge letter may accompany a SOC 2 Type 2 report, in which IBM attests to service control continued performance since the last reporting period ended.
IBM Service Descriptions (SDs) indicate if a given offering maintains SOC 2 Type 2 compliance status. Services below issue SOC 2 Type 2 reports at least once each year.
Services
- IBM Cloud Activity Tracker (via Mezmo)
- IBM Cloud App ID
- IBM Cloud App Configuration
- IBM Cloud Backup
- IBM Cloud Backup for VPC
- IBM Cloud Bare Metal
- IBM Cloud Bare Metal Servers for VPC
- IBM Cloud Block Storage
- IBM Cloud Block Storage for VPC
- IBM Cloud Block Storage Snapshots for Virtual Private Cloud
- IBM Cloud Code Engine
- IBM Cloud Container Registry
- IBM Cloud Continuous Delivery
- IBM Cloud Databases for DataStax
- IBM Cloud Databases for Elasticsearch
- IBM Cloud Databases for EnterpriseDB
- IBM Cloud Databases for etcd
- IBM Cloud Databases for MongoDB
- IBM Cloud Databases for MySQL
- IBM Cloud Databases for PostgreSQL
- IBM Cloud Databases for Redis
- IBM Cloud Direct Link (1.0; Connect, Dedicated, Dedicated Hosting, Exchange)
- IBM Cloud Direct Link Connect (2.0)
- IBM Cloud Direct Link Dedicated (2.0)
- IBM Cloud DNS Services
- IBM Cloud Event Notifications
- IBM Cloud File Storage
- IBM Cloud File Storage for Virtual Private Cloud
- IBM Cloud Flow Logs for VPC
- IBM Cloud Functions
- IBM Cloud for VMware Solutions (Dedicated)
- IBM Cloud for VMware Solutions Shared
- IBM Cloud Hardware Security Module
- IBM Cloud Internet Services Enterprise Next (via Cloudflare)
- IBM Cloud Internet Services Enterprise Package (via Cloudflare)
- IBM Cloud Internet Services Enterprise Usage Package (via Cloudflare)
- IBM Cloud Internet Services Standard (via Cloudflare)
- IBM Cloud Kubernetes Service and Red Hat® OpenShift® on IBM Cloud
- IBM Cloud Load Balancer
- IBM Cloud Messages for RabbitMQ
- IBM Cloud Monitoring (via Sysdig)
- IBM Cloud Object Storage
- IBM Cloud Object Storage (IaaS)
- IBM Cloud Platform – Core Services: IBM Cloud Account Management and Billing, IBM Cloud Catalog, IBM Cloud Global Search & Tagging, IBM Cloud Console, IBM Cloud Identity and Access Management and IBM Cloud Shell
- IBM Cloud Satellite
- IBM Cloud Schematics
- IBM Cloud Secrets Manager
- IBM Cloud Security and Compliance Center
- IBM Cloud Security and Compliance Center Workload Protection
- IBM Cloud Transit Gateway
- IBM Cloud Virtual Private Cloud
- IBM Cloud Virtual Private Cloud - Load Balancer for VPC: Application Load Balancer and Network Load Balancer
- IBM Cloud Virtual Private Cloud - VPN for VPC Site-to-Site Gateway and Client-to-Site Server
- IBM Cloud Virtual Private Endpoint for VPC
- IBM Cloud Virtual Server for VPC
- IBM Cloud Virtual Server for VPC - Auto Scale for VPC
- IBM Cloud Virtual Server for VPC - Dedicated Host for VPC
- IBM Cloud Virtual Servers
- IBM Cloudant Dedicated Cluster
- IBM Cloudant for IBM Cloud
- IBM Event Streams for IBM Cloud (Standard)
- IBM Event Streams for IBM Cloud (Enterprise)
- IBM Key Protect for IBM Cloud
- IBM Log Analysis (via Mezmo)
- IBM Power Virtual Server on IBM Cloud
- IPSec VPN
- SAP-Certified Cloud Infrastructure
Accelerate your compliance using IBM Cloud services
The most recent version of the PCI DSS (v4.0) was released in March 2022. Organizations must implement these 12 requirements by 31 March 2025 to achieve compliance.
IBM Cloud offers following suite of services that will help you meet specific PCI DSS requirements and accelerate your compliance journey.
|
1. Risk Assesment |
|---|
IBM Security and Compliance Center
IBM Security and Compliance Center is an integrated solutions suite to define policy as code, implement controls for secure data and workload deployments, and assess security and compliance posture, across hybrid multicloud environments.
IBM Security and Compliance Center - Workload Protection
In architectures that are focused on container and microservices, you can use IBM Cloud® Security and Compliance Center Workload Protection to find and prioritize software vulnerabilities, detect and respond to threats, and manage configurations, permissions, and compliance from source to run.
IBM Cloud Security Solutions - Threat Management - IBM Security QRadar Suite
IBM Security® QRadar® Suite is a modernized threat detection and response solution designed to unify the security analyst experience and accelerate their speed across the full incident lifecycle. The portfolio is embedded with enterprise-grade AI and automation to dramatically increase analyst productivity, helping resource-strained security teams work more effectively across core technologies.
With a common user interface, shared insights and connected workflows, it offers integrated products for: Endpoint security (EDR, XDR, MDR), Log management , SIEM, SOAR
IBM Security Guardium
IBM Security® Guardium® is a family of data security software in the IBM Security portfolio that uncovers vulnerabilities and protects sensitive on-premises and cloud data.
IBM Cloud Database services
IBM Cloud® Database-as-a-Service (DBaaS) services free developers and IT from complex and time-consuming tasks including deployment of infrastructure and database software, infrastructure operations, database software updates, and backup. IBM Cloud® Database SMEs deliver and maintain ready-to-use, highly available, database instances freeing developer and IT staff time to focus on other priorities.
IBM Cloud Monitoring
Cloud monitoring and troubleshooting for infrastructure, cloud services and applications
|
2. Control Activities |
|---|
IBM Cloud Identity and Access Management (IAM)
IBM Cloud Identity and Access Management (IAM) service securely authenticates users and controls access to all resources consistently in the IBM Cloud Platform.
IBM Cloud Database services
IBM Cloud® Database-as-a-Service (DBaaS) services free developers and IT from complex and time-consuming tasks including deployment of infrastructure and database software, infrastructure operations, database software updates, and backup. IBM Cloud® Database SMEs deliver and maintain ready-to-use, highly available, database instances freeing developer and IT staff time to focus on other priorities.
Continuous Delivery
Embrace enterprise-ready DevOps. Create secure toolchains that support your app delivery tasks. Automate builds, tests, deployments and more.
IBM Cloud Logs
Gain logs observability with IBM Cloud Logs to help improve infrastructure and app performance
|
3. Logical and Physical Access Controls |
|---|
IBM Cloud Internet Services (CIS)
IBM Cloud Internet Services brings market-leading security and performance to your external web content and internet applications before they reach the cloud.
IBM Cloud Direct Link
The IBM Cloud Direct Link solution is designed to seamlessly connect your on-premises resources to your cloud resources. The speed and reliability of IBM Cloud Direct Link helps enable you to extend your organization’s data center network and provides consistent, higher-throughput connectivity—without touching the public internet.
IBM Cloud Gateway Appliances
Gateway appliances are devices that give you enhanced control over network traffic, let you accelerate your network’s performance, and give your network a security boost. Manage your physical and virtual networks for routing multiple VLANs, for firewalls, VPN, traffic shaping and more.
IBM Cloud Transit Gateway
IBM Cloud Transit Gateway helps you connect and manage your IBM Cloud Virtual Private Cloud (VPC) networks.
FortiGate Security Appliance
The FortiGate Security Appliance (FSA) 10 Gbps is a hardware firewall that can be configured to protect traffic on multiple VLANs for both public and private networks.
Hardware Firewall
The Hardware Firewall provides customers with an essential layer of security that is provisioned on demand without service interruptions. It prevents unwanted traffic from hitting your servers, reducing your attack surface, and allowing your server resources to be dedicated for their intended use.
IBM Key Protect for IBM Cloud
The IBM® Key Protect for IBM Cloud® service helps you provision and store encrypted keys for apps across IBM Cloud services, so you can see and manage data encryption and the entire key lifecycle from one central location.
IBM Cloud App ID
IBM Cloud App ID allows you to easily add authentication to web and mobile apps. You no longer have to worry about setting up infrastructure for identity, ensuring geo-availability, and confirming compliance regulations. Instead, you can enhance your apps with advanced security capabilities like multifactor authentication and single sign-on.
Secrets Manager
With IBM Cloud® Secrets Manager, you can create secrets dynamically and lease them to applications while you control access from a single location. Built on open source HashiCorp Vault, Secrets Manager helps you get the data isolation of a dedicated environment with the benefits of a public cloud.
IBM Security and Compliance Center - Data Security Broker - Manager
Protect your data in the cloud with the IBM Cloud Data Security Broker, which is a complete data encryption solution that secures sensitive data in enterprise databases by integrating with key management and databases to provide application-level encryption.
IBM Cloud Hyper Protect Virtual Servers
Hyper Protect Virtual Servers for Virtual Private Cloud (VPC) is a fully managed confidential compute container runtime that enables the deployment of sensitive containerized workloads in a highly isolated environment with technical assurance.
IBM Cloud Hardware Security Module
IBM Cloud Hardware Security Module (HSM) 7.0 from Gemalto protects cryptographic infrastructure by more securely managing, processing and storing cryptographic keys inside a tamper-resistant hardware device. It helps you solve complex security, compliance, data sovereignty and control challenges migrating and running workloads on the cloud.
IBM Cloud Identity and Access Management (IAM)
IBM Cloud Identity and Access Management (IAM) service securely authenticates users and controls access to all resources consistently in the IBM Cloud Platform.
IBM Cloud Storage Services
Our cloud storage services offer a scalable, security-rich and cost-effective home for your data while supporting traditional and cloud-native workloads. Provision and deploy services such as access object, block and file storage. Adjust capacity and optimize performance as requirements change. Pay only for the cloud storage you need.
IBM Cloud Database services
IBM Cloud® Database-as-a-Service (DBaaS) services free developers and IT from complex and time-consuming tasks including deployment of infrastructure and database software, infrastructure operations, database software updates, and backup. IBM Cloud® Database SMEs deliver and maintain ready-to-use, highly available, database instances freeing developer and IT staff time to focus on other priorities.
Mobile Device Management (MDM)
IBM Security MaaS360 is a comprehensive UEM product that helps you manage your organization's mobile devices. It offers:
- Management of iOS, Android and iPadOS
- Mobile security
- Identity as a service (IDaaS)
- Multifactor authentication (MFA)
- Artificial intelligence (AI) and real-time analytics of data quality
- Remote control, app management and integration with 3rd party apps are available
IPSec VPN
VPN facilitates connectivity from your secure network to IBM IaaS platform’s private network. A VPN connection from your location to the private network allows for out-of-band management and server rescue through an encrypted VPN tunnel. Communicating using the private network is inherently more secure and gives users the flexibility to limit public access while still being able to access their servers. Any user on your account can be given VPN access, which is available as both SSL and PPTP. In addition IBM Bluemix also allows to establish a connection using IPSec.
SSL VPN
VPN access enables you to manage all servers and services that are associated with your account, remotely, over the IBM Cloud private network. A VPN connection from your location to the private network allows out-of-band management and server rescue through an encrypted VPN tunnel.
Communicating by using the private network is inherently more secure. It gives you the flexibility to limit public access while still being able to manage your servers. Any user on your account can be given VPN access, which is available as SSL. VPN interactions through the IBM Cloud console allow for VPN access customization at the user level.
|
4. System Operations |
|---|
IBM Cloud Direct Link
The speed and reliability of IBM Cloud Direct Link helps enable you to extend your organization’s data center network —without touching the public internet.
IBM Cloud Transit Gateway
IBM Cloud Transit Gateway helps you connect and manage your IBM Cloud Virtual Private Cloud (VPC) networks.
IBM Key Protect for IBM Cloud
The IBM® Key Protect for IBM Cloud® service helps you provision and store encrypted keys for apps across IBM Cloud services, so you can see and manage data encryption and the entire key lifecycle from one central location.
|
5. Protect all systems and networks from malicious software |
|---|
IBM Cloud Internet Services (CIS)
IBM Cloud Internet Services brings market-leading security and performance to your external web content and internet applications before they reach the cloud.
IBM Cloud Direct Link
The speed and reliability of IBM Cloud Direct Link helps enable you to extend your organization’s data center network —without touching the public internet.
FortiGate Security Appliance
Deploy a pair of FortiGate Virtual Appliances to your environment, which can help you reduce risk by implementing critical security controls within your virtual infrastructure.
IBM QRadar Suite
IBM Security® QRadar® Suite is a modernized threat detection and response solution designed to unify the security analyst experience and accelerate their speed across the full incident lifecycle.
IBM Security Guardium
Data security software in the IBM Security portfolio that uncovers vulnerabilities and protects sensitive on-premises and cloud data.
|
6. Develop and maintain secure systems and software |
|---|
IBM Cloud Internet Services (CIS)
IBM Cloud Internet Services brings market-leading security and performance to your external web content and internet applications before they reach the cloud.
IBM Security and Compliance Center - Workload Protection
Find and prioritize software vulnerabilities, detect and respond to threats, and manage configurations, permissions, and compliance from source to run.
IBM Security Guardium
Data security software in the IBM Security portfolio that uncovers vulnerabilities and protects sensitive on-premises and cloud data.
IBM Cloud Container Registry
Store and distribute container images in a fully managed private registry. Push private images to conveniently run them in the IBM Cloud® Kubernetes Service and other runtime environments.
IBM Cloud Continuous Delivery
Embrace enterprise-ready DevOps. Create secure toolchains that support your app delivery tasks. Automate builds, tests, deployments and more.
IBM Cloud Kubernetes Service
Deploy secure, highly available clusters in a native Kubernetes experience.
|
7. Restrict access to systems components and cardholder data by business need to know |
|---|
IBM Cloud App ID
Easily add authentication to web and mobile apps. Enhance your apps with advanced security capabilities like multifactor authentication and single sign-on.
IBM Cloud Identity and Access Management (IAM)
IBM Cloud Identity and Access Management service securely authenticates users and controls access to all resources consistently in the IBM Cloud Platform.
|
8. Identify users and authenticate access to system components |
|---|
IBM Cloud App ID
Easily add authentication to web and mobile apps. Enhance your apps with advanced security capabilities like multifactor authentication and single sign-on.
IBM Cloud Secrets Manager
Create secrets dynamically and lease them to applications while you control access from a single location. Built on open source HashiCorp Vault.
IBM Cloud Identity and Access Management (IAM)
IBM Cloud Identity and Access Management service securely authenticates users and controls access to all resources consistently in the IBM Cloud Platform.
|
9. Restrict physical access to cardholder data |
|---|
IBM Cloud adopts several measures for increased physical security:
- Physical security of the data center perimeter
- Entry and exit access controls and logging
- Secure offices, rooms, and facilities
- Protection against external and environmental threats
- Redundancy of power and network equipment
- Secure disposal of equipment during de-provisioning
- Corporate HR business policy and security for onboarding, training, and offboarding
|
10. Log and monitor all access to system components and cardholder data |
|---|
IBM Cloud Flow Logs for VPC
Enable the collection, storage, and presentation of information about the Internet Protocol (IP) traffic going to and from network interfaces within your Virtual Private Cloud (VPC).
IBM QRadar Suite
IBM Security® QRadar® Suite is a modernized threat detection and response solution designed to unify the security analyst experience and accelerate their speed across the full incident lifecycle.
IBM Cloud Identity and Access Management (IAM)
IBM Cloud Identity and Access Management service securely authenticates users and controls access to all resources consistently in the IBM Cloud Platform.
IBM Security Guardium
Data security software in the IBM Security portfolio that uncovers vulnerabilities and protects sensitive on-premises and cloud data.
IBM Cloud Logs
Gain logs observability with IBM Cloud Logs to help improve infrastructure and app performance.
IBM Cloud Monitoring
Cloud monitoring and troubleshooting for infrastructure, cloud services and applications.
|
11. Test security of systems and networks regularly |
|---|
IBM Security and Compliance Center - Workload Protection
Find and prioritize software vulnerabilities, detect and respond to threats, and manage configurations, permissions, and compliance from source to run.
IBM QRadar Suite
IBM Security® QRadar® Suite is a modernized threat detection and response solution designed to unify the security analyst experience and accelerate their speed across the full incident lifecycle.
IBM Security Guardium
Data security software in the IBM Security portfolio that uncovers vulnerabilities and protects sensitive on-premises and cloud data.
|
12. Support information security with organizational policies and programs |
|---|
IBM Security and Compliance Center - Workload Protection
Find and prioritize software vulnerabilities, detect and respond to threats, and manage configurations, permissions, and compliance from source to run.
IBM Cloud Logs
Gain logs observability with IBM Cloud Logs to help improve infrastructure and app performance.
IBM Cloud Monitoring
Cloud monitoring and troubleshooting for infrastructure, cloud services and applications.
