Data Stewardship and the Importance of Export Compliance in the IBM Cloud

This spring IBM published our Principles for Trust and Transparency, which outline how we protect our clients’ data and insights and how we usher new innovative technologies into the world responsibly. These principles are more than just words — they are a model for how IBM treats our customers’ data, everyday, everywhere. This idea of responsible data stewardship extends to export compliance.

As a U.S. company, IBM takes compliance with export regulations seriously. Our control program permeates our global business processes due to the fact we provide hardware, software and services to customers all over the world. As a cognitive computing and cloud platform company, our cloud offerings are no exception. This blog highlights IBM’s rationale for our Cloud Export Control program and provides insight into why we do what we do.

Although the public cloud user is the exporter of record and is ultimately responsible for compliance with U.S. export regulations – Export Administration Regulations (EAR), International Traffic in Arms Regulations (ITAR), and Trade Sanctions from the Office of Foreign Assets Control (OFAC) – IBM, as your cloud provider, has a role to play. It’s not just the law, it’s the right thing to do.

IBM’s cloud offerings provide export compliant solutions for our customers, but we go further than just making that service/app available online. We work with our customers to understand how IBM will be involved in providing their solution to ensure our involvement complies with all applicable export controls.

As a multi-national corporation, IBM has talented people all over the world — however, customer data may be export-restricted in some countries. These restrictions directly affect where a solution can be deployed or which of our teams can be involved in delivery. IBM works with our customers to understand these export implications to prevent non-compliant custom solutions or boarding a customer into existing multi-tenant solutions that are non-compliant.

IBM does the following to ensure proper and compliant handling of customer data:

• All customers go through restricted parties screening
• IP blocking is implemented on all internet facing offerings where required
• Customers are asked detailed questions before a solution or sales proposal is developed

This is what responsible data stewardship is all about.

IBM doesn’t presume to tell customers which U.S export regulations apply to their business, how the regulations should be interpreted, or how customers should apply the regulations to their use of our cloud offerings. While we understand our business and how export regulations apply to what we do, IBM is not always an expert in export compliance controls that would apply to our customers. Developing an export-compliant solution is a partnership.

Let’s examine a few of IBM’s specific cloud export control policies:

• Customer Screening – One very basic tenant of the U.S. export regulations is that exporters must “screen what they know” before conducting a transaction. This includes making sure customers are not on one of the many ‘denied party’ lists and blocking all transactions from the sanctioned countries – commonly referred to as IP blocking or geoblocking. IBM’s internet-facing cloud offerings implement customer screening and IP blocking when required. Some Cloud Service Providers (CSPs) feel this is unnecessary since users can mask who they are and where they are located by providing false information and using proxies. While it’s true that users can do such things, it doesn’t change the requirement to screen what we know.
• EU Cloud Code of Conduct – On March 13th, 2017, IBM signed the EU Cloud Code of Conduct. This is another assurance of IBM’s commitment to implement robust data protection in the cloud regarding how customer data is used, stored, and managed. Not only is important for CSPs to state they have a secure and compliant platform — they must also be able to demonstrate it. You can read more here.
  
• Hybrid and Private Clouds vs. Public Clouds – Most often, public clouds are implemented to target the ‘normal’ user and tend to support minimal customization. IBM recognizes that different customers in different industry segments or geographical regions have vastly different requirements. IBM can provide tailored solutions to take into account local country data storage regulations and requirements, all while still complying with U.S. export regulations that are important to U.S. multi-national companies.

This additional effort takes time and investment on IBM’s part. But the result is that customers can be assured that their data is handled appropriately and will not be misused, misdirected or at risk of an export non-compliance situation. This is what IBM means by Cloud Data Stewardship for Export Compliance.