Accelerating and Maintaining Your Regulated Standards at Scale

Instead of figuring out how to assemble a compliant infrastructure architecture on your own, you can review the deployable architectures that are now available in the catalog. IBM Cloud provides automation for the deployment of common architectural patterns that combine one or more cloud resources, known as deployable architectures. Each deployable architecture is built and maintained by IBM Cloud experts following IBM Cloud best practices, taking the guesswork out of the architecture design process and reducing the time it takes to deploy to just minutes. Compliance managers and solution architects can review the components of the architecture and the level of compliance that each deployable architecture meets by reviewing the details directly from the catalog detail pages.

Capability highlights:

• The IBM Cloud catalog now includes a curated set of deployable architectures to help you build faster by orders of magnitude.
• Convenient provisioning through IBM Cloud by using a project, Terraform-as-a-Service or on your own with CLI commands to configure the architecture to fit your enterprise’s business needs.

Modular Infrastructure as Code (IaC) templates enable you to customize and extend with IBM tools and share with private catalogs to ensure that the architecture meets your needs.

Planning and defining your enterprise’s goals for running secure workloads on IBM Cloud is essential to your success because building infrastructure and applications in the cloud can be time-consuming and error-prone. With IBM Cloud, you can save your business time and money by taking advantage of our automation and standardized best practices as you work. Get started by reviewing our predefined, compliant-by-default architectures and control libraries to see how your industry fits in the cloud.

When your team has evaluated and chosen a deployable architecture, they can use a project to configure it to fit your enterprise’s business needs. A project is a named collection of configurations that are used to manage related resources and Infrastructure as Code (IaC) deployments across accounts. They enable your teams to focus on a shift-left approach by using DevOps best practices to configure, deploy and monitor deployments. Each project includes tools that scan for potentially harmful resource changes, compliance, security and cost, as well as tracking versioning and governance. They’re designed with an IaC- and compliance-first approach that helps to ensure that a project is managed, secure and always compliant.

Capability highlights:

• Deployable architectures lower customer risk in adopting solutions by ensuring patterns work with security and compliance profiles baked-in.
• Projects enable compliance tracking across accounts, easier detection of spend, and increased ease of management.
• The IBM Cloud Security and Compliance Center continuously monitors across accounts, enabling deployable architectures to proliferate best practices across the organization.
• Accelerator for IBM Cloud Framework for Financial Services.
• Conduct a shift-left, pre-deployment scan with projects to check compliance and cost for your configured deployable architecture, adding a layer of governance where changes require admin approval.

With continuous compliance at the core of IBM Cloud’s platform, your team has all the tools at your disposal to securely develop, deploy and manage your regulated, mission-critical enterprise workloads in the cloud. For highly regulated industries like financial services, achieving continuous compliance within a cloud environment is an important first step toward protecting customer and application data.

Historically, that process has been difficult and manual, which placed your organization at risk. With IBM Cloud, however, you can work with predefined deployable architectures, automate IaC deployments with projects and integrate automatic security checks into everyday workflows to minimize risk.

With IBM Cloud, your whole team— including solution architects, compliance managers, infrastructure DevOps teams and application development teams—can use a shift-left approach to identify security risks and exposures early when developing and deploying cloud solutions. This ensures that security and compliance is at the center of your workflow to promote a culture of security and compliance within your organization that allows your enterprise to operate in the cloud with confidence.

Capability highlights:

• Fully supported deployable architectures include shift-left security and compliance scans via an integrated DevSecOps model.
• The DevSecOps Application Lifecycle Management deployable architecture provides a streamlined way to set up continuous integration (CI), continuous development (CD), and continuous compliance (CC) toolchains for secure and agile application development.
• Continuously scan architectures against security and compliance profiles in the IBM Cloud Security and Compliance Center. Anomalies are flagged and remediations are suggested.
• Define custom profiles (Compliance as Code) based on IBM Cloud Framework for Financial Services to work across the entire cloud enterprise, specific workloads, individual applications and all points in between.

With DevSecOps, you can put security and compliance at the forefront of your development lifecycle. This sets your team up to implement a shift-left approach that prevents security issues in your application code from ever reaching production and collects evidence for handling security audits. By taking advantage of IBM Cloud DevSecOps, you can leverage the CC toolchain template to move from manual verification to using automation to continuously assess app security and compliance posture. To learn more, see the DevSecOps documentation.

Although IBM Cloud reduces the time and complexity of setting up a compliant enterprise application, you still need to ensure that you’re maintaining compliance. To do so, you can use the Security and Compliance Center to run automatic evaluations on your resource configurations. The evaluation results are provided in the dashboard of the Security and Compliance Center or you can get notified of changes. You can quickly assess the risk to your organization, fix issues and generate reports so that you’re always audit-ready.

Additionally, using DevSecOps CI/CD/CC toolchains can help to automate the evaluation of controls as part of the development process and can block non-compliant changes from being promoted. Managing your application code this way ensures that you have the evidence and change history that is needed to meet the required compliance standards for your industry. For more information about using DevSecOps Application Lifecycle Management for deploying your code, review the reference architecture.

Capability highlights:

• Security and compliance officers can track compliance at the project level, crossing account boundaries and grouping all related resources.
• Architects and developers can see the impact of a deployment scenario on overall cloud costs in real-time, before changes are applied.
• Cost, availability and compliance reporting occurring across accounts and shared infrastructure give you the ability to calculate accurate costs for inter-company chargebacks.
• Use the provided tools to support IaC and Compliance as Code modifications that are customized to your organization and shared via private catalogs.
• Monitor your code coverage, quality, vulnerability and build deployments with DevOps Insights.
• Set up a built-in pipeline to trigger alerts when critical events occur with Event Notifications integrated with popular tools like Slack and GitHub.

Unified controls frameworks, compliance profiles and user experience seamlessly integrate flows across both infrastructure and applications, ensuring security and compliance is baked-in at every step in the cloud journey. This full-stack solution provides compliance definitions, eliminates risk and blind spots at the architectural boundaries, and helps you manage scale quicker while avoiding potentially critical gaps.

An enterprise development team can maintain their compliance for multiple applications and all underlying infrastructure in one experience. Specific roles include the following:

• A risk and compliance officer can define an enterprise-level compliance profile.
• A cloud architect can select from a series of enterprise-compliant architectures and customize to suit their needs.
• An account admin can instantiate the reference infrastructure environment.
• A development team can stand up a secure and compliant application layer, including DevSecOps, on top of the infrastructure.
• An SRE has a project level context for viewing and reporting all relevant resources, even across accounts.
• A compliance focal can see continuous compliance results, ensure vulnerabilities are being alleviated and quickly access audit-ready compliance evidence.

With the tools available through IBM Cloud, you can stay compliant with automation and ensure that deployments are conducted by using a secure software supply chain, all while managing your resources at scale. Visit the IBM Cloud catalog to check out the deployable architectures, and visit the IBM Security and Compliance Center today to start defining your security and compliance goals.

For more information about setting up automated deployments using projects, customizing deployable architectures and more, see the Enterprise account architecture white paper and Running secure enterprise workloads documentation.

• Running secure enterprise workloads on IBM Cloud
• Documentation collection for Running secure enterprise workloads
• White Paper – Enterprise Account Architecture