Fortressing the digital frontier: A comprehensive look at IBM Cloud network security services

15 October 2024

The cloud revolution has fundamentally transformed how businesses operate. Its superior scalability, agility and cost-effectiveness have made it the go-to platform for organizations of all sizes. However, this shift to the cloud has introduced a new landscape of ever-evolving security threats. Data breaches and cyberattacks continue to hit organizations, making robust cloud network security an absolute necessity.

IBM®, a titan in the tech industry, recognizes this critical need, provides a comprehensive suite of tools and offers unmatched expertise to fortify your cloud environment. Whether you’re a seasoned cloud veteran or a newcomer embarking on your migration journey, comprehensive IBM Cloud® security offerings empower you to safeguard your data, applications and cloud infrastructure.

Safeguarding your network: Unveiling the IBM Cloud network security arsenal

IBM Cloud® network security provides clients with the tools and expertise needed to protect their data, applications and infrastructure. This helps ensure a defense-in-depth approach to end-to-end security, safeguarding against the evolving threat landscape within and surrounding the cloud environment.

IBM Cloud Internet Services, powered by Cloudflare, provides a fast, highly performant, reliable and secure internet service for customers running their business on IBM Cloud using Cloudflare’s 165+ Global Points of Presence (PoPs). It discovers edge network services for securing internet-facing apps from DDoS attacks, data theft and bot attacks. This is a software-defined security solution that provides security, resiliency and performance capabilities for the web-facing applications. Some of the notable security features are as follows:

DDoS protection

Distributed Denial-of-Service (DDoS) attacks can cripple an organization's online presence by overwhelming servers with a flood of illegitimate traffic. IBM’s DDoS protection services help mitigate these attacks, ensuring the network remains accessible and operational.

Web application security

Web applications are often prime targets for cybercriminals. IBM offers web application security solutions that scan for vulnerabilities, prevent common web application attacks such as SQL injection and cross-site scripting (XSS) and help secure web properties.

Transport Layer Security

Protect the web application and control its Transport Layer Security (TLS) configuration by using:

  • IBM-provided TLS certificates: IBM Cloud services offer built-in TLS certificates, which IBM automatically provisions and manages.
  • Bring your own certificates (BYOC): Users can bring their own TLS certificates and manage them within the IBM Cloud platform.
  • TLS settings: Users can configure the minimum and maximum TLS versions and the specific cipher suites that are allowed, based on the security requirements of the organization.

Cloud load balancing

Distribute traffic across multiple servers to optimize performance and ensure that your applications remain highly available. This helps prevent bottlenecks and single points of failure that could be exploited by attackers.

Advanced security

IBM Cloud Internet Services offers advanced security features that can be changed, enabled or disabled based on your requirements. A few examples are:

  • Browser integrity check: The browser integrity check looks for HTTP headers that spammers commonly abuse. It denies traffic with those headers access to your page. It also blocks or challenges visitors who do not have a user agent or who add a nonstandard user agent. This tactic is commonly used by abuse bots, crawlers or APIs.
  • Opportunistic encryption: Allows browsers to benefit from the improved performance of HTTP/2 by informing them that your site is available over an encrypted connection.
  • Email obfuscation: Prevents spam from harvesters and bots that try to access email addresses on your pages.
  • True-Client-IP header: Sends the user IP address in the True-Client-IP header.

IBM Cloud security groups

In a complex cloud environment, traditional network segmentation can become cumbersome. Micro-segmentation offers a more granular approach, allowing users to isolate workloads and resources at a finer level, minimizing the potential impact of a security breach.

In the world of cloud security, security groups are sets of IP filter rules designed to regulate access to network resources. They define how to handle incoming (ingress) and outgoing (egress) traffic to both the public and private interfaces of a virtual server instance. These are fundamental building blocks that form the first line of defense in the cloud network. Security groups offer granular control by allowing users to define access rules at the individual instance level.

In Figure 2, virtual server instances are associated with a set of security groups to restrict network traffic. The arrows represent network traffic flow.

The application developer has restricted access to the various infrastructure layers, as follows:

  • The application developer can access only the web layer on TCP port 443 (https).
  • Only web layer instances can access the application layer instances.
  • Only the application layer instances can access the database layer instances.

Use security groups for all virtual servers that need protection in any of the global data centers.
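The three-tier layout above can be checked mechanically. The following is an added example, not IBM code: it models ingress rules whose remote is either a CIDR or another security group, tests who can reach which tier, and flags any rule that departs from the intended upstream. The group names, the developer address and ports 8080 and 5432 are assumptions; only port 443 comes from the text.

```python
import ipaddress

DEV_IP = "203.0.113.10"  # constructed developer address (documentation range)

# Constructed ingress rules. "remote" is a CIDR or another security group's
# name; group names and ports 8080/5432 are assumptions, only 443 is from the text.
GOOD = {
    "sg-web": [{"port": 443, "remote": DEV_IP + "/32"}],
    "sg-app": [{"port": 8080, "remote": "sg-web"}],
    "sg-db": [{"port": 5432, "remote": "sg-app"}],
}
# Same layout after drift: someone opened the database tier to any address.
DRIFTED = {**GOOD, "sg-db": GOOD["sg-db"] + [{"port": 5432, "remote": "0.0.0.0/0"}]}

# Intended single upstream for each tier, taken from the three bullets above.
UPSTREAM = {"sg-web": DEV_IP + "/32", "sg-app": "sg-web", "sg-db": "sg-app"}


def allowed(rules, dst_group, port, src_ip, src_groups=()):
    """True if an ingress rule on dst_group admits this source on this port."""
    for rule in rules.get(dst_group, []):
        if rule["port"] != port:
            continue
        remote = rule["remote"]
        if remote in rules:  # remote names a security group
            if remote in src_groups:
                return True
        elif ipaddress.ip_address(src_ip) in ipaddress.ip_network(remote):
            return True
    return False


def audit(rules, upstream):
    """List rules whose remote is not the single upstream allowed for that tier."""
    findings = []
    for group, group_rules in rules.items():
        for rule in group_rules:
            if rule["remote"] != upstream[group]:
                findings.append((group, rule["port"], rule["remote"]))
    return findings


if __name__ == "__main__":
    print("developer -> db (good):", allowed(GOOD, "sg-db", 5432, DEV_IP))
    print("drift findings:", audit(DRIFTED, UPSTREAM))
```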

IBM Cloud network access control list (ACL)

The IBM Cloud network access control list (ACL) controls all incoming and outgoing traffic in the IBM Cloud Virtual Private Cloud. An ACL is a built-in virtual firewall, like a security group. In contrast to security groups, ACL rules control traffic to and from the subnets rather than to and from the instances.

An Access Control List (ACL) can manage (that is, it can allow or deny) inbound and outbound traffic for a subnet. An ACL is stateless, which means that inbound and outbound rules must be specified separately and explicitly. Each ACL consists of rules based on a source IP, source port, destination IP or destination port.
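What statelessness means in practice, as an added example that is not IBM code: a small model evaluates the inbound HTTPS request and the outbound reply as two independent packets, so an ACL with only an inbound allow rule drops the reply. The subnet, addresses and ephemeral port range are constructed, and first-match ordering with an implicit deny is an assumption of the model.

```python
import ipaddress

ANY = (1, 65535)
SUBNET = "10.10.1.0/24"  # constructed subnet the ACL is attached to


def rule(direction, action, src, dst, sports=ANY, dports=ANY):
    """Build one ACL rule on source/destination IP and port ranges."""
    return dict(dir=direction, action=action, src=src, dst=dst,
                sports=sports, dports=dports)


def decide(acl, direction, src, sport, dst, dport):
    """First matching rule wins; no match is treated as deny (model assumption)."""
    for r in acl:
        if (r["dir"] == direction
                and ipaddress.ip_address(src) in ipaddress.ip_network(r["src"])
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r["dst"])
                and r["sports"][0] <= sport <= r["sports"][1]
                and r["dports"][0] <= dport <= r["dports"][1]):
            return r["action"]
    return "deny"


def https_round_trip(acl, client, cport, server):
    """Evaluate request and reply independently, as a stateless filter does."""
    request = decide(acl, "inbound", client, cport, server, 443)
    reply = decide(acl, "outbound", server, 443, client, cport)
    return request, reply


# Inbound HTTPS allowed, nothing said about the return path.
INBOUND_ONLY = [rule("inbound", "allow", "0.0.0.0/0", SUBNET, dports=(443, 443))]
# Explicit outbound rule for replies from port 443 to client ephemeral ports.
WITH_REPLY = INBOUND_ONLY + [
    rule("outbound", "allow", SUBNET, "0.0.0.0/0",
         sports=(443, 443), dports=(1024, 65535)),
]

if __name__ == "__main__":
    for name, acl in (("inbound only", INBOUND_ONLY), ("with reply", WITH_REPLY)):
        print(name, https_round_trip(acl, "198.51.100.7", 51514, "10.10.1.20"))
```

Because the outbound rule is pinned to source port 443, it covers replies only; connections the server initiates still need their own outbound rule.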

In Figure 3, within the IBM Cloud VPC, the 2 different subnets are segmented using network ACL policies, and inbound and outbound requests to and from the internet are also restricted.

Every VPC has a default ACL that allows all inbound and outbound traffic. You can edit the default ACL rules or create a custom ACL and attach it to your subnets. A subnet can only have 1 ACL attached to it at any time, but 1 ACL can be attached to multiple subnets.

These virtual firewalls act as gatekeepers, meticulously filtering incoming and outgoing traffic based on predefined security policies, preventing unwanted traffic from the internet hitting the servers and reducing the attack surface.

FortiGate Security Appliance (Firewalls)

The FortiGate Security Appliance (FSA) is a hardware-accelerated, high-performance, enterprise-grade firewall available as a service on IBM Cloud. It delivers powerful and reliable protection for enterprise workloads, helping ensure comprehensive security and providing advanced management control over network traffic—all within a unified platform.

This is one of the recent expansions in the existing firewall offering portfolio that satisfies both network performance throughput and robust perimeter security. Some of the advanced features are:

  • High throughput (up to 10 Gbps speed)
  • Automated provisioning of Next-Generation Firewalls capabilities like IPS, antivirus (AV) and web filtering.
  • Public and private network connectivity
  • Ability to associate multiple VLANs with a single firewall device

As the demand for high-speed networks in cloud services continues to grow, securing workloads and networks has become a top priority. IBM Cloud is the only major cloud service provider that lets you use hardware-based firewalls in the cloud. We know that security solutions must evolve with new demands and offer protection efficiently.

Building a secure cloud future with IBM Cloud

IBM Cloud offers compliance frameworks that are tailored to the specific requirements of different industry regulations. These frameworks include:

  • IBM Cloud for Financial Services® is designed to build trust and enable a transparent public cloud ecosystem with the features for security, compliance and resiliency that financial institutions require. Financial institutions can confidently host their mission-critical applications in the cloud and transact quickly and efficiently.
  • Health Insurance Portability and Accountability Act (HIPAA) – As organizations transition to the cloud, security is a top priority. With the rapidly expanding volume of personal information in the cloud, including Protected Health Information (PHI), it is critical to describe how the cloud is secured through critical services such as authentication, authorization, auditing and end-client access. This guide outlines how an IBM Cloud client can build environments and applications that are ready for HIPAA.

More compliance programs can be viewed here.

The cloud opens endless possibilities, but security remains a top priority. IBM Cloud enables you to create a secure future with its robust suite of cloud network security solutions. Establishing a strong security foundation in the cloud is critical for any enterprise, and IBM Cloud’s network security services provide the essential tools to safeguard your environment. As you embark on your cloud journey, security is one of the most vital considerations for long-term success.

 

Author

Venkatramanan Vijayan

Security Architect, IBM