End-to-end encryption with extensive control
Our financial services cloud also offers an industry-leading key management approach that technically enforces clients' exclusive control of their data. Not even IBM can access it.¹ IBM Cloud® Hyper Protect Crypto Services enables cloud data encryption in a dedicated cloud hardware security module (HSM). The service offers Keep Your Own Key (KYOK), a single-tenant key management service in which keys are vaulted in dedicated, user-controlled HSMs, and it is designed to support industry encryption standards such as Public-Key Cryptography Standards (PKCS) #11. It is also the only cloud service in the industry built on FIPS 140-2 Level 4-certified hardware. At this security level, the physical security mechanisms form an envelope of protection around the cryptographic module, intended to detect and respond to unauthorized attempts at physical access.
With this type of data protection, the client is the only party that governs and controls access to their private data. These capabilities can be game-changing for the financial services industry, which must adhere to strict regulatory requirements for data protection.
IBM Cloud for Financial Services draws on additional services built into the IBM public cloud that also allow it to be used for mission-critical workloads and sensitive data.
Workload-centric security by default
Each workload requires its own access and security rules. IBM enables organizations to define and enforce such rules by way of integrated container security and DevSecOps for cloud-native applications, with Red Hat® OpenShift® as a service.
Multi-Zone Regions (MZRs)
Clients can leverage the underlying capabilities of IBM Cloud for Financial Services to enhance business resiliency and disaster recovery. MZRs comprise multiple high-speed, low-latency, interconnected Availability Zones that are independent from each other, so that the impact of a single failure event is limited to one Availability Zone. They enable financial institutions to locate workloads in specific geographies to fit their needs.
Logging and auditing rules
SaaS and ISV providers are required to record in detail all actions taken through the cloud portal, API or command-line interface, using IBM Cloud® Activity Tracker. This provides standard logging of activity on systems and services, and full-session recording of exactly what actions operators take. This information is centrally stored and analyzed. The logging process is auditable to enable tracing of all steps, including logging of both successful and unsuccessful events, and gives role-based protection at all points of intervention. The access logs are stored along with time stamps to assist analysis and forensics.