Industry-standard data-protection and security capabilities built into IBM Cloud
IBM Cloud for Financial Services® has been designed with the exacting needs of the world’s largest and most complex organizations in mind. It draws on all the data data-protection security capabilities and services built into the IBM public cloud, allowing it to be used for mission-critical workloads and highly sensitive data. IBM offers an enterprise-grade public cloud with extensive service-deployment options—such as VMware and Red Hat® OpenShift® as a service—and is equipped to meet the specific requirements of financial services.
Zero trust: Built-in security across network, identity, endpoints and applications
Included within IBM Cloud for Financial Services are core technologies for managing security risk and regulatory compliance with a data-centric, zero trust approach.
IBM takes a holistic approach to confidential computing—spanning compute, containers, databases and encryption. Confidential computing helps clients remove the implicit trust that applications place in the underlying software stack and cloud providers, so you can move from operational to technical measures and protect the privacy of your sensitive data at rest, in transit and in use.
This can allow clients to move sensitive data and workloads to the cloud, unlocking new ways to collaborate and innovate. Although it’s impossible to completely prevent data breaches in today’s connected hybrid cloud environment, a data-centric, zero trust approach can help financial institutions modernize operations and embed security controls and is designed to mitigate the impact and cost of a data breach.
IBM Cloud® is the only cloud service in the industry built on FIPS 140-2 Level 4- certified hardware.
End-to-end encryption with extensive control
Our financial services cloud also offers an industry-leading key management approach that technically gives clients exclusive control of their data. Not even IBM can access it.¹ IBM Cloud® Hyper Protect Crypto Services enables cloud data encryption in a dedicated cloud hardware security module (HSM). The service offers technology like Keep Your Own Key (KYOK), a single-tenant key management service, which has key-vaulting provided by dedicated, user-controlled HSMs and that’s designed to support industry encryption standards, such as Public-Key Cryptography Standards (PKCS) #11. It’s also the only cloud service in the industry built on FIPS 140-2 Level 4-certified hardware. At this security level, the physical security mechanisms can provide an envelope of protection around the cryptographic module with the intent of detecting and responding to unauthorized attempts at physical access.
With this type of data protection, the client is the only party that governs and controls access to their private data. These capabilities can be game-changing for the financial services industry that needs to adhere to strict regulatory requirements for data protection.
IBM Cloud for Financial Services draws on additional services built into the IBM public cloud that also allow it to be used for mission-critical workloads and sensitive data.
Workload-centric security by default
Each workload requires various access and security rules. IBM enables organizations to define and enforce such guidelines by way of integrated container security and DevSecOps for cloud-native applications with Red Hat® OpenShift® as a service.
Multi-Zone Regions (MZRs)
Clients can leverage the underlying capabilities of IBM Cloud for Financial Services to enhance business resiliency and disaster recovery. MZRs comprise multiple high-speed, low-latency, interconnected Availability Zones that are independent from each other to help limit the impact of single-failure events to a single Availability Zone, only. They enable financial institutions to locate workloads in specific geographies to fit their needs.
Logging and auditing rules
SaaS and ISV providers are required to log all actions taken through the cloud portal, API or command-line interface to be recorded in detail using IBM Cloud® Activity Tracker. This provides standard logging of activity on systems and services and full-session recording of exactly what actions operators take. This information is centrally stored and analyzed. The logging process is auditable to enable tracing of all steps, including logging both successful and unsuccessful events, and gives role-based protection at all points of intervention. The access logs are stored along with time stamps to assist analysis and forensics.