|Industry||Computing, Cloud computing, Web services|
|Founder(s)||Charles Ranlett Flint|
|Headquarters||Armonk, New York, United States|
|Key people||Arvind Krishna (CEO)|
|Products||IaaS, PaaS, DBaaS, DaaS, SaaS|
|Revenue||$22.4 billion (2022)|
IBM Cloud is a collection of public, private, hybrid, and multicloud cloud computing services offered by IBM, an American multinational information technology company. IBM Cloud deploys to over 46 data centers in various locations around the world, primarily in the U.S. and Europe but also with some representation in the Pacific region and South America. More than 170 different products and services are associated with IBM Cloud, representing elastic computing, networking, content delivery, data storage, database management, security management, enterprise management, data analysis, scientific computing, container management, developer support, blockchain management, internet of things, and artificial intelligence.
This section uses public information to provide some answers to the 18 questions posed in Chapter 6 of the wiki-based guide Choosing and Implementing a Cloud-based Service for Your Laboratory. In some cases, public information could not be found, and a recommendation to further discuss the question with the cloud service provider (CSP) is made.
1. What experience do you have working with laboratory customers in our specific industry?
Few publicly described examples of non-technology laboratories working with IBM Cloud could be found, with only Allegany Ballistics Laboratory, a manufacturing and research center for the Department of Defense, being mentioned. One laboratory informatics vendor, L7 Informatics, Inc., could be verified to be using or have used IBM Cloud for its SaaS offerings. An IBM Cloud representative is more likely to be able to supply other examples of laboratories and laboratory informatics developers that use or have used IBM Cloud.
2. Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?
It will ultimately be up to your organization to get an answer from IBM tailored to your systems and business processes. However, this much can be said about IBM Cloud integrations. The company provides a wide variety of tools for integration, as outlined on its integration solutions page. Its main tool, IBM Cloud Pak for Integration, "provides an automated and closed-loop lifecycle across multiple styles of enterprise integration." Related integration tools include IBM API Connect, IBM App Connect, and IBM Secure Gateway Service (useful for hybrid cloud deployments).
3. What is the average total historical downtime for the service(s) we're interested in?
Some public information is made available about historic outages and downtime. IBM Cloud has a systems status page with status history (you have to click on the "History" link to the left). You should be able to read through the incident details for each issue, going back through a fair amount of history. This will give you a partial picture of the issues experienced in the past, as well as any scheduled maintenance and currently impacted services. A follow-up on this question with an IBM Cloud representative may reveal more historical downtime history for the services you are interested in.
4. Do we receive comprehensive downtime support in the case of downtime?
IBM Cloud does not make this answer clear. However, the answer is likely tied to what after-sales support plan you choose. Confirm with IBM Cloud what downtime support they provide based on the services your organization are interested in.
5. Where are your servers located, and how is data securely transferred to and from those servers?
IBM Cloud has 60 data centers spread across six regions and 18 availability zones, with three more regions planned (as of April 2021). These zones are distributed in various locations around the world, primarily in the U.S. and Europe but also with some representation in the Pacific region and South America. IBM Cloud uses its Content Delivery Network to deliver content, which "allows your users to receive the content with less delay, and delivers a better overall experience for your customers." Data in motion is protected through IBM Cloud's IBM Security Guardium Data Encryption suite for applying "data-at-rest and data-in-transit security quickly and consistently." As for data localization and residency requirements, IBM Cloud documentation and blog articles address some elements of this topic, partly in the scope of blockchain networks; discuss the topic further with an IBM Cloud representative.
6. Who will have access to our data (including subcontractors), and what credentials, certifications, and compliance training do they have?
IBM Cloud addresses this topic partially in its architecture documentation:
Each data center has at least one security entry point that is always staffed and can include one or more access controlled entry ways that are monitored by CCTV. Each controlled area requires at least badge reader based authentication. Sensitive areas such as server rooms, network closets, and utility closets require badge and biometric authentication. Access attempts are logged and logs retained for at least one calendar year. Repeated failed access attempts trigger an alert to the security guards ... Access to the data center does not in turn confer access to the secured rooms within the data center. Employee access is based on job role, for example, so that server technicians do not have access to the network closet, and only trained facility staff have access to power feed termination rooms.
As for certifications and training, little is said about certifications. IBM indicates that an "extensive security training program" is required of each employee, and they must recertify that training annually. They also receive additional security awareness training based on role. For additional information about roles, certifications, and training, discuss this with an IBM Cloud representative.
7. Will our sensitive and regulated data be stored on a machine dedicated to complying with the necessary regulations?
Not all IBM Cloud machines have the same controls on them; it will depend on the region, product, and compliance requirements of your lab. That said, verify with a representative that the machine your data will land on meets all the necessary regulations affecting your data.
8. How segregated is our cloud data from another customer's, i.e., will lapses of security of another customer's cloud affect our cloud? (It typically won't, but asking the question will hopefully prompt the provider to better explain how your data is segregated.)
It appears some IBM Cloud services may offer a premium "physical separation" plan. For example, the Text to Speech offering has a standard multi-tenant plan that provides "logical separation of data by using common encryption keys," and a premium single-tenant plan that provides "dedicated data storage accounts that use unique encryption keys." It's not clear how many other services IBM Cloud services have similar plans associated with them, but a 2020 blog post by IBM indicates they are able to accommodate both single- and multi-tenant environments in more than a few cases. Verify with a representative about physical vs. logical separation for your desired services.
As for tenant isolation, the previously mentioned blog post, as well as a few other bits of documentation, talks about tenant isolation security measures. For example, those on multi-tenant environments can take advantage of IBM's Cloud Key Protect, which "provides a root of trust that is secured by FIPS 140-2 Level 3 certified cloud-based HSMs that protect against theft of information." For more details about security measures in tenant isolation, discuss this with an IBM Cloud representative.
9. Do you have documented data security policies?
IBM Cloud documents its security practices in several places:
- IBM Cloud Security portal
- Cloud-native security practices in IBM Cloud
- Security architecture for cloud applications
Some security-related documents, like the SOC 2 report, may not be publicly available, requiring direct discussion with an IBM Cloud representative to obtain them.
10. How do you test your platform's security?
IBM Cloud notes the following about testing platform security:
In addition to the regular penetration testing conducted by IBM and our partners, customers can conduct their own penetration testing of their resources on IBM Cloud. No permission is necessary from IBM Cloud for penetration testing of IP addresses allocated to your classic infrastructure account that is set up on classic virtual or bare metal servers. For penetration testing of IBM Cloud VPC or PaaS offerings, or any IBM-owned IP space that is not allocated to your classic infrastructure account, open a support case to get instructions on signing the Client Penetration Testing Authorization Agreement.
IBM also has IBM X-Force Red, "a global team of hackers hired to break into organizations and uncover risky vulnerabilities that attackers may use for personal gain." However, it's not clear if this same team also tests IBM Cloud's own infrastructure. Discuss this topic more thoroughly with a representative.
11. What are your policies for security audits, intrusion detection, and intrusion reporting?
Audits: IBM Cloud discusses security audits and reviews in its security architecture documentation, under "Third-party security audits and reviews." IBM Cloud's approach to security audits is also demonstrated by its compliance credentials (e.g., see its trust center).
Intrusion detection and reporting:: IBM Cloud discusses intrusion detection and prevention in-depth in the "Network Protection" section of its security architecture documentation. They also note elsewhere:
Detection typically involves a sophisticated analytics engine that assembles the data that is collected in the visibility space. By correlating and assessing this data, you can identify events that are occurring over one or more related platforms and start an investigation and response. Modern analytics engines use AI and machine learning (ML) to identify events and reduce the manual effort to triage events. AI and ML are important in user and end-point behavior analytics (UEBA) that rely on those tools to establish baseline behaviors and recognize anomalies—a fundamental tool in identifying insider threats.
12. What data logging information is kept and acted upon in relation to our data?
While IBM Cloud offers customers tools like IBM Cloud Log Analysis to analyze their own logs, it's not clear what data logging information IBM collects and uses in relation to customer data. The Privacy Shield documentation notes, however:
The types of personal data that Privacy Shield-Certified Cloud Services collect will vary based on the type and nature of each offering, and is described in its offering documentation (searchable via this link) or as otherwise provided by IBM. IBM uses such personal data as needed to deliver the Cloud Service, along with additional purposes that may be described in the corresponding TD or Attachment.
13. How thorough are those logs and can we audit them on-demand?
Customers have the ability to audit the logs associated with their own activities. It also appears "interactions made by IBM Cloud infrastructure support staff" can also be captured and audited in those logs. However, it's not clear what logs, if any, are collected and maintained by IBM about your data, let alone whether or not you can access them. You'll have to have this discussion with a representative.
14. For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?
15. What happens to our data should the contract expire or be terminated?
Per the Cloud Services Agreement:
IBM will return or remove Content from IBM computing resources upon the expiration or cancellation of the Cloud Service, or earlier upon Client’s request. IBM may charge for certain activities performed at Client’s request (such as delivering Content in a specific format). IBM does not archive Content, however some Content may remain in Cloud Service backup files until expiration of such files as governed by IBM’s backup retention practices.
16. What happens to our data should you go out of business or suffer a catastrophic event?
It's not publicly clear how IBM Cloud would handle your data should they go out of business; consult with a representative about this topic. As for catastrophic events, like other cloud providers, IBM Cloud uses three zones per region (a multi-zone region or MZR) for redundancy: "The advantage of an MZR is that it provides consistent cloud services across different zones, better resiliency, availability, higher interconnect speed between data centers for your resources. These features can be critical to your applications. Deploying the application in an MZR rather than a [single-zone region] can increase the availability from 99.9% to 99.99% when deployed over three zones." It's highly unlikely that all three zones would be affected in an catastrophic event. However, if this is a concern, discuss further data redundancy with an IBM Cloud representative. (IBM provides some additional insight by discussing its approach to availability and disaster recovery in its documentation.)
17. Can we use your interface to extract our data when we want, and in what format will it be?
IBM does talk about moving data between buckets, but documentation about extracting data from their cloud service and moving it to your own private cloud or transferring it to another cloud service can't be found. IBM does note in a blog post that it is "active in the EU’s Switching Cloud Providers and Porting Data (SWIPO) initiative which lays out requirements for transparency at both infrastructure and software levels." However, it's not clear if IBM Cloud has mapped their cloud processes to the voluntary SWIPO codes of conduct. You'll have to discuss the details of data export and migration—including data formats—from IBM Cloud with a representative.
18. Are your support services native or outsourced/offshored?
It is unclear if support personnel are local to the customer or if support is outsourced to another business and country. Discuss this with an IBM Cloud representative.
Managed security services
IBM Managed Security Services is described by IBM as set of services that "simplifies security and risk with continuous, value-driven monitoring, management, and intelligence backed by global expertise, local delivery, and an integrated security portfolio." The company touts both managed cybersecurity services and managed network security services. This includes:
- Managed cybersecurity: threat management, managed detection and response, managed cloud security, managed endpoint security, identity management, and command center security
- Managed network security: managed firewall, as well as intrusion detection and prevention management
Documentation and other media
- Disaster recovery documentation
- HIPAA compliance guide
- Client security whitepaper
- IBM Managed Security Services data sheet
- IBM security and privacy principles
- IBM Cloud architecture framework or description
- IBM Cloud shared responsibility model
- IBM Cloud trust center
- IBM Managed Security Services
- "IBM Releases Fourth-quarter Results". IBM. 25 January 2023. https://newsroom.ibm.com/2023-01-25-IBM-RELEASES-FOURTH-QUARTER-RESULTS. Retrieved 02 August 2023.
- "IBM Cloud global data centers". IBM Cloud. https://www.ibm.com/cloud/data-centers. Retrieved 02 August 2023.
- "IBM Cloud Products". IBM. https://www.ibm.com/cloud/products. Retrieved 02 August 2023.
- "IBM Achieves Highest U.S. Defense Information Systems Agency Authorization for Cloud Services". IBM. 11 February 2016. Archived from the original on 24 January 2021. https://web.archive.org/web/20210124035001/https://www-03.ibm.com/press/us/en/pressrelease/49018.wss. Retrieved 02 August 2023.
- Lab7 Systems, Inc (23 May 2017). "Lab7 Systems Announces High-Performance Cloud For Genomic-Scale Data Management Built On IBM Cloud". BioSpace. https://www.biospace.com/article/releases/lab7-systems-announces-high-performance-cloud-for-genomic-scale-data-management-built-on-ibm-cloud-/. Retrieved 02 August 2023.
- "IBM Cloud Pak for Integration". IBM Cloud. https://www.ibm.com/products/cloud-pak-for-integration. Retrieved 02 August 2023.
- "IBM Cloud Multi-zone region" (PDF). IBM Cloud. https://www.ibm.com/downloads/cas/2BWNGJM3. Retrieved 02 August 2023.
- "About Content Delivery Network". IBM Cloud Docs - Content Delivery Network (CDN). IBM Cloud. 1 February 2021. https://cloud.ibm.com/docs/CDN?topic=CDN-about-content-delivery-networks-cdn-. Retrieved 02 August 2023.
- "Security architecture for cloud applications - Security for Data". IBM Cloud. Archived from the original on 24 December 2020. https://web.archive.org/web/20201224214242/https://www.ibm.com/cloud/architecture/architectures/securityArchitecture/security-for-data. Retrieved 02 August 2023.
- "Physical security architecture". IBM Cloud. https://www.ibm.com/cloud/architecture/architectures/physical-security-arch. Retrieved 02 August 2023.
- "Data Security". IBM Cloud Docs - Text to Speech. IBM Cloud. https://cloud.ibm.com/docs/text-to-speech?topic=text-to-speech-data-security. Retrieved 02 August 2023.
- "How do I know that my data is safe?". IBM Cloud Docs - Getting Started with IBM Cloud. IBM Cloud. 23 March 2021. https://cloud.ibm.com/docs/overview?topic=overview-security. Retrieved 02 August 2023.
- "X-Force Red Offensive Security Services". IBM. https://www.ibm.com/services/offensive-security. Retrieved 02 August 2023.
- "Threat management: Detection and response". Security architecture for cloud applications. IBM Cloud. https://www.ibm.com/cloud/architecture/architectures/security-threat-management-arch. Retrieved 02 August 2023.
- "Auditing system events for classic infrastructure". IBM Cloud Docs - Managing your account, resources, and access. IBM Cloud. 21 February 2022. https://cloud.ibm.com/docs/account?topic=account-audit-log. Retrieved 02 August 2023.
- "IBM Cloud compliance programs". IBM Cloud. https://www.ibm.com/cloud/compliance. Retrieved 02 August 2023.
- "Cloud Services Agreement" (PDF). IBM. March 2018. Archived from the original on 12 January 2022. https://web.archive.org/web/20220112081017/https://www.ibm.com/support/customer/pdf/terms/csa_th.pdf. Retrieved 02 August 2023.
- "Locations for resource deployment". IBM Cloud Docs - Getting Started with IBM Cloud. IBM Cloud. 22 June 2023. https://cloud.ibm.com/docs/overview?topic=overview-locations&locale=en. Retrieved 02 August 2023.
- Nott, C. (20 October 2020). "Cloud portability and interoperability". IBM THINK Blog. IBM. Archived from the original on 22 October 2021. https://web.archive.org/web/20211022233200/https://www.ibm.com/blogs/think/fi-fi/2020/10/20/cloud-portability-and-interoperability/. Retrieved 02 August 2023.
- "IBM Managed Security Services" (PDF). IBM. 2019. https://www.ibm.com/downloads/cas/BVWMRDGY. Retrieved 02 August 2023.
- "Managed Security Services (MSS)". IBM. https://www.ibm.com/services/managed-security. Retrieved 02 August 2023.
- "Top 250 MSSPs for 2023: Companies 20 to 11". Top 250 MSSPs: Cybersecurity Company List and Research for 2022. MSSP Alert. September 2022. https://www.msspalert.com/top250/list-2022/24/. Retrieved 02 August 2023.
- "Top 15 Best Managed Security Service Providers (MSSPs) In 2023". Software Testing Help. 1 August 2023. https://www.softwaretestinghelp.com/managed-security-service-providers/. Retrieved 02 August 2023.
- "Top 100 Managed Security Service Providers (MSSPs)". Cyber Defense Magazine. Cyber Defense Media Group. 18 February 2021. https://www.cyberdefensemagazine.com/top-100-managed-security-service-providers-mssps/. Retrieved 02 August 2023.