Cloud
April 25, 2023 By Kala Nenkova
Greg Effrein
Mark Meredith
Michelle Kaufman
7 min read

Today’s enterprises are challenged to manage risk, contain cost and unlock innovation in an increasingly complex hybrid cloud environment.

Enter IBM Cloud—the first real-world instantiation of a secure, compliance-focused cloud for regulated industries. Specifically designed to reduce risk, IBM Cloud has been reimagined as the hub for enterprise IT security and compliance. By adding new functionality and connecting existing tools, we have simplified the definition, implementation, management and assessment of critical enterprise workloads. For regulated industries, we have adopted and embedded the IBM Cloud for Financial Services concepts and controls into a seamless experience for enterprise customers.

Featured benefits that help accelerate and maintain your regulated standards at scale include the following:

  • Significantly reduce time to active use
  • Ensure secure-by-default environments for critical workloads
  • Enjoy continuous compliance across the cloud
  • Align IBM Cloud to your business
  • Align application and infrastructure security and compliance

Significantly reduce time to active use

Instead of figuring out how to assemble a compliant infrastructure architecture on your own, you can review the deployable architectures that are now available in the catalog. IBM Cloud provides automation for the deployment of common architectural patterns that combine one or more cloud resources, known as deployable architectures. Each deployable architecture is built and maintained by IBM Cloud experts following IBM Cloud best practices, taking the guesswork out of the architecture design process and reducing the time it takes to deploy to just minutes. Compliance managers and solution architects can review the components of the architecture and the level of compliance that each deployable architecture meets by reviewing the details directly from the catalog detail pages.

Capability highlights:

  • The IBM Cloud catalog now includes a curated set of deployable architectures to help you build faster by orders of magnitude.
  • Convenient provisioning through IBM Cloud by using a project, Terraform-as-a-Service or on your own with CLI commands to configure the architecture to fit your enterprise’s business needs.

Modular Infrastructure as Code (IaC) templates enable you to customize and extend with IBM tools and share with private catalogs to ensure that the architecture meets your needs.

Figure 1: Discover deployable architectures in the IBM Cloud catalog.

Ensure secure-by-default environments for critical workloads

Planning and defining your enterprise’s goals for running secure workloads on IBM Cloud is essential to your success because building infrastructure and applications in the cloud can be time-consuming and error-prone. With IBM Cloud, you can save your business time and money by taking advantage of our automation and standardized best practices as you work. Get started by reviewing our predefined, compliant-by-default architectures and control libraries to see how your industry fits in the cloud.

When your team has evaluated and chosen a deployable architecture, they can use a project to configure it to fit your enterprise’s business needs. A project is a named collection of configurations that are used to manage related resources and Infrastructure as Code (IaC) deployments across accounts. They enable your teams to focus on a shift-left approach by using DevOps best practices to configure, deploy and monitor deployments. Each project includes tools that scan for potentially harmful resource changes, compliance, security and cost, as well as tracking versioning and governance. They’re designed with an IaC- and compliance-first approach that helps to ensure that a project is managed, secure and always compliant.

Capability highlights:

  • Deployable architectures lower customer risk in adopting solutions by ensuring patterns work with security and compliance profiles baked-in.
  • Projects enable compliance tracking across accounts, easier detection of spend, and increased ease of management.
  • The IBM Cloud Security and Compliance Center continuously monitors across accounts, enabling deployable architectures to proliferate best practices across the organization.
  • Accelerator for IBM Cloud Framework for Financial Services.
  • Conduct a shift-left, pre-deployment scan with projects to check compliance and cost for your configured deployable architecture, adding a layer of governance where changes require admin approval.

Figure 2: Configuring a deployable architecture using projects.

Figure 3: Validating a deployable architecture using projects.

Enjoy continuous compliance across the cloud

With continuous compliance at the core of IBM Cloud’s platform, your team has all the tools at your disposal to securely develop, deploy and manage your regulated, mission-critical enterprise workloads in the cloud. For highly regulated industries like financial services, achieving continuous compliance within a cloud environment is an important first step toward protecting customer and application data.

Historically, that process has been difficult and manual, which placed your organization at risk. With IBM Cloud, however, you can work with predefined deployable architectures, automate IaC deployments with projects and integrate automatic security checks into everyday workflows to minimize risk.

With IBM Cloud, your whole team— including solution architects, compliance managers, infrastructure DevOps teams and application development teams—can use a shift-left approach to identify security risks and exposures early when developing and deploying cloud solutions. This ensures that security and compliance is at the center of your workflow to promote a culture of security and compliance within your organization that allows your enterprise to operate in the cloud with confidence.

Capability highlights:

  • Fully supported deployable architectures include shift-left security and compliance scans via an integrated DevSecOps model.
  • The DevSecOps Application Lifecycle Management deployable architecture provides a streamlined way to set up continuous integration (CI), continuous development (CD), and continuous compliance (CC) toolchains for secure and agile application development.
  • Continuously scan architectures against security and compliance profiles in the IBM Cloud Security and Compliance Center. Anomalies are flagged and remediations are suggested.
  • Define custom profiles (Compliance as Code) based on IBM Cloud Framework for Financial Services to work across the entire cloud enterprise, specific workloads, individual applications and all points in between.

Figure 4: IBM Cloud for Financial Services profile within the IBM Cloud Security and Compliance Center.

Align IBM Cloud to your business

With DevSecOps, you can put security and compliance at the forefront of your development lifecycle. This sets your team up to implement a shift-left approach that prevents security issues in your application code from ever reaching production and collects evidence for handling security audits. By taking advantage of IBM Cloud DevSecOps, you can leverage the CC toolchain template to move from manual verification to using automation to continuously assess app security and compliance posture. To learn more, see the DevSecOps documentation.

Although IBM Cloud reduces the time and complexity of setting up a compliant enterprise application, you still need to ensure that you’re maintaining compliance. To do so, you can use the Security and Compliance Center to run automatic evaluations on your resource configurations. The evaluation results are provided in the dashboard of the Security and Compliance Center or you can get notified of changes. You can quickly assess the risk to your organization, fix issues and generate reports so that you’re always audit-ready.

Additionally, using DevSecOps CI/CD/CC toolchains can help to automate the evaluation of controls as part of the development process and can block non-compliant changes from being promoted. Managing your application code this way ensures that you have the evidence and change history that is needed to meet the required compliance standards for your industry. For more information about using DevSecOps Application Lifecycle Management for deploying your code, review the reference architecture.

Capability highlights:

  • Security and compliance officers can track compliance at the project level, crossing account boundaries and grouping all related resources.
  • Architects and developers can see the impact of a deployment scenario on overall cloud costs in real-time, before changes are applied.
  • Cost, availability and compliance reporting occurring across accounts and shared infrastructure give you the ability to calculate accurate costs for inter-company chargebacks.
  • Use the provided tools to support IaC and Compliance as Code modifications that are customized to your organization and shared via private catalogs.
  • Monitor your code coverage, quality, vulnerability and build deployments with DevOps Insights.
  • Set up a built-in pipeline to trigger alerts when critical events occur with Event Notifications integrated with popular tools like Slack and GitHub.

Figure 5: Monitoring your environments with DevOps Insights.

Align application and infrastructure security and compliance

Unified controls frameworks, compliance profiles and user experience seamlessly integrate flows across both infrastructure and applications, ensuring security and compliance is baked-in at every step in the cloud journey. This full-stack solution provides compliance definitions, eliminates risk and blind spots at the architectural boundaries, and helps you manage scale quicker while avoiding potentially critical gaps.

An enterprise development team can maintain their compliance for multiple applications and all underlying infrastructure in one experience. Specific roles include the following:

  • A risk and compliance officer can define an enterprise-level compliance profile.
  • A cloud architect can select from a series of enterprise-compliant architectures and customize to suit their needs.
  • An account admin can instantiate the reference infrastructure environment.
  • A development team can stand up a secure and compliant application layer, including DevSecOps, on top of the infrastructure.
  • An SRE has a project level context for viewing and reporting all relevant resources, even across accounts.
  • A compliance focal can see continuous compliance results, ensure vulnerabilities are being alleviated and quickly access audit-ready compliance evidence.

Figure 6: Unified workload delivery model.

Get started with your enterprise workloads on IBM Cloud

With the tools available through IBM Cloud, you can stay compliant with automation and ensure that deployments are conducted by using a secure software supply chain, all while managing your resources at scale. Visit the IBM Cloud catalog to check out the deployable architectures, and visit the IBM Security and Compliance Center today to start defining your security and compliance goals.

For more information about setting up automated deployments using projects, customizing deployable architectures and more, see the Enterprise account architecture white paper and Running secure enterprise workloads documentation.

Related links

Kala Nenkova
Offering Manager, IBM Cloud Platform
Greg Effrein
Principal OM, IBM Cloud Developer Experience
Mark Meredith
Principal Product Manager, IBM Cloud Platform
Michelle Kaufman
Content Lead and Strategist, IBM Cloud Platform

More from Cloud
July 2, 2024

New 4th Gen Intel Xeon profiles and dynamic network bandwidth shake up the IBM Cloud Bare Metal Servers for VPC portfolio

3 min read - We’re pleased to announce that 4th Gen Intel® Xeon® processors on IBM Cloud Bare Metal Servers for VPC are available on IBM Cloud. Our customers can now provision Intel’s newest microarchitecture inside their own virtual private cloud and gain access to a host of performance enhancements, including more core-to-memory ratios (21 new server profiles/) and dynamic network bandwidth exclusive to IBM Cloud VPC. For anyone keeping track, that’s 3x as many provisioning options than our current 2nd Gen Intel Xeon…

July 2, 2024

IBM and AWS: Driving the next-gen SAP transformation  

5 min read - SAP is the epicenter of business operations for companies around the world. In fact, 77% of the world’s transactional revenue touches an SAP system, and 92% of the Forbes Global 2000 companies use SAP, according to Frost & Sullivan.   Global challenges related to profitability, supply chains and sustainability are creating economic uncertainty for many companies. Modernizing SAP systems and embracing cloud environments like AWS can provide these companies with a real-time view of their business operations, fueling growth and increasing…

July 2, 2024

Experience unmatched data resilience with IBM Storage Defender and IBM Storage FlashSystem

3 min read - IBM Storage Defender is a purpose-built end-to-end data resilience solution designed to help businesses rapidly restart essential operations in the event of a cyberattack or other unforeseen events. It simplifies and orchestrates business recovery processes by providing a comprehensive view of data resilience and recoverability across primary and  auxiliary storage in a single interface. IBM Storage Defender deploys AI-powered sensors to quickly detect threats and anomalies. Signals from all available sensors are aggregated by IBM Storage Defender, whether they come…

IBM Newsletters

 Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters