The security and privacy benefits of IBM and Promontory Services.

Every business knows that malicious actors will execute cyberattacks wherever they find a weakness, and it doesn’t matter if the business is an oil pipeline, a meat processing company, a sports team or even a local ferry system.

Although data breaches are not fully preventable, they can be mitigated through proper planning, governance, controls and strong security measures. In fact, simple human errors account for 85% of all data breaches, according to Verizon’s 2021 Data Breach Investigations Report.

Data breaches, whether malicious, technical or arising from human error, can lead to some sleepless nights in the C-suite. But IBM Cloud‘s unique combination of technical and regulatory experts can help.

Promontory, an IBM company, helps large organizations navigate the complexity of privacy and data protection regulations, in part by working with clients to consider, design and implement durable privacy cloud solutions.

This second post in our “Privacy and Security in the Cloud” series discusses the following:

1. IBM’s Principles for Trust and Transparency that guide our artificial intelligence (AI) ethics.
2. Promontory’s expertise in advising clients on data privacy and ethical risk frameworks to support socially responsible use of AI.
3. Selected IBM Cloud services that enhance security and privacy protections.

Trust and transparency

For decades, IBM followed core principles grounded in trust and transparency. These values continue to guide us in the development and deployment of new technologies, such as artificial intelligence (AI). Along with several other prominent technology companies, IBM has also endorsed a set of Trusted Cloud Principles intended to foster trust in cloud services around the world.

IBM’s Principles for Trust and Transparency comprise the following broad principles:

1. The purpose of AI is to augment human intelligence.
2. Data and insights belong to their creator.
3. Technology must be transparent and explainable.

Below are selected excerpts from those Principles:

The purpose of AI is to augment human intelligence

The purpose of AI and cognitive systems developed and applied by IBM is to augment — not replace — human intelligence. Our technology is and will be designed to enhance and extend human capability and potential.

Data belong to their creator

IBM clients own their data and privacy is core to a data-driven world. We are fully committed to protecting our clients’ data privacy. To that end, we do not put “backdoors” in our products for any government agency, nor do we provide source code or encryption keys to any government agency to access client data.

We also understand that governments might seek client data from cloud service providers, but we expect governments to deal directly with the appropriate client(s). IBM believes clients, not governments, should determine where their data is stored and how it is processed. Government mandates that data be kept or processed within national boundaries do not make data safer from hackers or cyber criminals.

Technology must be transparent and explainable

For the public to trust AI, it must be transparent. Companies must be clear about who trains their AI systems, what data were used in that training and, most importantly, what went into their algorithm’s recommendations. AI must be explainable to the public, especially when used to help make important decisions impacting individuals.

IBM’s long history of protecting privacy

As one of the first companies to appoint a chief privacy officer more than 20 years ago, IBM has long been focused on data privacy. We continue to advocate for strong and innovative means to enhance privacy and data protection while investing in privacy-enhancing technologies to protect personal data.

The security and privacy of data in the IBM Cloud are paramount, which is why we do the following:

• Maintain measures for a cloud service designed to be logically separate and prevent content from being exposed to or accessed by unauthorized persons.
• Enlist a qualified, independent third party to perform annual penetration testing.
• Assess each IBM cloud service separately for business continuity and disaster recovery requirements per documented risk management guidelines.
• Maintain and follow documented incident response policies consistent with the National Institute of Standards and Technology’s (NIST) Computer Security Incident Handling Guide.

“ Essentially, privacy regulation boils down to one thing: making sure that you’re able to safeguard the Personally Identifiable (PI) data that you’re collecting. At IBM, our ace in the hole is artificial intelligence (AI) because we are already infusing AI into every business process. In addition, we already have a central data & AI platform across the company.” — Ensuring Data Governance and Privacy at the Pace of Today and Tomorrow

Promontory’s Privacy and Data Protection expertise

Promontory’s Privacy and Data Protection practice includes former chief privacy officers, regulators and compliance managers experienced in helping industry leaders to tackle complex privacy challenges. This involves developing and implementing privacy frameworks and programs for global companies across various industries, including financial services, healthcare, retail, media, automotive, telecommunications and technology.

Promontory conducts privacy compliance assessments covering all areas of personal data collection, use, sharing and deletion, including broad General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) regulatory assessments and more targeted cloud assessments and strategic recommendations.

Promontory’s privacy practice also helps clients protect individual rights and data privacy by developing practical solutions aligned with regulations and best practices. In particular, Promontory supports socially responsible solutions by working with organizations in creating AI ethical risk frameworks that manage the complex ethical and societal issues raised by the growth of AI in products and services.

Securing data in the cloud

IBM Cloud also offers services that support data privacy and security to help clients meet their regulatory obligations and industry best practices.

1. Monitor potential threat vectors in varying environments: A challenge for many organizations is managing visibility across potential threat vectors in public and hybrid cloud environments. The IBM Cloud Security and Compliance Center is built into the IBM Cloud to allow clients to implement controls that continuously assess security and compliance posture, apply rules to enforce configuration standardization across accounts and gain insight into suspicious activity.
2. Keep your own key: IBM Cloud Hyper Protect Crypto Services is a dedicated key management service and hardware security module and is built on NIST’s Federal Information Processing Standard 140-2, Level 4-certified hardware. IBM’s “keep your own key” encryption allows clients to control their own encryption keys without an IBM or other external repository. This is increasingly important as regulators worldwide are concerned with governments accessing personal data.
3. Confidential computing: For years, encryption services have helped protect data at rest (i.e., in storage and databases) and data in transit (i.e., moving over a network connection.). Confidential computing is a cloud computing technology that isolates sensitive data in protected hardware during processing. The contents of the enclave — the data being processed and the techniques used to process it — are accessible only to authorized individuals. Confidential computing eliminates the remaining data security vulnerability by protecting data in use (i.e., during processing or runtime). The ability to physically protect sensitive data while in use is critical for all sectors, but it is especially important for heavily regulated industries, such as financial services and healthcare.
4. Isolation and network segmentation: IBM Cloud also supports compute isolation and network segmentation capabilities, meaning workloads can be deployed and managed with private-cloud-level security within a public cloud model. Compute isolation provides dedicated servers to mitigate concerns around shared cloud environments.
5. Integrate all your data: It’s not a surprise that data quality and integration can become major issues when pulling data from multiple cloud environments. Typically, siloed data complicates data integration, data management and keeps data from being easily accessible. IBM Cloud Pak® for Data allows enterprises to apply AI to data across any hybrid cloud environment. Cloud Pak for Data helps discover and unify disparate data sources — a data lake, catalog or warehouse — into one unified view. This gives business users a single point of access to find, understand, shape and use data throughout the organization. As many new privacy laws permit consumers to access personal data collected by entities, Cloud Pak for Data could be particularly useful in identifying disparate locations where data might be stored and can provide additional privacy capabilities for sensitive data governance and protection. Through the new IBM AutoPrivacy framework available on IBM Cloud Pak for Data, you can unlock your data’s potential. This delivers end-to-end, pre-integrated, automated and intelligent privacy capabilities for sensitive data governance and protection, as well as privacy risk and compliance management. These capabilities are of particular use for analytics, AI and data science use cases.
6. Cloud and on-premises, together: IBM recognizes that some organizations in heavily regulated industries might still be hesitant to go “all in” on the cloud with their critical workloads, but still want the efficiencies and innovations offered in the cloud. IBM Cloud Satellite gives organizations the flexibility to deploy and run applications managed as a service across on-premises, public clouds, edge and even those of other cloud vendors. IBM Cloud Satellite now extends financial services-level controls into any environment so you can get a consistent set of security, compliance and risk management controls anywhere — on other clouds, on-premises or at the edge.

Our team will help you rest easy

IBM and Promontory provide clients with a unique mix of technical and regulatory compliance expertise. As a result, IBM Cloud clients benefit not only from a secure cloud and strong security services, but from Promontory’s expertise in managing privacy and security risks. Working with us will let you rest easy, knowing that experts are helping to ensure your privacy and security in the cloud.