Security
IBM® Internet of Things Continuous Engineering on Cloud provides a highly secure development environment and commits to a minimum 99.9% service-level objective.
Cloud data protection
For more information about cloud data protection, see: IBM Cloud® security.
Cloud administrator access to data
Because IBM administrators must manage the databases and equipment, they have access to the data in the Virtual Private Cloud. Administrators sign strict non-disclosure agreements to ensure the confidentiality and security of the data. IBM applies strict hiring guidelines and sensitive-data handling training, and each of its service providers is required to pass a security and privacy training class. Refer also to IBM's standard SaaS Terms and Conditions.
International information security standards - ISO 27001 and ISO 27002
The Operations Team achieved ISO 27001 certification on March 31, 2018. The offering as a whole is going through ISO 27001 certification, with a target completion date of June 30, 2019.
Data encryption
HTTPS provides standard in-flight encryption. For large and enterprise customers with more than 200 subscribed users, in-flight encryption is enhanced by a site-to-site virtual private network tunnel.
All SaaS tiers provide encryption at rest. IBM uses a combination of IBM Db2® encryption and IBM Cloud Data Encryption Services (ICDES). ICDES is a software-defined data protection offering that runs in the background on application servers. Its cryptographic splitting combines AES-256 encryption with randomized (keyed) information dispersal in a FIPS 140-2 certified solution. ICDES has a built-in, simplified key management system, so no large, expensive key storage systems are required. ICDES can help support regulatory compliance requirements for HIPAA, HITECH, FISMA, Sarbanes-Oxley, and PCI.
Supporting you in the execution of data subjects’ requests to access, correct, or delete their data
In general, executing requests to change data is your responsibility, because only you can access the application data in your SaaS environment that was entered by your personnel. Personal data about customers is accessible to IBM personnel only as agreed in the standard contract. Any customization to the standard contract can be incorporated as a separate services statement of work for an additional fee. Discuss this with your IBM contact.
SoftLayer® FedRAMP certification
SoftLayer has received its ATO (Authority to Operate) in compliance with the Federal Risk and Authorization Management Program (FedRAMP). The ATO was sponsored by the Federal Communications Commission (FCC). Based on the FCC authorization, US government agencies can evaluate FCC GovCloud (US) for their applications and workloads, complete their own authorizations to use SoftLayer, and deploy systems into the SoftLayer Federal Cloud.
SoftLayer has two federal data centers, in Ashburn and Dallas. The ATO covers both data centers and virtually all the infrastructure services within them. It does not cover IBM solutions that are built on top of the SoftLayer infrastructure; those require their own authorization.
Comparing the FCC agency Authority To Operate (ATO) to the JAB ATO
For the agency ATO, the evaluation was done explicitly by the FCC. Other agencies can leverage that assessment, but each agency is responsible for its own security and therefore must issue its own ATO. The process for a second agency is very short, since the FCC has already verified SoftLayer's controls. The FCC is responsible for continuous monitoring of the SoftLayer Federal Cloud to ensure that SoftLayer remains in compliance with FedRAMP controls.
The Joint Authorization Board (JAB) ATO is a provisional ATO. The JAB is made up of the GSA, DHS, and DoD, who collectively review the FedRAMP package and authorize its use. Each agency must still evaluate the paperwork and security controls independently and approve it; it is called a provisional ATO because each agency must still sign it individually. In the case of the JAB ATO, the JAB takes responsibility for the continuous monitoring. The JAB ATO is considered a more rigorous evaluation, and SoftLayer is still on plan to have a JAB ATO by the end of 2016.
FedRAMP by definition implements FISMA Moderate controls. However, a client could potentially implement FISMA High controls on top of SoftLayer's Moderate controls and achieve FISMA High-High-High compliance (High for each of confidentiality, integrity, and availability).
DoD controls
DISA will review the FedRAMP controls and is likely to issue an ATO for DoD Impact Level 2 workloads within a matter of days. SoftLayer is also pursuing Impact Level 5.
For more information on the SoftLayer status, see: FedRAMP